Data Loss During Downsizing
DESCRIPTION
Preventing data loss during downsizing. Delivered at the IAPP Practical Privacy Series, Santa Clara CA, June 2009.
TRANSCRIPT
Data Loss During Downsizing: As Employees Exit, So Does Corporate Data
Constantine Karbaliotis, LL.B., CIPP/C/IT, Information Privacy Lead, Information Security Services, Symantec Services Group
Quick Survey
Agenda
1. What is the risk of data loss in a down economy?
2. What are the repercussions?
3. How can you proactively protect your data?
What Happens to Data in a Down Economy?
Not Your Organization, Right?
Survey Sample
• 945 respondents across US regions and industries
  – Corporate IT and sales were the largest functions represented
  – Financial services represents the largest industry segment
• Surveyed all levels, from intern to executive
  – 28% of respondents at or above the supervisory level
  – Average job experience was 8.11 years
  – Average time at previous employer was 2.87 years
As employees exit, so does corporate data:
• 59% of ex-employees took company data, including customer lists, employee records and non-financial information
• 68% used or planned to use stolen data at a new or future employer
Most common methods to take data:
• downloaded to CD/DVD: 53%
• copied to USB drives: 42%
• sent to personal email: 38%
More than half of ex-employees took data
[Chart: Yes 59%, No 41%]
Types of Data Susceptible to Theft
Close to 70% used or planned to use stolen data at a new or future employer
[Chart, for those who said yes: "Will use data at future employer", "Used data to secure new position", "Did you obtain a new job?"; values shown 68%, 67%, 69%]
Most employers DO NOT perform a review or audit prior to an employee leaving
[Chart: Yes 4%, No 82%, Can't recall 15%]
Unhappy ex-employees are more likely to take data
[Chart: "Took data" vs "Did not take data", split by favorable vs unfavorable view of the employer; values shown 13%, 57%, 61%, 20%]
Key Take-Aways
• Ex-employees are leaving with data at a high rate
• Organizations need to revisit business processes
• Data loss during downsizing is preventable
What are the Repercussions?
Data Loss Is A Growing Concern
• 59%: the percentage of ex-employees who took company data in 2008
• $6.7 million: the average cost to remediate a data breach for US companies in 2008
• 83 million: the total number of consumer records in publicly reported data breaches in 2008
• #1 priority for Chief Information Security Officers
Public Examples of Theft of Data
How can the problem be fixed – a strategic approach
Governance
• Corporate governance:
  – Establish appropriate governance, policies, and procedures to protect your data
  – Important to state that protection of data is not only a corporate but a job responsibility
• Separation of duties:
  – For instance: DBAs should not be able to alter logging of accesses, and those in charge of monitoring should be unable to control databases themselves
• Documenting security and privacy efforts:
  – Allows regulators to assess compliance activities and recognize failures as human error rather than systemic problems
  – Allows the organization a defense to possible claims
Making Data Protection part of the job…
• Staff and contractors:
  – Ensure staff have privacy and confidentiality as requirements of employment
  – Similarly, provide by contract that contractors adhere to corporate standards
• Addressing the 'human factor' in risks to protection for an organization:
  – Background checks for staff, especially those in a position to access and alter personal information
  – Privacy and security training for new hires and on a regular basis, including recording the fact of such training
  – Make security and privacy protection part of job descriptions, and part of performance objectives
Technology Controls
Technology strategies have to be redundant:
• Encryption of sensitive data
• Effective means to prevent malicious individuals from accessing and taking corporate data, either at the perimeter (firewalls, intrusion detection) or through malicious software (anti-virus, anti-spyware)
• Understanding what is going on: effective logging and auditing of activities on systems and networks
• Effective access controls: "need to know"
But many organisations already have these in place, so why does this data loss keep happening?
• Failure to effectively enforce policies, standards and access controls
• Legacy systems
• Webmail, PDAs and USB drives have altered the landscape of how data 'leaks'
Content Controls
• Organizations need to enforce more effective content controls: it's the content that is important
• Data loss prevention (DLP) technology has the ability to prevent the deliberate or accidental loss of corporate data, through its ability to recognize the characteristics of personal data:
  – Credit card numbers
  – Social security or other national identifiers
  – Employee data such as salary or other sensitive data
  – Financial data
  – Source code
  – Confidential client information
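To make concrete what "recognizing the characteristics of personal data" means in a content control, here is an added example; it is not part of the original presentation and is not Symantec DLP code. It detects two of the data classes listed above, credit card numbers (checked with the Luhn checksum, so random digit runs are not flagged) and US Social Security Numbers (checked against the SSA's published structural rules for area, group and serial), runs the detectors over a small constructed corpus standing in for a file share, and applies an illustrative policy: block when a card number is found, notify when an SSN is found, otherwise allow. The document names, the text in them and the allow/notify/block policy are assumptions made for the example; the card numbers are published test numbers, not real accounts.

```python
"""Minimal content-aware detector of the kind a DLP policy relies on.

Added example (not Symantec code). Finds credit card numbers validated with the
Luhn checksum and US SSNs validated against SSA structural rules, then decides
per document whether to allow, notify or block.
"""
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSNs in the canonical AAA-GG-SSSS form.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812-1): filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_valid(area: str, group: str, serial: str) -> bool:
    """SSA rules: area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_card_numbers(text: str) -> list:
    """Return normalised (digits-only) card numbers in text that pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    """Return SSNs in text that are structurally valid."""
    return [m.group(0) for m in SSN_RE.finditer(text) if ssn_valid(*m.groups())]


@dataclass
class Finding:
    doc: str
    card_numbers: list
    ssns: list

    @property
    def action(self) -> str:
        # Illustrative policy (an assumption of this example): card numbers are
        # blocked outright, SSNs trigger a user notification, everything else passes.
        if self.card_numbers:
            return "block"
        if self.ssns:
            return "notify"
        return "allow"


def scan(documents: dict) -> dict:
    """Run both detectors over a {name: text} corpus, as a discovery scan of a share would."""
    return {name: Finding(name, find_card_numbers(text), find_ssns(text))
            for name, text in documents.items()}


# Constructed sample corpus (assumption, not real data); the card numbers are
# published test PANs and the SSNs are either SSA-advertised dummy numbers or invalid.
SAMPLE_DOCS = {
    "pricing.xlsx": "Q3 list prices, internal only. No customer data.",
    "customers.csv": "Alice,4111 1111 1111 1111,219-09-9999\nBob,5500-0000-0000-0004,000-12-3456",
    "notes.txt": "Ticket 1234567890123456 (not a card: fails Luhn). Call 555-123-4567.",
    "payroll.txt": "Employee 078-05-1120 salary band 4; fake SSN 987-65-4320 ignored.",
}

if __name__ == "__main__":
    for name, f in scan(SAMPLE_DOCS).items():
        print(f"{name}: cards={f.card_numbers} ssns={f.ssns} -> {f.action}")
```

Run stand-alone it scans the constructed corpus: customers.csv is blocked (two valid card numbers, one valid SSN, the 000-prefixed one discarded), payroll.txt triggers a notification (one valid SSN, the 987-prefixed one discarded), and notes.txt is allowed because the 16-digit ticket number fails Luhn and the phone number does not fit the SSN shape. The checksum and structural rules are what keep a content control from drowning in false positives; a production DLP engine adds proximity keywords, document fingerprints and exact-data matching on top of this.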
How Do You Protect Your Data?
Data loss during downsizing is preventable:
1. Find where sensitive data resides
2. Understand how it is being used
3. Prevent it from being downloaded, copied or sent outside the company (downloads to CD/DVD, copying to USB drives, emails to webmail)
Conclusion
Key Recommendations to Prevent Data Loss During Downsizing
1. Put appropriate controls and business processes in place before a downsizing event
2. Increase education and training efforts to remind employees of corporate policies
3. Leverage DLP technology to protect sensitive data
Register to receive a copy at: https://www4.symantec.com/Vrt/offer?a_id=78695
Questions?
Appendix: Symantec DLP
What is Data Loss Prevention?
DATA LOSS PREVENTION (DLP): DISCOVER, MONITOR, PROTECT, MANAGE
Key Requirements for DLP
• DISCOVER: Where is your confidential data?
  – Find data wherever it is stored
  – Identify who has access to it
  – Clean up exposed sensitive data
• MONITOR: How is it being used?
  – Understand where data is sent
  – Understand how data is used
  – Gain visibility whether users are on or off the corporate network
• PROTECT: How best to prevent its loss?
  – Proactively secure data
  – Prevent confidential data loss
  – Enforce data protection policies
• MANAGE
  – Create data protection policies
  – Measurably reduce your risk
• Protect the Crown Jewels: Pricing Copied to USB
  – Stop it from being copied to USB. Notify user. Launch investigation.
• Protect Sensitive Data… even at a Cafe: Sensitive Data Sent via Webmail
  – Block the email or Gmail. On or off the corporate network.
• Keep the Competition Guessing: Protect Intellectual Property From Being Sent
  – Protect your IP. Automatically notify users of policy violations.
• Secure Your Secret Sauce: Copy/Paste of Source Code
  – Block the copy/paste action. Notify user in real time.
• Safeguard Your Customer Records: Print/Fax of Customer Data
  – Prevent the document from being printed or faxed. Notify user in real time.
Executive Dashboards and Reporting
Continuous Risk Reduction
[Chart "Risk Reduction Over Time": incidents per week (0 to 1000) over time; series shown: Baseline, Notification, Prevention, Remediation]
Measurable Results
[Chart: risk reduction figures shown 70%, 98%, 80%; column mapping not recoverable from the transcript]
• Healthcare: Protect patient data; HIPAA compliance; Automate protection
• Financial Services: Financial & customer data; Protect brand & customers; Employee education
• Manufacturing: Intellectual property; Competitive advantage; Detection technology
Endpoint Data Protection for Mobile Employees
• Monitor email and web traffic for CCNs and SSNs
• Automatically notify employees of policy violations
• Demonstrate compliance with GLBA and PCI
• Prevent data loss with minimal impact to users, +1,700 employees
• Stop unauthorized copying of files to USB drives and CDs