Data Loss During Downsizing



Preventing data loss during downsizing. Delivered at the IAPP Practical Privacy Series, Santa Clara CA, June 2009.


© All Rights Reserved


Data Loss During Downsizing: Presentation Transcript

  • Data Loss During Downsizing: As Employees Exit, So Does Corporate Data. Constantine Karbaliotis, LL.B., CIPP/C/IT, Information Privacy Lead, Information Security Services - Symantec Services Group
  • Quick Survey
  • Agenda
    • 1. What is the risk of data loss in a down economy?
    • 2. What are the repercussions?
    • 3. How can you proactively protect your data?
  • What Happens to Data in a Down Economy?
  • Not Your Organization, Right?
    Survey Sample
    • 945 respondents across US regions and industries
      • Corporate IT and sales were the largest functions represented
      • Financial services represents the largest industry segment
    • Surveyed all levels, from intern to executive
      • 28% of respondents at or above the supervisory level
      • Average job experience was 8.11 years
      • Average time at previous employer was 2.87 years
    As employees exit, so does corporate data:
    • 59% of ex-employees took company data, including:
      • customer lists
      • employee records
      • non-financial information
    • 68% used or planned to use stolen data at a new or future employer
    Most common methods to take data:
    • downloaded to CD/DVD: 53%
    • copied to USB drives: 42%
    • sent to personal email: 38%
  • Types of Data Susceptible to Theft
  • For those who said yes
  • Key Take-Aways
    • Ex-employees are leaving with data at a high rate
    • Organizations need to revisit business processes
    • Data loss during downsizing is preventable
  • What are the Repercussions?
  • Data Loss Is A Growing Concern
    • 59%: the percentage of ex-employees who took company data in 2008
    • $6.7 million: the average cost to remediate a data breach for US companies in 2008
    • 83 million: the total number of consumer records in publicly reported data breaches in 2008
    • #1 priority for Chief Information Security Officers
  • Public Examples of Theft of Data
  • How can the problem be fixed – a strategic approach
    • Governance
    • Corporate governance:
      • Establish appropriate governance, policies, and procedures to protect your data
      • Important to state that protection of data is not only a corporate responsibility but also a job responsibility
    • Separation of duties:
      • For instance: DBAs should not be able to alter the logging of accesses, and those in charge of monitoring should be unable to control the databases themselves
    • Documenting security and privacy efforts
      • Allows regulators to assess compliance activities and to recognize failures as human error rather than systemic problems
      • Allows the organization to defend against possible claims
  • Making Data Protection part of the job…
    • Staff and contractors:
      • Ensure staff have privacy and confidentiality as requirements of employment
      • Similarly, provide by contract that contractors adhere to corporate standards
    • Addressing the 'human factor' in risks to an organization's data protection:
      • Background checks for staff, especially those in a position to access and alter personal information
      • Privacy and security training for new hires and on a regular basis, including recording the fact of such training
      • Make security and privacy protection part of job descriptions, and part of performance objectives
  • Technology Controls
    • Technology strategies have to be redundant:
      • Encryption of sensitive data
      • Effective means to prevent malicious individuals from accessing and taking corporate data - either at the perimeter (firewalls, intrusion detection) or through malicious software (anti-virus, anti-spyware)
      • Understanding what is going on – effective logging and auditing of activities on systems and networks
      • Effective access controls: “need to know”
    • But many organisations already have these in place – so why does this data loss keep happening?
      • Failure to effectively enforce policies, standards, access controls
      • Legacy systems
      • Webmail, PDAs and USB drives have altered the landscape of how data ‘leaks’
  • Content Controls
    • Organizations need to enforce more effective content controls: it’s the content that is important
    • Data loss prevention (DLP) technology has the ability to prevent the deliberate or accidental loss of corporate data, through its ability to recognize the characteristics of personal data:
      • Credit card numbers
      • Social security or other national identifiers
      • Employee data such as salary or other sensitive data
      • Financial data
      • Source code
      • Confidential client information
  • How Do You Protect Your Data?
    • Data loss during downsizing is preventable
      • Find where sensitive data resides
      • Understand how it is being used
      • Prevent it from being downloaded, copied or sent outside the company
    downloads to CD/DVD, copying to USB drives, emails to webmail
  • Conclusion
  • Key Recommendations to Prevent Data Loss During Downsizing
    • Put appropriate controls and business processes in place before a downsizing event
    • Increase education and training efforts to remind employees of corporate policies
    • Leverage DLP technology to protect sensitive data
  • Register to receive a copy at: Questions?
  • Thank You Constantine Karbaliotis [email_address] 416.402.9873
  • Appendix: Symantec DLP
  • What is Data Loss Prevention?
    • DISCOVER: Where is your confidential data?
    • MONITOR: How is it being used?
    • PROTECT: How best to prevent its loss?
  • Key Requirements for DLP
    • DISCOVER
      • Find data wherever it is stored
      • Identify who has access to it
      • Clean up exposed sensitive data
    • MONITOR
      • Understand where data is sent
      • Understand how data is used
      • Gain visibility whether users are on or off corporate network
    • PROTECT
      • Proactively secure data
      • Prevent confidential data loss
      • Enforce data protection policies
    • MANAGE
      • Create data protection policies
      • Measurably reduce your risk
  • Protect the Crown Jewels: Pricing Copied to USB. Stop it from being copied to USB. Notify user. Launch investigation.
  • Protect Sensitive Data… even at a Cafe: Sensitive Data Sent via Webmail. Block the email or gmail. On or off the corporate network.
  • Keep the Competition Guessing: Protect Intellectual Property From Being Sent. Protect your IP. Automatically notify users of policy violations.
  • Secure Your Secret Sauce: Copy/Paste of Source Code. Block the copy/paste action. Notify user in real-time.
  • Safeguard Your Customer Records: Print/Fax of Customer Data. Prevent the document from being printed or faxed. Notify user in real-time.
  • Executive Dashboards and Reporting
  • Continuous Risk Reduction [Chart: Risk Reduction Over Time; axis: Incidents Per Week; stages: Baseline, Remediation, Notification, Prevention]
  • Measurable Results
    • Protect Patient Data
    • HIPAA Compliance
    • Automate protection
    • Intellectual Property
    • Competitive advantage
    • Detection technology
    70% 98% 80%
    • Financial & Customer data
    • Protect brand & customers
    • Employee education
    Healthcare Financial Services Manufacturing
  • Endpoint Data Protection for Mobile Employees
    • Monitor email and web traffic for CCNs and SSNs
    • Automatically notify employees of policy violations
    • Demonstrate compliance with GLBA and PCI
    • Prevent data loss with minimal impact to users, +1,700 employees
    • Stop unauthorized copying of files to USB drives and CDs
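
The Content Controls slide says DLP recognizes the characteristics of personal data, and the last slide mentions monitoring email and web traffic for CCNs and SSNs. The sketch below is an added example, not part of the presentation and not Symantec DLP's detection logic: it flags card numbers only when they pass the Luhn checksum and SSNs only when the format is one that can be issued, then applies a block-and-notify decision. The channel names, the threshold and the sample messages are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optional single space/hyphen separators.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# US SSN written AAA-GG-SSSS; area 000/666/9xx, group 00, serial 0000 are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four digits so the incident log is not itself a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan(text: str) -> list[tuple[str, str]]:
    """Return (type, masked value) for each card number or SSN found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("CCN", mask(m.group())))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", mask(m.group())))
    return findings

EXTERNAL = {"webmail", "usb", "cd_dvd"}  # hypothetical channel names

def decide(channel: str, text: str, threshold: int = 1) -> str:
    """Hypothetical policy: block and notify when data leaves on an external channel."""
    hits = scan(text)
    return "block+notify" if channel in EXTERNAL and len(hits) >= threshold else "allow"

# Constructed sample messages (not real data).
SAMPLES = [
    ("webmail", "Customer list attached. Card on file: 4111-1111-1111-1111, SSN 123-45-6789"),
    ("webmail", "Order ref 4111111111111112, ticket 000-12-3456"),
    ("internal_share", "Card 4111 1111 1111 1111"),
]

if __name__ == "__main__":
    for channel, text in SAMPLES:
        print(channel, decide(channel, text), scan(text))
```

The second sample shows why validation matters: a 16-digit order reference and an SSN-shaped ticket number produce no findings, which keeps false positives out of the incident queue.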