Data Loss During Downsizing
Preventing data loss during downsizing. Delivered at the IAPP Practical Privacy Series, Santa Clara CA, June 2009.

Published in: Technology
  1. Data Loss During Downsizing: As Employees Exit, So Does Corporate Data. Constantine Karbaliotis, LL.B., CIPP/C/IT, Information Privacy Lead, Information Security Services - Symantec Services Group
  2. Quick Survey
  3. Agenda
     1 What is the risk of data loss in a down economy?
     2 What are the repercussions?
     3 How can you proactively protect your data?
  4. What Happens to Data in a Down Economy?
  5. Not Your Organization, Right?
  6. Survey Sample
     • 945 respondents across US regions and industries
       - Corporate IT and sales were the largest functions represented
       - Financial services represents the largest industry segment
     • Surveyed all levels, from intern to executive
       - 28% of respondents at or above the supervisory level
       - Average job experience was 8.11 years
       - Average time at previous employer was 2.87 years
  7. As employees exit, so does corporate data
     • 59% of ex-employees took company data, including:
       - customer lists
       - employee records
       - non-financial information
     • 68% used or planned to use stolen data at a new or future employer
     • Most common methods to take data:
       - downloaded to CD/DVD: 53%
       - copied to USB drives: 42%
       - sent to personal email: 38%
  8. (no text on slide)
  9. Types of Data Susceptible to Theft
  10. (no text on slide)
  11. For those who said yes
  12. (no text on slide)
  13. (no text on slide)
  14. Key Take-Aways
     • Ex-employees are leaving with data at a high rate
     • Organizations need to revisit business processes
     • Data loss during downsizing is preventable
  15. What are the Repercussions?
  16. Data Loss Is A Growing Concern
     • 59%: the percentage of ex-employees who took company data in 2008
     • $6.7 Million: the average cost to remediate a data breach for US companies in 2008
     • 83 Million: the total number of consumer records in publicly reported data breaches in 2008
     • #1 priority for Chief Information Security Officers
  17. Public Examples of Theft of Data
  18. How can the problem be fixed: a strategic approach
  19. Governance
     • Corporate governance:
       - Establish appropriate governance, policies, and procedures to protect your data
       - Make it explicit that protection of data is not only a corporate responsibility but a job responsibility
     • Separation of duties:
       - For instance: DBAs should not be able to alter logging of accesses, and those in charge of monitoring should be unable to control databases themselves
     • Documenting security and privacy efforts:
       - Allows regulators to assess compliance activities and to recognize failures as human error rather than systemic problems
       - Gives the organization a defense against possible claims
  20. Making Data Protection part of the job...
     • Staff and contractors:
       - Ensure staff have privacy and confidentiality as requirements of employment
       - Similarly, provide by contract that contractors adhere to corporate standards
     • Addressing the 'human factor' in risks to an organization's data protection:
       - Background checks for staff, especially those in a position to access and alter personal information
       - Privacy and security training for new hires and on a regular basis, including recording the fact of such training
       - Make security and privacy protection part of job descriptions, and part of performance objectives
  21. Technology Controls
     • Technology strategies have to be redundant:
       - Encryption of sensitive data
       - Effective means to prevent malicious individuals from accessing and taking corporate data, either at the perimeter (firewalls, intrusion detection) or through malicious software (anti-virus, anti-spyware)
       - Understanding what is going on: effective logging and auditing of activities on systems and networks
       - Effective access controls: "need to know"
     • But many organisations already have these in place, so why does this data loss keep happening?
       - Failure to effectively enforce policies, standards and access controls
       - Legacy systems
       - Webmail, PDAs and USB drives have altered the landscape of how data 'leaks'
  22. Content Controls
     • Organizations need to enforce more effective content controls: it's the content that is important
     • Data loss prevention (DLP) technology can prevent the deliberate or accidental loss of corporate data because it recognizes the characteristics of personal data, such as:
       - Credit card numbers
       - Social security or other national identifiers
       - Employee data such as salary or other sensitive data
       - Financial data
       - Source code
       - Confidential client information
  23. How Do You Protect Your Data?
     • Data loss during downsizing is preventable:
       - Find where sensitive data resides
       - Understand how it is being used
       - Prevent it from being downloaded, copied or sent outside the company (downloads to CD/DVD, copying to USB drives, emails to webmail)
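As an added illustration of the content-recognition idea behind slides 22 and 23 (this is example code written for this page, not Symantec's product and not part of the deck), the following Python scanner runs the "discover" step over a few constructed documents, recognises payment card numbers and US Social Security numbers by their structure, validates each candidate (Luhn check for cards, issuance rules for SSNs) so that invoice and order numbers are not reported, and emits only masked values so the findings report does not itself become a new copy of the data. The document names and their contents are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample documents standing in for files found on a share or an endpoint.
# 4111 1111 1111 1111 is a well-known test card number; the other values are made up
# to exercise the validation rules below.
SAMPLE_DOCS = {
    "customers.csv": (
        "name,card\n"
        "A. Example,4111 1111 1111 1111\n"   # Luhn-valid: reported
        "B. Example,4111-1111-1111-1112\n"   # fails Luhn: dropped as a false positive
    ),
    "hr_export.txt": (
        "Employee SSN on file: 219-09-9999; "  # plausible SSN: reported
        "invoice id 000-12-3456; "            # area 000 is never issued: dropped
        "order 123456789"                     # nine digits but no SSN layout: not matched
    ),
    "readme.txt": "Nothing sensitive here, just release notes.",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN layout AAA-GG-SSSS.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


@dataclass
class Finding:
    doc: str
    kind: str      # "credit_card" or "ssn"
    masked: str    # only the last four digits survive into the report


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: areas 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def mask(digits: str) -> str:
    """Keep the last four digits so an analyst can confirm a hit without seeing the full value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(doc: str, text: str) -> list[Finding]:
    """Return the validated sensitive-data matches found in one document."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding(doc, "credit_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding(doc, "ssn", "***-**-" + m.group(3)))
    return findings


def scan_docs(docs: dict[str, str]) -> dict[str, list[Finding]]:
    """Discover step: map every document to its findings (an empty list when it is clean)."""
    return {name: classify(name, text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, findings in scan_docs(SAMPLE_DOCS).items():
        status = "clean" if not findings else ", ".join(f"{f.kind}={f.masked}" for f in findings)
        print(f"{name}: {status}")
```

The validation step is what keeps a scanner like this usable: a bare "run of 13 to 19 digits" rule would flag invoice numbers, order ids and phone numbers and bury the real findings. Commercial DLP products add exact-data matching against an HR or customer database and document fingerprinting for source code and contracts, which pattern rules alone cannot express; the structure shown here (discover, validate, report masked) is the same.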
  24. Conclusion
  25. Key Recommendations to Prevent Data Loss During Downsizing
     1 Put appropriate controls and business processes in place before a downsizing event
     2 Increase education and training efforts to remind employees of corporate policies
     3 Leverage DLP technology to protect sensitive data
  26. Questions? Register to receive a copy at:
  27. Thank You. Constantine Karbaliotis, [email_address], 416.402.9873
  28. Appendix: Symantec DLP
  29. What is Data Loss Prevention (DLP)?
     • Where is your confidential data? DISCOVER
     • How is it being used? MONITOR
     • How best to prevent its loss? PROTECT
  30. Key Requirements for DLP
     • DISCOVER
       - Find data wherever it is stored
       - Identify who has access to it
       - Clean up exposed sensitive data
     • MONITOR
       - Understand where data is sent
       - Understand how data is used
       - Gain visibility whether users are on or off the corporate network
     • PROTECT
       - Proactively secure data
       - Prevent confidential data loss
       - Enforce data protection policies
     • MANAGE
       - Create data protection policies
       - Measurably reduce your risk
  31. Protect the Crown Jewels: Pricing Copied to USB
  32. Protect the Crown Jewels: Pricing Copied to USB. Stop it from being copied to USB. Notify user. Launch investigation.
  33. Protect Sensitive Data, even at a Cafe: Sensitive Data Sent via Webmail. Block the email or gmail, on or off the corporate network.
  34. Keep the Competition Guessing: Protect Intellectual Property From Being Sent. Protect your IP. Automatically notify users of policy violations.
  35. Secure Your Secret Sauce: Copy/Paste of Source Code. Block the copy/paste action. Notify user in real-time.
  36. Safeguard Your Customer Records: Print/Fax of Customer Data. Prevent the document from being printed or faxed. Notify user in real-time.
  37. Executive Dashboards and Reporting
  38. Continuous Risk Reduction (chart: "Risk Reduction Over Time", incidents per week on the vertical axis from 0 to 1000, labels Remediation, Notification, Prevention, Baseline)
  39. Measurable Results (figures shown on slide: 70%, 98%, 80%)
     • Healthcare: protect patient data; HIPAA compliance; automate protection
     • Financial Services: financial & customer data; protect brand & customers; employee education
     • Manufacturing: intellectual property; competitive advantage; detection technology
  40. Endpoint Data Protection for Mobile Employees (+1,700 employees)
     • Monitor email and web traffic for CCNs and SSNs
     • Automatically notify employees of policy violations
     • Demonstrate compliance with GLBA and PCI
     • Prevent data loss with minimal impact to users
     • Stop unauthorized copying of files to USB drives and CDs