Data Loss During Downsizing: As Employees Exit, So Does Corporate Data
Constantine Karbaliotis, LL.B., CIPP/C/IT
Information Privacy Lead
Information Security Services - Symantec Services Group
Quick Survey
Agenda
  1. What is the risk of data loss in a down economy?
  2. What are the repercussions?
  3. How can you proactively protect your data?
What Happens to Data in a Down Economy?
Not Your Organization, Right?
Survey Sample
  • 945 respondents across US regions and industries
  • Corporate IT and sales were the largest functions represented
  • Financial services represents the largest industry segment
  • Surveyed all levels, from intern to executive
  • 28% of respondents at or above the supervisory level
  • Average job experience was 8.11 years
  • Average time at previous employer was 2.87 years
As employees exit, so does corporate data:
  • 59% of ex-employees took company data, including:
      • customer lists
      • employee records
      • non-financial information
  • 68% used or planned to use stolen data at a new or future employer
  • Most common methods to take data:
      • downloaded to CD/DVD: 53%
      • copied to USB drives: 42%
      • sent to personal email: 38%
Types of Data Susceptible to Theft
For those who said yes
Key Take-Aways
  • Ex-employees are leaving with data at a high rate
  • Organizations need to revisit business processes
  • Data loss during downsizing is preventable
What are the Repercussions?
Data Loss Is A Growing Concern
  • 59%: the percentage of ex-employees who took company data in 2008
  • $6.7 Million: the average cost to remediate a data breach for US companies in 2008
  • 83 Million: the total number of consumer records in publicly reported data breaches in 2008
  • #1 Priority for Chief Information Security Officers
Public Examples of Theft of Data
How can the problem be fixed – a strategic approach
Governance
  • Corporate governance: establish appropriate governance, policies, and procedures to protect your data
  • Important to state that protection of data is not only a corporate responsibility but a job responsibility
  • Separation of duties: for instance, DBAs should not be able to alter logging of accesses, and those in charge of monitoring should be unable to control databases themselves
  • Documenting security and privacy efforts:
      • Allows regulators to assess compliance activities and recognize failures as human error rather than systemic problems
      • Allows the organization to defend against possible claims
Making Data Protection part of the job…
  • Staff and contractors:
      • Ensure staff have privacy and confidentiality as requirements of employment
      • Similarly, provide by contract that contractors adhere to corporate standards
  • Addressing the 'human factor' in risks to protection for an organization:
      • Background checks for staff, especially those in a position to access and alter personal information
      • Privacy and security training for new hires and on a regular basis, including recording the fact of such training
      • Make security and privacy protection part of job descriptions, and part of performance objectives
Technology Controls
  • Technology strategies have to be redundant:
      • Encryption of sensitive data
      • Effective means to prevent malicious individuals from accessing and taking corporate data, either at the perimeter (firewalls, intrusion detection) or through malicious software (anti-virus, anti-spyware)
      • Understanding what is going on: effective logging and auditing of activities on systems and networks
      • Effective access controls: “need to know”
  • But many organisations already have these in place, so why does this data loss keep happening?
      • Failure to effectively enforce policies, standards, access controls
      • Legacy systems
      • Webmail, PDAs and USB drives have altered the landscape of how data ‘leaks’
Content Controls
  • Organizations need to enforce more effective content controls: it’s the content that is important
  • Data loss prevention (DLP) technology has the ability to prevent the deliberate or accidental loss of corporate data, through its ability to recognize the characteristics of personal data:
      • Credit card numbers
      • Social security or other national identifiers
      • Employee data such as salary or other sensitive data
      • Financial data
      • Source code
      • Confidential client information
How Do You Protect Your Data?
  • Data loss during downsizing is preventable
  • Find where sensitive data resides
  • Understand how it is being used
  • Prevent it from being downloaded, copied or sent outside the company:
      • downloads to CD/DVD
      • copying to USB drives
      • emails to webmail
Conclusion
Key Recommendations to Prevent Data Loss During Downsizing
  1. Put appropriate controls and business processes in place before a downsizing event
  2. Increase education and training efforts to remind employees of corporate policies
  3. Leverage DLP technology to protect sensitive data
Register to receive a copy at: https://www4.symantec.com/Vrt/offer?a_id=78695
Questions?
Thank You Constantine Karbaliotis  [email_address] 416.402.9873
Appendix: Symantec DLP
What is Data Loss Prevention?
DATA LOSS PREVENTION (DLP)
  • DISCOVER: Where is your confidential data?
  • MONITOR: How is it being used?
  • PROTECT: How best to prevent its loss?
Key Requirements for DLP
  • DISCOVER
      • Find data wherever it is stored
      • Identify who has access to it
      • Clean up exposed sensitive data
  • MONITOR
      • Understand where data is sent
      • Understand how data is used
      • Gain visibility whether users are on or off corporate network
  • PROTECT
      • Proactively secure data
      • Prevent confidential data loss
      • Enforce data protection policies
  • MANAGE
      • Create data protection policies
      • Measurably reduce your risk
Protect the Crown Jewels
  • Pricing Copied to USB
  • Stop it from being copied to USB. Notify user. Launch investigation.
Protect Sensitive Data… even at a Cafe
  • Sensitive Data Sent via Webmail
  • Block the email or Gmail. On or off the corporate network.
Keep the Competition Guessing
  • Protect Intellectual Property From Being Sent
  • Protect your IP. Automatically notify users of policy violations.
Secure Your Secret Sauce
  • Copy/Paste of Source Code
  • Block the copy/paste action. Notify user in real-time.
Safeguard Your Customer Records
  • Print/Fax of Customer Data
  • Prevent the document from being printed or faxed. Notify user in real-time.
Executive Dashboards and Reporting
Continuous Risk Reduction
  [Chart: Risk Reduction Over Time. Incidents per week (axis 0 to 1000) from Baseline through Remediation, Notification and Prevention.]
Measurable Results
  • Protect Patient Data; HIPAA Compliance; Automate protection
  • Intellectual Property; Competitive advantage; Detection technology
  • 70%, 98%, 80%
  • Financial & Customer data; Protect brand & customers; Employee education
  • Healthcare, Financial Services, Manufacturing
Endpoint Data Protection for Mobile Employees
  • Monitor email and web traffic for CCNs and SSNs
  • Automatically notify employees of policy violations
  • Demonstrate compliance with GLBA and PCI
  • Prevent data loss with minimal impact to users, +1,700 employees
  • Stop unauthorized copying of files to USB drives and CDs
