Humans Are The Weakest Link – How DLP Can Help

Valery Boronin, Director DLP Research
Vera Trubacheva, System Analyst
DLP Research, R&D, Kaspersky Lab
February 3, 2012
Cancun, Mexico, Ritz-Carlton Hotel
Agenda

1. DLP to date
2. Key challenge
3. User awareness
   1. What is it?
   2. Why is it required?
   3. How to raise it?
   4. How could DLP help?
4. Q&A
DLP to date

Customers want:          Customers receive:
1. Easy                  1. Complicated
2. Convenient            2. Inconvenient
3. Reliable              3. Unreliable
4. Cheap                 4. Expensive

"Gartner research estimates that more than 800 technology vendors and other providers currently have data security offerings. Numerous nontechnical controls are also available. The difficulty of understanding all these options, their benefits and their challenges tends to lead to enterprises using limited subsets of the available tools and having serious gaps in controls and risk mitigation."
Source: Typical Elements of an Enterprise Data Security Program, Gartner, Aug 2009

SAS 2012, DLP Research, Kaspersky Lab, February 3, 2012
Key Challenge is the Complexity

[Diagram labels: Technologies; Expertise & Tools; Data; Luxury; Protection; People; Processes]
Accusation against DLP 1.0

No user awareness in DLP 1.0
Claim 1: Raising user awareness.
Claim 2: Control of education efficiency.

Mock trial
What is user awareness?

User awareness is making users aware of information security policies, threats and mitigating controls.

[Diagram labels: Security education; Childhood; Work]
Why is user awareness required?

1. It is required by law (see Appendix 1).

2. To protect the weakest link in security – the human.
Why is user awareness required? Evidence 1

Guess what this is:
• 12345
• qwerty
• 11111
• abc123
• admin
Why is user awareness required? Evidence 2

[Image only]
Why is user awareness required? Evidence 3

The weakest link in security is human!

Security incidents:
• 100%: the target of all successful APT attacks is a user (Mandiant)
• 90%: exploits need user interaction (Symantec)
• 75%: human factor
• 60%: accidental mistakes (InfoWatch)
Why is user awareness required?

3. To reduce huge costs!
• $7.2 billion per data breach in 2010
• $56,165 for a lost notebook in 2010

You could buy a yacht like this for one data breach.
How to raise user awareness?

1. Recognize the problem
2. Get top management support
3. Know your data
4. Prepare clear, simple instructions
What to teach?

1. Security basics
2. Corporate policy rules
3. Incident response

How to teach?

Use different ways (see Appendix 2).
Key Factors

1. Explain
2. Measure results before and after
3. Explain the consequences of secure and insecure behavior
Members of the Jury: Time for Action

Poll of the Jury

Court Decision: Verdict

DLP 1.0 must
1. Raise user awareness
2. Control education efficiency
Humans Are The Weakest Link – How DLP Can Help

Thank you!
Raise User Awareness!

Valery Boronin
Director DLP Research
Kaspersky Lab
Valery.Boronin@kaspersky.com
+7 495 797 8700 x4200

Vera Trubacheva
System Analyst, DLP Research
Kaspersky Lab
Vera.Trubacheva@kaspersky.com
+7 495 797 8700 x4201
Appendix 1

For compliance with laws and regulations:
• Payment Card Industry Data Security Standard (PCI DSS)
• Federal Information System Security Managers Act (FISMA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Sarbanes-Oxley Act (SOX)
• EU Data Protection Directive
• National Institute of Standards and Technology (NIST 800-53)
• International Organization for Standardization: ISO/IEC 27001 & 27002
• Control Objectives for Information and Related Technology (CoBiT 4.1)
• Red Flag Identity Theft Prevention
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Management of Federal Information Resources (OMB Circular A-130)
• Some state breach notification laws (i.e. Massachusetts 201 CMR 17.00)
• Standard of the Bank of Russia for Ensuring Information Security of Organizations of the Banking System of the Russian Federation (STO BR IBBS)
Appendix 2

Security topics:
• E-mail etiquette
• Social engineering
• Clean desk
• Protecting sensitive information
• Strong passwords
• Data owners
• Internet
• Identity theft
• Personal use
• Protecting data
• Mobile security
Appendix 3

Sources of Awareness Material:
• CERT
• Ponemon Institute
• ISSA
• The University of Arizona
• NIST SP 800-50 and NIST SP 800-16
• SANS (presentations, Security Awareness Newsletters, training)
• InfoSecurityLab (posters, wallpapers & screensavers, newsletters)


Editor's Notes

  • #2 Valery brings a funny toy to the scene & makes it sit. Hello everyone. I am very glad to open Conference Day Two. My name is Valery Boronin and, together <pointing gesture to Vera> with Vera Trubacheva, we represent the DLP Research department at Kaspersky Lab. Antimalware technologies are primarily focused on external threats and have achieved truly outstanding results to date; in many respects this success is due to years of effort by many of you. DLP focuses mainly on internal threats and the technology for this is not yet very mature. But what is common to both is that the weakest link is always the same. Today, together with you, we will talk about the weakest link in security – the human. We will talk about how DLP can help the human.
  • #3 Let's briefly overview the agenda. We will spend a few minutes to figure out customers' expectations in regard to DLP 1.0 <pointing gesture to DLP 1.0 toy>, represented by this funny toy as a personification of DLP technologies to date. Then I'll describe the key challenge for DLP vendors, relate it to the topic and deliver it together with Vera. <pointing gesture to Vera> Let's go!
  • #25 Valery: Dear friends, our performance is finished. Hope you enjoyed it. Thank you very much for your attention!