
Data Security: Why You Need Data Loss Prevention & How to Justify It

With the increasing number of cyber-attacks and incidents seeming to occur weeks/months/years before discovery of a breach, simply securing your perimeter is no longer enough to protect your most critical assets. Privacy breaches are averaging upwards of $200 per record and studies have shown that intellectual property infringement cost the average company $101.9 million in revenues.
Key points addressed include:

• The Impact of Cyber Crime on our Economy
• The Cost Companies are incurring due to Cyber Crime and Data Breaches
• Who are the threat actors?
• What makes up a Data Loss Prevention ecosystem?
• What does a Data Loss Prevention strategy do for me?
• Hidden Benefits of Data Loss Prevention
• Justifying a Data Loss Prevention Strategy


  1. Data Security: Why You Need Data Loss Prevention & How to Justify It
  2. Marc Crudgington, Vice President, Information Security
  3. Agenda: (1) Impact of Cyber Crime on our Economy; (2) Cost Companies are Incurring; (3) Who are the Threat Actors; (4) Data Loss Prevention Strategy; (5) Data Loss Prevention Ecosystem; (6) Hidden Benefits of Data Loss Prevention; (7) Justifying a Data Loss Prevention Strategy
  4. US Economy [chart: Jobs in US Economy, IP Intensive; segments 28%, 8%, 10%, 8%, 46%] *1, 2, 3
  5. Impact on US Industries. IP Intensive: • IP: 70% of value of public companies • Annual losses: estimated over $300B • China: +$107B sales and +2.1M jobs. Finance / Business: • 2013: 856 reported breaches • Q1 2014: 98.3% of data exposed • 37%: Breaches affected the sector. Healthcare: • 43%: ITRC account of breaches • 2013: 8.8M records stolen • 1.8M: Victims of Identity Theft *3, 4, 5
  6. US Economy: Loss Estimates • 1M+ jobs lost and a $200B cost in 2010 • Based on estimate of 5,080 jobs per $1B • 0.5% ($70B) or 1% ($140B) of National Income • Globally - $350B or $700B • Healthcare: $7B for HIPAA 2013 losses • SMBs: 80% file bankruptcy or suffer significant financial losses • S&P 500: $136.5B due to AP Twitter hack *6, 7, 9
  7. Past Data Breaches [timeline: 2011, 2012, 2013, 2014] • Adobe – 152M (IDs, pwd, data) • Epsilon - $4B, names/email • Saudi Aramco – 30,000+ PCs infected • Target – 110M affected; CEO/CIO gone • eBay – 145M credentials *9
  8. Per Record Cost of Breach [chart: years 2014, 2013, 2012, 2011; values $201, $188, $194, $214] *6
  9. Per Cyber Incident Cost. Associated Costs, Enterprises: Incident (Prof Svcs $109k, Bus. Opp. $457k); Prevention (New IT Sec $57k, Training $26k); Total $649k. Associated Costs, SMBs: Incident (Prof Svcs $13k, Bus. Opp. $23k); Prevention (New IT Sec $9k, Training $5k); Total $50k. Attack Type: Targeted (Ent. $2.4M, SMB $92k); Phishing (Ent. $57k, SMB $26k); DDoS (Ent. $57k, SMB $26k) *8
  10. Malicious Cyber Activity • Loss of IP and Confidential Information • Cybercrime • Loss of sensitive business information-stock market manipulation • Opportunity costs, including service and employment disruptions, and reduced trust for online activities • The additional cost of securing networks, insurance, and recovery from cyber attacks • Reputational damage
  11. Malicious Software • Third-party apps 87% of vulnerabilities 2012 • Per day 315,000 new malicious programs • 132 million applications at risk recorded in 2012 • Malicious software – 500,000 devices in 100 seconds though • 58% report IT Security under-resourced • 40% under prepared *8
  12. Threat vs. Risk. Risk (What are your Risks?): Probability: Likelihood; Event happens; Your corporation. Impacts: Outcomes + or -; Event creates; Your corporation. Threat (Who are your Threats?): Cause: Adversary’s determination; Inflict damage; Accept success or failure. Ability: Adversary’s resources; Breach target; Inflict damage.
  13. Threat Actors: Animals, ‘Kids’, and the Guy/Gal sitting next to you. Criminals; Nation-states; Corporations; Hacktivists; Extremists; Insiders
  14. Threat Actors: Animals • Criminals • Associated with Russian Federation, eastern-Euro countries, Global as well • Extort and/or sell data to others • Strategic Web Compromise, Botnets, Phishing,… • Nation-states • Testing war-time capabilities • Spying, stealing, disrupting • SWC, DDoS, Malware,…
  15. Threat Actors: ‘Kids’ • Extremists • Fanatics of ideas that create identity • Create terror or fear • Al-Qaida, Jihad • Hacktivists • Wrong to a group (country, people, ‘under-dog’) • Brazil World Cup, Sochi, Iranian election • Anonymous, LulzSec, AntiSec, others
  16. Threat Actors: Guy/Gal… • Insiders • Greed, hurt by corporation/organization • Expertise – built, admin, system knowledge • Accounts for about 15% of breaches • Corporations • Economic intelligence, sabotage • IP theft, copying, infringement, duplicating • Easier to steal it, not just China (Silicon Valley) *10, 11
  17. DLP Strategy. Result: What do you want to achieve? People: Who are the resources we’ll need? Processes: What’s in place? What’s not in place? Tech.: Minimal disruption with greatest coverage. Leverage: Utilize others for what they know. "In preparing for battle I have always found that plans are useless, but planning is indispensable." ~Dwight D. Eisenhower
  18. DLP Strategy • Result: Align DLP to protection Strategy; KPI’s. Evaluate for comprehensive solutions. Buy-in from key stakeholders. • People: Roles – clearly define them. Data Owners/Users – culture and importance of data. Expertise – internal and external. • Processes: Assess controls and business impact (HR issues). Must have Data Classification program. Supporting Business processes.
  19. DLP Strategy • Technology: Take steps, implement methodically. Next-gen products for maximum coverage. Over estimate. Silver Bullets do not exist. • Leverage: Vendors for implementation expertise. Like companies for solutions. Information sharing groups.
  20. DLP Strategy: Warning Signs • Implement a workforce reduction • Employees regularly export data • Sensitive data resides across enterprise • Outside vendor/contractor accesses sensitive data • Unmonitored/controlled mobile devices • Stock lower, product end, company sale
  21. DLP Ecosystem: Data protection should be… At rest; In motion; On endpoints
  22. DLP Ecosystem [diagram: DLP Program]: Data Governance; Regulatory; Classification; Policies; Tools; Discovery; Training
  23. Benefits of DLP: Flexible Security; Data Visibility; Limit Liability; Cloud and Mobile Prepared for…; Detect Malicious Events; Compliance; Employee Monitoring
  24. Justifying DLP • Bottom-up approach • Discuss with divisions, incremental budget • Present risks • Current and Potential • Utilize security trends • Breach size, frequency, cost • Cost of not having • Quantified vs. Qualified • Due diligence • Assets, strategy, vendors, costs
  25. Justifying DLP • What are the regulatory requirements? • State, federal, industry, customer • Innovation cost • Product development • Present benefits • Internal and external • Thought out Project Plan • Don’t over-sell, over-promise • Use Truth Tactics • Stock price, WSJ articles, C-level firings, Fines, Prison
  26. Do you have any questions?
  27. Thank You!
  28. Bibliography
      1. The State of American Energy 2013 Report, http://www.api.org/~/media/Files/Policy/SOAE-2013/SOAE-Report-2013.pdf
      2. Select USA, Commerce.gov, Industry Snapshots, http://selectusa.commerce.gov/industry-snapshots
      3. The IP Commission Report, National Bureau of Asian Research, May 2013
      4. Financial Institutions Privacy and Security – 2013 Year in Review, January 7, 2014, Anne Foster and Gerald Ferguson, Data Privacy Monitor
      5. 2014 Data Breach Industry Forecast, Experian
      6. 2014 Ponemon Study
      7. The Economic Impact of Cybercrime and Cyber Espionage, McAfee, July 2013
      8. IT Security by the Numbers: Calculating the Total Cost of Protection, Kaspersky Lab
      9. Counting the Cost: A Meta-analysis of the Cost of Ineffective Business Continuity, The Business Continuity Institute, Patrick Alcantara, 2014, www.bcifiles.com/BCI-CountingtheCost.pdf
      10. CrowdStrike Global Threat Report: 2013 Year in Review, CrowdStrike
      11. Verizon 2014 Data Breach Investigations Report, Verizon Corp, 2014