With the increasing number of cyber-attacks, and with incidents often occurring weeks, months or even years before the breach is discovered, simply securing your perimeter is no longer enough to protect your most critical assets. Privacy breaches are averaging upwards of $200 per record, and studies have shown that intellectual property infringement costs the average company $101.9 million in revenues.
Key points addressed include:
• The Impact of Cyber Crime on our Economy
• The Cost Companies are incurring due to Cyber Crime and Data Breaches
• Who are the threat actors?
• What makes up a Data Loss Prevention ecosystem?
• What does a Data Loss Prevention strategy do for me?
• Hidden Benefits of Data Loss Prevention
• Justifying a Data Loss Prevention Strategy
3. Agenda
1. Impact of Cyber Crime on our Economy
2. Cost Companies are Incurring
3. Who are the Threat Actors
4. Data Loss Prevention Strategy
5. Data Loss Prevention Ecosystem
6. Hidden Benefits of Data Loss Prevention
7. Justifying a Data Loss Prevention Strategy
5. Impact on US Industries
IP Intensive
• IP: 70% of value of public companies
• Annual losses: estimated over $300B
• China: +$107B sales and +2.1M jobs
Finance / Business
• 2013: 856 reported breaches
• Q1 2014: 98.3% of data exposed
• 37%: Breaches affected the sector
Healthcare
• 43%: ITRC account of breaches
• 2013: 8.8M records stolen
• 1.8M: Victims of Identity Theft
*3, 4, 5
6. US Economy: Loss Estimates
• 1M+ jobs lost and a $200B cost in 2010
• Based on estimate of 5,080 jobs per $1B
• 0.5% ($70B) or 1% ($140B) of National Income
• Globally - $350B or $700B
• Healthcare: $7B for HIPAA 2013 losses
• SMBs: 80% file bankruptcy or suffer significant financial losses
• S&P 500: $136.5B due to AP Twitter hack
*6, 7, 9
8. Per Record Cost of Breach
2014: $201
2013: $188
2012: $194
2011: $214
*6
9. Per Cyber Incident Cost
Associated Costs
Enterprises
Incident
- Prof Svcs $109k
- Bus. Opp. $457k
Prevention
- New IT Sec $57k
- Training $26k
Total $649k
SMB’s
Incident
- Prof Svcs $13k
- Bus. Opp. $23k
Prevention
- New IT Sec $9k
- Training $5k
Total $50k
Attack Type
Targeted
- Ent. $2.4M
- SMB $92k
Phishing
- Ent. $57k
- SMB $26k
DDoS
- Ent. $57k
- SMB $26k
*8
10. Malicious Cyber Activity
• Loss of IP and Confidential Information
• Cybercrime
• Loss of sensitive business information - stock market manipulation
• Opportunity costs, including service and employment disruptions, and reduced trust for online activities
• The additional cost of securing networks, insurance, and recovery from cyber attacks
• Reputational damage
11. Malicious Software
• Third-party apps: 87% of vulnerabilities in 2012
• Per day: 315,000 new malicious programs
• 132 million applications at risk recorded in 2012
• Malicious software – 500,000 devices in 100 seconds
Though:
• 58% report IT Security under-resourced
• 40% under prepared
*8
12. Threat vs. Risk
Risk
Probability
- Likelihood the event happens to your corporation
Impacts
- Outcomes (+ or -) the event creates for your corporation
What are your Risks?
Threat
Cause
- Adversary’s determination to inflict damage
- Accept success or failure
Ability
- Adversary’s resources to breach target and inflict damage
Who are your Threats?
14. Threat Actors: Animals
• Criminals
  - Associated with Russian Federation, eastern-Euro countries, Global as well
  - Extort and/or sell data to others
  - Strategic Web Compromise, Botnets, Phishing, …
• Nation-states
  - Testing war-time capabilities
  - Spying, stealing, disrupting
  - SWC, DDoS, Malware, …
15. Threat Actors: ‘Kids’
• Extremists
  - Fanatics of ideas that create identity
  - Create terror or fear
  - Al-Qaida, Jihad
• Hacktivists
  - Wrong to a group (country, people, ‘under-dog’)
  - Brazil World Cup, Sochi, Iranian election
  - Anonymous, LulzSec, AntiSec, others
16. Threat Actors: Guy/Gal…
• Insiders
  - Greed, hurt by corporation/organization
  - Expertise – built, admin, system knowledge
  - Accounts for about 15% of breaches
• Corporations
  - Economic intelligence, sabotage
  - IP theft, copying, infringement, duplicating
  - Easier to steal it, not just China (Silicon Valley)
*10, 11
17. DLP Strategy: Result, People, Processes, Technology, Leverage
• What do you want to achieve?
• Who are the resources we’ll need?
• What’s in place? What’s not in place?
• Minimal disruption with greatest coverage
• Utilize others for what they know
“In preparing for battle I have always found that plans are useless, but planning is indispensable.” ~Dwight D. Eisenhower
18. DLP Strategy
• Result
  - Align DLP to protection Strategy; KPI’s
  - Evaluate for comprehensive solutions
  - Buy-in from key stakeholders
• People
  - Roles – clearly define them
  - Data Owners/Users – culture and importance of data
  - Expertise – internal and external
• Processes
  - Assess controls and business impact (HR issues)
  - Must have Data Classification program
  - Supporting Business processes
19. DLP Strategy
• Technology
  - Take steps, implement methodically
  - Next-gen products for maximum coverage
  - Over estimate
  - Silver Bullets do not exist
• Leverage
  - Vendors for implementation expertise
  - Like companies for solutions
  - Information sharing groups
20. DLP Strategy
Warning Signs
• Implement a workforce reduction
• Employees regularly export data
• Sensitive data resides across enterprise
• Outside vendor/contractor accesses sensitive data
• Unmonitored/uncontrolled mobile devices
• Stock lower, product end, company sale
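Two of the warning signs above (employees regularly exporting data, and outside contractors touching sensitive data) can be turned into simple checks over an export audit log. This is an added illustration, not part of the presentation; the log records, the role and classification labels, and the thresholds are all constructed assumptions.

```python
"""Hypothetical DLP warning-sign checks over a constructed export audit log.
Assumes a data classification program already labels exported items."""
from collections import defaultdict
from statistics import median

# Constructed records: (user, role, classification, megabytes exported)
EXPORT_LOG = [
    ("alice", "employee", "internal", 12),
    ("alice", "employee", "internal", 15),
    ("alice", "employee", "internal", 11),
    ("alice", "employee", "confidential", 400),  # spike vs. her own baseline
    ("bob", "employee", "internal", 9),
    ("bob", "employee", "internal", 10),
    ("carol", "contractor", "confidential", 8),  # outside party, sensitive data
    ("dave", "employee", "public", 200),
]


def export_spikes(log, factor=5.0, min_events=3):
    """Flag users whose largest export is at least `factor` times their own
    median export size. A per-user baseline keeps heavy-but-regular exporters
    (a normal part of many roles) from drowning the genuinely unusual ones.
    Returns {user: (baseline_mb, peak_mb)}."""
    per_user = defaultdict(list)
    for user, _role, _classification, megabytes in log:
        per_user[user].append(megabytes)
    flagged = {}
    for user, sizes in per_user.items():
        if len(sizes) < min_events:   # too little history for a baseline
            continue
        baseline, peak = median(sizes), max(sizes)
        if baseline > 0 and peak >= factor * baseline:
            flagged[user] = (baseline, peak)
    return flagged


def contractor_sensitive_access(log):
    """Return contractor accounts that exported confidential data at all;
    for an outside party the first such export is already worth a review."""
    return sorted({user for user, role, classification, _ in log
                   if role == "contractor" and classification == "confidential"})


if __name__ == "__main__":
    print("export spikes:", export_spikes(EXPORT_LOG))
    print("contractors with confidential exports:", contractor_sensitive_access(EXPORT_LOG))
```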
24. Justifying DLP
• Bottom-up approach
  - Discuss with divisions, incremental budget
• Present risks
  - Current and Potential
• Utilize security trends
  - Breach size, frequency, cost
• Cost of not having
  - Quantified vs. Qualified
• Due diligence
  - Assets, strategy, vendors, costs
25. Justifying DLP
• What are the regulatory requirements?
  - State, federal, industry, customer
• Innovation cost
  - Product development
• Present benefits
  - Internal and external
• Thought out Project Plan
  - Don’t over-sell, over-promise
• Use Truth Tactics
  - Stock price, WSJ articles, C-level firings, Fines, Prison
28. Bibliography
1. The State of American Energy 2013 Report, http://www.api.org/~/media/Files/Policy/SOAE-2013/SOAE-Report-2013.pdf
2. Select USA, Commerce.gov, Industry Snapshots, http://selectusa.commerce.gov/industry-snapshots
3. The IP Commission Report, National Bureau of Asian Research, May 2013
4. Financial Institutions Privacy and Security – 2013 Year in Review, Anne Foster and Gerald Ferguson, Data Privacy Monitor, January 7, 2014
5. 2014 Data Breach Industry Forecast, Experian
6. 2014 Ponemon Study
7. The Economic Impact of Cybercrime and Cyber Espionage, McAfee, July 2013
8. IT Security by the Numbers: Calculating the Total Cost of Protection, Kaspersky Lab
9. Counting the Cost: A Meta-analysis of the Cost of Ineffective Business Continuity, Patrick Alcantara, The Business Continuity Institute, 2014, www.bcifiles.com/BCI-CountingtheCost.pdf
10. CrowdStrike Global Threat Report: 2013 Year in Review, CrowdStrike
11. Verizon 2014 Data Breach Investigations Report, Verizon Corp, 2014