Data Loss During Downsizing

Data Loss During Downsizing: As Employees Exit, So Does Corporate Data
Constantine Karbaliotis, LL.B., CIPP/C/IT, Information Privacy Lead, Information Security Services - Symantec Services Group

Description: Preventing data loss during downsizing. Delivered at the IAPP Practical Privacy Series, Santa Clara CA, June 2009.

Transcript of Data Loss During Downsizing

Page 1: Data Loss During Downsizing

Data Loss During Downsizing: As Employees Exit, So Does Corporate Data

Constantine Karbaliotis, LL.B., CIPP/C/IT, Information Privacy Lead, Information Security Services - Symantec Services Group

Page 2: Data Loss During Downsizing

Quick Survey

Page 3: Data Loss During Downsizing


Agenda

What is the risk of data loss in a down economy?

What are the repercussions?

How can you proactively protect your data?


Page 4: Data Loss During Downsizing

What Happens to Data in a Down Economy?

Page 5: Data Loss During Downsizing


Not Your Organization, Right?

Page 6: Data Loss During Downsizing

Survey Sample

• 945 respondents across US regions and industries
  – Corporate IT and sales were the largest functions represented
  – Financial services represents the largest industry segment
• Surveyed all levels, from intern to executive
  – 28% of respondents at or above the supervisory level
  – Average job experience was 8.11 years
  – Average time at previous employer was 2.87 years

Page 7: Data Loss During Downsizing

As employees exit, so does corporate data:

• 59% of ex-employees took company data, including:
  – customer lists
  – employee records
  – non-financial information
• 68% used or planned to use stolen data at a new or future employer

Most common methods to take data:
• downloaded to CD/DVD: 53%
• copied to USB drives: 42%
• sent to personal email: 38%

Page 8: Data Loss During Downsizing

More than half of ex-employees took data

• Yes: 59%
• No: 41%

Page 9: Data Loss During Downsizing

Types of Data Susceptible to Theft

Page 10: Data Loss During Downsizing

Page 11: Data Loss During Downsizing

Close to 70% used or planned to use stolen data at a new or future employer

[Bar chart, for those who said yes they took data: "Did you obtain a new job?", "Used data to secure new position", "Will use data at future employer"; values shown: 68%, 67%, 69%]

Page 12: Data Loss During Downsizing

Most employers DO NOT perform a review or audit prior to an employee leaving

[Bar chart: Yes / No / Can't recall; values shown: 82%, 4%, 15%]

Page 13: Data Loss During Downsizing

Unhappy ex-employees are more likely to take data

[Bar chart: "Took data" vs. "Did not take data", split by "Favorable view" vs. "Unfavorable view" of the former employer; values shown: 13%, 57%, 61%, 20%]

Page 14: Data Loss During Downsizing

Key Take-Aways

• Ex-employees are leaving with data at a high rate

• Organizations need to revisit business processes

• Data loss during downsizing is preventable


Page 15: Data Loss During Downsizing

What are the Repercussions?

Page 16: Data Loss During Downsizing

Data Loss Is A Growing Concern

• 59%: the percentage of ex-employees who took company data in 2008
• $6.7 million: the average cost to remediate a data breach for US companies in 2008
• 83 million: the total number of consumer records in publicly reported data breaches in 2008
• #1 priority for Chief Information Security Officers

Page 17: Data Loss During Downsizing

Public Examples of Theft of Data


Page 18: Data Loss During Downsizing

How can the problem be fixed – a strategic approach

Page 19: Data Loss During Downsizing

Governance

• Corporate governance:
  – Establish appropriate governance, policies, and procedures to protect your data
  – State explicitly that protection of data is not only a corporate responsibility but a job responsibility
• Separation of duties:
  – For instance, DBAs should not be able to alter the logging of accesses, and those in charge of monitoring should be unable to control the databases themselves
• Documenting security and privacy efforts:
  – Allows regulators to assess compliance activities and to recognize failures as human error rather than systemic problems
  – Gives the organization a defense against possible claims

Page 20: Data Loss During Downsizing

Making Data Protection Part of the Job

• Staff and contractors:
  – Ensure staff have privacy and confidentiality as requirements of employment
  – Similarly, provide by contract that contractors adhere to corporate standards
• Addressing the 'human factor' in risks to an organization's data protection:
  – Background checks for staff, especially those in a position to access and alter personal information
  – Privacy and security training for new hires and on a regular basis, including recording the fact of such training
  – Make security and privacy protection part of job descriptions and part of performance objectives

Page 21: Data Loss During Downsizing

Technology Controls

Technology strategies have to be redundant (layered, so that no single control is relied on):
• Encryption of sensitive data
• Effective means to prevent malicious individuals from accessing and taking corporate data, either at the perimeter (firewalls, intrusion detection) or through malicious software (anti-virus, anti-spyware)
• Understanding what is going on: effective logging and auditing of activities on systems and networks
• Effective access controls: "need to know"

But many organisations already have these in place, so why does this data loss keep happening?
• Failure to effectively enforce policies, standards, and access controls
• Legacy systems
• Webmail, PDAs and USB drives have altered the landscape of how data 'leaks'

Page 22: Data Loss During Downsizing

Content Controls

• Organizations need to enforce more effective content controls: it is the content that matters, not the channel
• Data loss prevention (DLP) technology can prevent the deliberate or accidental loss of corporate data through its ability to recognize the characteristics of personal and other sensitive data:
  – Credit card numbers
  – Social security or other national identifiers
  – Employee data such as salary or other sensitive data
  – Financial data
  – Source code
  – Confidential client information

Page 23: Data Loss During Downsizing

How Do You Protect Your Data?

Data loss during downsizing is preventable:
1. Find where sensitive data resides
2. Understand how it is being used
3. Prevent it from being downloaded, copied or sent outside the company:
   • downloads to CD/DVD
   • copying to USB drives
   • emails to webmail
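The recognition step the deck credits to DLP technology (page 22) and the "prevent it from being sent outside the company" step above both rest on one capability: telling real sensitive identifiers apart from the digit strings that litter ordinary traffic. The following is an added example written for this page, not code from the deck and not Symantec DLP: it scans outbound text for credit card numbers and US Social Security numbers, and applies the Luhn check and the SSA's never-issued SSN ranges (area 000, 666 or 900-999; group 00; serial 0000) to discard look-alikes such as order numbers and placeholder SSNs that a bare pattern match would flag. The sample messages and the block/allow policy are constructed for the example.

```python
"""Minimal content-aware DLP check for outbound text: credit card numbers
(CCNs) and US Social Security numbers (SSNs), with validity checks to cut
false positives. Illustrative code, not Symantec DLP."""
import re
from typing import Dict, List, Tuple

# Constructed sample messages (not from the deck).
SAMPLES: Dict[str, str] = {
    "ok": "Lunch at 12:30, call me on 416-555-0100, order #1234567812345678 shipped.",
    "ccn": "Card on file: 4111 1111 1111 1111, exp 06/11.",
    "ssn": "Employee file for J. Doe, SSN 123-45-6789, salary band 4.",
    "fake_ssn": "Test account uses placeholder SSN 987-65-4320.",
}

# Candidate CCN: 13-19 digits, optionally separated by single spaces or dashes.
CCN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Candidate SSN in the canonical AAA-GG-SSSS layout.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most arbitrary digit strings (order IDs, etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for each validated match, CCNs first then SSNs.

    Values are masked before they leave this function so that the DLP
    incident record itself does not become a second copy of the data.
    """
    findings: List[Tuple[str, str]] = []
    for m in CCN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("CCN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_CANDIDATE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append(("SSN", "***-**-" + m.group(3)))
    return findings


def decide(text: str) -> str:
    """Toy policy action: block when any validated CCN or SSN is present."""
    return "block" if scan(text) else "allow"


def report() -> Dict[str, str]:
    """Policy decision for every constructed sample, keyed by sample name."""
    return {name: decide(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:9s} {decide(text):5s} {scan(text)}")
```

Two caveats worth carrying into a real deployment: the candidate pattern is greedy, so two sensitive numbers written back to back with single separators can fuse into one candidate that fails the Luhn check, which a production engine avoids by testing every window of a digit run; and validity checks only prune false positives, they do not find data that is not formatted as an identifier at all (source code, pricing sheets, client lists), which is why the appendix slides pair pattern matching with document fingerprinting and endpoint hooks for USB, clipboard and print.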

Page 24: Data Loss During Downsizing

Conclusion

Page 25: Data Loss During Downsizing

Key Recommendations to Prevent Data Loss During Downsizing

1. Put appropriate controls and business processes in place before a downsizing event
2. Increase education and training efforts to remind employees of corporate policies
3. Leverage DLP technology to protect sensitive data

Page 26: Data Loss During Downsizing

Register to receive a copy at: https://www4.symantec.com/Vrt/offer?a_id=78695

Questions?

Page 27: Data Loss During Downsizing

Thank You

Constantine Karbaliotis

[email protected]

416.402.9873

Page 28: Data Loss During Downsizing

Appendix: Symantec DLP

Page 29: Data Loss During Downsizing

What is Data Loss Prevention?

DATA LOSS PREVENTION (DLP)
• DISCOVER: Where is your confidential data?
• MONITOR: How is it being used?
• PROTECT: How best to prevent its loss?

Page 30: Data Loss During Downsizing

Key Requirements for DLP

MANAGE
• Create data protection policies
• Measurably reduce your risk

DISCOVER
• Find data wherever it is stored
• Identify who has access to it
• Clean up exposed sensitive data

MONITOR
• Understand where data is sent
• Understand how data is used
• Gain visibility whether users are on or off the corporate network

PROTECT
• Proactively secure data
• Prevent confidential data loss
• Enforce data protection policies

Page 31: Data Loss During Downsizing

Protect the Crown Jewels: Pricing Copied to USB

Page 32: Data Loss During Downsizing

Protect the Crown Jewels: Pricing Copied to USB

Stop it from being copied to USB. Notify user. Launch investigation.

Page 33: Data Loss During Downsizing

Protect Sensitive Data... even at a Cafe: Sensitive Data Sent via Webmail

Block the email or gmail, on or off the corporate network.

Page 34: Data Loss During Downsizing

Keep the Competition Guessing: Protect Intellectual Property From Being Sent

Protect your IP. Automatically notify users of policy violations.

Page 35: Data Loss During Downsizing

Secure Your Secret Sauce: Copy/Paste of Source Code

Block the copy/paste action. Notify user in real time.

Page 36: Data Loss During Downsizing

Safeguard Your Customer Records: Print/Fax of Customer Data

Prevent the document from being printed or faxed. Notify user in real time.

Page 37: Data Loss During Downsizing

Executive Dashboards and Reporting

Page 38: Data Loss During Downsizing

Continuous Risk Reduction

[Chart: Risk Reduction Over Time; y-axis: Incidents Per Week (0 to 1000); phases from left to right: Baseline, Remediation, Notification, Prevention]

Page 39: Data Loss During Downsizing

Measurable Results

Healthcare
• Protect patient data
• HIPAA compliance
• Automate protection

Financial Services
• Financial & customer data
• Protect brand & customers
• Employee education

Manufacturing
• Intellectual property
• Competitive advantage
• Detection technology

[Risk-reduction figures shown on the slide: 70%, 98%, 80%]

Page 40: Data Loss During Downsizing

Endpoint Data Protection for Mobile Employees

• Monitor email and web traffic for CCNs and SSNs
• Automatically notify employees of policy violations
• Demonstrate compliance with GLBA and PCI
• Prevent data loss with minimal impact to users, 1,700+ employees
• Stop unauthorized copying of files to USB drives and CDs