
Data Security: Why You Need Data Loss Prevention & How to Justify It

Date post: 18-Nov-2014
Upload: marc-crudgington
Description:
With the increasing number of cyber-attacks, and with incidents seeming to occur weeks/months/years before the breach is discovered, simply securing your perimeter is no longer enough to protect your most critical assets. Privacy breaches are averaging upwards of $200 per record, and studies have shown that intellectual property infringement costs the average company $101.9 million in revenues. Key points addressed include:
• The Impact of Cyber Crime on our Economy
• The Cost Companies are incurring due to Cyber Crime and Data Breaches
• Who are the threat actors?
• What makes up a Data Loss Prevention ecosystem?
• What does a Data Loss Prevention strategy do for me?
• Hidden Benefits of Data Loss Prevention
• Justifying a Data Loss Prevention Strategy
Transcript
Page 1: Data Security: Why You Need Data Loss Prevention & How to Justify It

Data Security: Why You Need Data Loss Prevention & How to Justify It

Page 2: Data Security: Why You Need Data Loss Prevention & How to Justify It

Marc Crudgington
Vice President, Information Security

Page 3: Data Security: Why You Need Data Loss Prevention & How to Justify It

Agenda
1. Impact of Cyber Crime on our Economy
2. Cost Companies are Incurring
3. Who are the Threat Actors
4. Data Loss Prevention Strategy
5. Data Loss Prevention Ecosystem
6. Hidden Benefits of Data Loss Prevention
7. Justifying a Data Loss Prevention Strategy

Page 4: Data Security: Why You Need Data Loss Prevention & How to Justify It

US Economy

[Pie chart: Jobs in US Economy. Legend: IP Intensive, Finance, Healthcare, Energy, Other. Values shown: 28%, 8%, 10%, 8%, 46%]

*1, 2, 3

Page 5: Data Security: Why You Need Data Loss Prevention & How to Justify It

Impact on US Industries

IP Intensive
• IP: 70% of value of public companies
• Annual losses: estimated over $300B
• China: +$107B sales and +2.1M jobs

Finance / Business
• 2013: 856 reported breaches
• Q1 2014: 98.3% of data exposed
• 37%: Breaches affected the sector

Healthcare
• 43%: ITRC account of breaches
• 2013: 8.8M records stolen
• 1.8M: Victims of Identity Theft

*3, 4, 5

Page 6: Data Security: Why You Need Data Loss Prevention & How to Justify It

US Economy: Loss Estimates

• 1M+ jobs lost and a $200B cost in 2010
• Based on estimate of 5,080 jobs per $1B
• 0.5% ($70B) or 1% ($140B) of National Income
• Globally - $350B or $700B
• Healthcare: $7B for HIPAA 2013 losses
• SMBs: 80% file bankruptcy or suffer significant financial losses
• S&P 500: $136.5B due to AP Twitter hack

*6, 7, 9

Page 7: Data Security: Why You Need Data Loss Prevention & How to Justify It

Past Data Breaches

[Timeline: 2011, 2012, 2013, 2014]
• Adobe – 152M (IDs, pwd, data)
• Epsilon - $4B, names/email
• Saudi Aramco – 30,000+ PCs infected
• Target – 110M affected; CEO/CIO gone
• eBay – 145M credentials

*9

Page 8: Data Security: Why You Need Data Loss Prevention & How to Justify It

Per Record Cost of Breach

[Chart: per-record cost of breach by year. Years shown: 2014, 2013, 2012, 2011. Values shown: $201, $188, $194, $214]

*6

Page 9: Data Security: Why You Need Data Loss Prevention & How to Justify It

Per Cyber Incident Cost: Associated Costs

Enterprises
• Incident
  - Prof Svcs: $109k
  - Bus. Opp.: $457k
• Prevention
  - New IT Sec: $57k
  - Training: $26k
• Total: $649k

SMBs
• Incident
  - Prof Svcs: $13k
  - Bus. Opp.: $23k
• Prevention
  - New IT Sec: $9k
  - Training: $5k
• Total: $50k

Attack Type
• Targeted
  - Ent.: $2.4M
  - SMB: $92k
• Phishing
  - Ent.: $57k
  - SMB: $26k
• DDoS
  - Ent.: $57k
  - SMB: $26k

*8

Page 10: Data Security: Why You Need Data Loss Prevention & How to Justify It

Malicious Cyber Activity

• Loss of IP and Confidential Information
• Cybercrime
• Loss of sensitive business information-stock market manipulation
• Opportunity costs, including service and employment disruptions, and reduced trust for online activities
• The additional cost of securing networks, insurance, and recovery from cyber attacks
• Reputational damage

Page 11: Data Security: Why You Need Data Loss Prevention & How to Justify It

Malicious Software

• Third-party apps 87% of vulnerabilities 2012
• Per day 315,000 new malicious programs
• 132 million applications at risk recorded in 2012
• Malicious software – 500,000 devices in 100 seconds

though

• 58% report IT Security under-resourced
• 40% under prepared

*8

Page 12: Data Security: Why You Need Data Loss Prevention & How to Justify It

Threat vs. Risk

Threat: Who are your Threats?
• Cause
  - Adversary’s determination
  - Inflict damage
  - Accept success or failure
• Ability
  - Adversary’s resources
  - Breach target
  - Inflict damage

Risk: What are your Risks?
• Probability
  - Likelihood
  - Event happens
  - Your corporation
• Impacts
  - Outcomes + or -
  - Event creates
  - Your corporation

Page 13: Data Security: Why You Need Data Loss Prevention & How to Justify It

Threat Actors: Animals, ‘Kids’, and the Guy/Gal sitting next to you

• Criminals
• Nation-states
• Corporations
• Hacktivist
• Extremists
• Insiders

Page 14: Data Security: Why You Need Data Loss Prevention & How to Justify It

Threat Actors: Animals

• Criminals
  • Associated with Russian Federation, eastern-Euro countries, Global as well
  • Extort and/or sell data to others
  • Strategic Web Compromise, Botnets, Phishing,…
• Nation-states
  • Testing war-time capabilities
  • Spying, stealing, disrupting
  • SWC, DDoS, Malware,…

Page 15: Data Security: Why You Need Data Loss Prevention & How to Justify It

Threat Actors: ‘Kids’

• Extremists
  • Fanatics of ideas that create identity
  • Create terror or fear
  • Al-Qaida, Jihad
• Hacktivists
  • Wrong to a group (country, people, ‘under-dog’)
  • Brazil World Cup, Sochi, Iranian election
  • Anonymous, LulzSec, AntiSec, others

Page 16: Data Security: Why You Need Data Loss Prevention & How to Justify It

Threat Actors: Guy/Gal…

• Insiders
  • Greed, hurt by corporation/organization
  • Expertise – built, admin, system knowledge
  • Accounts for about 15% of breaches
• Corporations
  • Economic intelligence, sabotage
  • IP theft, copying, infringement, duplicating
  • Easier to steal it, not just China (Silicon Valley)

*10, 11

Page 17: Data Security: Why You Need Data Loss Prevention & How to Justify It

DLP Strategy

• Result: What do you want to achieve?
• People: Who are the resources we’ll need?
• Processes: What’s in place? What’s not in place?
• Tech.: Minimal disruption with greatest coverage
• Leverage: Utilize others for what they know

In preparing for battle I have always found that plans are useless, but planning is indispensable. ~Dwight D. Eisenhower

Page 18: Data Security: Why You Need Data Loss Prevention & How to Justify It

DLP Strategy

• Result
  - Align DLP to protection Strategy; KPIs
  - Evaluate for comprehensive solutions
  - Buy-in from key stakeholders
• People
  - Roles – clearly define them
  - Data Owners/Users – culture and importance of data
  - Expertise – internal and external
• Processes
  - Assess controls and business impact (HR issues)
  - Must have Data Classification program
  - Supporting Business processes

Page 19: Data Security: Why You Need Data Loss Prevention & How to Justify It

DLP Strategy

• Technology
  - Take steps, implement methodically
  - Next-gen products for maximum coverage
  - Over estimate
  - Silver Bullets do not exist
• Leverage
  - Vendors for implementation expertise
  - Like companies for solutions
  - Information sharing groups

Page 20: Data Security: Why You Need Data Loss Prevention & How to Justify It

DLP Strategy

Warning Signs
• Implement a workforce reduction
• Employees regularly export data
• Sensitive data resides across enterprise
• Outside vendor/contractor accesses sensitive data
• Unmonitored/controlled mobile devices
• Stock lower, product end, company sale

Page 21: Data Security: Why You Need Data Loss Prevention & How to Justify It

DLP Ecosystem

Data protection should be…
• At rest
• In motion
• On endpoints

Page 22: Data Security: Why You Need Data Loss Prevention & How to Justify It

DLP Ecosystem

[Diagram elements: Data Governance, Regulatory, Classification, Policies, Tools, Discovery, Training, DLP Program]

Page 23: Data Security: Why You Need Data Loss Prevention & How to Justify It

Benefits of DLP

[Diagram elements: Flexible Security, Data Visibility, Limit Liability, Cloud and Mobile, Prepared for…, Detect Malicious Events, Compliance, Employee Monitoring]

Page 24: Data Security: Why You Need Data Loss Prevention & How to Justify It

Justifying DLP

• Bottom-up approach
  • Discuss with divisions, incremental budget
• Present risks
  • Current and Potential
• Utilize security trends
  • Breach size, frequency, cost
• Cost of not having
  • Quantified vs. Qualified
• Due diligence
  • Assets, strategy, vendors, costs

Page 25: Data Security: Why You Need Data Loss Prevention & How to Justify It

Justifying DLP

• What are the regulatory requirements?
  • State, federal, industry, customer
• Innovation cost
  • Product development
• Present benefits
  • Internal and external
• Thought out Project Plan
  • Don’t over-sell, over-promise
• Use Truth Tactics
  • Stock price, WSJ articles, C-level firings, Fines, Prison

Page 26: Data Security: Why You Need Data Loss Prevention & How to Justify It

Do you have any questions?

Page 27: Data Security: Why You Need Data Loss Prevention & How to Justify It

Thank You!

Page 28: Data Security: Why You Need Data Loss Prevention & How to Justify It

Bibliography
1. The State of American Energy 2013 Report, http://www.api.org/~/media/Files/Policy/SOAE-2013/SOAE-Report-2013.pdf
2. Select USA, Commerce.gov, Industry Snapshots, http://selectusa.commerce.gov/industry-snapshots
3. The IP Commission Report, National Bureau of Asian Research, May 2013
4. Financial Institutions Privacy and Security – 2013 Year in Review, January 7, 2014, Anne Foster and Gerald Ferguson, Data Privacy Monitor
5. 2014 Data Breach Industry Forecast, Experian
6. 2014 Ponemon Study
7. The Economic Impact of Cybercrime and Cyber Espionage, McAfee, July 2013
8. IT Security by the Numbers: Calculating the Total Cost of Protection, Kaspersky Lab
9. Counting the Cost: A Meta-analysis of the Cost of Ineffective Business Continuity, The Business Continuity Institute, Patrick Alcantara, 2014, www.bcifiles.com/BCI-CountingtheCost.pdf
10. CrowdStrike Global Threat Report: 2013 Year in Review, CrowdStrike
11. Verizon 2014 Data Breach Investigations Report, Verizon Corp, 2014

