Microsoft 365 Security and Compliance Partner Opportunity Playbook
Regulatory Compliance Scenario for GDPR
Microsoft Confidential – for internal only use by partners.
As companies embrace the opportunities presented by cloud and mobile computing to connect with customers and optimize operations, they
take on new risks. One of the biggest challenges in digital transformation is ensuring security, privacy & compliance.
The security and compliance opportunity
PROTECTING AGAINST EVOLVING CYBERSECURITY THREATS
In today’s world, it’s clear that increasing trust and managing security is a struggle for many organizations. But as these statistics point out, the
importance of improving security comprehensively has become even more evident:
Traditional IT boundaries are disappearing and organizations now need to protect data on employee-owned mobile devices and SaaS
applications not operated by the IT team. If they do not adapt their approach to security, companies face the risk of significant financial loss,
damage to customer satisfaction, and market reputation. This presents an opportunity to help companies manage security concerns in an ever-
evolving technology world that’s constantly under threat.
MEETING DATA AND PRIVACY REGULATIONS
Increasing regulations such as the EU General Data Protection Regulation (GDPR) ensure safeguards are in place to help ensure individuals’ data is
private and secure. Some customers will elect for a strict compliance approach, while others see the effort to become compliant as an
opportunity to use data privacy as a differentiator for their business. In either case, partners will play an important role in helping customers
meet their compliance and strategic business objectives.
4.2 BILLION customer records compromised (Source: Risk Based Security report, 2017)
99 DAYS from breach to detection (Source: FireEye/Mandiant report, March 2017)
$17 MILLION average cost of a security breach (Source: Ponemon Institute, "Cyber crime--a risk you can manage: Information management and governance to protect business innovation", business white paper, Nov. 2016)
[1] Forrester, Security Budgets 2017: Increases Help But Remain Reactionary, Jeff Pollard, Nov 23, 2016
[2] Forrester, The State of Security Services 2016, Jeff Pollard, August 4, 2016
[3] IDC Worldwide Semiannual Security Spending Guide, March 29, 2017
Business today happens digitally, as the world increasingly adopts cloud
and mobile technologies. For organizations to take full advantage of the
productivity promise of digital transformation, they must equally focus
on protecting themselves from increasing threats.
As a consequence, it is no surprise that IT spend on security is growing, taking an increasing share of the overall IT budget year after year. From a 22% share of budget in 2014, the allocation for security grew to 23% in 2015, then jumped to 28% in 2016 [1].
The spend on products and services is close to a 50-50 split, with 49% of this budget planned for services and 51% planned for products [2].
This research is complemented by a recent report from IDC [3], which forecasts that “worldwide revenues for security-related hardware, software, and services will reach $81.7 billion in 2017.” This is 8.2% higher than 2016. IDC also forecasts that revenues will be nearly $105 billion by 2020.
The increasing budget and significant allocation for services mean that partners who choose to establish a business based on the security and compliance capabilities of Microsoft 365 will be able to tap into a marketplace that is growing year-on-year, creating a solid foundation for stable, profitable future business.
Growing market and partner opportunity
Chart: Security’s share of the IT budget for organizations with over 1,000 employees [1]: 22% in 2014, 23% in 2015, 28% in 2016.
An update to the Worldwide Semiannual Security Spending Guide from
IDC indicates that security as part of the overall IT budget is increasing.
"The rapid growth of digital transformation is putting pressures on
companies across all industries to proactively invest in security to protect
themselves against known and unknown threats," said Eileen Smith,
program director, Customer Insights and Analysis.
Insights from the global guide include:
• Industries forecasted to spend the most on security hardware, software,
and services are banking, discrete manufacturing, and federal/central
government.
• Services will be the largest segment of security spending.
• Geographically, the United States will be the largest market for security
products, with Europe coming in second.
• Large or very large enterprises will be responsible for two thirds of all
security-related spending.
Top technology categories based on 2016 market share (Source: IDC Worldwide Semiannual Security Spending Guide, March 29, 2017):
• Network Security: 18.4%
• Managed Security Services: 17.2%
• Endpoint Security: 13.1%
• Integration Services: 11.5%
• Consulting Services: 8.9%
• Others: 30.9%
According to IDC, services will be the largest area of security-related spending throughout their recent forecast, led by three of the five largest technology categories: managed security services, integration services, and consulting services. Together, companies will spend nearly $31.2 billion, more than 38% of the worldwide total, on these three categories in 2017. Technology categories with the fastest spending growth over the 2015-2020 forecast period include managed security services, with a CAGR of 12.2%.
Customer spending on security services expected to grow through 2020
Four core principles of Microsoft 365
We are living in a time of inflection. Digital transformation is the biggest change
any of us has seen in our lifetime. Companies invest in technology to optimize
operations, transform products, engage customers, and empower employees.
The challenge is finding the way to empower people to do their best work. This
starts with fostering a culture of work that is inspiring for everyone, and
embraces the trends in the workplace that make work inspiring.
To deliver on the tremendous opportunity for business growth and innovation,
we are simplifying the customer experience by bringing together Office 365,
Windows 10 and Enterprise Mobility + Security with the introduction of
Microsoft 365.
It’s a complete, intelligent solution that empowers everyone to be creative and
work together, securely. For enterprise customers, Microsoft 365 Enterprise is
built on the foundation of Secure Productive Enterprise.
Introducing Microsoft 365.
• Intelligent security
• Unlocks creativity
• Built for teamwork
• Integrated for simplicity
Microsoft 365 opens up unique value-creating opportunities. There are four core practice areas where we see the most room
for growth for partners with Microsoft 365. This playbook is designed to help you build your business with the Microsoft 365
security & compliance practice area.
Microsoft 365 is a complete, intelligent solution to empower employees to be creative and work together,
securely. It brings together:
Office 365 + Windows 10 + Enterprise Mobility + Security
Security and compliance will play a central role in most Microsoft
365 customer engagements. For partners, Microsoft 365 is a great
platform on which to build a profitable set of security and
productivity solutions to simplify the task of identifying, classifying,
and governing personal data.
Microsoft 365 also helps customers protect personal data from loss
or unauthorized access or disclosure. And Microsoft 365 aids
customers in complying with the new standards for transparency,
accountability, and record keeping.
✓ Central to customers’ digital transformation initiatives
✓ Security is a door opener to additional solution areas
✓ Helps customers with a multi-year journey
✓ Creates a wide range of additional revenue and
service delivery opportunities for partners
Customers and partners both win.
Source: Forrester Total Economic Impact™ Study
Commissioned By Microsoft July 2017, The Partner Opportunity For Microsoft 365 Enterprise
“For our customers interested in digital
transformation, the revenue opportunity is
huge. We are especially excited about ongoing
consulting work and managed services.”
-an interviewee
Top Microsoft 365 security and compliance scenarios for partners
Ensuring security and compliance is key to customers’ digital transformation. As an end-to-end solution, Microsoft 365 offers a comprehensive set of features and unique intelligence across critical endpoints in today’s mobile-first, cloud-first world.
• Enterprise-Level Identity Protection: Implement and manage cloud identity and access. Audit and mitigate use of cloud apps.
• Control and Protect Information: Assess and classify customer data. Implement and manage information policies and procedures.
• Proactive Attack Detection and Prevention: Perform security assessment analysis, migrate and deploy security solutions and provide managed security services.
• Regulatory Compliance: Help customers with increased demands of regulators and legal authorities in every country in which they operate.
Understanding the business opportunity
Choose your scenario
Now that you understand the opportunity to build a practice based on Microsoft 365 security and compliance capabilities, explore the possible solution scenarios open to you. We recommend you choose one scenario to start with, and then expand your practice from there.
Four key partner scenarios are:
ENTERPRISE-LEVEL IDENTITY PROTECTION
Help your customers protect their identities and manage access to apps and data. With Microsoft 365 products and tools, you can help customers develop identity management policies, give users a single sign-on for use across the entire enterprise, strengthen credential authentication, and streamline identity administration.
CONTROL AND PROTECT INFORMATION
Help your enterprise customers protect their data while enabling access from virtually anywhere on almost any device. With Microsoft 365, you can help customers create policies to identify, monitor, and protect sensitive data; better secure sensitive information; improve security for cloud apps; and guard against accidental data leaks.
PROACTIVE ATTACK DETECTION AND PREVENTION
Build a practice that helps your customers proactively guard against threats, identify breaches and threats using advanced analytics, and automate the response to threats enterprise-wide.
REGULATORY COMPLIANCE
Help customers assess their readiness for GDPR. Provide consulting and advisory services around devising their plan of action and risk management plans. Resell, deploy, and implement Microsoft 365 – our hero SKU for GDPR.
By developing a security and compliance practice, you can help turn the potentially dizzying array of services, licensing options, and overlapping feature sets into a cohesive, comprehensive, and understandable solution that enables customers to manage their security, protect their assets, respond to security incidents, and stay compliant with regulations such as GDPR.
The GDPR is a landmark regulation that replaces the 20-year-old Data Protection Directive in the EU. Its intent is to lay the foundation for trust in the digital economy, recognizing that the balance of power has not favored consumers over the past couple of decades.
In the process, it takes data privacy to new heights: broadening the definition of personal data, expanding the rights of data subjects over their data, setting a new bar for protecting data, and increasing transparency over data protection processes and data breaches.
From an industry standpoint, it is a watershed moment where some organizations will elect for a strict compliance approach and others will use the effort and investment as an opportunity to differentiate themselves and what they offer their own customers.
The opportunity to serve our customers is massive.
And the opportunity is now, because there is so much
to do before May 25, 2018 when the GDPR goes into
effect. Solutions for GDPR aren’t simple; customers will
need partners to help them.
• SIGNIFICANT FINES: The fines alone will get anyone’s attention. Up to 4% of global revenue is at stake.
• NEED FOR PRIVACY PROFESSIONALS: GDPR calls for organizations to have Data Protection Officers and there’s a known dearth of talent.
• OPERATIONAL COMPLEXITY: The complexity of defining a path forward, implementing, and landing those changes is massive. It impacts how data is collected, processed, managed, and how breaches are addressed.
• GLOBAL IMPACT: While the GDPR is an EU regulation, its reach is global. It applies to any organization that touches EU residents and holds their data.
Regulatory compliance/GDPR opportunity
Regulatory compliance
Regulatory Compliance
Laws and regulations can be outpaced by new technology as governmental bodies are faced with the
difficult task of regulating new technologies. We all have to ensure our organizations can take advantage of
innovative technologies for growth and success, while managing risks.
We need to enable our customers to deploy our cloud services with the highest confidence that they are
safe and compliant around topics like data security; personal information privacy; compliance with the EU-
U.S. Privacy Shield and the EU General Data Protection Regulation; compliance with regulations governing
the financial services, health care, government, and education sectors; and how we will stand with our
customers on the issues of government access and encryption.
To start, we will be focusing on how we enable partners and customers to be ready for GDPR, with more
tools and information to come.
Customers need help with the burden of compliance and the increased demands of regulators and
legal authorities in every country in which they operate.
In May 2018, a new European Union (EU) privacy regulation goes into effect with broad
reaching implications for multinationals around the globe (not just in the EU). The
regulation, called the General Data Protection Regulation (GDPR), sets a new bar for privacy
rights, security, and compliance. It requires significant changes by organizations all over the
world regarding how they manage and protect personal data.
Specifically, GDPR imposes new rules on organizations that offer goods and services to
people who reside in the European Union (EU), or that collect and analyze data tied to EU
residents, no matter where they are located.
These new requirements – like greater data access and deletion rules, risk assessment
procedures, a Data Protection Officer role for many organizations and data breach
notification processes – will mean changes for many organizations. When it comes to GDPR
compliance, it’s not just European organizations that are affected, but also those outside of
the EU who process data in connection with the offering of goods and services to, or
monitoring the behavior of, EU residents. Customers will need to understand obligations
related to GDPR regardless of where their organization resides.
It will take time, tools, processes and expertise to comply with the GDPR. Organizations
will need to make changes to their privacy and data management practices. Failure to do so
could prove costly – as companies that do not meet the requirements could face reputational
harm and substantial fines of 20 million euros, or 4 percent of annual worldwide turnover,
whichever is greater.
• 75% of US companies that consider GDPR a top priority have budgeted $1 million or more to become compliant [1]
• Amounts range from €100,000 to a few million in Europe, depending on the organization [1]
• IDC predicts GDPR will create a $3.5B market opportunity [2]
• Non-compliance fines can be up to 4% of a firm’s global revenues or €20 million, whichever is greater. A fine of this magnitude could put many companies out of business, so customers should be motivated to take action.
[1] As reported in the Forrester Report, Assess Your Data Privacy Practices With The Forrester Privacy And GDPR Maturity Model, April 2017
[2] IDC Press release, https://www.idc.com/getdoc.jsp?containerId=prEMEA40551915, 03 Nov 2015
About the GDPR
“How do I trust that my data is being held private? I see the promise of digital transformation, but am worried about my data. I have limited visibility to what data I have, where it exists, and how it’s used.”
Before people will fully buy in to the cloud they must overcome the trepidation that inhibits them from taking full advantage of all the
capabilities. They want to know that safeguards are in place to ensure their data is private and secure.
To address data privacy concerns, the GDPR gives EU residents more control over their “personal data”. It’s designed to ensure personal
data is protected no matter where it is sent, processed, or stored.
The new regulation imposes stricter guidelines for transparency and obtaining consent for customer data, resulting in new challenges for
many organizations, who now have concerns of their own:
• I have no consolidated view of customer data and ability to take action on their behalf.
• How do I interpret what GDPR means for my business?
• Will I meet the approaching deadline for compliance?
• What’s the best way for me to leverage existing investments to solve requirements?
• Do I need to add a Data Protection Officer? Where do I find one?
• What constitutes a breach and what do I need to report to regulators?
• How do we prove the right things are in place for good faith efforts to be compliant?
✓ Partners provide needed people, process and technology to help customers meet GDPR.
Data privacy regulations will help drive digital transformation
CONSULTING & ASSESSMENTS
Help customers identify the personal data they store, where it is stored, how it is stored and how it needs to be protected. Partners can conduct gap assessments and make recommendations on the technology, people and processes that customers need to comply with GDPR.
TECHNOLOGY SALES AND DEPLOYMENT
Sell, deploy, and implement the Microsoft cloud technologies that address customers’ compliance needs.
DATA BREACH NOTIFICATION
Help customers build and maintain detection and notification systems for data breaches. With the GDPR’s 72-hour breach notification requirement, use Microsoft Cloud services to become the customer’s incident response (IR) orchestrator through managed services or professional services.
EVIDENCE OF RISK MITIGATION
Under the GDPR, organizations must demonstrate they have implemented appropriate measures to mitigate privacy risks. Use Microsoft Cloud services to build evidence of mitigation strategies and controls.
Top areas of partner opportunity
GDPR is estimated to create a $3.5B market opportunity for security and storage vendors [1]. As a partner, you have multiple opportunities to build a practice on GDPR. Many firms that do business in the European market or with European customers will have to tackle privacy rules for the first time. The Microsoft Cloud and your GDPR-related services can be critical to customer compliance.
Partner opportunity with GDPR
[1] https://blogs.partner.microsoft.com/mpn/can-monetize-new-privacy-regulation-gdpr/
Helping you build a GDPR business
Learn more at aka.ms/GDPRPartners
The Security and Practice Development Playbook will help you understand the opportunity for security
and compliance and what you need to do to get started with your GDPR offerings, services and practices.
Microsoft can help you accelerate your time to market, stand up your practice, or hone your
GTM strategy.
Use GDPR Demos to demonstrate to customers how the Microsoft Cloud helps them comply with the
GDPR. The demos will help your teams provide evidence of Microsoft’s capabilities to help customers.
The GDPR Activity Hub provides an Office 365 Solution Accelerator that partners can build on top of to
manage GDPR related processes and activities.
GDPR Assessment tools
The GDPR Assessment is an online interactive tool that will help you structure the initial conversation with your customers. It’s a conversation starter that can be very useful for the initial part of your presales efforts.
The GDPR Detailed Assessment is an offline tool with approximately 150 questions to help you assess a customer’s readiness and maturity across technology, people and processes. It will help you structure your paid assessment offerings and scope out subsequent managed services offerings with an appropriate SOW.
Find both at aka.ms/GDPRPartners
SOLUTIONS TO HELP YOU PREPARE FOR GDPR
Diagram: product families (Windows Server, Windows, Office, EMS, SQL, Microsoft Azure) and the features shown for them: Windows Hello, Credential Guard, Data Loss Prevention, Threat Intelligence, Audit Logs, eDiscovery, Information Protection, Transparent Data Encryption, Always Encrypted, Threat Detection, Key Vault, Data Log, Log Analytics, Intune, Cloud App Security, Active Directory, Data Classification.
Microsoft’s Approach to GDPR
Diagram: Discover, Manage, Protect, Report. Data classification (data types, sensitivity, metadata) across documents, emails, databases, log files, team sites and instant messages; data governance at rest and in transit; preventing data attacks (risk, identity, encryption, monitoring, intrusion detection, security); detecting and responding to breaches (impact analysis, planned response).
How do I get started?
1. Discover: Identify what personal data you have and where it resides
2. Manage: Govern how personal data is used and accessed
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: Keep required documentation, manage data requests and breach notifications
Microsoft is the vendor your customers need to help prepare for GDPR
Discover Manage Protect Report
DISCOVER
Microsoft cloud services make it easier to locate and identify the personal data you collect, so you can more easily find and evaluate the data across your organization.
• Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
• Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
• Windows 10: PowerShell
• Dynamics 365: Audit Data and User Activity; Report & Analytics with Dynamics 365; Dynamics 365 metadata & data models
• SQL Server and Azure SQL Database: SQL Query Language
• Microsoft Azure: Microsoft Azure Data Catalog
• Windows 10 & Windows Server 2016: Microsoft Data Classification Toolkit
MANAGE
Microsoft cloud services make it possible to centralize processing by more effectively managing applicable policies, data categorizations, and use cases.
• Office & Office 365: Advanced Data Governance
• Enterprise Mobility + Security (EMS): Microsoft Azure Information Protection
• Windows 10: Permissions
• Dynamics 365: Security concepts for Microsoft Dynamics 365
PROTECT
Microsoft cloud services synthesize threat intelligence and provide tools that help you get the greatest benefit from that intelligence for your security efforts.
• Enterprise Mobility + Security (EMS): Azure Active Directory (Azure AD); Azure Active Directory Premium; Microsoft Cloud App Security; Microsoft Intune; Microsoft Azure Information Protection
• SQL Server and Azure SQL Database: Azure SQL Database firewall; SQL Server authentication; Dynamic Data Masking (DDM); Row-Level Security (RLS); Transparent Data Encryption; Always Encrypted; Auditing for SQL Database and SQL Server audit; SQL Database Threat Detection
• Microsoft Azure: Azure Security Center; Data Encryption in Azure Storage; Azure Key Vault; Log Analytics
• Windows 10 & Windows Server 2016: Windows Hello; Windows Defender Antivirus; Windows Defender Advanced Threat Protection; Device Guard; Credential Guard; BitLocker Drive Encryption; Windows Information Protection; Shielded Virtual Machines; Just Enough Administration and Just in Time Administration
• Office & Office 365: Advanced Threat Protection; Threat Intelligence; Advanced Security Management; Office 365 Audit Logs
REPORT
Microsoft cloud services centralize and streamline technical and administrative steps that are required for compliance, such as demonstrating due diligence and handling data access requests.
• Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
• Windows 10: Windows Defender Advanced Threat Protection (ATP)
• Dynamics 365: Report & Analytics with Dynamics 365
• Microsoft Azure: Azure Auditing and Logging
1 Discover: Identify what personal data customers have and where it resides
In scope: any data that helps you identify a person
• Name
• Email address
• Social media posts
• Physical, physiological, or genetic information
• Medical information
• Location
• Bank details
• IP address
• Cookies
• Cultural identity
Inventory: identifying where personal data is collected and stored
• Emails
• Documents
• Databases
• Removable media
• Metadata
• Log files
• Backups
Example solutions
• Microsoft Azure: Microsoft Azure Data Catalog
• Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
• Dynamics 365: Audit Data & User Activity; Reporting & Analytics
• Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
• SQL Server and Azure SQL Database: SQL Query Language
Discover: Microsoft 365 solutions by stage of GDPR readiness
Discover Manage Protect Report
DISCOVER:
Understand the complexities of discovering data in the enterprise, understanding what data you have and where it resides.
KEY TAKEAWAYS:
Discover: Microsoft 365 products you could choose to use for this stage
Discover Manage Protect Report
OFFICE & OFFICE 365:
• Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types, including financial, medical, and personally identifiable information.
• Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets: SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online.
• Office 365 Advanced eDiscovery, powered by machine learning, can help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents. Advanced eDiscovery can significantly reduce the cost and effort of identifying relevant documents and data relationships by training the system to explore large datasets and quickly zero in on what’s relevant, reducing the data prior to review.
ENTERPRISE MOBILITY + SECURITY:
• Microsoft Cloud App Security is a comprehensive service that provides deeper visibility, comprehensive controls, and improved protection for your data in your cloud applications. You can see which cloud apps are in use in your network, identifying over 13,000 apps from all devices, and get risk assessments and ongoing analytics.
WINDOWS:
• Using content search with PowerShell, administrators can search for and identify personal data in some file types in local or connected storage.
Discover: Analysis begins with customers
Discover Manage Protect Report
It all comes down to personal data.
GDPR analysis begins with understanding what data exists and where it resides. The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. Data can reside in:
• Customer databases
• Feedback forms filled out by customers
• Email content
• Photos
• CCTV footage
• Loyalty program records
• HR databases
• Metadata is data that provides information about other data. There are two types: structural and descriptive. Structural metadata describes the containers of data. Descriptive metadata describes individual instances of application data or the data content. This matters because personally identifiable information (PII) can be spread across both metadata types and can thus be correlated with emails, logs, documents, etc. Examples of PII in metadata include building entrance logs, payroll information, and the last time a document was modified.
• Team Sites refers to SharePoint sites where files and other data (e.g. lists, forms, etc.) are used to collaborate across teams. PII can extend across files stored on a team site (e.g. HR records, legal documents, etc.).
• Log files record events that occur in software or an online service. Examples include user login date/time to Office 365, data state changes in Office 365 (i.e. last modified by), Skype Meetings information, and administrative activity on Office 365 (user deletes, adds, etc.).
• By combining user entries in log files, user metadata across various systems, user documents, emails, databases, etc., it is possible to correlate and build a profile on an individual user. This is why discovery has to cover logs and metadata, not only documents and databases.
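The PowerShell content search mentioned under the Discover stage, and the point above that identifiers recurring across logs, metadata and documents can be joined into a profile, can be illustrated with a small script. The example below is added for this playbook and is not a Microsoft tool or feature; the sample folder, the two regex patterns (email addresses and IPv4 addresses, both in the in-scope list above), the file types scanned and the sample records are assumptions made up for illustration. It builds a per-file inventory of where personal-data patterns occur and then shows which identifiers appear in more than one source, hashing each identifier so the inventory does not itself become another copy of the personal data.

```powershell
# Added example, not from the playbook or any Microsoft tool: scan a folder tree
# for personal-data patterns named as in scope on this page (email addresses,
# IPv4 addresses), build an inventory of where they occur, and show how the same
# identifier recurs across sources. Folder, patterns, file types and sample
# records are assumptions for illustration.
param(
    [string]$Path = (Join-Path ([IO.Path]::GetTempPath()) 'gdpr-discover-sample'),
    [string[]]$Include = @('*.txt', '*.csv', '*.log', '*.json', '*.xml', '*.html')
)

# Constructed sample data so the script runs offline (made-up records, not real people).
New-Item -ItemType Directory -Path $Path -Force | Out-Null
@'
name,email,ip
Alice Example,alice@example.com,203.0.113.7
Bob Example,bob@example.org,198.51.100.22
'@ | Set-Content -Path (Join-Path $Path 'customers.csv')
@'
2018-05-01 10:00:01 login user=alice@example.com src=203.0.113.7
2018-05-01 10:05:42 login user=carol@example.net src=192.0.2.15
'@ | Set-Content -Path (Join-Path $Path 'app.log')

# Detection patterns. Deliberately simple: expect false positives and tune them per customer.
$patterns = [ordered]@{
    Email = '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b'
    IPv4  = '\b(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}\b'
}

# Hash each identifier (truncated SHA-256) so the inventory records *that* an identifier
# occurs and *where*, without storing the identifier itself.
function Get-IdentifierHash([string]$Value) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Value.ToLowerInvariant()))
        return ([BitConverter]::ToString($bytes) -replace '-', '').Substring(0, 16)
    } finally { $sha.Dispose() }
}

$files = Get-ChildItem -Path $Path -Recurse -File -Include $Include
$hits = foreach ($kind in $patterns.Keys) {
    $files | Select-String -Pattern $patterns[$kind] -AllMatches | ForEach-Object {
        $match = $_
        foreach ($m in $match.Matches) {
            [pscustomobject]@{
                DataType = $kind
                File     = $match.Path
                Line     = $match.LineNumber
                IdHash   = Get-IdentifierHash $m.Value
            }
        }
    }
}

# Inventory: occurrences per file and data type (what exists, and where it resides).
$hits | Group-Object File, DataType |
    Select-Object @{n = 'File'; e = { $_.Group[0].File } },
                  @{n = 'DataType'; e = { $_.Group[0].DataType } }, Count |
    Sort-Object File, DataType | Format-Table -AutoSize

# Correlation: an identifier present in more than one source (here alice's address and
# IP in both the CSV and the log) is exactly what lets someone join records into a profile.
$hits | Group-Object IdHash |
    Where-Object { ($_.Group.File | Sort-Object -Unique).Count -gt 1 } |
    Select-Object @{n = 'IdHash'; e = { $_.Name } },
                  @{n = 'Sources'; e = { ($_.Group.File | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize

# Persist the hashed inventory for the assessment report.
$hits | Export-Csv -Path (Join-Path $Path 'pii-inventory.csv') -NoTypeInformation
```

Run it as a script (`.\Find-PersonalData.ps1 -Path D:\fileshare`) against a copy of the customer’s file share; the first table is the per-location inventory for the Discover stage, the second lists identifiers seen in more than one file. Regex-based discovery is a starting point only: it misses personal data that has no fixed shape (names, free-text notes, photos) and will flag non-personal matches, so treat the output as a worklist for the gap assessment rather than a complete inventory.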
2 Manage: Assist customers in governing how personal data is used and accessed
Data governance: defining policies, roles and responsibilities for the management and use of personal data
• At rest
• In process
• In transit
• Storing
• Recovery
• Archiving
• Retaining
• Disposal
Data classification: organizing and labeling data to ensure proper handling
• Types
• Sensitivity
• Context / use
• Ownership
• Custodians
• Administrators
• Users
Example solutions
• Microsoft Azure: Azure Active Directory; Azure Role-Based Access Control (RBAC)
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Security Concepts
• Office & Office 365: Advanced Data Governance; Journaling (Exchange Online)
• Windows & Windows Server: Microsoft Data Classification Toolkit
Manage: Microsoft 365 solutions by stage of GDPR readiness

MANAGE:
The key to properly managing data is a sound data governance and classification strategy that uses people, process, and technology
relevant to GDPR to establish trust and accountability within the enterprise. This enables customers to create policies that govern how data
is processed and consumed based on the type of data (e.g. personally identifiable information), and it also helps them understand the impact
that data would have on the organization if lost, stolen or leaked, so that they can protect it accordingly.
KEY TAKEAWAYS:
The GDPR provides data subjects (the individuals to whom data relates) with more control over how their personal data is captured and
used. Data subjects can, for example, request that your enterprise share the data that relates to them, transfer their data to other services,
etc. In some cases, these requests must be addressed within fixed time periods.
In order to satisfy obligations to data subjects, you will need to understand what types of personal data the enterprise processes, how,
and for what purposes. The data inventory discussed previously is the first step to achieving this understanding. Once that inventory is
complete, it is important to develop and implement a data governance plan. A data governance plan helps you define policies,
roles, and responsibilities for the access, management, and use of personal data, and ensures the customer's data handling practices
comply with the GDPR. For example, a data governance plan can give an enterprise confidence that it effectively honors data subject
requests to delete or transfer data.
Manage: Microsoft 365 products you could choose to use for this stage

OFFICE & OFFICE 365:
• Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types, including financial, medical, and
personally identifiable information.
• Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets: SharePoint Online, OneDrive for
Business, Skype for Business Online, and Exchange Online.
• Office 365 Advanced eDiscovery, powered by machine learning technologies, can help you identify documents that are relevant to a particular
subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of
vast quantities of documents. Advanced eDiscovery can significantly reduce the cost and effort of identifying relevant documents and data
relationships: the system is trained to explore large datasets and zero in on what is relevant, reducing the data set prior to review.
ENTERPRISE MOBILITY + SECURITY:
• Microsoft Cloud App Security is a comprehensive service that provides deeper visibility, comprehensive controls, and improved protection for
your data in your cloud applications. It gives you visibility into which cloud apps are in use in your network, identifying over 13,000 apps
from all devices, along with risk assessments and ongoing analytics.
WINDOWS & WINDOWS SERVER:
• Using Windows permissions, administrators can manage and govern access to personal data.
• Microsoft Data Classification Toolkit
Manage: Data Governance, Classification and Types

• Data governance is a set of processes that ensures that important data assets are formally managed throughout the enterprise.
Data governance ensures that data can be trusted and that people can be held accountable for any adverse event that happens
because of low data quality.
o Data at rest is inactive data stored physically in any digital form (e.g. databases, files, backups, data on a mobile device,
data on a server, etc.).
o Data in transit falls into two categories: information that flows over an untrusted network such as the
internet, and data that flows within the confines of a private network. Data in transit is also referred to as data in motion.
o The distinction matters because the governance rules for data at rest and data in transit may differ. For example, data at
rest may have to be stored in a particular way (e.g. encrypted, with restricted access), while data in transit needs protection
on the network it crosses (e.g. transport encryption).
• Data classification is the process of sorting and categorizing data into types, forms or other distinct classes. Data
classification enables the separation and handling of data according to the requirements of each data set for various business or personal
objectives. It is mainly a data management process.
• Data Types are defined by the partner working with the customer to identify the unique data types that
apply to the customer's enterprise. This is the practice of understanding what types of data exist and how best to classify
them. For example, structured and unstructured data that looks harmless on its own may, when combined with other data, amount to
Personally Identifiable Information for a given individual.
Protect: Microsoft 365 solutions by stage of GDPR readiness

PROTECT:
GDPR raises the bar on security. It requires that organizations take appropriate technical and organizational measures to protect personal data
from loss and from unauthorized access or disclosure. Better controls can be applied to reduce risk, prevent attacks and stay proactive.
KEY TAKEAWAYS:
3 Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches

Preventing data attacks: Protecting data
• Physical datacenter protection
• Network security
• Storage security
• Compute security
• Identity management
• Access control
• Encryption
• Risk mitigation

Detecting & responding to breaches: Monitoring for and detecting system intrusions
• System monitoring
• Breach identification
• Calculating impact
• Planned response
• Disaster recovery
• Notifying DPA & customers

Example solutions
• Microsoft Azure: Azure Key Vault
• Enterprise Mobility + Security (EMS): Azure Active Directory Premium; Microsoft Intune
• Office & Office 365: Advanced Threat Protection; Threat Intelligence
• SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
• Windows & Windows Server: Windows Hello; Credential Guard
Protect: Microsoft 365 products you could choose to use for this stage

ENTERPRISE MOBILITY + SECURITY:
• Azure Active Directory (Azure AD) in Enterprise Mobility + Security helps you protect your organization at the access level by managing and protecting your identities, both privileged and non-privileged. Azure AD provides one protected common identity for accessing thousands of apps. Azure AD Premium adds Multi-Factor Authentication (MFA), conditional access based on device health, user location, identity and sign-in risk, and holistic security reports, audits, and alerts. Azure AD Privileged Identity Management (PIM) helps discover, restrict, and monitor privileged identities and their access to resources through a security wizard, access reviews, and alerts. This enables scenarios such as time-limited "just in time" and "just enough administration" access.
• Microsoft Intune provides mobile device management, mobile application management, and PC management capabilities from the cloud. Using Intune, you can give your employees access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.
OFFICE & OFFICE 365:
• Advanced Threat Protection (ATP) for Exchange Online helps protect your email against new, sophisticated malware attacks in real time. It also lets you create policies that prevent your users from opening malicious attachments or following malicious links in email. ATP for Exchange Online includes protection against unknown malware and viruses, time-of-click protection against malicious URLs, and rich reporting and URL trace capabilities.
• Threat Intelligence helps you proactively uncover and protect against advanced threats in Office 365. Deep insights into threats, available in part because of Microsoft's global presence, the Intelligent Security Graph, and input from cyber threat hunters, help you quickly and effectively enable alerts, dynamic policies, and security solutions.
WINDOWS & WINDOWS SERVER:
• Windows Hello is a convenient, enterprise-grade alternative to passwords that uses a natural (biometrics) or familiar (PIN) method to validate identity, providing the security benefits of smartcards without the need for additional peripherals.
• Credential Guard isolates secrets on a device, such as single sign-on tokens and derived domain credentials, so that they cannot be read even if the Windows operating system itself is fully compromised. This blocks credential-theft techniques such as "pass the hash" that are otherwise hard to defend against.
• Windows Information Protection helps protect against accidental data leakage without interfering with the employee experience.
Protect: More information

• Risk, in the context of data protection, is the level of exposure that could lead to data being lost, stolen or
leaked, combined with how damaging a compromise would be. Once the level of risk is understood, the next step is to decide which safeguards
must be in place to protect that data from compromise. Risk is then mitigated by eliminating or reducing the exposure of the data so that it
is better protected.
• Encryption keeps data, and the network traffic that carries it, confidential and preserves its integrity, so that if the data is
lost, stolen or leaked it cannot be read by individuals who are not authorized to view it. If encrypted data is
compromised, the risk of it being accessed is lower than for unencrypted data, provided the keys were not compromised along with it.
• It is important to protect the identities of end users so that their identity within the enterprise is not compromised. A compromised
identity lets an attacker use that user's credentials to move laterally through the environment, gaining
access to data and systems that should be restricted. Protections include ensuring that only the authorized individual to whom the
identity belongs can access the network, through technology such as Multi-Factor Authentication.
• Security refers to protecting data, such as a database, from destructive forces and from the unwanted actions of unauthorized users. To
protect data and systems, precautions are taken by implementing technology, process, or both.
• When detecting and responding to a breach, an Impact Analysis must be performed to understand the downstream effects the
incident may have and what types of data may have been compromised (e.g. PII).
• Intrusion detection is a key part of a protection strategy: it detects suspicious activity by monitoring network or system activity for
malicious actions or policy violations, and produces reports.
4 Report: Keep required documentation, manage data requests and breach notifications

Record-keeping: Enterprises will need to record the:
• Purposes of processing
• Classifications of personal data
• Third-parties with access to the data
• Organizational and technical security measures
• Data retention times

Reporting tools: Implement reporting capabilities
• Cloud services (processor) documentation
• Audit logs
• Breach notifications
• Handling Data Subject Requests
• Governance reporting
• Compliance reviews

Example solutions
• Microsoft Trust Center: Service Trust Portal
• Microsoft Azure: Azure Auditing & Logging; Microsoft Azure Monitor
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Reporting & Analytics
• Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
Report: Microsoft 365 solutions by stage of GDPR readiness

REPORT:
Reporting is key to helping ensure the customer's GDPR obligations are being met.
KEY TAKEAWAYS:
• Record-keeping
• Breaches
Report: Microsoft 365 products you could choose to use for this stage

OFFICE & OFFICE 365:
• Service Assurance in the Office 365 Security & Compliance Center gives you deep insights for conducting risk assessments, with details on Microsoft compliance
reports and the transparent status of audited controls, including:
o Microsoft security practices for customer data that is stored in Office 365.
o Independent third-party audit reports of Office 365.
o Implementation and testing details for the security, privacy, and compliance controls that help customers comply with standards, laws, and regulations across
industries, such as ISO 27001 and ISO 27018, as well as the Health Insurance Portability and Accountability Act (HIPAA).
• Office 365 audit logs let you monitor and track user and administrator activities across workloads in Office 365, which helps with early detection and
investigation of security and compliance issues. Use the Office 365 Audit log search page to start recording user and admin activity in your organization. Once
Office 365 has prepared the audit log, you can search it for a broad range of activities, including uploads to OneDrive or SharePoint Online and user password resets.
Exchange Online can be set up to track changes made by administrators and to record whenever a mailbox is accessed by someone other than the person
who owns it.
• Customer Lockbox gives you authority over how a Microsoft support engineer may access your data during a support session. When the engineer requires
access to your data to troubleshoot and fix an issue, Customer Lockbox lets you approve or reject the access request. If you approve it, the engineer can
access the data. Each request has an expiration time, and once the issue is resolved the request is closed and access is revoked.
WINDOWS:
• Windows Defender Advanced Threat Protection (ATP) helps enterprise customers detect, investigate, and respond to advanced and targeted attacks.
• Auditing and logging provide rich, detailed raw data that can be forwarded into other solutions for deeper analysis or compliance reporting.
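The audit-log searches described above (uploads, password resets, non-owner mailbox access) and the cross-system correlation described in the Discover section (combining a user's log entries from several workloads into one profile) can both be done from Exchange Online PowerShell. The script below is an added example, not code from the playbook or from Microsoft; it assumes the Exchange Online PowerShell module is installed and that the account used can sign in with Connect-ExchangeOnline. The tenant name, the mailbox alice@contoso.com, the seven-day window and the operation names 'FileUploaded' and 'Reset user password.' are illustrative assumptions and should be replaced with the customer's own values.

```powershell
# Added example (not from the playbook). Assumes the Exchange Online PowerShell
# module and an account permitted to read the unified audit log.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # assumed tenant

# 1. Make sure unified audit log ingestion is switched on for the tenant;
#    nothing below returns results until it is.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Record admin and delegate (non-owner) actions on a mailbox. The mailbox
#    name is an assumption; the action list is the set of auditable actions.
$mailbox = 'alice@contoso.com'
$actions = 'Update','Move','MoveToDeletedItems','SoftDelete','HardDelete','FolderBind','SendAs','SendOnBehalf'
Set-Mailbox -Identity $mailbox -AuditEnabled $true -AuditAdmin $actions -AuditDelegate $actions

# 3. Pull the last seven days of file uploads and password resets from the
#    unified audit log (5000 is the per-call maximum for -ResultSize).
$end   = Get-Date
$start = $end.AddDays(-7)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'FileUploaded','Reset user password.' -ResultSize 5000

# 4. The detail of each record is a JSON document in the AuditData column.
#    Parse it and group by UserId so that one user's SharePoint, OneDrive and
#    Azure AD activity lands in a single row: the kind of cross-workload
#    profile the Discover section warns is possible from log data alone.
$profile = $records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object -Property UserId |
    ForEach-Object {
        [pscustomobject]@{
            User       = $_.Name
            Events     = $_.Count
            Workloads  = ($_.Group.Workload  | Sort-Object -Unique) -join ','
            Operations = ($_.Group.Operation | Sort-Object -Unique) -join ','
            FirstSeen  = ($_.Group.CreationTime | Sort-Object | Select-Object -First 1)
            LastSeen   = ($_.Group.CreationTime | Sort-Object | Select-Object -Last 1)
        }
    }
$profile | Sort-Object Events -Descending | Format-Table -AutoSize

# 5. Who other than the owner opened the audited mailbox in the same window.
Search-MailboxAuditLog -Identity $mailbox -LogonTypes Delegate,Admin `
    -StartDate $start -EndDate $end -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call; for longer windows or busier tenants, page through the results with the -SessionId and -SessionCommand ReturnLargeSet parameters, or narrow the window. Note that the output of step 4 is itself personal data about employees and falls under the same GDPR handling rules as the records it was built from.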
Report: More information

MICROSOFT TRUST CENTER:
• In the Service Trust Portal you can find comprehensive information about the Azure, Office 365, and Dynamics 365
compliance, security, privacy, and trust offerings, including reports and attestations. Independent third-party audit and GRC
(governance, risk management, and compliance) assessment reports help you stay up to date on how Microsoft cloud services
comply with the global standards that matter to your organization. Trust documents can help you understand how Microsoft cloud
services protect your data and how you can manage data security and compliance for your cloud services.
BEST PRACTICES:
• A key pillar of protecting data and responding to breaches is reporting: maintaining good record-keeping
practices and deploying robust reporting tools to gather the applicable data.
• Many factors go into reporting on how data is protected, accessed, and consumed. It may require working cross-functionally to
generate governance reports, determine how the cloud vendor secures and maintains its infrastructure, audit user and
administrator access to systems and applications, and notify regulatory bodies and customers when a data breach occurs. In addition,
factors such as how long data should be retained, how data is processed, and who (internally and externally) has access to that
data are important to understand so that proper decisions can be made.
Build your GDPR practice

Use the resources listed here to help you through the four stages: understanding the business opportunity; developing your skills and business plan; launching your practice; growing your practice.

Business opportunities
• Partner Opportunity with GDPR flyer here
• Partner role in GDPR blog post here
• How partners can monetize GDPR here
• GDPR 101 video here
• Security Practice Development playbook here
• See more partner readiness materials on the Microsoft partner portal here
Learn about the Microsoft Trusted Cloud
• Microsoft Trust Center GDPR site here
• Microsoft commitment to GDPR compliance here
• Microsoft on Trust, Privacy, and the GDPR on-demand webcast here
• How Microsoft helps customers prepare for GDPR video (4 min) here
Learn about GDPR solutions
• GDPR demo site here
• GDPR Products and Solutions page here
• GDPR white paper here
• Microsoft 365 site here
Build your skills
• Office University: Office 365 Security Partner Training (MPN17435) here
Customer-ready information
• Resources for GDPR compliance here, including white papers, blog posts, related information, FAQs, and languages
Tools for you
• GDPR Activity Hub (solution accelerator tool that helps partners operationalize GDPR related processes and activities) here
Engage with customers
• Assess GDPR readiness with the GDPR Assessment here
• Extended questions/guidance for workshops & SOWs in GDPR Detailed Assessment here
Tools to use with your customers
• GDPR Briefing To Customer deck here
• Beginning Your GDPR Journey and other white papers here
• GDPR Product Demos: tools to demonstrate how the Microsoft cloud helps customers comply with GDPR here
Accelerate customer success with FastTrack
Partner-led deployment with FastTrack Support
• Access to deployment and adoption resources
• Request assistance for onboarding & adoption
• Unlock performance-based benefits
At the end of the day, your success comes down to making your customer successful. FastTrack is a customer benefit from Microsoft that
enables your customers to smoothly and confidently make the move to Microsoft cloud services. Partner-led deployment with FastTrack
support gives you access to deployment and adoption resources, lets you take advantage of data migration services, and lets you request
assistance for onboarding & adoption.
Core untapped benefits:
About one-third of Microsoft 365 E3 and E5 customers will be moving from on-premises. There is a very big opportunity for partners to
leverage FastTrack Migration services.
As an enhanced benefit, you will have access to remote assistance from FastTrack managers & engineers.
We are also offering new performance-based benefits, such as:
• Special adoption incentive and special modern desktop accelerators to drive client refresh
• FastTrack Center will direct 300+ customer referrals per month
• Dedicated account management & access to Tier-2 technical SMEs
Check out the FastTrack partner site to learn more at aka.ms/FastTrackOpportunity.
Resources

Additional resources
PARTNER RESOURCES
• Microsoft 365 partner opportunity site here
• Microsoft 365 partner announcement here
• Forrester Total Economic Impact Study: Partner Opportunity for Microsoft 365 Enterprise here
• Gartner Industry Addressability Study here
• Security Practice Development Playbook here
• Office 365 Security and Compliance portal here
• Microsoft Security Strategy, Inspire 2017, with Julia White here
• Gives and gets page on MPN partner portal here
CUSTOMER RESOURCES
• Microsoft 365 main page here
• Microsoft Trust Center here
• Microsoft Trust Center GDPR page here
Intro to Microsoft 365/security and compliance resources
Statistic (Source)
• 4.2B customer records compromised. (Risk Based Security Reports, 2017)
• 99 days from breach to detection. (FireEye/Mandiant report, March 2017)
• $17M average cost of a security breach. (Cyber crime--a risk you can manage: Information management and governance to protect business innovation, business white paper, Nov. 2016)
• Security spending for organizations with over 1,000 employees increased from 22% in 2015 to 28% in 2016. (Forrester, Security Budgets 2017: Increases Help But Remain Reactionary, Jeff Pollard, Nov 23, 2016)
• The spend on both product and services is roughly a 50-50 split, with 49% of this budget planned for services and 51% planned for products. (Forrester, The State of Security Services 2016, Jeff Pollard, August 4, 2016)
• IDC forecasts that "worldwide revenues for security-related hardware, software, and services will reach $81.7 billion in 2017." This is 8.2% higher than 2016. IDC also forecasts that revenues will be nearly $105 billion by 2020. (IDC Worldwide Semiannual Security Spending Guide, March 29, 2017)
• Services will be the largest area of security-related spending, led by three of the five largest technology categories: managed security services, integration services, and consulting services. Together, companies will spend nearly $31.2 billion, more than 38% of the worldwide total, on these three categories in 2017. Technology categories with the fastest spending growth over the 2015-2020 forecast period include managed security services, with a CAGR of 12.2%. (IDC Worldwide Semiannual Security Spending Guide, March 29, 2017)
• "For our customers interested in digital transformation, the revenue opportunity is huge. We are especially excited about ongoing consulting work and managed services." – An interviewee (Forrester Total Economic Impact Study commissioned by Microsoft, July 2017: The Partner Opportunity For Microsoft 365 Enterprise)
Customer targeting and partner value resources
Statistic (Source)
• SMBs are more likely than Enterprises to have an informal IT risk management policy or to manage issues on the go. SMBs tend to be more reactive, identifying and addressing risk as issues arise (26% SMB vs. 21% Enterprise). They are less likely to have a formal process to manage risk (10% of SMBs have no formal process vs. 4% of Enterprises). Enterprise Information Workers are also more likely than SMBs to be aware of, understand and follow their company's policies for data use and handling. (Forrester's Global Business Technographics Devices and Security Workforce Survey, 2016)
• Enterprise customers are more likely to adopt a wide array of identity and access management technologies. (Forrester's Global Business Technographics Security Survey, 2016)
• Enterprise customers are also more likely to increase their threat intelligence capabilities and spending, and their security and audit requirements, post-breach. (Forrester's Global Business Technographics Security Survey, 2016)
• Worldwide IT spending by small and medium-size businesses (SMBs) will approach $568 billion in 2017. Spending is projected to grow by more than $100 billion to exceed $676 billion in 2021. (IDC, Worldwide Semiannual Small and Medium Business Spending Guide, July 2017)
• The gap between how SMBs and Enterprises see their businesses, their customers, and their technology initiatives is narrowing. In recent research, Forrester reported that SMBs are becoming more active in both new technology adoption and acceleration of their refresh cycles. Just as similar priorities guide SMBs' and Enterprises' investments and focus, SMBs' technology investment patterns map closely to those of Enterprises. (Forrester, SMBs Now View Their Tech Investments Through An Enterprise-Like Lens, May 8, 2017)
• You will also want to keep the customer size in mind when strategizing your security conversations, both pre-sales and throughout the journey, as the approach should differ. (Forrester, Security Software Buyers Influence Map, June 2017)
• The three industries with the highest spending on security solutions are banking, discrete manufacturing, and federal/central government. Three other industries that will each spend more than $5 billion in 2017 are process manufacturing, professional services, and telecommunications. (IDC Worldwide Semiannual Security Spending Guide, March 29, 2017)
• The average first-phase advanced security workload project costs $60K to $100K. (The Partner Opportunity For Office 365 Advanced Security And Compliance Workloads, a Forrester Total Economic Impact Study commissioned by Microsoft, July 2017)
• Anticipated follow-on project revenue, based on the number of workloads at $50K each, is estimated at $50K to $150K. (The Partner Opportunity For Office 365 Advanced Security And Compliance Workloads, a Forrester Total Economic Impact Study commissioned by Microsoft, July 2017)
• The average margin across all revenue streams is 38.7%. (The Partner Opportunity For Office 365 Advanced Security And Compliance Workloads, a Forrester Total Economic Impact Study commissioned by Microsoft, July 2017)
• Security decision makers surveyed show strong interest in implementing these security offerings, per a recent Forrester study. Over 1/3 of the top intended "as a service" offerings are based around security. Those implementing, expanding/upgrading, or planning to implement:
o Advanced Threat Protection: 75%
o Security analytics: 75%
o Threat Intelligence: 72%
o Security information management: 72%
(Forrester Research, Inc. Global Business Technographics Security Survey, 2016)
• When targeting your project services, our research with partners emphasized the importance of targeting the enterprise customer to attain significantly higher per-project revenue. (Microsoft Cloud Practice Development Study, MDC Research, June 2017)
Security and Compliance Scenario resources
Statistic (Source)
• 75% of users use the same password for social networking and email. (Security Week)
• 71% of accounts are guarded by passwords used across multiple sites. (TeleSign Consumer Account Security Report 2016)
• 46% of users employ a password that is at least five years old. (TeleSign Consumer Account Security Report 2016)
• Stolen and/or weak passwords are used in 81% of all hacking-related security breaches, and 15% of phishing victims within companies of 30-plus employees fall victim to a second phishing attack. (Verizon 2017 Data Breach Investigations Report)
• 95% of phishing attacks that lead to a breach are followed by some form of software installation. (Verizon 2017 Data Breach Investigations Report)
• 91% of phishing attacks are launched with the intent of stealing users' credentials. (Verizon 2017 Data Breach Investigations Report)
• 91% of cyberattacks start with a phishing email. (https://phishme.com/2016-enterprise-phishing-susceptibility-report)
• 44% of the organizations surveyed saw phishing as the top threat and 43% identified malware as their top threat. Additionally, these organizations identified zero-day attacks and targeted cyber attacks to steal financial information, disrupt or deface the organization, or steal intellectual property or data. In the same survey, 36% of respondents said they do not have a threat intelligence program. (2016 EY Global Information Security Survey, http://www.ey.com/gl/en/services/advisory/ey-global-information-security-survey-2016)
• 86% of organizations surveyed are worried that their cybersecurity systems do not fully protect their information systems. (2016 EY Global Information Security Survey, http://www.ey.com/gl/en/services/advisory/ey-global-information-security-survey-2016)
• Losses from ransomware in 2016 totaled $1 billion. (https://www.vircom.com/blog/the-10-craziest-cybersecurity-statistics-of-2016/)
• The cost for each lost or stolen record of sensitive data is now $158, and the total cost of a typical data breach now averages $4 million. (2016 Ponemon Institute Cost of a Data Breach Study)
• In 2016, there were 4,149 breaches reported, exposing more than 4.2 billion records. (Risk-Based Security 2016 Data Breach Trends, https://pages.riskbasedsecurity.com/hubfs/Reports/2016%20Year%20End%20Data%20Breach%20QuickView%20Report.pdf)
• In 2016, on average there were more than 4,000 ransomware attacks per day, a 300 percent increase over 2015. (https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view)
• 73% of organizations report being concerned about poor user awareness and/or behavior around mobile devices. (http://www.ey.com/gl/en/services/advisory/ey-global-information-security-survey-2016)
• Global spending on cybersecurity products and services will exceed $1 trillion over the next four years. (http://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/)
• 75% of US companies that consider GDPR a top priority have budgeted $1 million or more to become compliant. The amount ranges from €100,000 to a few million in Europe, depending on the organization. (Forrester Report, Assess Your Data Privacy Practices With The Forrester Privacy And GDPR Maturity Model, April 2017)
• IDC predicts GDPR will create a $3.5B market opportunity for security and storage vendors. (IDC press release, https://www.idc.com/getdoc.jsp?containerId=prEMEA40551915, 03 Nov 2015)