Data Security in the Age of the Road Warrior

Data Security in the Age of the Road Warrior

Heidi Shey | Forrester Research, Senior Analyst

Dave Bull | Intel Security, Director, Content Security Products

Our Speakers

2

Heidi SheySenior Analyst

Forrester

Dave BullDirector, Content Security Products

Intel Security

Data Security in the Age of the Road WarriorHeidi Shey, Senior Analyst

December, 2015

© 2015 Forrester Research, Inc. Reproduction Prohibited 4

Your extended enterprise spans across three dimensions






Data is at the core


Employees are on the go


Base: 7.267 global information workersSource: Forrester’s Business Technographics Device & Security Workforce Survey, 2015

Employees have access to variety of sensitive data…whether they need it or not

24%

27%

32%

34%

41%

45%

52%

Non-public corporate marketing/strategy plans relatingto the company (e.g., pricing changes,

merger/acquisition plans)

Non-public corporate financial information relating to thecompany (e.g., sales forecasts, earnings estimates)

Employee data (e.g., HR data, payroll data)

Intellectual property belonging to the company(blueprints, designs, formulas, recipes)

Customer service data, account numbers

Contracts, invoices, customer orders

Customer data (e.g., names, contact information, creditcard data)

“What types of information do you have access to at work, regardless of whether you need to use it for your job or not?”


Base: 7,267 global information workers (US, Canada, UK, France, Germany, Brazil, Australia/NZ, China, India)Source: Forrester’s Business Technographics Device & Security Workforce Survey, 2015

Most aren’t looking to break the rules

53%

11%

5%

"I follow the policies that are in placefor data use and handling"

"Security restrictions and policiesmake me less productive"

"I sometimes ignore or go around oursecurity policies"

“Which of the following statements about security do you agree with?”


“Which of the following statements about security do you agree with?”

Base: 7,267 global information workers (US, Canada, UK, France, Germany, Brazil, Australia/NZ, China, India)Source: Forrester’s Business Technographics Device & Security Workforce Survey, 2015

Employees are trying to do their jobs

“It’s the most efficient way of doing what I need to get done”

“The security policies are too strict or unreasonable”

“I don’t have time to wait to get an exception granted from IT to do what I need to do”

42%

27%

22%

53%

11%

5%

"I follow the policies that are in placefor data use and handling"

"Security restrictions and policiesmake me less productive"

"I sometimes ignore or go around oursecurity policies"


Data loss and exposure happens in different ways…



• Secretary of State Brian KempFulton County, Georgia (Oct/Nov 2015)

• 6 million individuals affectedClerical error/ data misuse

Clerical error/ data misuse






• Department of Health and Human ServicesGranville, North Carolina (Oct 2015)

• 1,615 individuals affectedEmail errorEmail error






• Department of Health and Human ServicesGranville, North Carolina (Oct 2015)

• 1,615 individuals affectedEmail errorEmail error

• T-Bird Restaurant Group, Inc. (Outback Steakhouse), Northridge, California (September 2015)

• Unknown number of individuals affected

Physical theftPhysical theft


…and cost consequences vary widely

• Fines

• Lawsuits

• Exec departure • Negative press

• Customer churn

• Brand, reputational damage

• Operational changes

• Recruiting issues

• Layoffs

• Added audit reqs

• Lost business partners


There’s plenty beneath the surface that is difficult to estimate

• Fines for noncompliance

• X years’ worth of audits

• Hiring a privacy officer

• Implementing training

• Other costs related to meeting compliance


No accident; employees are targets too

- Wired, November 10, 2014

- CSO Online, October 15, 2015


No accident; employees are targets too

- Wired, November 10, 2014

- CSO Online, October 15, 2015

- SC Magazine November 9, 2010


- CRN, June 25, 2015

“

”


Understand how data protection requirements are changing


Security


Security faces a mutating threat landscape


Security Privacy


›EU General Data Protection Regulation

›Safe Harbor

›Varying US state privacy laws

›Varying country privacy laws from Latin America to Asia Pacific

Privacy faces an evolving regulatory landscape

Implications for where data must stay, or how it must be processed and handled


Privacy brings more stakeholders to the your table


Security Privacy


Security Privacy

• Consumer/customer concerns and expectations

• Third party relationships (and risk)


Business concern over customer privacy concerns vary widely by country


Business concern over customer privacy concerns vary widely by country

Understand the level of concern, and reasons for concern in your organization


Architect a data protection strategy to defend against today's threats


Take a holistic, data-centric approach

Forrester’s data security and control framework




Define

Data discovery Data classification


›What it is and where it is

Define




›Understanding and mapping how it flows today vs how it needs to flow

Define




›Understanding and mapping how it flows today vs how it needs to flow

› Context matters for use and access, especially for third party access, mobile employees, and travelers

Define





Define


Dissect

Data intelligence Data analytics


›Two sides: data and policy

• Security data

Dissect



›Two sides: data and policy

• Security data

• Implications for data handling

› State, country, industry specific requirements

› Business partner requirements

› Customer perceptions

Dissect





Define


Dissect


Defend

Access Inspect Dispose Kill


›Platform, suite, standalone

Defend




›Embedded feature

Defend




›Embedded feature

›Audit mechanisms to prove policy enforcement

Defend



Ensure that policies and controls are aligned

Thank you

forrester.com

Heidi Shey+1 [email protected]

How McAfee DLP Can Help

Dave Bull | Intel Security, Director, Content Security Products

McAfee Can Help!

Data-in-Motion

Data-at-Rest

Data-in-Use

Data Types Data Loss Vectors Solution

DLP PreventDLP Monitor

DLP Discover

DLP Endpoint

Email Web Post Network Traffic IM Chat

Desktop/LaptopDatabase

Removable/Devices

CloudEmail/IM

File Share

Clipboard

47

48

43%

57%

½ are intentional½ are accidental

Internal ActorsExternalActors

Hackers36%

Malware Authors

23%

Organized Crime 14%

Activists15%

Nation-State 13%

Others 1%

Who’s stealing the data?

Actors Involved in BreachesExternal Actors

Internal and External Actors

49

Customer/Employee PII Are Primary Targets

Data Types

Source: Grand Theft Data, Intel Security, 2015

20%

18%

14%

13%

12%

12%

11%

0%

22%

19%

14%

14%

11%

11%

10%

1%

Customer PII

Employee PII

PCI Information

Customer PHI

Intellectual property

Other financial information

Employee PHI

Others

Cloud

Traditional

50

How are the thieves getting data out?

Data Exfiltration

Source: Grand Theft Data, Intel Security, 2015

Physical Media used

Physical media data breaches

Physical

Means

40%

Electronic

Means

60%

26%

22%

15%

12%

11%

10%

9%

Laptops/Tablets

USB Flash Drives

Mobile Phones

Printed Hardcopies

CDs/DVDs

Microphones/Web Cams

Faxes

Resources

51

Go to the Resources Area of this webcast console to access:

• McAfee Total Protection for DLP Solution Brief

• Data Exfiltration Research Report

• Data Exfiltration Infographic

• Data Exfiltration Webcast

• Best Practices for Implementing Data Loss Prevention Webcast

• Today’s Presentation Slides

http://www.mcafee.com/us/resources/solution-briefs/sb-total-protection-for-dlp.pdf

http://www.mcafee.com/us/resources/reports/rp-data-exfiltration.pdf

http://www.mcafee.com/us/resources/misc/infographic-data-leaking-your-watch.pdf

http://bcove.me/z7txfr6b

.

Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2015 McAfee, Inc.

Technology

Data Security in the Age of the Road Warrior