The CISO’s Guide to Being Human
How to prevent and cope with accidental data leakage

Page 1: The CISO’s Guide to Being Human


The CISO’s guide to being human

The issue of data security is becoming ever more pressing for the public and private sectors:

• Sensitive data that has been lost or leaked by Britain’s private and public sectors has risen by 1,014% between August 2007 and August 2012

• In 2011/12, the UK logged 821 data breaches

• 58% of IT professionals polled by Computer Weekly admit to not using Data Loss Prevention (DLP) products

SOURCE: The Register; 2012 Verizon Data Breach Investigations Report

While malicious hacking is the number one threat to your data security, one element still makes much of it possible: staff mistakes that lead to costly data leakage...

97% of breaches were avoidable through simple or intermediate controls

According to ISACA’s 2012 Governance of Enterprise IT (GEIT) Survey of over 3,700 of its members, among the security challenges a company is likely to face in the next 12 months:

• 16% will be mistakes made by employees

• 13% will be incidents relating to employees’ personal devices (BYOD)

But are companies doing enough to tackle data compliance issues? According to the same report:

• Nearly a quarter of respondents said management’s level of involvement in governance is low

• 49% of enterprises will be increasing investments in IT over the next 12 months.

But will they be increasing their data security budgets too?

SOURCE: FlashRouters, Mashable

DLP tooling helps, but a few basic habits instilled in staff are your first line of defense against data leakage:

• More than 60% of people use the same password across many accounts; this makes life easy for attackers, because one leaked password unlocks every account that reuses it

• Use a secure password generator that will create difficult-to-crack passwords: http://www.pctools.com/guides/password/

Facepalm Passwords

According to SplashData, the worst passwords of 2012 were:

1. ‘password’
2. ‘123456’
3. ‘12345678’
4. ‘abc123’
5. ‘qwerty’

“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.”

Clifford Stoll, data security guru
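As an added example (not part of the original deck), the following Python shows what “use a secure password generator” means in practice: characters are drawn from the operating system’s CSPRNG via the `secrets` module rather than `random`, every candidate is checked against a blocklist, and the entropy of each scheme is computed so the chosen length is deliberate rather than guessed. The blocklist is just the five SplashData 2012 entries from the slide and the word list is a constructed sixteen-word stand-in; both are assumptions for the example, and a real deployment would load a breached-password corpus and a full passphrase word list (the EFF long list has 7,776 entries).

```python
"""Password and passphrase generation with entropy accounting (added example,
not from the deck).  WORST_2012 is the slide's five SplashData entries and
WORDS is a constructed sixteen-word stand-in; both are assumptions."""
import math
import secrets
import string

# Constructed blocklist: the five "facepalm passwords" quoted on the slide.
# A real blocklist is a breached-password corpus, not five strings.
WORST_2012 = {"password", "123456", "12345678", "abc123", "qwerty"}

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list; the EFF long list has 7,776 entries (~12.9 bits/word).
WORDS = ("anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet",
         "harbor", "indigo", "jasper", "kestrel", "lumen", "marble", "nectar",
         "onyx", "pepper")


def entropy_bits(choices: int, draws: int) -> float:
    """Entropy of `draws` independent, uniform picks from `choices` symbols."""
    return draws * math.log2(choices)


def is_blocklisted(password: str, blocklist=WORST_2012) -> bool:
    """Reject the list entries and the 'Password1!' style variants users bolt
    on to satisfy complexity rules: compare case-insensitively and also with
    trailing digits and punctuation stripped."""
    lowered = password.lower()
    stem = lowered.rstrip(string.digits + string.punctuation)
    return lowered in blocklist or stem in blocklist


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random characters from the OS CSPRNG (`secrets`, never `random`)."""
    if length < 12:
        raise ValueError("12 characters is the floor for a generated password")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_blocklisted(candidate):      # vanishingly unlikely, but cheap
            return candidate


def generate_passphrase(n_words: int = 6, words=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: easier to type and remember than line noise
    of equal entropy, provided the word list is large."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    pw = generate_password(20)
    pp = generate_passphrase(6)
    print(pw, f"{entropy_bits(len(ALPHABET), 20):.0f} bits")
    print(pp, f"{entropy_bits(len(WORDS), 6):.0f} bits (tiny list: use a real one)")
```

Two notes for the practitioner: a 20-character draw from 94 symbols carries about 131 bits, far beyond what any online or offline guessing attack can reach, so the real risk is reuse and phishing rather than brute force; and on the toothbrush quote, NIST SP 800-63B (section 5.1.1.2) now advises against forcing periodic changes, so rotate a password when there is reason to believe it is compromised and put the effort into one unique password per account, length, and a blocklist check instead.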

“Speared by phishing”

SOURCE: Websense, Mashable, Verizon

Spear-phishing is the latest way to sucker-punch naive employees: it targets particular groups or individuals with socially engineered content tailored to them:

• Combat phishing through employee education. Facebook holds an annual ‘Hacktober’ in which employees face simulated security threats for a month. Those who report the fake phishing attempts and other staged attacks win prizes, while those who fall for them get further training.

84% of victims unknowingly possessed evidence of the breach in their logs (2012 Verizon Data Breach Investigations Report). Collecting logs is not the same as reading them: ship them to a central store and alert on them, or the evidence will only ever be found by the forensics team afterwards.

Research has revealed that half of the surveyed companies had lost a device with important business data on it, with security consequences for over a fifth of organizations. If correct encryption procedures had been followed, the loss of the hardware would not have become a loss of the data.

[SOURCE: Business Computing World]

Encrypt laptops, mobile devices and removable media to ensure that if tech is lost out in the field (or in a pub), its data remains inaccessible. Full-disk encryption only protects a device that is powered off or locked, so pair it with short screen-lock timeouts, and escrow recovery keys centrally so that a forgotten passphrase does not become a data loss of its own.

[SOURCE: Ernst & Young]

Take extra care... and consider controlling the use of removable media such as USB flash drives. Enforce the policy with endpoint software or OS device-control policy that blocks unauthorized drives from mounting when plugged in, and log the attempts: a blocked drive is a training opportunity, a pattern of them is an investigation.

Worst case scenario

An international oil and gas company lost an unencrypted laptop containing the personal information of 13,000 US individuals, including their names, Social Security numbers and addresses. The sting in the tail? The people whose data was lost were claimants who had already filed against the company...

Scorched Earth Policy

Always have the ability to remotely wipe lost or stolen devices as your last line of defense... A remote wipe only takes effect once the device comes back online, so treat it as a backstop to encryption rather than a substitute for it.

“Being Human”

Remember: serious data leakage can be caused by something as simple as sending an email to the wrong person by accident. Auto-complete in the ‘To:’ field has made slip-ups easier than ever, so back up awareness with a mail-client warning on external or first-time recipients and a DLP rule on outbound attachments. Help employees care about data compliance and leakage:

• Create clear, understandable policies that list prohibited behaviors and what is expected from employees when it comes to handling company data

• Avoid long, waffly checklists of dos and don’ts that don’t engage employees but simply turn them off

• Provide regular mandatory training on security awareness for employees – especially for those who regularly handle highly sensitive data

• If a new data threat emerges, keep staff informed so they know what to look for
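The auto-complete mistake described on this slide can be caught before the message leaves, with a pre-send check of the kind a mail-client add-in or outbound gateway runs. The following Python is an added example, not code from the deck or its publisher: the corporate domain `example.com`, the address book of previously used recipients and the sensitive-content markers are all constructed for the illustration. It flags three things: a recipient domain that is a near-miss of the corporate domain, an unknown address within two edits of a known contact (the classic auto-complete mix-up, such as a colleague’s personal webmail picked instead of their work address), and a never-before-used external recipient on a message that looks sensitive.

```python
"""Pre-send recipient check for outbound mail (added example, not from the
deck).  ORG_DOMAIN, ADDRESS_BOOK and SENSITIVE_MARKERS are constructed
stand-ins; a real implementation would pull them from the directory, the
sender's sent-items history and the DLP classifier respectively."""

ORG_DOMAIN = "example.com"                       # assumed corporate domain

# Constructed address book: addresses this sender has mailed before.
ADDRESS_BOOK = {
    "alice.jones@example.com",
    "bob.lee@example.com",
    "auditor@partner-firm.co.uk",
}

# Constructed markers; a DLP engine would use proper classifiers instead.
SENSITIVE_MARKERS = ("confidential", "payroll", "social security", "ssn")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def looks_sensitive(subject: str, body: str) -> bool:
    """Crude keyword classifier standing in for a real DLP content rule."""
    text = f"{subject} {body}".lower()
    return any(marker in text for marker in SENSITIVE_MARKERS)


def check_recipients(recipients, subject="", body=""):
    """Return [(recipient, reason), ...]; an empty list means nothing to warn about.

    Order of checks matters: a lookalike domain is the most dangerous finding,
    a near-miss of a known contact is the auto-complete slip the slide warns
    about, and a first-time external recipient only matters on sensitive mail."""
    sensitive = looks_sensitive(subject, body)
    findings = []
    for raw in recipients:
        rcpt = raw.strip().lower()
        local, _, domain = rcpt.rpartition("@")
        if rcpt in ADDRESS_BOOK:
            continue                                  # used before: nothing to flag
        if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
            findings.append((rcpt, f"domain is a lookalike of {ORG_DOMAIN}"))
            continue
        twins = sorted(known for known in ADDRESS_BOOK
                       if edit_distance(local, known.split("@")[0]) <= 2)
        if twins:
            findings.append((rcpt, f"unknown address within two edits of known "
                                   f"contact {twins[0]}; auto-complete mix-up?"))
            continue
        if sensitive and domain != ORG_DOMAIN:
            findings.append((rcpt, "first-time external recipient on a sensitive message"))
    return findings


if __name__ == "__main__":
    # Constructed sample message: a payroll export addressed to four people.
    for rcpt, reason in check_recipients(
            ["alice.jones@example.com", "alice.jones@gmail.com",
             "bob.lee@examp1e.com", "new.vendor@othercorp.net"],
            subject="Payroll export Q3 (confidential)"):
        print(f"HOLD {rcpt}: {reason}")
```

In the sample message only the first recipient passes: the second is Alice’s personal webmail chosen by auto-complete, the third goes to a typo-squat of the corporate domain, and the fourth is a brand-new external address on a payroll file. The point of the design is that the sender sees the hold and the reason and can still override it; a silent block trains people to work around the control, while a one-line explanation trains them to look at the ‘To:’ field.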
