The european information security summit 2015

Sebastien Roques, Sales and Strategic Alliance Manager, UKI & SSA-NWA
11 February 2014

The Data Breach Threat

How can we better protect ourselves?

£349

£19599p

or £5000000


The Data Breach Threat

Reported data breaches are on the rise and data privacy regulations are intensifying globally. How can we better protect ourselves?

How are they happening?

What are the consequences?

How do the new EU Data Regulations change things?

What data security methods are we using and are they good enough?

What else could we be doing?

Mobility is Accelerating Data Breaches

“Over half a billion (526 million) mobile devices and connections were added in 2013. Global mobile devices and connections in 2013 grew to 7 billion, up from 6.5 billion in 2012.”

Cisco – Global Data Report

93% of businesses have mobile devices connecting to their corporate networks.

53% report there is sensitive customer information on mobile devices.

Dimensional Research


“Coca-Cola laptop theft could have compromised info for 74,000.” – 27 Jan 2014

“Laptop stolen with health information of 620,000 Albertans.” – 22 Jan 2014

“Unencrypted Laptops Lead to Mega-Breach - Horizon Blue Cross Blue Shield Reveals Incident.”– 9 Dec 2013

“Laptop thefts compromise 729,000 hospital patient files at AHMC Healthcare.” – 21 Oct 2013


Biggest Data Breaches since 2004


Security Capabilities Benchmark Study

• 59 percent of CISOs view their security processes as optimised, compared to 46 percent of security operations managers.

• About 75 percent of CISOs see their security tools as very or extremely effective, with about one-quarter perceiving security tools as only somewhat effective.

• Ninety-one percent of respondents from companies with sophisticated security strongly agree that company executives consider security a high priority.

• Less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches.

Over half of respondents to the survey say their organisation has had to manage public scrutiny of a security breach.

Has your organisation ever had to manage public scrutiny of a security breach? (Security Capabilities Benchmark Study)

Yes: 54%
No: 46%

The New EU Data Protection Law

Why are the current laws being assessed?

• The current EU data protection laws are positively archaic

The current set of rules came into force in 1995 when the Internet was still in its infancy. Back then about 1% of Europeans used the Internet.

• Each member state currently has its own data protection laws

One of the key aims of the new law is to remedy that and to streamline and unify the enforcement process across Europe.

What are the new proposed laws?

Question

Some organisations will have to appoint a dedicated data protection officer under the proposed new law.

How big does a company have to be for this to apply?

What are the new proposed laws?

Question

The current maximum fine is £500,000 under the UK Data Protection Act of 1998.

There will be increased sanctions including fines for those who breach their responsibility of keeping personal data safe. What is the new maximum fine?

The New EU Data Protection Law

• The right to be forgotten - Consumers having a statutory right to have their data deleted on demand.

• Consumers having easier access to their data

• Organisations having a legal obligation to notify the authorities about data breaches as early as possible and “if feasible”, within 24 hours.

• Mandatory appointment of a data protection officer for companies with 250 employees or more.

• Significant increase in sanctions for a data breach including fines of up to €100 million or up to 2% of annual global turnover, whichever is greater.

So, what can we do?

Standardise: Implement ISO-level controls.

Plan. Do. Check. Act.: Have a protocol in place to plan your security processes ahead of time, do the difficult work of integrating these processes, check that they are being followed and act quickly in cases of non-compliance.

Audit: Carry out an internal audit of your security practices on a frequent basis.

Identify Assets: Make a list of all hardware, software, media, data and applications that contain sensitive data. Assign a location and ownership to each one, and ensure that each owner is aware of their responsibilities.

Question

Is your organisation carrying out all of the above?

Hiring and Communication: Screen new applicants and set responsibilities at a contractual level.

Back-up and archive: Daily is best, followed by a complete backup on a weekly basis. Data should also be regularly archived for long-term storage.

Access Control: Assign and maintain access levels among staff.

Physical Security: Ensure critical servers and workstations are well protected from theft and damage.

Encryption: Implement a company-wide encryption policy.

Keep software up to date: External threats against your network are constantly evolving. Keeping your IT resources updated, such as antivirus programs and other security software, will reduce the likelihood of breaches and better prepare your team to respond to threats.

Ok, what else?

Question

Is your organisation carrying out all of the above?

Log Collection: Collect and store log and report data, to aid future forensic investigations.

Scalability: Ensure your software solutions are easily expandable to meet your future needs.

Manage Mobile Devices: Implement lost-phone policies, restrict the use of third-party apps and enable remote wiping of data.

Remove Data Securely: Extremely sensitive data can still be recovered, even when deleted from a workstation. Invest in secure wiping utilities, and make sure old equipment is thoroughly destroyed.

Real Time Monitoring: Keep track of logged data and correlate information from different sources, identifying malicious behaviour and giving your IT team the tools and data to respond to emerging threats.

And these?

Question

Is your organisation carrying out all of the above ... and does it have the technology to carry it out?

Why is an Encryption-only solution not enough?

“Strong cryptography is very powerful when it is done right, but it is not a panacea. Focusing on cryptographic algorithms while ignoring other aspects of security is like defending your house not by building a fence around it, but by putting an immense stake in the ground and hoping that your adversary runs right into it.”

– Bruce Schneier


Mobile Endpoint Encryption Vulnerabilities

• Brute Force Attack – the encryption is only as strong as the encryption key (basically a password).

• Cold Boot Attack – encryption key is stolen from the memory (RAM).

• Backdoor – a vulnerability (“bug”) in the encryption software, which could also have been purposefully built in.

• Human Factor – susceptible to bad security practices.


Absolute Software Persistence Technology: A unique partnership.

OEM Persistence Partnership

Absolute Persistence Technology

• Built-in technology at the factory

• Software agents automatically reinstall regardless of user or location

• Persistent on premise or in the cloud

• An unbreakable tether to the device

Absolute Computrace for Endpoint Security

Computers and ultra-portable devices can be remotely managed and secured to ensure – and most importantly prove – that endpoint IT compliance processes are properly implemented and enforced.

Absolute Computrace allows organisations to centrally locate, monitor and secure all of their endpoints within a single cloud-based console.

The Computrace Agent is automatically installed so that IT Administrators can track, manage, and secure all devices regardless of user or location.

GRC Tools: Computrace Features

Risk Management = Tools = Computrace Features: Management of the process to monitor, direct, and control

• Track software licenses

• Receive alerts to be notified about suspicious behavior

• Remotely recover or delete data from a device

• Freeze a device to block access

• Remove all data from a device at end-of-life

• Track the location of a device

• Use geofences to monitor device movement

• Investigate and recover stolen devices

• Initiate an investigation to determine why a security incident occurred and prevent it from happening again

• Investigate suspicious employee behavior

• Identify security holes

• Prevent incidents from happening again

GRC Data: Computrace Device Data

• Use Computrace data to prove compliance with corporate and government regulations:

– Software license compliance report for contract negotiations and audits

– Encryption status report to show which devices were properly protected with encryption

– End-of-Life data delete certificate

– Data delete audit log

– Proof if data was accessed post-incident

• Interconnected Relationships:

– User <> Device

– Device <> Company

Compliance = Data = Computrace Data & Reports: Conform to internal and external regulations; must be provable


Customer Evangelism
