Biggest Loser: Data Loss
Examples and Prevention
Data Loss Defined
• Defined as “An unforeseen loss
of data or information”
– Unforeseen
– Loss
– Information
• How does this happen?
Data Loss Examples
• Laptop stolen from city office
• Key logging software installed on bank computer
• Disgruntled employee installs malware
• Company loses backup tape
• Hardware/systems malfunction
• External attacker breaches system
• Documents lost on way to be destroyed
Data Loss in the News
1) Madison officials and employees are complaining that Social Security
numbers were stored on a laptop computer stolen from a city office Friday.
2) More than 1,000 patients of the Royal Bolton Hospital have been contacted after their
personal details were lost near the hospital grounds. The hospital said the documents fell
from a waste container which was taking them to be destroyed on 30 January.
3) Someone illegally gained access to 17 computer servers at the University of Alabama in
November 2008. The servers had a database containing 37,000 records of patients. The
records contain the names, addresses, birthdates and Social Security numbers of each
person who has had lab work, such as a blood or urine test, done on the UA campus since
1994.
4) A number of individuals attempted to steal GBP 229 million (US $318.1 million) from
Sumitomo Mitsui Banking Corporation in the fall of 2004. A security supervisor at the bank
allegedly allowed two Belgian men into the bank's London offices where they allegedly
placed spyware on computers that allowed them to steal account access information.
Source: OSF Data Loss Database http://datalossdb.org/
Data Loss is Expensive
• Data breaches cost businesses an
average of $197 per customer record in
2007, up from $182 in 2006
Source: Ponemon Institute
Data Loss Calculator
Source: http://www.tech-404.com/calculator.html
Proposed Lawsuits as a Result of Data Loss
Action Against             Potential Class Size   Seeking Damages of:
St. Francis Hospital       260,000                $5,000/pp
Verizon                    2,000,000              $21,000/pp
AOL                        500,000                $1,000/pp
Veteran’s Administration   260,000                $5,000/pp
Bringing the Math Together
• Hypothetical Data Loss Scenario
– Acme Company loses data impacting
1000 people (1 person/record)
1) The data loss calculator states the average cost of
recovery is $166,272 for 1000 records.
2) Clients open a class action lawsuit with a class size of
1000, costing an average of $8000 per person
impacted. Total cost of the class action suit is $8M
Total Potential Cost of Data Loss:
$8,166,272.00
Proactive Prevention
• Properly classify information
• Encrypt data at rest
– full disk encryption on mobile devices
– strong file encryption on files residing on file shares
– encrypt backup tapes and drives
• User awareness training at least yearly
• Perform onsite destruction of confidential hardcopy documents
• Access control reviews
• Disable user access immediately upon separation
• Network access control
Data Loss Prevention (DLP)
• According to Gartner, “15-20% of sensitive data can be
effectively blocked or redirected [using DLP technology].
The remaining 80 percent should be monitored. Record
and notify.”
• DLP is “analogous to intrusion prevention systems--
detection vs. prevention. Reliably detecting some activity,
such as someone sending an email attachment with
10,000 credit card numbers, is relatively easy. Determining
if an email is really talking about a pending merger is
tougher.”
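The easy-versus-hard split Gartner describes, shown as an added example (not code from the deck or any DLP product): a minimal content scanner that blocks a message carrying a large number of Luhn-valid card numbers, but can only flag a merger discussion for monitoring because a keyword hit is low-confidence. The sample messages, the threshold of 10 and the keyword list are constructed assumptions.

```python
import re

# Constructed sample messages (assumptions for this example, not from the deck).
# The three numbers are the standard Luhn-valid test card numbers, repeated on 5 lines.
CARD_DUMP = "\n".join(
    "4111111111111111,5500000000000004,340000000000009" for _ in range(5)
)
MERGER_MAIL = "Per our call, the board signed off on the Acme acquisition terms; keep this internal."
NEWSLETTER = "Our new store opens 10/10! Call 800-555-0100 for hours."

# 13-19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Assumed low-confidence vocabulary: a hit here means "monitor", never "block"
MERGER_TERMS = ("merger", "acquisition", "acquire", "takeover", "term sheet")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out phone numbers and IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_cards(text: str) -> int:
    """Number of Luhn-valid card-like numbers in the text."""
    return sum(
        1 for m in CARD_RE.finditer(text)
        if luhn_ok(re.sub(r"[ -]", "", m.group()))
    )


def classify(text: str, block_threshold: int = 10) -> str:
    """'block' on a bulk card dump, 'monitor' on weak signals, else 'allow'."""
    cards = count_cards(text)
    if cards >= block_threshold:
        return "block"
    if cards > 0 or any(term in text.lower() for term in MERGER_TERMS):
        return "monitor"      # record and notify; a human decides
    return "allow"


if __name__ == "__main__":
    for name, msg in (("card dump", CARD_DUMP), ("merger mail", MERGER_MAIL), ("newsletter", NEWSLETTER)):
        print(f"{name}: {count_cards(msg)} cards -> {classify(msg)}")
```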
Get Started Preventing Data Loss
• Analyze Policies, Establish Standards
• Create a Data Classification Policy
• Identify location of Confidential Data
• Establish a process with Human Resources (New
Hires, Employee Separation)
• Create a User Access Audit Process
• Establish proper roles for user access
• Manage user change requests by adjusting access whenever
an employee’s role changes
• Establish encryption key management processes
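An added example (not from the deck) of the user access audit that the “Proactive Prevention” and “Get Started” lists call for: it reconciles an HR roster against an account export and reports accounts still enabled after separation, accounts with groups beyond their role, and accounts with no HR owner. The roster, account list and role entitlements are constructed sample data.

```python
from datetime import date

# Constructed HR roster export (assumed fields; sample data only)
HR_ROSTER = [
    {"user": "asmith", "role": "finance",  "status": "active",    "separated": None},
    {"user": "bjones", "role": "helpdesk", "status": "separated", "separated": date(2009, 3, 2)},
    {"user": "clee",   "role": "finance",  "status": "active",    "separated": None},
]
# Constructed directory account export
ACCOUNTS = [
    {"user": "asmith",  "enabled": True, "groups": {"finance-ro", "vpn"}},
    {"user": "bjones",  "enabled": True, "groups": {"helpdesk", "vpn"}},            # not disabled on separation
    {"user": "clee",    "enabled": True, "groups": {"finance-ro", "domain-admins"}},  # beyond the finance role
    {"user": "svc_old", "enabled": True, "groups": {"backup-operators"}},            # nobody in HR owns it
]
# Assumed role definitions: the groups each role is entitled to
ROLE_ENTITLEMENTS = {
    "finance":  {"finance-ro", "finance-rw", "vpn"},
    "helpdesk": {"helpdesk", "vpn"},
}


def audit_access(roster, accounts, today):
    """Return (user, finding, detail) tuples for every account needing review."""
    findings = []
    by_user = {p["user"]: p for p in roster}
    for acct in accounts:
        person = by_user.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "orphan", "no HR record; confirm owner or disable"))
            continue
        if person["status"] == "separated" and acct["enabled"]:
            days = (today - person["separated"]).days
            findings.append((acct["user"], "separated-enabled", f"enabled {days} days after separation"))
            continue
        extra = acct["groups"] - ROLE_ENTITLEMENTS.get(person["role"], set())
        if extra:
            findings.append((acct["user"], "excess-group",
                             "not in role entitlements: " + ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for user, kind, detail in audit_access(HR_ROSTER, ACCOUNTS, date(2009, 3, 9)):
        print(f"{user:8} {kind:18} {detail}")
```

Run it on a schedule and treat every “separated-enabled” finding as an incident, since the deck’s guidance is to disable access immediately upon separation.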
Summary
• Don’t be another statistic or news story
• Data loss is not cheap; invest in your business’ future
• Establish a data classification policy
• Determine the location of sensitive data (data flow diagrams)
• Implement encryption and key management processes
• Deny access to unauthorized devices on the network
• Enable the business while protecting the business
• Manage user access appropriately
• Mature internal security audit processes
• Persistent User Awareness for handling sensitive data
About SDS
• Established in 2005
• Have a team of experts with varying backgrounds
• Comfortable Compliance® and Micro Services
• Member of Board of Advisors for St. Mary’s U of MN Masters
of Information Technology program
• Certified consultants
• Member of ISSA and ISACA
• Provides services for audit readiness, compliance, vulnerability
assessments and security program development
• Corporate Office located in Minnetonka, MN
THANK YOU!
• Questions or Comments?
• Chad Boeckmann, CISA, CISSP
ChadB@SecureDigitalSolutions.com
763-234-9422
http://www.SecureDigitalSolutions.com