5 Pieces of DLP Advice You Can’t Afford to Ignore

Today’s business users are nothing if not productive, but too often they don’t think about whether they are working with confidential data or whether they are protecting it appropriately. The fact is, employees regularly save patient records to thumb drives, transfer customer data to personal devices, and email unreleased product plans to personal webmail. Although well-intentioned, their actions can expose sensitive business information to unnecessary risk. Add advanced threats by external attackers to the mix plus malicious insiders, who are intent on stealing corporate data for their own gain, and it becomes clear that data loss prevention (DLP) is no longer a nice-to-have, but a need-to-have.

CISOs are turning to DLP solutions to effectively protect valuable intellectual property (IP) and personally identifiable information (PII) and keep their organizations from becoming the next headline.  Symantec recently published a research paper examining how DLP programs impact the effectiveness of security executives while also protecting corporate data. We surveyed more than 130 CISOs, VPs, directors and managers responsible for the evaluation, selection, deployment and governance of their organization’s DLP solution.

Save the Date: #ISTR Twitter chat on Symantec Internet Security Threat Report

Join Symantec Security Response experts on Twitter (using the #ISTR hashtag) on Tuesday, April 30, at 9 a.m. PT / 12 p.m. ET to chat about the key trends highlighted in Symantec’s recently released Internet Security Threat Report (ISTR), Volume 18.

The ISTR, which covers the major threat trends observed by Symantec in 2012, reveals a significant increase in cyberespionage to gain access to confidential information and valuable intellectual property, and the criminals’ methods of obtaining this information are shifting. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them, representing a threefold increase from 2011.

Mark your calendars to join #ISTR chat and plan to discuss the latest attack vectors and techniques used by cybercriminals to gain access to your intellectual property.

Topic: Internet Security Threat Report: Volume 18—what does the data tell us?

2013 ISTR Shows Changing Cybercriminal Tactics

The Symantec Internet Security Threat Report (ISTR) 2013 reveals how the threat landscape is evolving, compiling information from more than 69 million attack sensors in 157 countries around the world. This year’s report shows more targeted attacks, increasing focus on smaller businesses, and the continued development of new threats.

Targeted attacks, hacktivism, and data breaches

Targeted attacks saw a 42 percent increase in 2012, to 116 per day on average, with a corresponding increase in data theft and incidents of industrial espionage. Attackers are changing their targets, as well. Small businesses make up a larger percentage of those targeted for attack than in 2011 (a threefold increase), with 31 percent of all targeted attacks directed at companies with fewer than 250 employees. Attackers are finding valuable data to steal from small companies and fewer defenses in place to stop them. Manufacturing is now the most targeted business sector, making up 24 percent of targeted attacks. One of the most significant innovations in targeted attacks is the emergence of watering hole attacks. The attackers compromise the security of a website that an intended target is likely to visit; once the target visits the website, their computer becomes infected with malware. This successful tactic, popularized by a group known as the Elderwood Gang, has infected up to 500 companies in a single day.

Enterprises Can Learn a Thing or Two about IP Theft from Department Stores

I read with great interest The New York Times’ “Room for Debate” that discussed whether companies should disclose when they get hacked. When brands big and small suffer a data breach and lose customer data, they are required to disclose the breach based on various state privacy laws that mandate disclosure when personally identifiable information (PII) is lost. But, when hackers get in the backdoor and make off with other valuable IP, we typically don’t hear about it. Opinions on the matter of disclosure run the gamut. Some think mandatory disclosure of security breaches will telegraph weaknesses while others think disclosing cyber-risks is material and investors should know if a company can keep its crown jewels secret.

There’s plenty to debate on this front, but by focusing so much attention on hackers pilfering sensitive corporate data we’re ignoring one of the biggest threats to IP that companies face every day – our own trusted employees. We need to consider to whom more corporate secrets are lost – the external attacker or the insider?

Protecting Reputation, Business and Customers in Today’s Extended Vendor Ecosystem

In today’s global economy, it’s no secret that many organizations rely on third parties for critical business activities. While outsourcing isn’t a new concept, the rise of readily available cloud-based and everything-as-a-service solutions is rapidly increasing an organization’s liability and risk landscape – often with limited IT oversight.

Unfortunately, many enterprises relying on third-party vendors often assume that these third parties properly protect their sensitive employee, customer and business data. Sadly, this is not always the case. Consider these data points:

  • Only 24 percent of respondents require third-party suppliers or partners to comply with baseline security procedures. [1]
  • Although 84 percent of senior IT decision makers [were] concerned or very concerned about the risks associated with IT security breaches, 55 percent of CIOs have not tested cloud vendors’ security systems and procedures. [2]

Too Much Information Given Out?!

I came across this article not too long ago and it really got me thinking about not only the places where I put my information on the Internet, but the reasons I put my information out there. Most sites where we put our information seem really innocuous and quasi-safe because we don’t think the site is very interesting to anyone but ourselves and a handful of others with similar interests. It seems like it almost becomes a “second nature” activity to just blindly assume that Internet sites that don’t ask for your credit card are okay ’cause, well, it’s just my name, and maybe my phone number and/or address.

The New Normal: Security Metrics and Cloud Computing

Just a few short years ago, cloud seemed like a far-away thought for businesses, a “nice to have” rather than a “need to have.” Now, cloud is becoming the new normal. Organizations of all sizes are seeing the benefits of cloud. However, as businesses move to the cloud, they must do so safely, and with a well thought-out plan in place. To achieve a safe cloud environment, the IT industry needs to enforce rigorous cloud strategies around the protection of policy, information, people and infrastructures. This includes implementing security metrics.

According to the Symantec 2013 Hidden Costs of Cloud survey, rogue cloud deployments are one of the pitfalls of the cloud. It is a surprisingly common problem, found in more than 77 percent of businesses within the last year. It also seems to be an issue experienced more by enterprises (83 percent) than SMBs (70 percent).

Controlling the Consumer

Information Technology is radically changing. We can wrap it in terms and buzzwords like cloud, mobility, BYOD, Web 3.0, but the reality is both the sum of and more complex than the names we give it. IT is no longer in the hands of the professionals. It’s not just the devices but all aspects: the networks, the software, the services, and the infrastructure have become so ubiquitous and cost effective that any individual can own and manage their own IT.

As information security professionals, how can we bring any safety or security to this explosion of IT? It’s not as bleak as it sounds. Just as the current environment is the acceleration and combination of directions and trends from the past, so our existing tools and controls provide a basis to manage this new world. Don’t go looking for one technology or process to solve the problem, because there isn’t one. We must be as flexible and agile as the industry.

The “Frenemy” Within – Insider Theft of Intellectual Property

fren·e·my [fren-uh-mee] noun. Someone who is both friend and enemy, a relationship that is both mutually beneficial or dependent while being competitive, fraught with risk.

When it comes to taking your intellectual property (IP), employees are the less obvious player but they can be frenemy #1. In many cases, these trusted employees are moving, sharing and exposing sensitive data in order to do their daily jobs. In other instances, they are deliberately taking confidential information to use at their next employer. It’s not that these employees are inherently malicious – often they just don’t know it is wrong to do so.

DLP Strategy: How to Avoid 3 Common Data Loss Prevention Pitfalls

Defining a data loss prevention (DLP) strategy for your business can seem daunting because it’s not just about technology. It’s also about people and processes. Every group in your company can be affected by the loss of intellectual property and other sensitive information. Forward-looking security executives are driving DLP initiatives to prevent costly data breaches, comply with strict data privacy regulations, and stop malicious insiders and hackers. But like any other part of your security plan, it’s not always as simple as just turning on software – rolling out DLP without adequate preparation can derail your plans before you realize the benefits. Whether you’re just thinking about starting a DLP program at your company or have already decided to deploy one, set yourself up for success by avoiding these common pitfalls.
