<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>In Defense of Data</title>
	<atom:link href="http://www.indefenseofdata.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.indefenseofdata.com</link>
	<description>Exposing Data Security Leaks and Breaches</description>
	<lastBuildDate>Tue, 15 May 2012 15:41:58 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What can you get for $500,000? Notification for one data breach</title>
		<link>http://www.indefenseofdata.com/2012/05/what-can-you-get-for-500000-notification-for-one-data-breach/</link>
		<comments>http://www.indefenseofdata.com/2012/05/what-can-you-get-for-500000-notification-for-one-data-breach/#comments</comments>
		<pubDate>Tue, 15 May 2012 15:41:58 +0000</pubDate>
		<dc:creator>Tim Matthews</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[breach notification laws]]></category>
		<category><![CDATA[Cost of a Data Breach]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=796</guid>
		<description><![CDATA[U.S. companies are paying more to notify people impacted by data breaches, according to the 2011 Cost of a Data Breach Study: United States. The average cost to notify victims of a breach increased in this year’s study from approximately $510,000 to $560,000. At the same time, the average size of a breach is down 16 [...]]]></description>
			<content:encoded><![CDATA[<p>U.S. companies are paying more to notify people impacted by data breaches, according to the <a href="http://bit.ly/JZyWa0" target="_blank">2011 Cost of a Data Breach Study: United States</a>. The average cost to notify victims of a breach increased in this year’s study from approximately $510,000 to $560,000. At the same time, the average size of a breach is down 16 percent, and the costs associated with detecting and escalating data breach events declined as well, suggesting that companies may be getting more efficient at investigating data breaches.</p>
<p>So, if companies are better at detecting breaches and breaches involve fewer records, why are notification costs continuing to creep up?</p>
<p>The simple answer is that there are more laws and regulations governing data breach notification. Forty-six states now have data breach notification laws, and there are other regulatory requirements to deal with, for instance HIPAA and HITECH. While each state&#8217;s notification requirements vary, notification is typically required when personally identifiable information (PII) has been, or is &#8220;reasonably believed&#8221; to have been, breached.</p>
<p>There are some recent state breach law updates that companies should be aware of as well. In January, California updated its breach notification law to include more information in notices. Illinois also updated its law to include more details. But the biggest update on the state level will come next fall when a Texas law will go into effect that requires any company that does business in Texas (even if they have just one customer there) to notify <span style="text-decoration: underline;">all</span> affected customers if a breach takes place, not just Texas customers.</p>
<p>The Securities and Exchange Commission (SEC) also issued guidance in October 2011 prompting public companies to disclose privacy breaches because they can be material events. The new SEC guidance does not add any requirements to a company&#8217;s state-by-state obligations, but companies should consider the SEC&#8217;s current position when weighing whether disclosures must be included in filings.</p>
<p>Ultimately, all of these regulations requiring disclosure are not only increasing notification costs, they are also making consumers somewhat numb to data breach notification. The most recent Ponemon Institute data on the cost of a data breach shows that consumers are less likely than before to take their business elsewhere after a company has a breach. This is a significant shift. When notification requirements first came on the scene, notification was always couched in terms of identity theft, with real cases of people losing real money and having their lives disrupted. But as time has gone on and notification requirements have evolved, consumers now may receive a handful of notifications and never suffer financial loss or identity theft. I’ve gotten quite a few of these myself, and I’ve yet to suffer a financial loss as a result.</p>
<p>With all of these changing regulations, any organization that stores sensitive data needs to be in the know. It doesn’t matter if it’s customer credit card numbers, social security numbers, patient health information or email addresses, you need to protect it. It’s definitely <span style="text-decoration: underline;">not</span> cheaper to deal with losses, so investment in tighter controls makes sense.</p>
<p>To estimate your organization’s risk exposure, visit: <a href="http://bit.ly/h5BnXJ" target="_blank">www.databreachcalculator.com</a>.</p>
<p>What are your thoughts on data breach notification laws?</p>
<p><em>Cross-posted on Symantec&#8217;s <a href="http://bit.ly/JkHyLe" target="_blank">Information Unleashed</a>. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/05/what-can-you-get-for-500000-notification-for-one-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Save the Date: ISTR 17 Twitter Chat</title>
		<link>http://www.indefenseofdata.com/2012/05/save-the-date-istr-17-twitter-chat/</link>
		<comments>http://www.indefenseofdata.com/2012/05/save-the-date-istr-17-twitter-chat/#comments</comments>
		<pubDate>Thu, 10 May 2012 15:20:09 +0000</pubDate>
		<dc:creator>Symantec</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security Threat Report]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=789</guid>
		<description><![CDATA[Join Symantec security experts on Twitter (using the #ISTR hashtag) on Tuesday, May 15, at 10 a.m. PT / 1 p.m. ET to chat about the key trends highlighted in Symantec’s recently released Internet Security Threat Report, Volume 17.
This year’s report, which covers the major threat trends observed by Symantec in 2011, highlights several troubling [...]]]></description>
			<content:encoded><![CDATA[<p>Join Symantec security experts on Twitter (using the <a href="https://twitter.com/#%21/search/realtime/%23ISTR">#ISTR</a> hashtag) on Tuesday, May 15, at 10 a.m. PT / 1 p.m. ET to chat about the key trends highlighted in Symantec’s recently released <a href="http://bit.ly/IUbgra" target="_blank">Internet Security Threat Report, Volume 17</a>.</p>
<p>This year’s report, which covers the major threat trends observed by Symantec in 2011, highlights several troubling developments. For example:</p>
<ul>
<li>Symantec blocked more than 5.5 billion malicious attacks in 2011, an increase of 81 percent over the previous year.</li>
<li>The number of unique malware variants increased to 403 million and the number of Web attacks blocked per day increased by 36 percent.</li>
<li>Targeted attacks are growing, with the number of daily targeted attacks increasing from 77 per day to 82 per day by the end of 2011. The targets of these attacks are also becoming more diverse, with SMBs being targeted in addition to large enterprises.</li>
</ul>
<p>The news isn’t all bad, however, with several positive trends also being called out; though these trends do demonstrate that there are two sides to every coin. For instance:</p>
<ul>
<li>Spam levels have fallen by 13 percent, though this is likely a result of attackers turning more of their attention to social networks as attack vectors.</li>
<li>Overall, new vulnerabilities discovered in 2011 decreased by 20 percent. However, new mobile device-related vulnerabilities discovered during the year increased by 93 percent.</li>
</ul>
<p>The report is based on data from the Global Intelligence Network, which Symantec&#8217;s analysts use to identify, analyze and provide commentary on emerging trends in attacks, malicious code activity, phishing and spam.</p>
<p>So, mark your calendars now:</p>
<p><strong><em>Symantec ISTR Twitter Chat</em></strong></p>
<p><strong>Date: </strong>Tuesday, May 15, 2012</p>
<p><strong>Time: </strong>Starts at 10 a.m. PT / 1 p.m. ET</p>
<p><strong>Length:</strong> 1 hour</p>
<p><strong>Where: </strong>On Twitter.com; follow the hashtag <a href="https://twitter.com/#%21/search/realtime/%23ISTR">#ISTR</a></p>
<p><strong>Expert participants:</strong></p>
<ul>
<li>Paul Wood, Senior Intelligence Analyst, Symantec (<a href="https://twitter.com/#%21/paulowoody">@paulowoody</a>)</li>
<li>Kevin Haley, Director of Product Management, Security Technology and Response, Symantec (<a href="https://twitter.com/#%21/KPHaley">@KPHaley</a>)</li>
</ul>
<p><em>(Cross-posted from <a href="http://www.symantec.com/connect/blogs/save-date-istr-17-twitter-chat" target="_blank">Symantec Connect</a></em>)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/05/save-the-date-istr-17-twitter-chat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Get More $ for Security</title>
		<link>http://www.indefenseofdata.com/2012/05/how-to-get-more-budget-for-security/</link>
		<comments>http://www.indefenseofdata.com/2012/05/how-to-get-more-budget-for-security/#comments</comments>
		<pubDate>Wed, 09 May 2012 15:30:01 +0000</pubDate>
		<dc:creator>James Hurley</dc:creator>
				<category><![CDATA[IT Risk and Compliance]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[IT GRC]]></category>
		<category><![CDATA[IT risk management]]></category>
		<category><![CDATA[security management]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=779</guid>
		<description><![CDATA[IT compliance may not be as thrilling as the latest Tablet computer or Smartphone that users are bringing into your organization. However, for many organizations it’s the main driver for justifying IT security budgets used to protect the organization’s critical information that users have access to on those shiny new Tablets or Smartphones.
Admittedly, it’s fairly [...]]]></description>
			<content:encoded><![CDATA[<p>IT compliance may not be as thrilling as the latest Tablet computer or Smartphone that users are bringing into your organization. However, for many organizations it’s the main driver for justifying IT security budgets used to protect the organization’s critical information that users have access to on those shiny new Tablets or Smartphones.</p>
<p>Admittedly, it’s fairly easy to secure funding for compliance. After all, you really don’t have a choice – you must comply with all the mandates, rules and regulations that are central to your industry. But, being compliant is just the start of what you must do. Adequately protecting that information means going beyond the minimum – which many are guilty of doing – despite everyone in IT recognizing that being compliant doesn’t equate to being secure. The problem is that justifying additional security budget beyond the compliance checklist remains a significant challenge for most IT departments.</p>
<p>The <a href="http://www.itpolicycompliance.com/">IT Policy Compliance Group</a> has done extensive research on IT security spend and performance outcomes, and what they’ve seen is that greater spend in every industry, and by all size organizations, equals better results. In fact, organizations with the best outcomes (those with fewer incidents of loss or theft of sensitive information, fewer deficiencies in IT to pass audit, less business downtime from IT problems, and higher revenue and profits) spend 240% more in actual dollars on information security than those with average results, and a whopping 2,400% more than the worst performers.</p>
<p>Getting better results is not just about spending more, however; it is also about where the funds are directed. The organizations with the best outcomes use their information security budgets to deal with their higher-risk exposures. The idea is simple and logical, but unfortunately it hasn’t made a dent with most organizations. On one hand, the worst performers are underspending relative to their risks; on the other, organizations that may be spending enough are underperforming because they aren’t allocating enough to the business risks.</p>
<p>So how do companies with less-than-desirable IT security and audit outcomes start to shine like their better performing peers? Research from the IT Policy Compliance Group shows that the CEO is the primary decision maker for how much is spent on preventing IT risk to an organization. This means that how you communicate risk to CxOs and the board of directors directly impacts your information security budget. CISOs can’t get too granular, and focusing on the technology is often the wrong approach. Instead, they must explain risks as they relate to business priorities, in simple terms that everyone understands. One CISO told me, “If my wife understands what I’m talking about, I know I can sell it to the board.” The best performers in each industry understand this, and they’re helping their business peers make informed decisions based on prioritized business risks.</p>
<p>To do this, the best performing organizations use tools like <a href="http://www.symantec.com/theme.jsp?themeid=control-compliance-suite" target="_blank">dashboards and scorecards</a> to communicate risk, security exposures and the like in a business context to different stakeholders. Best performers use reports and dashboards to communicate the business impact of IT risk. For instance, the data they show might summarize trends in the risks to a critical business process, instead of highlighting the technical gotchas on some databases, a data warehouse or a set of servers in the datacenter. With these approaches, the best performers foster the understanding that drives more action among stakeholders and makes a better case for additional security spending to manage the risks.</p>
<p>I get asked quite frequently how long it normally takes to go from a worst performer to a best performer in IT security and audit. The answer is that there is no normal. We’ve seen organizations take between 2 and 6 years to become a best performer, for a variety of reasons ranging from budget to planning time. What remains clear from our research is that the better you communicate business risks to the executive team and board members, the easier it is for CxOs to understand and approve the key security spending initiatives that drive down those risks.</p>
<p>What are you doing to communicate and address higher-risk security problems in your organization?</p>
<p><em>Guest blogger James Hurley is managing director of IT Policy Compliance Group.<br />
</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/05/how-to-get-more-budget-for-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Practical Risk Management – Part 2</title>
		<link>http://www.indefenseofdata.com/2012/05/practical-risk-management-%e2%80%93-part-2/</link>
		<comments>http://www.indefenseofdata.com/2012/05/practical-risk-management-%e2%80%93-part-2/#comments</comments>
		<pubDate>Tue, 01 May 2012 18:35:25 +0000</pubDate>
		<dc:creator>Paul Tobia</dc:creator>
				<category><![CDATA[IT Risk and Compliance]]></category>
		<category><![CDATA[IT GRC]]></category>
		<category><![CDATA[IT risk management]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=774</guid>
		<description><![CDATA[All information security programs are unique. The interactions of business, industry, and technology are too complex to prescribe a definitive framework for practical risk management. Instead, I will outline various guidelines and themes that any practical risk framework should contain.]]></description>
			<content:encoded><![CDATA[<p>Tackling Risk Management, One Step at a Time</p>
<p>In <a href="http://www.indefenseofdata.com/2012/03/practical-risk-management-part-1/">part one of the series</a> I explained why information security programs should include practical risk management as a key component. In this post I will explain “the what” of practical risk management with some guidelines. The final post in the series will be “the how” of implementing practical risk management in your environment.</p>
<p>All information security programs are unique. The interactions of business, industry, and technology are too complex to prescribe a definitive framework for practical risk management. Instead, I will outline various guidelines and themes that any practical risk framework should contain.</p>
<p><strong>Business Compatible</strong> &#8211; Above all, practical risk management needs to acknowledge and be compatible with the business it will protect. Most often the people who will accept the risk or approve the mitigation will not be security experts per se – however, they will understand the business and its goals/objectives. Presenting the risk by acknowledging business needs as well as security dangers will defuse the perception that security hinders the business instead of protecting it.</p>
<p><strong>Qualitative</strong> &#8211; Expressing risk with complex formulas and finely detailed scoring will likely create more confusion, focusing the discussion on the math rather than on the critical decision-making process surrounding risk. You don’t want to get into an argument on what a risk score of 6.3 versus 5.9 means to the business as a whole. Instead, risk should be measured in general terms of severity. I’ve found four severity levels &#8212; calculated by a matrix of threat and impact definitions &#8212; to be the most effective way of relaying risk in nearly every environment I’ve been familiar with:<br />
1. Critical &#8211; An active threat to the environment with high impact requiring immediate action<br />
2. High &#8211; Very likely threat with high impact requiring high priority action<br />
3. Medium &#8211; Likely threat with moderate impact requiring normal priority action<br />
4. Low &#8211; Unlikely threat or minimal impact requiring documentation and tracking</p>
<p><strong>Process Focused</strong> &#8211; Practical risk management should not be limited to patching and compliance with configuration standards but should also include business processes, system design, change management, and data lifecycle management.</p>
<p><strong>Actionable</strong> &#8211; The ultimate goal of practical risk management is to get the decision makers to agree upon a strategy where they accept risk, transfer risk, or approve mitigating controls. Documenting and educating on the strategic risks of an environment has value, but should be kept separate from the operational functions of practical risk management.</p>
<p><strong>Documented</strong> &#8211; It is likely that you will uncover multiple risks in various stages of management. Documentation of each risk as it travels through the process, and archiving managed risks, will be critical to the effective implementation of the program. I recommend keeping it simple and easy to use in order to improve the security team’s ability to process and track high volumes of risks.</p>
<p><strong>Repeatable</strong> &#8211; Consistency will build trust in the practical risk management process. Build your program on the many existing frameworks for information security risk; NIST SP 800-39 and ISO 27005 are two great resources to get you started.</p>
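<p>As an added illustration, and not the author’s own tooling, here is the matrix and the guidelines above in Python: a small register that rates each risk from threat and impact using the four severity levels defined in this post, keeps a history for each risk, prioritizes open risks for a plain-language report, and lets only a named business owner close a risk with one of accept, transfer or mitigate plus a written rationale. The post defines four matrix cells; the three it does not define (active/moderate, very likely/moderate, likely/high) are assumed fills and are marked as such in the code, and the sample risks are constructed.</p>

```python
"""Qualitative risk register on a threat x impact matrix (added example, not the post's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

Threat = Enum("Threat", "UNLIKELY LIKELY VERY_LIKELY ACTIVE")   # values 1..4; ACTIVE = exploited now
Impact = Enum("Impact", "MINIMAL MODERATE HIGH")
Severity = Enum("Severity", "LOW MEDIUM HIGH CRITICAL")

# Cells marked "post" are the post's own definitions; the others are assumed
# fills, rounded toward the more severe level so nothing is under-rated.
MATRIX = {
    (Threat.ACTIVE, Impact.HIGH): Severity.CRITICAL,         # post
    (Threat.ACTIVE, Impact.MODERATE): Severity.HIGH,         # assumed
    (Threat.VERY_LIKELY, Impact.HIGH): Severity.HIGH,        # post
    (Threat.VERY_LIKELY, Impact.MODERATE): Severity.MEDIUM,  # assumed
    (Threat.LIKELY, Impact.HIGH): Severity.HIGH,             # assumed
    (Threat.LIKELY, Impact.MODERATE): Severity.MEDIUM,       # post
}
REQUIRED_ACTION = {Severity.CRITICAL: "immediate action", Severity.HIGH: "high priority action",
                   Severity.MEDIUM: "normal priority action", Severity.LOW: "documentation and tracking"}
DISPOSITIONS = ("accept", "transfer", "mitigate")


def rate(threat, impact) -> Severity:
    """Unlikely threat OR minimal impact is Low (post); everything else is a matrix lookup."""
    if threat is Threat.UNLIKELY or impact is Impact.MINIMAL:
        return Severity.LOW
    return MATRIX[(threat, impact)]


@dataclass
class Risk:
    rid: str
    title: str            # stated in business terms: the process or data at risk
    threat: Threat
    impact: Impact
    owner: str            # the business decision maker, not the security team
    disposition: Optional[str] = None
    history: List[str] = field(default_factory=list)

    @property
    def severity(self) -> Severity:
        return rate(self.threat, self.impact)


class Register:
    """Open risks move through assessment to a decision; decided risks are archived."""

    def __init__(self) -> None:
        self.open: Dict[str, Risk] = {}
        self.archive: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> Risk:
        if risk.rid in self.open or risk.rid in self.archive:
            raise ValueError(f"duplicate risk id {risk.rid}")
        risk.history.append(f"opened as {risk.severity.name}")
        self.open[risk.rid] = risk
        return risk

    def reassess(self, rid: str, threat, impact) -> Severity:
        """Severity is always recomputed from the matrix, never edited by hand."""
        risk, before = self.open[rid], self.open[rid].severity
        risk.threat, risk.impact = threat, impact
        risk.history.append(f"reassessed {before.name} -> {risk.severity.name}")
        return risk.severity

    def decide(self, rid: str, disposition: str, rationale: str) -> Risk:
        """Record the owner's decision; a written rationale is mandatory for the archive."""
        if disposition not in DISPOSITIONS:
            raise ValueError(f"disposition must be one of {DISPOSITIONS}")
        if not rationale.strip():
            raise ValueError("a written rationale is required")
        risk = self.open.pop(rid)
        risk.disposition = disposition
        risk.history.append(f"{disposition} by {risk.owner}: {rationale}")
        self.archive[rid] = risk
        return risk

    def prioritized(self) -> List[Risk]:
        """Most severe first, ties broken by threat likelihood."""
        return sorted(self.open.values(), key=lambda r: (r.severity.value, r.threat.value), reverse=True)

    def report(self) -> List[str]:
        """One plain-language line per open risk for non-security decision makers."""
        return [f"{r.severity.name}: {r.title} (owner: {r.owner}) requires {REQUIRED_ACTION[r.severity]}"
                for r in self.prioritized()]


if __name__ == "__main__":   # constructed sample risks, not real findings
    reg = Register()
    reg.add(Risk("R1", "Patient records emailed to personal webmail", Threat.ACTIVE, Impact.HIGH, "VP Clinical Ops"))
    reg.add(Risk("R2", "Unofficial access path bypasses approval", Threat.LIKELY, Impact.MODERATE, "Dir. Finance"))
    reg.add(Risk("R3", "Unpatched legacy print server, isolated VLAN", Threat.UNLIKELY, Impact.HIGH, "IT Ops"))
    print("\n".join(reg.report()))
    reg.decide("R2", "accept", "process retires in Q3; access logs audited until then")
```

<p>Two design choices follow the post directly: severity is never stored, only derived, so reassessing a risk cannot drift from the matrix; and a decision without a disposition from the fixed list and a written rationale is rejected, which is what keeps the archive usable as evidence later.</p>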
<p>In the next post I&#8217;ll wrap up with recommendations on how to get a practical risk management program up and running.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/05/practical-risk-management-%e2%80%93-part-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>RSAC Panel Insights: Can Data Breaches Be Stopped, Really?</title>
		<link>http://www.indefenseofdata.com/2012/03/rsac-panel-insights-can-data-breaches-be-stopped-really/</link>
		<comments>http://www.indefenseofdata.com/2012/03/rsac-panel-insights-can-data-breaches-be-stopped-really/#comments</comments>
		<pubDate>Thu, 29 Mar 2012 19:00:37 +0000</pubDate>
		<dc:creator>Robert Hamilton</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[malicious attacks]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[WikiLeaks]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=766</guid>
		<description><![CDATA[Can data breaches be stopped, really? This was the question posed by Larry Ponemon, chairman and founder of the Ponemon Institute, at the start of a panel discussion I attended at the RSA Conference last month. Experts on this panel seemed to agree on one answer – No.
The tongue-in-cheek response from James Christiansen, Evantix CEO [...]]]></description>
			<content:encoded><![CDATA[<p>Can data breaches be stopped, really? This was the question posed by Larry Ponemon, chairman and founder of the Ponemon Institute, at the start of a panel discussion I attended at the RSA Conference last month. Experts on this panel seemed to agree on one answer – <em>No.</em></p>
<p>The tongue-in-cheek response from James Christiansen, Evantix CEO and CISO, brought a room full of laughter when he said, “Yes, you just need to put the computer in a safe and bury it 30 feet underground.”</p>
<p>Jon Oltsik, an analyst at Enterprise Strategy Group, equated the situation to the war on drugs, “Border control may be able to capture some on the borders, but the problem continues to escalate and keeps getting bigger.” John Townsend, Manager of Information Protection and Security, DTE Energy commented, “If we use the wall analogy, rather than having a brick fence what we now have is a chain link fence. While we have made some inroads, people are still not taking security seriously enough.”</p>
<p><strong><em>Malicious Insiders</em></strong></p>
<p>Clearly, it’s been a very busy year for breaches in general and, while the panel touched on news-making hacktivists, one of the more concerning themes was malicious insiders. From stories of a rogue UNIX programmer who hacked their own systems and needed to be shown the door, to discussions of Bradley Manning, it was apparent that the malicious insider problem is underestimated.</p>
<p>This is not a simple problem to solve. Malicious insiders are going after high-value information. Among Symantec’s customers, we see desire to protect intellectual property – things like product design plans and source code. This is harder than finding and protecting something like Social Security numbers.</p>
<p>The discussion of malicious insiders boiled down to one key point – Access. Malicious insiders frequently steal information that they have access to. Bradley Manning is a perfect example of this, and Jon Oltsik was wise to point out that, “You never hear about the folks who didn’t put the proper controls in place. They had a role to play in this too.” And, everyone on the panel agreed with this statement.</p>
<p><strong><em>Well-Meaning Insiders</em></strong></p>
<p>But it’s not just bad people doing bad things that organizations need to worry about. As Rich Dandliker, Senior Director of Product Management at Symantec, noted on the panel, there will always be Darwin Award candidates, but what we see with our customers is the danger of folks taking inadvertent risks while trying to get their jobs done. For example, one of our healthcare customers found that doctors were emailing patient records to their personal, web-based email addresses. This wasn’t malicious by any means. They were just trying to get their work done the easiest way they knew. However, they were obviously putting this data at risk.</p>
<p>Education is critical for reducing risks from these well-meaning insiders. But, neither technology nor training is the “silver bullet.” In my opinion, organizations need to make training actionable. One of our financial services customers implemented DLP, and their employees started receiving alerts in real time when they did something against policy. The result was an 80 percent reduction in the behavior after a single notification.</p>
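<p>The real-time alert described above, as an added example that is neither Symantec’s DLP product nor the customer’s configuration: a Python check run over an outbound message that counts Social Security number, medical-record-number and payment-card patterns in the body (with plausibility and Luhn checks to keep false positives down), compares the recipients against the corporate domain, and, when identifiers are bound for an outside address, holds the message and returns the plain-language notice the sender would see immediately. The corporate and webmail domain lists, the MRN format and the three sample messages are all assumptions constructed here.</p>

```python
"""Outbound-mail DLP check with real-time sender feedback (added example; not Symantec's or a customer's code)."""
import re
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, List

CORPORATE_DOMAINS = {"hospital.example"}                                   # assumption: our own domain(s)
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumption: personal webmail

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN[ #:]*(\d{6,10})\b", re.IGNORECASE)   # assumed medical-record-number format
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")                 # 13-19 digits with optional separators


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues; cuts false positives on IDs and dates."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so only checksum-valid card numbers count as findings."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> Dict[str, int]:
    """Count each identifier class present; only classes actually found are returned."""
    counts = {
        "ssn": sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())),
        "mrn": len(MRN_RE.findall(text)),
        "card": sum(1 for m in CARD_RE.finditer(text)
                    if 13 <= sum(c.isdigit() for c in m.group()) <= 16 and luhn_ok(m.group())),
    }
    return {k: v for k, v in counts.items() if v}


def external_recipients(msg) -> List[str]:
    """Addresses in To/Cc/Bcc whose domain is not one of ours."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if "@" in addr and addr.rsplit("@", 1)[1].lower() not in CORPORATE_DOMAINS]


def evaluate(raw_message: str) -> Dict[str, object]:
    """Policy: patient and payment identifiers may not leave the corporate domain.
    Returns the verdict and the plain-language notice the sender sees immediately."""
    msg = message_from_string(raw_message)
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")
    findings = find_identifiers(body)
    external = external_recipients(msg)
    webmail = [a for a in external if a.rsplit("@", 1)[1].lower() in WEBMAIL_DOMAINS]
    if findings and external:
        summary = ", ".join(f"{n} {k.upper()}" for k, n in sorted(findings.items()))
        notice = (f"Your message to {', '.join(external)} was held: it contains {summary}. "
                  "Patient and payment data may only go to corporate addresses or via the approved secure-transfer service.")
        return {"verdict": "block", "findings": findings, "external": external, "webmail": webmail, "notice": notice}
    return {"verdict": "allow", "findings": findings, "external": external, "webmail": webmail, "notice": ""}


# Constructed sample messages: no real people, records or accounts.
PHI_TO_WEBMAIL = """\
From: dr.lee@hospital.example
To: Dr Lee <drlee.home@gmail.com>
Subject: Tomorrow's cases

Pt J. Doe, MRN 00482913, SSN 219-09-9999, needs pre-op labs before 07:00.
"""
PHI_INTERNAL = PHI_TO_WEBMAIL.replace("drlee.home@gmail.com", "nursing-desk@hospital.example")
CLEAN_EXTERNAL = """\
From: billing@hospital.example
To: vendor@supplier.example
Subject: PO follow-up

Reference 000-12-3456 is not an SSN and 4111 1111 1111 1112 fails the Luhn check.
"""

if __name__ == "__main__":
    for raw in (PHI_TO_WEBMAIL, PHI_INTERNAL, CLEAN_EXTERNAL):
        result = evaluate(raw)
        print(result["verdict"], result["findings"], result["notice"])
```

<p>The same record sent to a colleague inside the corporate domain passes, which matches the point above: the doctors were not doing anything wrong by handling the data, only by the route they chose. The <code>webmail</code> field is kept separately because a personal-webmail destination is the pattern worth reporting on over time, not just blocking once.</p>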
<p>Other panelists shared some equally interesting thoughts on training:</p>
<p>“In Korea they train children on how to use the Internet and security best practices from a young age. My two kids are teenagers, and they know nothing about security even though they are online all the time. You need a combination of controls and training. Training can only take you so far.” – Jon Oltsik</p>
<p>“Training is good for awareness. It helps to make security more transparent. Then if things get flagged, they have the background to know where it is coming from.” – James Christiansen</p>
<p><strong><em>Disruptive Technologies</em></strong></p>
<p>I don’t think any panel at RSA would be complete without talking about mobility, the cloud and the consumerization of IT. This panel was no exception.</p>
<p>Jon Oltsik’s take on the situation was judicious. He said, “It’s a cascading situation. We need to bake security in rather than bolting it on. But, right now we see a shortage of security skills, and it is getting worse. The problem is the intersection of these disruptive technologies and security. There’s a real lack of professionals to tackle these challenges.”</p>
<p>Rich Dandliker equated the growth of mobile to what Voltaire said about drinking coffee – when asked whether it was a poison, he said it must be a slow one. Currently, organizations don’t realize how much mobile has impacted their organizations because it is happening here and there. It’s important that organizations address mobile security challenges proactively or they’ll be in for a nasty shock.</p>
<p>However, when it comes down to it, all of these trends go together. It’s not enough to worry about mobile. It’s not enough to worry about the cloud. Security leaders need to look at all of them because businesspeople are looking at all of these options to increase productivity, and we need to find ways to support them.</p>
<p><strong><em>Better or Worse?</em></strong></p>
<p>Larry Ponemon concluded the panel by asking “Is this problem getting better or worse?” Panelists seemed to agree that it’s going to get worse before it gets better. Jon Oltsik summed it up nicely, “From our research, we see organizations spending more money and attention on the problem. CEOs are more aware and involved than ever before. However, the problem is getting worse and more complex. In general I am mildly optimistic.”</p>
<p>Many thanks to the panelists and moderator for the lively discussion.</p>
<p><em>Moderator:</em></p>
<ul>
<li>Larry Ponemon, Chairman and Founder, Ponemon Institute</li>
</ul>
<p><em>Panelists:</em></p>
<ul>
<li>James Christiansen, CEO and CISO, Evantix</li>
<li>John Townsend, Manager of Information Protection and Security, DTE Energy</li>
<li>Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group</li>
<li>Rich Dandliker, Senior Director of Product Management, Symantec Corporation</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/03/rsac-panel-insights-can-data-breaches-be-stopped-really/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Practical Risk Management &#8211; Part 1</title>
		<link>http://www.indefenseofdata.com/2012/03/practical-risk-management-part-1/</link>
		<comments>http://www.indefenseofdata.com/2012/03/practical-risk-management-part-1/#comments</comments>
		<pubDate>Tue, 27 Mar 2012 16:21:23 +0000</pubDate>
		<dc:creator>Paul Tobia</dc:creator>
				<category><![CDATA[IT Risk and Compliance]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IT risk management]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=759</guid>
		<description><![CDATA[It is time for information security to leave the nest of the data center. Consumerization and the cloud in all its forms and definitions have moved critical and sensitive information beyond the traditional system level security controls with which we are all familiar. How information is managed is no longer solely decided by information technology [...]]]></description>
			<content:encoded><![CDATA[<p>It is time for information security to leave the nest of the data center. Consumerization and the cloud in all its forms and definitions have moved critical and sensitive information beyond the traditional system level security controls with which we are all familiar. How information is managed is no longer solely decided by information technology and system admins but the business as a whole. In order for information security to remain effective we must have a seat at the table for these business decisions. We must be able to speak in terms that the leaders of the business understand. We must speak the language of risk.</p>
<p>Compliance with laws and regulations cannot be the only guiding force behind our security decisions. These laws and regulations are too generic and static to provide anything more than a baseline of security for the business. HIPAA doesn’t understand the cloud. SOX doesn’t address BYOD. State privacy laws don’t provide guidance on the use of cloud-based file sharing services. It’s up to us, the security professionals, to understand how our business works, how these new capabilities can improve business and what unacceptable security risk might result from using these.</p>
<p>Compliance is also a binary state. You are either compliant or not. The security of a business changes on a daily basis and cannot align with that kind of binary thinking. Basing a security program solely on compliance can also create the incorrect perception that compliant equals secure. When I became a health care CISO, I spent a significant amount of time creating a culture of protecting all sensitive information beyond the relatively narrow confines of HIPAA requirements around protected health information.</p>
<p>When security affects business processes the decision is rarely left to the CISO. Previously, I was concerned when a new unofficial business process by our users was bypassing an already defined access process. There was no specific instance of law, regulation, or policy that was against the unofficial process but I felt that it incurred an unacceptable risk to the business. So I did my research and made my case explaining the risk to various business leaders. This helped them to understand the risk to their business and our company and make an educated decision on whether or not to accept or mitigate the risk. In this instance they chose to accept the risk but I was able to sleep well that night knowing that I communicated the risk well and they were able to use that to make an educated decision.</p>
<p>This was an example of practical risk management, a tool that I believe all information security programs need to have. It focuses on operational issues that are directly affecting the business today and expresses the security risk in a qualitative manner that is easily understood by non-security professionals. It also has a framework of good information security practices backing it up to withstand closer scrutiny. I’ll be digging into how to build this kind of framework in subsequent posts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/03/practical-risk-management-part-1/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Negligent Employees and Malicious Attacks Cause 75% of Data Breaches</title>
		<link>http://www.indefenseofdata.com/2012/03/negligent-employees-and-malicious-attacks-cause-75-percent-of-data-breaches/</link>
		<comments>http://www.indefenseofdata.com/2012/03/negligent-employees-and-malicious-attacks-cause-75-percent-of-data-breaches/#comments</comments>
		<pubDate>Tue, 20 Mar 2012 10:00:38 +0000</pubDate>
		<dc:creator>Tim Matthews</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[Cost of a Data Breach]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[malicious attacks]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=747</guid>
		<description><![CDATA[The past year was a whirlwind of high-profile data breaches. There were nearly 900 data breaches in 2011, more than the prior two years[i], with over 31 million records breached[ii]. And, as the number of reported breaches continued to rise, organizations still paid a hefty cost for data breaches, according to this year’s Cost of [...]]]></description>
			<content:encoded><![CDATA[<p>The past year was a whirlwind of high-profile data breaches. There were nearly 900 data breaches in 2011, more than the prior two years<a href="#_edn1">[i]</a>, with over 31 million records breached<a href="#_edn2">[ii]</a>. And, as the number of reported breaches continued to rise, organizations still paid a hefty cost for data breaches, according to this year’s <a href="http://bit.ly/zB0wlN" target="_blank">Cost of a Data Breach Study</a>. The organizational cost of a data breach was $5.5 million last year, and the cost per lost or stolen record was $194.</p>
<p>Let’s dive into some of the more interesting findings from this year’s study.</p>
<p><strong>Malicious Attacks Most Costly Breaches</strong></p>
<p>Malicious or criminal attacks are causing almost as many breaches as negligent insiders. In 2011, negligence was the root cause of 39 percent of the data breaches, while malicious attacks caused 37 percent of data breaches (up 6 points from 2010). For the first time <em>malicious attacks account for more than a third of breaches</em>; they also remain the most costly type of breach at $222 per compromised record.</p>
<p>New to this year’s study, the report includes the types of malicious attacks (see figure below). Not surprisingly, data-stealing malware is the leading attack type at 50 percent. The second most common type of malicious attack comes from within the organization – malicious insiders were involved in 33 percent of criminal attacks. That’s right, a third of malicious attacks involved rogue employees.</p>
<p><a href="http://www.indefenseofdata.com/wp-content/uploads/2012/03/CODB1.jpg"><img class="alignleft size-full wp-image-749" title="CODB1" src="http://www.indefenseofdata.com/wp-content/uploads/2012/03/CODB1.jpg" alt="" width="661" height="400" /></a></p>
<p>Organizations of all sizes are susceptible to malicious insider data theft. In a <a href="http://bit.ly/yUSvVh" target="_blank">recent white paper</a>, two forensic psychologists examined corporate data theft trends. The research they reviewed showed that in about half of corporate IP theft cases the employee stole trade secrets, followed by business information such as billing information or price lists. In other cases source code or proprietary software was taken, as well as customer information or business plans. This research also indicated that in 75 percent of cases the insider had authorized access to the data they stole, making it more difficult to solve the problem simply by strengthening security measures.</p>
<p><strong>Data Breach Costs Declined</strong></p>
<p><a href="../2011/03/ponemon-cost-of-a-data-breach-climbs-higher/" target="_self">Dr. Larry Ponemon speculated</a> last year that eventually data breach costs would start coming down because consumers will become somewhat immune to data breach news — data breach notifications will become so commonplace that customers just won’t care anymore. For the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. Only time will tell if we’ve truly reached this turning point, but this year’s <a href="http://bit.ly/zB0wlN" target="_blank">Cost of a Data Breach Study</a> certainly seems to support the notion.</p>
<p><strong>More Customers Remain Loyal After Breach</strong></p>
<p>The biggest impact on the cost of a data breach has always been lost business, and this year lost business costs sharply decreased from $4.5 million in 2010 to $3 million in 2011. These costs include abnormal turnover of customers, increased customer acquisition activities, reputation loss and diminished goodwill. For the first time, fewer customers are abandoning companies that have a data breach. The customer churn rate following a data breach decreased from 3.9 percent to 3.2 percent, which means more customers remain loyal after the data breach.</p>
<p>Clearly, we’re seeing a shift here. But it may be a bit premature to declare that consumers have become numb to data breach news (we’ll see what the data shows next year).</p>
<p><strong>Know Your Potential Cost</strong></p>
<p>While some may take the decrease in data breach costs as a good sign, it’s important to put things in perspective – data breaches still cost companies just shy of $200 per record. As organizations of all sizes battle an uptick in both internal and external threats, the question is, what would a data breach cost you?</p>
<p><em>Calculate your potential cost of a data breach </em>at <a href="http://bit.ly/FOf2fX" target="_blank">www.databreachcalculator.com</a>. This free tool from Symantec lets you connect the dots between all of this research and what it really means to you by estimating how a data breach could impact your company. You can check it out at <a href="http://bit.ly/FOf2fX" target="_blank">www.databreachcalculator.com</a>.</p>
<p>Symantec also recommends that you implement information protection best practices and technologies to reduce the risk of data breach incidents. Consider the following best practices to avoid data loss:</p>
<ul>
<li>Assess risks by identifying and classifying confidential information</li>
<li>Educate employees on information protection policies and procedures (such as streamlined social media profiles), then hold them accountable</li>
<li>Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints</li>
<li>Deploy data loss prevention technologies which enable policy compliance and enforcement</li>
<li>Proactively encrypt laptops to minimize consequences of a lost device</li>
<li>Implement two-factor authentication (e.g., VPN plus a strong user name and password)</li>
<li>Integrate information protection practices into business processes</li>
</ul>
<p>As always, I’d like to hear from you. What do you think about the findings from this year’s report?</p>
<hr size="1" /><p><a href="#_ednref1">[i]</a> <a href="http://datalossdb.org/" target="_blank">DataLossDB.org</a></p>
<p><a href="#_ednref2">[ii]</a> <a href="http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml" target="_blank">Identity Theft Resource Center</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/03/negligent-employees-and-malicious-attacks-cause-75-percent-of-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISOs are in a Mobile Mindset, but Plenty of Work Remains</title>
		<link>http://www.indefenseofdata.com/2012/02/cisos-are-in-a-mobile-mindset-but-plenty-of-work-remains/</link>
		<comments>http://www.indefenseofdata.com/2012/02/cisos-are-in-a-mobile-mindset-but-plenty-of-work-remains/#comments</comments>
		<pubDate>Tue, 21 Feb 2012 22:28:44 +0000</pubDate>
		<dc:creator>Tim Matthews</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[user authentication]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=715</guid>
		<description><![CDATA[With the end of 2011 upon us, one thing is sure: the mobile revolution is in full swing. Smartphones and tablets are everywhere.
In fact, according to the analyst firm Gartner, sales of smartphones will exceed 461 million this year – surpassing PC shipments in the process – and rise to 645 million in 2012. Combined [...]]]></description>
			<content:encoded><![CDATA[<p>With the end of 2011 upon us, one thing is sure: the mobile revolution is in full swing. Smartphones and tablets are everywhere.</p>
<p>In fact, according to the analyst firm Gartner, sales of smartphones will exceed 461 million this year – surpassing PC shipments in the process – and rise to 645 million in 2012. Combined sales of smartphones and tablets will be 44 percent greater than the PC market by the end of the year. Beyond 2011, Gartner says tablet use will jump to 900 million by 2016.</p>
<p>These devices are not just becoming mainstream, they are penetrating nearly every aspect of our lives. More importantly, for many the line between personal and business devices has been blurred, or erased altogether. More often than not, a single device is used for both personal and business activities, with Gartner also predicting that 80 percent of professionals will use at least two personal devices to access corporate systems and data by 2014.</p>
<p>It’s not just employees who see the value in mobile computing. A recent IDG CSO Quick Poll <a href="http://bit.ly/wbCfIn" target="_blank">survey</a> commissioned by Symantec found that CISOs strongly believe mobile computing is important to their organizations. In fact, nearly 90 percent of CISOs feel mobile devices should be treated as equal endpoints with desktops and laptops.</p>
<p>However, the security challenges mobile devices create – especially personally-liable devices associated with a BYOD program – also weigh heavily on CISOs’ minds. According to the same Symantec-commissioned study, the majority of CISOs say they can provide email to mobile devices securely, but one-third are not comfortable securing additional information sources and apps beyond email for mobile devices. Given that employees are sure to use mobile apps in connection with corporate data, this is a critical area in the near and mid-term for CISOs. The survey also found that one-third of IT departments have not yet stepped up to secure personally owned devices connecting to their networks.</p>
<p>So what areas do CISOs see as their biggest priorities when it comes to securing mobility? First up, 90 percent of CISOs surveyed identify protecting information on devices as a must-have. Data loss prevention (DLP) technology is a leading choice here. They realize that such rapid adoption of smart mobile devices is leaving their organizations vulnerable to data loss from insiders, both malicious and well-meaning. With smartphones and tablets in hand, insiders can potentially fly under the radar of IT to access and send sensitive corporate data, and in the case of the malicious insider, steal highly confidential intellectual property.</p>
<p>Next, 89 percent identified authentication as a must-have. This includes users being authenticated to their devices and to network, information and application resources. Users often save login credentials to the device itself, making access to sensitive data and corporate resources only a click away. This, however, can be dangerous as well. Authentication helps prevent unauthorized users from reaching these assets.</p>
<p>Finally, 88 percent said security policy-setting and enforcement is a must-have. Mobile device management (MDM) solutions are a key tool to accomplishing this. Another priority area for CISOs where MDM can play a role is in the separation of personal and corporate data.</p>
<p>Overall, the poll showed that enabling secure, well-managed mobility has become a priority for CISOs, but that this is only the beginning. They must now move beyond making it priority and take action to implement the solutions and policies that will protect their organizations’ sensitive information from danger.</p>
<p>How are you taking action to secure mobility in 2012?</p>
<p><em>(Cross-posted from <a href="http://www.symantec.com/connect/blogs/cisos-are-mobile-mindset-plenty-work-remains" target="_blank">Symantec Connect</a>)</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/02/cisos-are-in-a-mobile-mindset-but-plenty-of-work-remains/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISOs: Make the Most of Your Time in the Boardroom</title>
		<link>http://www.indefenseofdata.com/2012/02/cisos-make-the-most-of-your-time-in-the-boardroom/</link>
		<comments>http://www.indefenseofdata.com/2012/02/cisos-make-the-most-of-your-time-in-the-boardroom/#comments</comments>
		<pubDate>Tue, 14 Feb 2012 09:00:58 +0000</pubDate>
		<dc:creator>Ram Krishnan</dc:creator>
				<category><![CDATA[IT Risk and Compliance]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[IT GRC]]></category>
		<category><![CDATA[IT risk management]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=729</guid>
		<description><![CDATA[People in IT leadership roles, including CIOs and CISOs, typically only have five to eight minutes of time to present in Board of Director meetings, according to the latest research from the IT Policy Compliance Group. How CISOs use this time will often determine if they get the resources they need to effectively manage IT [...]]]></description>
			<content:encoded><![CDATA[<p>People in IT leadership roles, including CIOs and CISOs, typically only have five to eight minutes of time to present in Board of Director meetings, according to <a href="http://www.itpolicycompliance.com/research-reports/data-driven-reporting-and-communications-about-it/" target="_blank">the latest research</a> from the IT Policy Compliance Group. How CISOs use this time will often determine if they get the resources they need to effectively manage IT risk.</p>
<p>Adding to this pressure on CISOs is the fact that their boards are more attuned to security issues than ever before.  Recent data from <a href="http://www.forrester.com/ER/Research/Survey/Excerpt/1,10198,864,00.html" target="_blank">Forrester Research</a> notes that 70% of security decision makers report increased executive awareness of IT security as a result of high profile attacks and breaches.  So now, in less than 10 minutes, CISOs need to manage interactions with the board to focus on the most critical issues while avoiding distractions from what senior executives may have read about or heard regarding cyber-attacks.  As a security leader, how do you maintain their focus on the issues that matter, and walk away from the board meeting with the resources or approvals you need to manage IT risk for the organization?</p>
<p>The simple answer is this: <em>speak in business terms, not technical jargon</em>. Unfortunately, only 12% of organizations view this as currently happening – a recent survey by the Information Risk Executive Council illustrates that only 1-in-8 best performing organizations feel Info Sec can effectively influence business decisions. These CISOs are communicating IT risk through a business lens and can sit down with other C-level executives and business unit leaders to talk about how IT risk is impacting their business. To date, very few organizations have reached this level of maturity.</p>
<p>The good news, however, is that most security leaders recognize that changes to their IT risk management program will positively impact their relationship with business counterparts. Nearly half of respondents (47%) to a Symantec commissioned <a href="http://bit.ly/wPvV2Y" target="_blank">survey by Forrester</a> said that improvements in their ability to communicate the value of security and risk management in business terms would have the most impact on their relationship with business counterparts, while over 40% called out the need for more timely and accurate data, or more frequent reporting of risk and compliance.</p>
<p><strong><em>Know your business risk</em></strong></p>
<p>A new IT Policy Compliance Group report, “<a href="http://www.itpolicycompliance.com/research-reports/data-driven-reporting-and-communications-about-it/" target="_blank">Data Driven Reporting and Communications about IT: Better Results, Less Risk</a>”, also echoes what security leaders told Forrester. This report offers some pointed findings around what best performing organizations are doing differently to communicate and report about IT, allowing senior managers to take action.</p>
<p>The best performing organizations do a number of things that set them apart. They communicate what the IT risks mean in business terms to a wide range of stakeholders. They gather more information about risk from the environment, including from their people and systems, and collect this information more frequently than others in an automated manner.  These organizations use dashboards and scorecards to communicate the business context to different stakeholders, and customize reports for each audience.  Most importantly, their dashboards focus on communicating the business impact of IT risk.  For instance, the data they show might summarize the risk to a business process, rather than highlight a technical issue on a server in the datacenter.  With these approaches, they can garner more attention, drive more action amongst stakeholders and make a better case for additional security investments.</p>
<p>When you consider that only one organization in ten uses data-driven reporting and communications, there’s clearly room for improvement among the other 90%. Whatever your approach is to reporting information about the business risks of using IT, most organizations can and should increase the relevance of IT to non-IT stakeholders. Adopting the practices of best performers is one place to start.</p>
<p><strong><em>Translate business risk</em></strong></p>
<p>It’s critical that CISOs communicate IT risks in business context if they are to drive accountability and action amongst business stakeholders.  Today Symantec announced a better way to <a href="http://bit.ly/wyg5eV" target="_blank">communicate IT risk in business terms</a>. The latest version of our IT governance, risk and compliance (IT-GRC) solution features the new Control Compliance Suite Risk Manager module. Risk Manager will enable security leaders to represent technical issues in the form of risks relevant to business processes, deliver customized views of IT risk for different stakeholders, and help prioritize remediation efforts based on business criticality rather than technical severity.</p>
<p>Would you welcome a streamlined way to communicate IT risk to your execs in business terms and secure more security budget?  I look forward to your comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/02/cisos-make-the-most-of-your-time-in-the-boardroom/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Breach Insurance: Prevention Is the Best Medicine</title>
		<link>http://www.indefenseofdata.com/2012/01/data-breach-insurance-prevention-is-the-best-medicine/</link>
		<comments>http://www.indefenseofdata.com/2012/01/data-breach-insurance-prevention-is-the-best-medicine/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 18:00:52 +0000</pubDate>
		<dc:creator>Tim Matthews</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data breach insurance]]></category>
		<category><![CDATA[data loss prevention]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=708</guid>
		<description><![CDATA[Businesses are no more immune to disaster than individuals are. That’s why organizations opt for insurance such as property, workers compensation and business disruption coverage. But, one of the most damaging events a business can experience is the loss or theft of sensitive information. This may be proprietary information about the organization itself, or personal [...]]]></description>
			<content:encoded><![CDATA[<p>Businesses are no more immune to disaster than individuals are. That’s why organizations opt for insurance such as property, workers compensation and business disruption coverage. But, one of the most damaging events a business can experience is the loss or theft of sensitive information. This may be proprietary information about the organization itself, or personal details about its customers. Either way, a data breach can cause millions of dollars in damages.</p>
<p>It’s no wonder then, that businesses are talking more about <a href="http://bits.blogs.nytimes.com/2011/12/23/insurance-against-cyber-attacks-expected-to-boom/" target="_blank">data breach insurance</a>. This coverage is designed to provide businesses with compensation for legal costs and other expenses incurred in the aftermath of a data breach, such as identifying the source of the leak and notifying those whose information may have been compromised.</p>
<p>But at the same time, insurance should not be considered a replacement for adequate preparation and security. You should already have other security measures in place. In fact, many businesses are subject to regulations that mandate security—for instance, some regulations require encryption of sensitive information, greatly reducing the losses when incidents do occur.</p>
<p>If your security measures are less than robust, however, consider for a moment what damage would be done if your customers’ personal information was exposed through a data breach. The insurance would help with some of the costs, such as contacting your customers to make them aware of the problem. But there’s more at stake than court fees and downtime of your network. The loss of trust is one thing that can’t adequately be measured or accounted for by an insurance policy. Once your customers feel betrayed, they will immediately look to your competitors, and they’ll tell their friends to do the same. This abnormal customer churn is the number one cost associated with a data breach, according to the <a href="http://bit.ly/zCBSuQ" target="_blank">U.S. Cost of a Data Breach study</a>.</p>
<p>While the CFO may ask ‘wouldn’t insurance be cheaper,’ the organization needs to look at the cost of a data breach in terms of customer churn – in this case, mitigating the risk of a data breach is the better choice. Your best bet, then, is to ensure that you do everything you can to prevent such a breach from ever happening in the first place.</p>
<p>In order to protect your organization from data breaches that are becoming all too common these days, consider the following preventive measures.</p>
<ul>
<li>Assess risks by identifying and classifying confidential information</li>
<li>Educate employees on information protection policies and procedures, then hold them accountable</li>
<li>Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints</li>
<li>Deploy data loss prevention technologies which enable policy compliance and enforcement</li>
<li>Proactively encrypt laptops to minimize consequences of a lost device</li>
<li>Implement two-factor authentication</li>
<li>Integrate information protection practices into business processes</li>
</ul>
<p>These common sense measures will help reduce your chances of losing sensitive corporate information. With the right preparation, you may never have to find out just how effective data breach insurance actually is.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/01/data-breach-insurance-prevention-is-the-best-medicine/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

