
DATA IS POTENTIAL

Enterprise Security Risk Management


Sarah Jolly | H2FY19
Enterprise Security Risk Management

$300 Million Unknown $2 Million $1.6 Billion

Pillar Overview

Corporate Security Champions

• Joan Motsinger: Business Excellence
• Kate Schuelke: Legal and other relations
• Brad Jones: Information Security

Only You Can Mitigate Security Risks

Target’s Cybersecurity Breach

Date of Discovery: December 2013
What Happened? 40 million payment card credentials and 70 million customer records were stolen and sold on the black market
Estimated Cost: $300 Million

https://www.welivesecurity.com/2018/12/18/target-targeted-five-years-breach-shook-cybersecurity/
https://www.thesslstore.com/blog/2013-target-data-breach-settled/

Cybersecurity at Seagate
CYBER: Protecting our infrastructure and information systems

FY2020 Goals
• Complete Network Segmentation and Control at all Seagate and third party sites
• Drive compliance and accountability metrics across the entire environment
• Incremental tactical controls, and increase risk awareness and alignment
• Third Party Risk Mitigation: Drive architecture and implementation changes to mitigate risk

Actions You Can Take
• Follow these steps to protect Seagate from spam and phishing
• Always keep your Enterprise-managed security software installed, current, and enabled
• Only install Seagate approved applications on your devices
• Use strong, unique passwords and update every six months
• Do not use Seagate devices for personal reasons

Intel’s Product Security Catastrophe

Date of Discovery: January 2018
What Happened? Spectre and Meltdown are hardware vulnerabilities. They exploit vulnerabilities in modern processors, allowing programs to steal data which is currently processed on a computer
Estimated Cost: Unknown

https://investorplace.com/2018/01/intc-stock-meltdown-issues/
https://redmonk.com/rstephens/2018/02/09/cost-of-meltdown-spectre/

Product Security at Seagate
PRODUCT: Protecting the data on our products

FY2020 Goals
• Protect Seagate Products with ISO 20243 Policy Compliance
• Protect Seagate Product Life-Cycle with Risk Mitigation Programs for Increasing Threat Landscape
• Manage Seagate Product Risk to Policy Based Evaluation, Incident and Crisis Maturity Aligned to Enterprise Risk Management
• Protect Seagate Products by Delivering Trusted Essential and Certified Security Infrastructure & Services for all products
• Protect Seagate Products with Essential and Certified features assurance in all Device and Services Products

Actions You Can Take
• If you work on our products, be vigilant about allowing access to our hardware, firmware, or software
• Report suspected vulnerabilities to security.reporting@seagate.com
• Learn about our Seagate Secure features to pass on to our customers

Barclays’ Physical Security Nightmare

Date of Discovery: April 2013
What Happened? Eight men used physical penetration and social engineering with system compromise to steal millions of dollars from the Swiss Cottage branch of Barclays Bank
Estimated Cost: $2 Million (eventually recovered)

https://www.cso.com.au/article/527083/gang_exploits_both_physical_system_security_during_bank_robbery/

Physical Security at Seagate
PHYSICAL: Protecting our sites, IP, and employees

FY2020 Goals
• Mature Security processes & programs for improvements appropriate to Seagate risk and business needs.
• Centralize multiple Access Control and Surveillance systems to two primary systems from over 24 and feed raw data into actionable intelligence via Dashboard 2.0.
• Implement new programs: Expand Supply Chain Security, Brand Protection & Counterfeit Program, Event/EP Updated

Actions You Can Take
• Always badge in to our facilities, and do not let anyone follow you in without scanning their badge
• Never leave your laptop or other device unattended
• Always lock your computer when you walk away from it
• Do not work on or talk about confidential work topics around anyone you do not know personally

Facebook’s Data Woes

Date of Discovery: September 2018
What Happened? A security bug allowed hackers to access information on around 50 million accounts
Estimated Cost: $1.6 Billion (potential)

https://www.cnbc.com/2018/10/02/facebook-data-breach-social-network-could-face-eu-fine.html

Data Privacy and Data Protection at Seagate
DATA PRIVACY / PROTECTION: TBD

FY2020 Goals
• Establish Binding Corporate Rules (BCRs) or other legal transfer mechanism and/or public acknowledgement of Seagate’s commitment to data protection and privacy.
• Complete Data Protection “pilot” program, and continue implementation across the enterprise.
• Expand periodic audit/review process of vendors, services and applications.
• Automate and streamline existing privacy processes and initiatives.

Actions You Can Take
• Treat any personal data as if it were your own
• Report ethical concerns to the anonymous ethics helpline
• Understand the new data classification policy and label your sensitive data with the appropriate levels
• Internalize the yearly required training

Seagate Strategy
In the context of the evolution of the datasphere

• Expand our reach and capabilities to address vertical markets
• Develop a unified data experience to solve unmet IT 4.0 needs
• Establish clear leadership position in our existing device markets

Seagate Confidential

Six Crucial Behaviors
1) Stop. Think. Protect.
• Security is your responsibility. Know what to do, what not to do, and who to go to
2) If you see something, say something
• Know the right contacts and process for reporting across all four pillars (resources and process on slide 8)
3) Design for protection
• Be proactive and design our products, services, and processes for protection (given)
4) Protect Seagate data
• Do not work on, share, or discuss Seagate business including business, personal, customer, and third party data where it might be overheard, seen, or taken
5) Protect Seagate sites, people, and property
• Keep out unauthorized access. Always badge in, do not leave devices/property unattended in office, home, or vehicle; lock computers and devices
6) Be vigilant
• Watch for phishing, tailgating, and social engineering, and always keep your devices up-to-date and compliant with policies. Phishing is the initial vector for 91% of cyber breaches!

https://cofense.com/enterprise-phishing-susceptibility-report/


ESRM Resources

CYBER
When you encounter suspicious cyber activity
servicedesk@seagate.com
Contact the IT service desk with your concern

PRODUCT
When you suspect our products are compromised
security.reporting@seagate.com
Contact the Product Security Office with your concern

PHYSICAL
When you see suspicious behaviour
Global Trust and Security
Contact your local site security, your manager or you can also use the anonymous ethics helpline

DATA PRIVACY / PROTECTION
When you suspect data is not being handled properly
data.protection.team@seagate.com
Contact the data protection team with your concern

You can also use the anonymous ethics helpline as a means of reporting any concern or issue
