Global F500 Tech Company Deploys External Data Privacy Solution

Case Study: Fortune 500 Tech Company with Global Workforce

Customer: A Fortune 500 technology company with more than 11,000 employees globally

Challenge:

  • State of the art cybersecurity infrastructure did not prevent data breach
  • Spear phishing and other social engineering attacks using employee and vendor PII were successful in circumventing existing infosec practices
  • Executive leadership and Board ambivalent about the threat of unsecured external data

Solution:

  • Due diligence performed, identifying Privacy Bee as a potential solution
  • CISO uses free EDPA and DPRA scans/assessments to derive actionable data about existing privacy risk and possible financial impacts of failures
  • Cost-benefit analysis using the data presented to CEO and BOD, supporting engagement of Privacy Bee
  • Thousands of licenses secured for internal employees as well as third-party vendor users with integrated systems access
  • Employee Risk Management and Third-Party Vendor solution elements engaged
  • Deletion requests managed on an ongoing basis for hundreds of thousands of identified exposures, reducing privacy risks
  • Privacy Bee University deployed for all employees

Results:

  • No subsequent data breaches to date
  • Significant reduction in inbound spear phishing and other email attacks
  • Reduction in HR costs due to lowered volume of HR poaching/churn
  • Internal calculations suggest yield of greater than $13,000 in value per employee covered by the solution

Challenge:  In spite of a very savvy CISO and a multi-million-dollar cybersecurity regimen including employee training, phishing simulations, GRC and policies, network security, endpoint protection, and more, the customer still fell prey to a data breach in the summer of 2022.  Like many other organizations with world-class information security policies and practices in place, PII-infused social engineering attacks successfully circumvented the traditional InfoSec tech stack. 

The CISO and the rest of IT leadership were not unaware of the mushrooming threat of exposed external data. However, the 2023 breach brought into clear focus the extent to which information on nearly all of their employees was available for sale and weaponized against them via hyper-personalized social engineering or spear phishing. They recognized that existing practices, including training and awareness campaigns, were not enough to prevent sophisticated scammers from tricking employees, bypassing all their cybersecurity, and breaching their company’s sensitive systems.

While the 2023 data breach was immediately discovered and quickly mitigated, the damage could have been much worse.  The incident brought into focus the deficiencies in the customer’s approach to security and motivated leadership to adopt a much more aggressive posture, specifically with respect to external data privacy (EDP). 

For a technology industry leader, further data breaches represented a potentially devastating threat to the company’s reputation, one that could easily send customers and prospects running to the competition. Moreover, the customer’s top product line was heavily reliant on exclusivity. The intellectual property that comprised the customer’s proprietary code was to be protected at all costs. The customer had already been involved in litigation against former employees for breach of contract when these workers defied non-compete clauses and attempted to recreate the company’s flagship tech products while working for their competitor.

The luckily inconsequential initial breach was a wakeup call to the CISO and his cybersecurity team.

Solution:  After having their metaphorical “come to religion” moment, the Board of Directors together with executive leadership agreed to apply a very aggressive approach to managing their heretofore unsecured external data. 

The CISO and his team performed a deep-dive analysis of the available solutions on the market, focusing on reducing the new “social engineering attack surface.” Privacy Bee for Business provided the team with no-cost tools to help build a data-driven business case for deploying an External Data Privacy solution.

The External Data Privacy Audit (EDPA) from Privacy Bee performed a quantitative analysis of the entire workforce at this customer. It identified hundreds of thousands of privacy exposures and vulnerabilities across the entire global workforce. The EDPA also delivered opportunity and loss analyses, yielding accurate financial forecasts of how subsequent data breaches would impact the organization’s profitability. This alone provided the perspective and data needed to produce a cost-benefit analysis for the solution.

However, the security team at the customer didn’t stop there. In order to illustrate how privacy was still a vulnerability despite the robust information security and cybersecurity practices already in place, the customer engaged the no-cost Data Privacy Risk Assessment (DPRA) from Privacy Bee. The DPRA’s roughly 75 questions helped the customer explore how customer and employee data was being managed by the organization. It offered up significant opportunities for improvement, identified wide stretches of unmitigated risk, and provided a basis for a fuller Governance, Risk and Compliance function specific to data privacy.

The output of these two free audits/assessments more than convinced the customer that the Privacy Bee for Business solution was critically necessary.  Beginning in early 2023, the customer engaged Employee Risk Management as well as Third-Party Vendor Management segments of the platform to apply metrics to the privacy risk profiles of all persons with any level of information systems access.  The Employee Risk Management function provided insight into employee risk while the Third-Party Vendor Management piece did the same for the many supply chain and channel partner personnel who accessed ERP, logistics and other business systems via integration points designed to afford limited systems access to external parties.

The customer procured licenses for thousands of users, both internal employees and external third parties, to ensure that identified exposures were subsequently removed from the Data Brokers, People Search Sites and other locations where they were vulnerable to exploitation by hackers and threat actors. As part of the licensing, the customer also gained access for all their covered personnel and partners to participate in Privacy Bee University. PBU goes well beyond the typical training programs, which focus on password protection and other well-known strategies. Instead, it focuses on educating users on the unique and emerging threats posed by social engineering and illustrates in detail how PII is leveraged by hackers to craft sophisticated attacks to bypass cybersecurity by fooling individuals.

InfoSec leadership at the customer also included in their business case the extent to which reduction in exposed external data would drive benefits elsewhere within the organization.  They cited the potential for reduction in HR poaching and employee turnover, decrease in productivity-sapping spam emails/phone calls and even increased physical security for executives and their families who’ve recently been experiencing increased targeting by threat actors.

Results:  Of course, the most noticeable result this customer experienced was precisely what they DIDN’T experience. Since implementing Privacy Bee for Business, the customer has not experienced any further data breaches. In addition, 11 months after deployment, the customer noted a significant decrease in inbound spear phishing emails and text messages. They also reported a steep drop in HR onboarding and offboarding costs, which they largely attributed to a reduction in the HR churn driven by HR poaching in a very tight labor market.

Using a proprietary calculation involving quantitative assessments of risk mitigation, productivity increases, theft prevention, physical safety and HR defense, the customer estimates the Privacy Bee for Business solution yields greater than $13,000.00 in value annually, per employee. 
