All right. So my name's John Pocknell. I work in product marketing. I'm a database solutions evangelist. So my job is to look at what Quest offers across our database portfolio, and how it can help you solve real problems in your business. In this particular session, we're going to be talking about how all DBAs often have to deal with protecting the business data, which is part of your role anyway.
But with the state of privacy regulations, like GDPR and HIPAA and the Californian Data Protection regulations, and many, many others-- this is a global issue. It's not confined to Europe, right? It's a big deal. Personal data. So GDPR is concerned with personal data. But as a business, you've got data that's not necessarily personal data but is sensitive to you as a business. And with all these external attacks that we're hearing about, how do you make sure you protect this data should it be hacked, and anonymize it?
So you can see here the prevalence of data breaches. So this is-- and you can go to this. It's informationisbeautiful.net. It's great because it's a visual cloud, and it keeps changing. Every time you hear about a data breach they publish this. And you can see it goes back to way before 2016. I think it goes back to 2009. But it's got more recent ones up in here. It's got Facebook, and Canva, Nametests, and Twitter, and Marriott Hotels.
And these are the number of-- so what these numbers are is the number of individuals that were affected by a data breach. That's not how much they were fined. Nonetheless, the fines are pretty big, as you probably know. These are the number of individuals that were affected by a data breach. Shocking, isn't it? So data privacy has become an urgent requirement. We're seeing more and more data breaches happening. We have data privacy regulations, of course, now. GDPR, which is out of the European Union.
But, as you see, this is a global issue, right. So if we look at the next slide-- if I can move it on. So you can see, as well, that we have internal threats as well as external threats. This is a survey from the CA Insider Threat Report, 2018. And they asked the people taking part in the survey where they feel most vulnerable to attack. And 90% of companies said that they felt they were more vulnerable to insider attacks. Isn't that interesting? Not external attacks. Insider attacks.
66% of survey respondents said that insider attacks and accidental breaches are more dangerous than external attacks. Interesting. And what was their number one highest risk IT asset? The corporate database. Shouldn't be a big surprise, right? That's where all the data is. So how do we make sure we protect it against attack? Let's talk about GDPR for a second because I started off talking about GDPR. So GDPR guidelines specify how companies collect, share, and store the personal data of EU citizens. Is this a problem that's restricted to the EU?
What about global companies? Any global company, including those in North America, that uses data that originated from the European Union, is subject to GDPR. And I think a lot of US companies are beginning to realize that they may well be subject to GDPR regulations. For example, Google-- a company you might have heard of-- they were fined recently $57 million US for improperly disclosing how data is collected across its services to prevent personalized advertisements.
Facebook, of course, that's probably one of the bigger ones you hear, right? $653,000. They were improperly sharing data from Cambridge Analytica. You probably heard about that one, right? And then finally, Equifax. Equifax were fined $653,000 US for failing to protect the personal information of 15 million UK citizens affected by a 2017 cyber attack. All right. These are-- these are headline issues.
And, like I said, this is not-- this is not an issue that's confined to the European Union, right? It's not-- it's not even an issue that's confined to the European Union and North America. You might have heard about the-- since we're in California-- California Consumer Privacy Act, CCPA, that comes into force in January next year.
New York Privacy Act. That follows on from the CCPA that comes-- that's already in force this year. And you can see, if you look across the globe, there are many, many other countries that have some form of data privacy regulations. All right. It's a global problem. So, from your standpoint, is your IT department doing all it can to protect the business data? Are you complying with GDPR, or any other data privacy regulations? Who is responsible for that? Do you have a data protection, or a data security, part of your organization?
Do you have a risk management piece in your organization? So who's ultimately responsible for managing this risk? How are you going to minimize the risk associated with data breaches? How are you going to identify and protect your personal data? Identification's the biggest issue. So how do you respond to these pressures? So if you're a DBA, how do you go about finding where your sensitive or personal data is? Are you relying on metadata, or do you have some way of actually mining the data itself-- which is a more reliable way of doing it?
Once you've identified it, how are you going to protect it? It depends upon where it is. If it's production data, you might have to apply some form of encryption or redaction. If it's not production data, maybe it's test data, maybe you can mask it. If it's production data, you may want to set some audit policies. How many of you have some sort of Oracle auditing in your environment? Yeah? How do you do that right now? Do you audit everything? How do you know what to audit?
If you have some way to selectively audit the things you need to audit, and don't bother auditing everything else, you find the right balance between security and performance. If you audit everything, that's going to really impact your performance. Right? So do you-- how do you find that data? Do you manually trawl through all the database tables looking for sensitive or personal data? Very time consuming. If you don't do anything, there's a lot of risk involved-- you're exposing personal data in the public domain, you might overlook sensitive data in places you didn't know about, such as backups or in the cloud.
Because if you're using cloud databases, you've got to protect that, too. You're still responsible for the data. The cloud service provider isn't responsible for your data. All right. So if it's in the cloud, you've got to take that into account, as well. So the better way is if you could confidently know where your sensitive data exists, in different environments, on premises, in the cloud, and enable search capabilities that make that discovery easier.
So rather than manually searching for sensitive data and personal data, find a way to automate it. A rules based approach, based on rules that you define, to make it easy to identify the data. That way you've got a much more efficient way to optimize security with performance. Solution? You may already have thought. You may already be using Toad. So, if you're already using Toad, you can extend what you already use in Toad into the world of data protection. You can find sensitive data based on how you define it, based on data polling, not just on metadata searches.
How many of you use the-- how many have used applications like JD Edwards or Oracle E-Business? Right. So you'll know, then, that metadata searches are not going to help you because the table names and column names are meaningless. You can't rely on column names to tell you what's in that-- what's in that column, right? You've got to-- you've got to pull the actual data itself. Automate that process. So once you've set it up, you've got your rules defined, automate the process of keeping up. This is not a one time gig. This is not like Y2K. Right?
It's not something you fix and forget. It's something that you have to keep doing. And then provide visibility to other stakeholders. There's an aspect in GDPR regulations, if you're familiar with that, called Privacy by Design. And Privacy by Design means make sure that the people who are responsible for designing the data structures and maintaining those structures know when they're actually potentially exposing sensitive data, and change the way that it's being designed. Change the column names to something different.
Change the references in that stored procedure to something that doesn't obviously suggest it's personal data. So if you've got Toad for Oracle-- or if you don't have Toad for Oracle-- Toad for Oracle has a piece called Sensitive Data Protection. And if you have that, then as a DBA you can become a superhero. You're going to be the person who's going to help protect your business. So what is Toad for Oracle Sensitive Data Protection?
Well, it helps customers identify and resolve data privacy issues across all the Oracle databases, and meet data privacy regulations; allows developers-- they're the people that are writing the code, building the data structures-- to apply data protection measures proactively as they're working; and allows DBAs to discover and take action on any columns that contain sensitive data through redaction, encryption, and so forth. It actually comes in two parts.
So you've got sensitive data awareness-- this is aimed at developers. It's available in Toad for Oracle Professional and higher. And then you've got the piece that's for DBAs, which is called sensitive data search. This is an add on to Toad for Oracle. Sensitive Data Awareness enables developers to see-- as they're writing their code or they're making table changes-- where sensitive data could be exposed. So you can see on the screenshot here there's a column reference to email. Email contains potentially personal data. It's obvious. It's called email.
So that's been exposed to the developer. Maybe the developer can rename that column to something different that doesn't suggest what it is. So having identified it based on the rules, that maybe the DBA set up, they can identify where this is. And this helps with the Privacy by Design requirements of GDPR. Sensitive Data Search is more for DBAs. It is a rule based system. You can see on the screenshot, these are some rules that come out of the box.
They have some obvious things up-- name, address, IP address, social security numbers, et cetera, et cetera. You can customize these rules and create your own rules. These become the rules by which the search happens. And then having set these rules up, you can then search across your databases and generate a report on any instance where sensitive or personal data is being identified in your database.
Once you've done that, you can then protect that data, either through encrypting the data column, adding a redaction policy to a column, or setting up an audit policy. The audit policy means that you'll set up an audit policy on that column, or columns. Not the entire database. Which, as we said before, can potentially affect-- adversely affect performance.
And that's it. If you want to learn more, there's a demo booth over here, Toad for Oracle. Have a word with Gary and he can actually show you how this works. I've just really touched the surface here. But if you want to learn more about, as a DBA, how do I identify and protect my sensitive data, have a word with Gary in the Toad booth. Thank you very much for listening.
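The two mechanisms the talk keeps coming back to, finding sensitive data by looking at the values rather than the column names, and then auditing or redacting only the columns that were found instead of the whole database, can both be done with stock Oracle features. The following is an added example written for this page; it is not code from the talk, from Quest, or from Toad's Sensitive Data Protection feature. It assumes a hypothetical HR schema with a CUSTOMERS table holding EMAIL and TAX_ID columns, the two discovery rules are constructed for the example, and the session running it needs SELECT on the scanned tables plus EXECUTE on DBMS_FGA and DBMS_REDACT (or the AUDIT_ADMIN role for the FGA part).

```sql
-- Added example, not from the talk or from Toad. Assumes a hypothetical
-- HR.CUSTOMERS table with EMAIL and TAX_ID columns.

-- 1. Discovery by content, not metadata: scan every character column in
--    the schema and test the VALUES against each rule. A JD Edwards-style
--    column called F0101_ABAN8 is found just as readily as one called EMAIL.
--    SAMPLE(5) reads a 5% sample of each table and ROWNUM = 1 stops at the
--    first hit, so the scan itself is not a full read of production data.
SET SERVEROUTPUT ON
DECLARE
  TYPE str_tab IS TABLE OF VARCHAR2(200);
  -- Constructed rules; extend or tune these for your own data.
  l_names    str_tab := str_tab('EMAIL', 'US_SSN');
  l_patterns str_tab := str_tab(
    '^[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}$',
    '^[0-9]{3}-[0-9]{2}-[0-9]{4}$');
  l_hits PLS_INTEGER;
  l_sql  VARCHAR2(4000);
BEGIN
  FOR c IN (SELECT tc.owner, tc.table_name, tc.column_name
              FROM all_tab_columns tc
              JOIN all_tables t                       -- real tables only; SAMPLE
                ON t.owner = tc.owner                 -- is not valid on views
               AND t.table_name = tc.table_name
             WHERE tc.owner = 'HR'
               AND tc.data_type IN ('VARCHAR2', 'CHAR', 'NVARCHAR2'))
  LOOP
    FOR r IN 1 .. l_names.COUNT LOOP
      -- Identifiers come from the catalog, so quote them with DBMS_ASSERT
      -- rather than concatenating raw strings: a hostile object name must
      -- not turn the scanner itself into a SQL injection vector.
      l_sql := 'SELECT COUNT(*) FROM '
            || DBMS_ASSERT.ENQUOTE_NAME(c.owner, FALSE) || '.'
            || DBMS_ASSERT.ENQUOTE_NAME(c.table_name, FALSE)
            || ' SAMPLE(5) WHERE REGEXP_LIKE('
            || DBMS_ASSERT.ENQUOTE_NAME(c.column_name, FALSE)
            || ', :pat) AND ROWNUM = 1';
      EXECUTE IMMEDIATE l_sql INTO l_hits USING l_patterns(r);
      IF l_hits > 0 THEN
        DBMS_OUTPUT.PUT_LINE(l_names(r) || ' found in ' || c.owner || '.'
          || c.table_name || '.' || c.column_name);
      END IF;
    END LOOP;
  END LOOP;
END;
/

-- 2. Audit only the column the scan flagged. Fine-grained auditing writes a
--    record only when TAX_ID is actually read or changed, which is the
--    "audit the columns, not the whole database" balance from the talk.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'CUSTOMERS',
    policy_name     => 'FGA_CUSTOMERS_TAX_ID',
    audit_column    => 'TAX_ID',
    audit_condition => NULL,                          -- every access, not a subset of rows
    statement_types => 'SELECT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED);  -- keep SQL text and bind values
END;
/

-- 3. Redact the e-mail column for everyone except the application owner.
--    The address keeps its domain but the local part is replaced.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'CUSTOMERS',
    policy_name           => 'REDACT_CUSTOMERS_EMAIL',
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    expression            => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR''');
END;
/

-- 4. Check that the audit policy is producing records. With unified auditing
--    the same rows appear in UNIFIED_AUDIT_TRAIL (column FGA_POLICY_NAME).
SELECT db_user, os_user, timestamp, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'FGA_CUSTOMERS_TAX_ID'
 ORDER BY timestamp DESC;
```

Two practitioner caveats. Run the discovery pass as an account that is exempt from the redaction policies, because a session that sees redacted values will never match the e-mail rule against a column that is already redacted, and the scan will report a false clean. And treat redaction as a display control, not a boundary: SYS, users with the EXEMPT REDACTION POLICY privilege, and anyone who can run inference queries (WHERE email LIKE 'a%') against the underlying column can still recover data, so the FGA trail on the sensitive column is what tells you that happened.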