Microsoft 365 Security and Compliance Partner Opportunity Playbook
Regulatory Compliance Scenario for GDPR

Microsoft Confidential – for internal only use by partners.

As companies embrace the opportunities presented by cloud and mobile computing to connect with customers and optimize operations, they take on new risks. One of the biggest challenges in digital transformation is ensuring security, privacy & compliance.

The security and compliance opportunity

PROTECTING AGAINST EVOLVING CYBERSECURITY THREATS

In today’s world, it’s clear that increasing trust and managing security is a struggle for many organizations. But as these statistics point out, the importance of improving security comprehensively has become even more evident:

Traditional IT boundaries are disappearing and organizations now need to protect data on employee-owned mobile devices and SaaS applications not operated by the IT team. If they do not adapt their approach to security, companies face the risk of significant financial loss, damage to customer satisfaction, and market reputation. This presents an opportunity to help companies manage security concerns in an ever-evolving technology world that’s constantly under threat.

MEETING DATA AND PRIVACY REGULATIONS

Increasing regulations such as the EU General Data Protection Regulation (GDPR) ensure safeguards are in place to help ensure individuals’ data is private and secure. Some customers will elect for a strict compliance approach, while others see the effort to become compliant as an opportunity to use data privacy as a differentiator for their business. In either case, partners will play an important role in helping customers meet their compliance and strategic business objectives.

Statistics shown:
• 4.2 BILLION customer records compromised. Source: Risk Based Security Report, 2017.
• 99 DAYS from breach to detection. Source: FireEye/Mandiant report, March 2017.
• $17 MILLION average cost of a security breach. Source: Ponemon Institute, Cyber crime--a risk you can manage: Information management and governance to protect business innovation, business white paper, Nov. 2016.


¹ Forrester’s Security Budgets 2017: Increases Help But Remain Reactionary, Jeff Pollard, Nov 23, 2016. ² Forrester’s The State of Security Services 2016, Jeff Pollard, August 4, 2016. ³ IDC Worldwide Semiannual Security Spending Guide, March 29, 2017.

Business today happens digitally, as the world increasingly adopts cloud and mobile technologies. For organizations to take full advantage of the productivity promise of digital transformation, they must equally focus on protecting themselves from increasing threats.

As a consequence, it’s no surprise that IT spend on security is growing, with an increasing share of the overall IT budget year after year. From a 22% share of budget in 2014, the allocation for security grew to 23% in 2015, then jumped to 28% in 2016¹.

The spend on both product and services is basically a 50-50 split, with 49% of this budget planned for services, and 51% planned for products².

This research is complemented by a recent report from IDC³, in which they forecast that “worldwide revenues for security-related hardware, software, and services will reach $81.7 billion in 2017.” This is 8.2% higher than 2016. IDC also forecasts that revenues will be nearly $105 billion by 2020.

The increasing budget and significant allocation for services means that partners who choose to establish a business based on the security and compliance capabilities of Microsoft 365 will be able to tap into a marketplace that is increasing year-on-year, creating a solid foundation for stable, profitable future business.

Growing market and partner opportunity

Chart: Security’s share of the IT budget¹, for organizations with over 1,000 employees: 22% in 2014, 23% in 2015, 28% in 2016.


An update to the Worldwide Semiannual Security Spending Guide from IDC indicates that security as part of the overall IT budget is increasing.

"The rapid growth of digital transformation is putting pressures on companies across all industries to proactively invest in security to protect themselves against known and unknown threats," said Eileen Smith, program director, Customer Insights and Analysis.

Insights from the global guide include:

• Industries forecasted to spend the most on security hardware, software, and services are banking, discrete manufacturing, and federal/central government.
• Services will be the largest segment of security spending.
• Geographically, the United States will be the largest market for security products, with Europe coming in second.
• Large or very large enterprises will be responsible for two thirds of all security-related spending.

Top Technology Category Based on 2016 Market Share

According to IDC, services will be the largest area of security-related spending throughout their recent forecast, led by three of the five largest technology categories: managed security services, integration services, and consulting services. Together, companies will spend nearly $31.2 billion, more than 38% of the worldwide total, on these three categories in 2017. Technology categories with the fastest spending growth over the 2015-2020 forecast period include managed security services, with a CAGR of 12.2%.

Source: IDC Worldwide Semiannual Security Spending Guide, March 29, 2017.

Chart data (2016 market share): Network Security 18.4%; Endpoint Security 13.10%; Managed Security Services 17.20%; Integration Services 11.50%; Consulting Services 8.90%; Others 30.90%.

Customer spending on security services expected to grow through 2020


Four core principles of Microsoft 365

We are living in a time of inflection. Digital transformation is the biggest change any of us has seen in our lifetime. Companies invest in technology to optimize operations, transform products, engage customers, and empower employees. The challenge is finding the way to empower people to do their best work. This starts with fostering a culture of work that is inspiring for everyone, and embraces the trends in the workplace that make work inspiring.

To deliver on the tremendous opportunity for business growth and innovation, we are simplifying the customer experience by bringing together Office 365, Windows 10 and Enterprise Mobility + Security with the introduction of Microsoft 365.

It’s a complete, intelligent solution that empowers everyone to be creative and work together, securely. For enterprise customers, Microsoft 365 Enterprise is built on the foundation of Secure Productive Enterprise.

Introducing Microsoft 365.

• Intelligent security
• Unlocks creativity
• Built for teamwork
• Integrated for simplicity


Microsoft 365 opens up unique value-creating opportunities. There are four core practice areas where we see the most room for growth for partners with Microsoft 365. This playbook is designed to help you build your business with the Microsoft 365 security & compliance practice area.


Microsoft 365 is a complete, intelligent solution to empower employees to be creative and work together, securely. It brings together:

Office 365 + Windows 10 + Enterprise Mobility + Security


Security and compliance will play a central role in most Microsoft 365 customer engagements. For partners, Microsoft 365 is a great platform on which to build a profitable set of security and productivity solutions to simplify the task of identifying, classifying, and governing personal data.

Microsoft 365 also helps customers protect personal data from loss or unauthorized access or disclosure. And Microsoft 365 aids customers in complying with the new standards for transparency, accountability, and record keeping.

✓ Central to customers’ digital transformation initiatives

✓ Security is a door opener to additional solution areas

✓ Helps customers with a multi-year journey

✓ Creates a wide range of additional revenue and service delivery opportunities for partners

Customers and partners both win.

Source: Forrester Total Economic Impact™ Study, Commissioned By Microsoft, July 2017, The Partner Opportunity For Microsoft 365 Enterprise

“For our customers interested in digital transformation, the revenue opportunity is huge. We are especially excited about ongoing consulting work and managed services.”
- an interviewee


Top Microsoft 365 security and compliance scenarios for partners

Ensuring security and compliance is key to customers’ digital transformation. As an end-to-end solution, Microsoft 365 offers a comprehensive set of features and unique intelligence across critical end-points in today’s mobile-first, cloud-first world.

Enterprise-Level Identity Protection: Implement and manage cloud identity and access. Audit and mitigate use of cloud apps.

Control and Protect Information: Assess and classify customer data. Implement and manage information policies and procedures.

Proactive Attack Detection and Prevention: Perform security assessment analysis, migrate and deploy security solutions and provide managed security services.

Regulatory Compliance: Help customers with increased demands of regulators and legal authorities in every country in which they operate.


Understanding the business opportunity

Choose your scenario

Now that you understand the opportunity to build a practice based on Microsoft 365 security and compliance capabilities, explore the possible solution scenarios open to you. We recommend you choose one scenario to start with, and then expand your practice from there.

Four key partner scenarios are:

ENTERPRISE-LEVEL IDENTITY PROTECTION: Help your customers protect their identities and manage access to apps and data. With Microsoft 365 products and tools, you can help customers develop identity management policies, give users a single sign-on for use across the entire enterprise, strengthen credential authentication, and streamline identity administration.

CONTROL AND PROTECT INFORMATION: Help your enterprise customers protect their data while enabling access from virtually anywhere on almost any device. With Microsoft 365, you can help customers create policies to identify, monitor, and protect sensitive data; better secure sensitive information; improve security for cloud apps; and guard against accidental data leaks.

PROACTIVE ATTACK DETECTION AND PREVENTION: Build a practice that helps your customers proactively guard against threats, identify breaches and threats using advanced analytics, and automate the response to threats enterprise wide.

REGULATORY COMPLIANCE: Help customers assess their readiness for GDPR. Provide consulting and advisory services around devising their plan of action and risk management plans. Resell, deploy, and implement Microsoft 365 – our hero SKU for GDPR.

By developing a security and compliance practice, you can help turn the potentially dizzying array of services, licensing options, and overlapping feature sets into a cohesive, comprehensive, and understandable solution that enables customers to manage their security, protect their assets, respond to security incidents, and stay compliant with regulations such as GDPR.


The GDPR is a landmark regulation that replaces the 20-year-old Data Protection Directive in the EU. Its intent is to lay the foundation for trust in the digital economy, recognizing that the balance of power has not favored consumers over the past couple of decades.

In the process, it takes data privacy to new heights—broadening the definition of personal data, expanding the rights of data subjects over their data, setting a new bar for protecting data, and increasing transparency over data protection processes and data breaches.

From an industry standpoint, it’s a watershed moment where some organizations will elect for a strict compliance approach and others will use the effort and investment as an opportunity to differentiate themselves and what they offer their own customers.

The opportunity to serve our customers is massive. And the opportunity is now, because there is so much to do before May 25, 2018 when the GDPR goes into effect. Solutions for GDPR aren’t simple; customers will need partners to help them.


SIGNIFICANT FINES: The fines alone will get anyone’s attention. Up to 4% of global revenue is at stake.

NEED FOR PRIVACY PROFESSIONALS: GDPR calls for organizations to have Data Protection Officers and there’s a known dearth of talent.

OPERATIONAL COMPLEXITY: The complexity of defining a path forward, implementing, and landing those changes is massive. It impacts how data is collected, processed, managed, and how breaches are addressed.

GLOBAL IMPACT: While the GDPR is an EU regulation, its reach is global. It applies to any organization that touches EU residents and holds their data.

Regulatory compliance/ GDPR opportunity


Regulatory compliance


Regulatory Compliance

Laws and regulations can be outpaced by new technology as governmental bodies are faced with the difficult task of regulating new technologies. We all have to ensure our organizations can take advantage of innovative technologies for growth and success, while managing risks.

We need to enable our customers to deploy our cloud services with the highest confidence that they are safe and compliant around topics like data security; personal information privacy; compliance with the EU-U.S. Privacy Shield and the EU General Data Protection Regulation; compliance with regulations governing the financial services, health care, government, and education sectors; and how we will stand with our customers on the issues of government access and encryption.

To start, we will be focusing on how we enable partners and customers to be ready for GDPR, with more tools and information to come.

Customers need help with the burden of compliance and the increased demands of regulators and legal authorities in every country in which they operate.


In May 2018, a new European Union (EU) privacy regulation goes into effect with broad reaching implications for multinationals around the globe (not just in the EU). The regulation, called the General Data Protection Regulation (GDPR), sets a new bar for privacy rights, security, and compliance. It requires significant changes by organizations all over the world regarding how they manage and protect personal data.

Specifically, GDPR imposes new rules on organizations that offer goods and services to people who reside in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.

These new requirements – like greater data access and deletion rules, risk assessment procedures, a Data Protection Officer role for many organizations and data breach notification processes – will mean changes for many organizations. When it comes to GDPR compliance, it’s not just European organizations that are affected, but also those outside of the EU who process data in connection with the offering of goods and services to, or monitoring the behavior of, EU residents. Customers will need to understand obligations related to GDPR regardless of where their organization resides.

It will take time, tools, processes and expertise to comply with the GDPR. Organizations will need to make changes to their privacy and data management practices. Failure to do so could prove costly – as companies that do not meet the requirements could face reputational harm and substantial fines of 20 million euros, or 4 percent of annual worldwide turnover, whichever is greater.

• 75% of US companies that consider GDPR a top priority have budgeted $1 million or more to become compliant¹
• Amount ranges from €100,000 to a few million in Europe, depending on organization¹
• IDC predicts GDPR will create a $3.5B market opportunity²
• Non-compliance fines can be up to 4% of a firm’s global revenues or €20 million, whichever is greater. A fine of this magnitude could put many companies out of business, so customers should be motivated to take action.

¹ As reported in the Forrester Report, Assess Your Data Privacy Practices With The Forrester Privacy And GDPR Maturity Model, April 2017. ² Source: IDC Press release, https://www.idc.com/getdoc.jsp?containerId=prEMEA40551915, 03 Nov 2015

About the GDPR


“How do I trust that my data is being held private? I see the promise of digital transformation, but am worried about my data. I have limited visibility to what data I have, where it exists, and how it’s used.”

Before people will fully buy in to the cloud they must overcome the trepidation that inhibits them from taking full advantage of all the capabilities. They want to know that safeguards are in place to ensure their data is private and secure.

To address data privacy concerns, the GDPR gives EU residents more control over their “personal data”. It’s designed to ensure personal data is protected no matter where it is sent, processed, or stored.

The new regulation imposes stricter guidelines for transparency and obtaining consent for customer data, resulting in new challenges for many organizations, who now have concerns of their own:

• I have no consolidated view of customer data and ability to take action on their behalf.

• How do I interpret what GDPR means for my business?

• Will I meet the approaching deadline for compliancy?

• What’s the best way for me to leverage existing investments to solve requirements?

• Do I need to add a Data Protection Officer? Where do I find one?

• What constitutes a breach and what do I need to report to regulators?

• How do we prove the right things are in place for good faith efforts to be compliant?

✓ Partners provide needed people, process and technology to help customers meet GDPR.

Data privacy regulations will help drive digital transformation


CONSULTING & ASSESSMENTS: Help customers identify the personal data they store, where it is stored, how it is stored and how it needs to be protected. Partners can conduct gap assessments and make recommendations on technology, people and processes that customers need to comply with GDPR.

TECHNOLOGY SALES AND DEPLOYMENT: Sell, deploy, and implement the Microsoft cloud technologies that address customers’ compliance needs.

DATA BREACH NOTIFICATION: Help customers build and maintain detection and notification systems for data breaches. With 72-hour data breach notification, use Microsoft Cloud services to become an incident response (IR) orchestrator through managed services or professional services.

EVIDENCE OF RISK MITIGATION: Per GDPR policy, organizations must demonstrate they have implemented appropriate measures to mitigate privacy risks. Use Microsoft Cloud services to build evidence of mitigation strategies and controls.

Top areas of partner opportunity

GDPR is estimated to create a $3.5B market opportunity for security and storage vendors¹. As a partner, you have multiple opportunities to build a practice on GDPR. Many firms that do business in the European market or with European customers will have to tackle privacy rules for the first time. The Microsoft Cloud and your GDPR-related services can be critical to customer compliance.

Partner opportunity with GDPR

¹ https://blogs.partner.microsoft.com/mpn/can-monetize-new-privacy-regulation-gdpr/


Helping you build a GDPR business

Learn more at aka.ms/GDPRPartners

The Security and Practice Development Playbook will help you understand the opportunity for security and compliance and what you need to do to get started with your GDPR offerings, services and practices. Microsoft can help you accelerate your time to market, stand up your practice, or hone your GTM strategy.

Use GDPR Demos to demonstrate to customers how the Microsoft Cloud helps them comply with the GDPR. The demos will help your teams provide evidence of Microsoft’s capabilities to help customers.

The GDPR Activity Hub provides an Office 365 Solution Accelerator that partners can build on top of to manage GDPR related processes and activities.


GDPR Assessment tools

The GDPR Assessment is an online interactive tool that will help you structure the initial conversation with your customers. It’s a conversation starter that can be very useful for the initial part of your presales efforts.

The GDPR Detailed Assessment is an offline tool with approximately 150 questions to help you assess a customer’s readiness and maturity across technology, people and processes. It will help you structure your paid assessment offerings and scope out subsequent managed services offerings with an appropriate SOW.

Find both at aka.ms/GDPRPartners


SOLUTIONS TO HELP YOU PREPARE FOR GDPR

Products shown: Windows Server, Windows, Office, EMS, SQL, Microsoft Azure.

Capabilities shown: Windows Hello, Credential Guard, Data Loss Prevention, Threat Intelligence, Audit Logs, eDiscovery, Information Protection, Transparent Data Encryption, Always Encrypted, Threat Detection, Key Vault, Data Log, Log Analytics, Intune, Cloud App Security, Active Directory, Data Classification.


Microsoft’s Approach to GDPR (diagram)

Stages: Discover, Manage, Protect, Report.

Elements shown: Impact Analysis; Detecting & Responding to Breaches; Preventing Data Attacks; Risk; Identity; Encryption; Monitoring; Intrusion Detection; Security; Planned Response; Data Governance (At Rest, In Transit); Data Classification (Data Types, Sensitivity); data locations: Metadata, Documents, Emails, Databases, Log Files, Team Sites, Instant Messages.


How do I get started?

1. Discover: Identify what personal data you have and where it resides.
2. Manage: Govern how personal data is used and accessed.
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches.
4. Report: Keep required documentation, manage data requests and breach notifications.


Microsoft is the vendor your customers need to help prepare for GDPR

Discover: Microsoft cloud services make it easier to locate and identify the personal data you collect, so you can more easily find and evaluate the data across your organization.
Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
Windows 10: PowerShell
Dynamics 365: Audit Data and User Activity; Report & Analytics with Dynamics 365; Dynamics 365 metadata & data models
SQL Server and Azure SQL Database: SQL Query Language
Microsoft Azure: Microsoft Azure Data Catalog
Windows 10 & Windows Server 2016: Microsoft Data Classification Toolkit

Manage: Microsoft cloud services make it possible to centralize processing by more effectively managing applicable policies, data categorizations, and use cases.
Office & Office 365: Advanced Data Governance
Enterprise Mobility + Security (EMS): Microsoft Azure Information Protection
Windows 10: Permissions
Dynamics 365: Security concepts for Microsoft Dynamics 365

Protect: Microsoft cloud services synthesize threat intelligence and provide tools that help you get the greatest benefit from that intelligence for your security efforts.
Enterprise Mobility + Security (EMS): Azure Active Directory (Azure AD); Azure Active Directory Premium; Cloud App Security; Microsoft Cloud App Security; Microsoft Intune; Microsoft Azure Information Protection
SQL Server and Azure SQL Database: Azure SQL Database firewall; SQL Server authentication; Dynamic Data Masking (DDM); Row-Level Security (RLS); Transparent Data Encryption; Always Encrypted; Auditing for SQL Database and SQL Server audit; SQL Database Threat Detection
Microsoft Azure: Azure Security Center; Data Encryption in Azure Storage; Azure Key Vault; Log Analytics
Windows 10 & Windows Server 2016: Windows Hello; Windows Defender Antivirus; Windows Defender Advanced Threat Protection; Device Guard; Credential Guard; BitLocker Drive Encryption; Windows Information Protection; Shielded Virtual Machines; Just Enough Administration and Just in Time Administration
Office & Office 365: Advanced Threat Protection; Threat Intelligence; Advanced Security Management; Office 365 Audit Logs

Report: Microsoft cloud services centralize and streamline technical and administrative steps that are required for compliance, such as demonstrating due diligence and handling data access requests.
Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
Windows 10: Windows Defender Advanced Threat Protection (ATP)
Dynamics 365: Report & Analytics with Dynamics 365
Microsoft Azure: Azure Auditing and Logging


1 Discover: Identify what personal data customers have and where it resides

In-scope: Any data that helps you identify a person
• Name
• Email address
• Social media posts
• Physical, physiological, or genetic information
• Medical information
• Location
• Bank details
• IP address
• Cookies
• Cultural identity

Inventory: Identifying where personal data is collected and stored
• Emails
• Documents
• Databases
• Removable media
• Metadata
• Log files
• Backups

Example solutions
• Microsoft Azure: Microsoft Azure Data Catalog
• Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
• Dynamics 365: Audit Data & User Activity; Reporting & Analytics
• Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
• SQL Server and Azure SQL Database: SQL Query Language


Discover: Microsoft 365 solutions by stage of GDPR readiness

DISCOVER: Understand the complexities of discovering data in the enterprise, understanding what data you have and where it resides.

KEY TAKEAWAYS:


Discover: Microsoft 365 products you could choose to use for this stage

OFFICE & OFFICE 365:
• Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types including financial, medical, and personally identifiable information.
• Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets—SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online.
• Office 365 Advanced eDiscovery, powered by machine learning technologies, can help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents. Advanced eDiscovery can significantly reduce the cost and effort of identifying relevant documents and data relationships by using machine learning to train the system to intelligently explore large datasets and quickly zero in on what’s relevant—reducing the data prior to review.

ENTERPRISE MOBILITY + SECURITY:
• Microsoft Cloud App Security is a comprehensive service that provides deeper visibility, comprehensive controls, and improved protection for your data in your cloud applications. You can have visibility into which cloud apps are in use in your network—identifying over 13,000 apps from all devices—and get risk assessments and ongoing analytics.

WINDOWS:
• Using content search with PowerShell, administrators can search for and identify personal data in some file types in local or connected storage.


Discover: Analysis begins with customers

GDPR analysis begins with understanding what data exists and where it resides. The GDPR regulates the collection, storage, use, and sharing of “personal data.”

Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. Data can reside in:

• Customer databases
• Feedback forms filled out by customers
• Email content
• Photos
• CCTV footage
• Loyalty program records
• HR databases

It all comes down to personal data.

• Metadata is data that provides information about other data. There are two types: structural and descriptive. Structural metadata is data about the containers of data. Descriptive metadata describes individual instances of application data or the data content. This is important because personally identifiable information (PII) can be spread across metadata types and can thus be correlated with emails, logs, documents, etc. Examples of PII metadata include building entrance logs, payroll information, the last time a document was modified, etc.

• Team Sites refers to SharePoint sites where files and other data (e.g. lists, forms, etc.) can be used to collaborate across teams. PII can extend across files stored on a team site (e.g. HR records, legal documents, etc.).

• Log Files record events that occur in software or an online service. Examples include user login date/time to Office 365, data state changes in Office 365 (i.e. last modified by), Skype Meetings information, and administrative activity on Office 365 (user deletes, adds, etc.).

• By combining user entries in log files, user metadata across various systems, user documents, emails, databases, etc., it’s possible to correlate and build a profile on an individual user.
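The Windows content-search bullet (discovering personal data in files with PowerShell) and the metadata and log-file points above describe the same Discover task: finding where personal data sits in documents, logs and file metadata before it can be governed. The script below is an added example written for this page; it is not the playbook’s, Microsoft’s or any product’s code. It scans a folder for three indicator patterns that match the playbook’s in-scope list (email address, IP address, bank details as an IBAN) and reports only file, line, indicator type, occurrence count and the file’s last-modified timestamp, so the inventory does not itself become a new copy of personal data. The folder name, the sample files and their contents are constructed for the illustration, and the regex set is an assumption to be tuned to the data types actually in scope.

```powershell
# Added example (not from the playbook): inventory personal-data indicators in
# text-like files without copying the matched values into the report.
function Find-PersonalDataIndicators {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Restrict to text-like formats; binary formats need their own parsers.
        [string[]] $Include = @('*.txt', '*.csv', '*.log', '*.json', '*.xml')
    )

    # Assumed indicator set, tied to the playbook's in-scope examples
    # (email address, IP address, bank details). Tune for the engagement.
    $patterns = [ordered]@{
        'EmailAddress' = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
        'IPv4Address'  = '\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b'
        'IBAN'         = '\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}(?:[ ]?[A-Z0-9]{1,4})?\b'
    }

    $files = Get-ChildItem -Path $Path -Recurse -File -Include $Include
    foreach ($file in $files) {
        $lineNumber = 0
        # Stream line by line so large log files are not loaded whole.
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            $lineNumber++
            foreach ($entry in $patterns.GetEnumerator()) {
                $found = [regex]::Matches($line, $entry.Value)
                if ($found.Count -gt 0) {
                    # Location, type and count only: the matched text is deliberately
                    # not emitted, so the report is not a second store of personal data.
                    [pscustomobject]@{
                        File         = $file.FullName
                        Line         = $lineNumber
                        Indicator    = $entry.Key
                        Occurrences  = $found.Count
                        LastModified = $file.LastWriteTimeUtc   # file metadata is in scope too
                    }
                }
            }
        }
    }
}

# Constructed sample input for a stand-alone run (documentation-range IP,
# .example domains, and the commonly published example IBAN).
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'gdpr-discovery-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@(
    '2018-05-01T09:12:03Z login user=anna.example@contoso.example src=203.0.113.7',
    '2018-05-01T09:15:44Z export report=payroll-q2.csv by=bob.example@contoso.example'
) | Set-Content -Path (Join-Path $sample 'audit.log')
'id,name,iban', '1,Example Person,DE89 3704 0044 0532 0130 00' |
    Set-Content -Path (Join-Path $sample 'customers.csv')

# Summarise per file and indicator type for the gap-assessment report.
Find-PersonalDataIndicators -Path $sample |
    Group-Object File, Indicator |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it in a PowerShell session; the trailing lines create the two constructed sample files in a temporary folder and print per-file indicator counts (two email hits and one IP hit in the log, one IBAN hit in the CSV). Recording only locations and counts is what a consulting and assessment engagement needs for the inventory, and it keeps the discovery output itself from becoming personal data that would then have to be governed.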

GDPR analysis begins with understanding what data exists and where it resides. The GDPR regulates the collection, storage, use, and sharing of “personal data.”

Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. Data can reside in:

• Customer databases

• Feedback forms filled out by customers

• Email content

• Photos

• CCTV footage

• Loyalty program records

• HR databases


2 Manage: Assist customers in governing how personal data is used and accessed

Data governance: defining policies, roles and responsibilities for the management and use of personal data
• At rest
• In process
• In transit
• Storing
• Recovery
• Archiving
• Retaining
• Disposal

Data classification: organizing and labeling data to ensure proper handling
• Types
• Sensitivity
• Context / use
• Ownership
• Custodians
• Administrators
• Users

Example solutions
• Microsoft Azure: Azure Active Directory; Azure Role-Based Access Control (RBAC)
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Security Concepts
• Office & Office 365: Advanced Data Governance; Journaling (Exchange Online)
• Windows & Windows Server: Microsoft Data Classification Toolkit

MANAGE:

The key to properly managing data is a sound data governance and classification strategy that uses people, process, and technology relevant to the GDPR to establish trust and accountability within the enterprise. This enables customers to create policies that govern how data is processed and consumed, based on the different types of data (e.g. personally identifiable information), and also helps them understand the impact that data would have on the organization if it were lost, stolen or leaked, so that they can protect it better.

KEY TAKEAWAYS:

The GDPR provides data subjects (the individuals to whom data relates) with more control over how their personal data is captured and used. Data subjects can, for example, request that your enterprise share the data that relates to them, transfer their data to other services, and so on. In some cases these requests must be addressed within fixed time periods.

To satisfy obligations to data subjects, you will need to understand what types of personal data the enterprise processes, how, and for what purposes. The data inventory discussed previously is a first step toward this understanding. Once that inventory is complete, it is important to develop and implement a data governance plan. A data governance plan can help you define policies, roles, and responsibilities for the access, management, and use of personal data, and ensure the customer’s data handling practices comply with the GDPR. For example, a data governance plan can give an enterprise confidence that it effectively honours data subject requests to delete or transfer data.

Manage: Microsoft 365 solutions by stage of GDPR readiness

OFFICE & OFFICE 365:

• Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types, including financial, medical, and personally identifiable information.

• Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets: SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online.

• Office 365 Advanced eDiscovery, powered by machine learning, can help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual review of vast quantities of documents. Advanced eDiscovery can significantly reduce the cost and effort of identifying relevant documents and data relationships by training the system to explore large datasets and zero in on what is relevant, reducing the data set prior to review.
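How a DLP sensitive information type decides that a string is, say, a payment card number is worth seeing in code, because it explains both the false positives partners get asked about and why a bare regular expression is not enough. The Python below is an added illustration, not code from the playbook or from Office 365 DLP: it mirrors the structure of an Office 365 DLP sensitive information type (a primary pattern, a checksum, and corroborating keywords within a proximity window that raises the confidence level) and runs it over constructed sample documents. The function and class names and the sample text are this example's own.

```python
"""Added example (not from the playbook or from Office 365 DLP itself): how a
DLP sensitive information type evaluates text. Office 365 DLP types combine a
primary pattern, a checksum and corroborating keywords found within a character
window; the small rule engine below mirrors that structure for payment card
numbers. Names (ScanHit, scan_text, mask, ...) and the sample documents are
constructed for this example."""

import re
from dataclasses import dataclass
from typing import List

# Primary pattern: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Corroborating evidence: keywords whose presence near the match raises confidence.
CARD_KEYWORDS = ("card number", "credit card", "visa", "mastercard", "cc#", "expires")
PROXIMITY = 300  # characters either side of the match; the default window in DLP rules


def luhn_valid(digits: str) -> bool:
    """Checksum validation: rejects most digit strings that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ScanHit:
    value: str        # matched text exactly as it appears in the document
    start: int        # character offset of the match
    confidence: str   # "high" with a keyword nearby, "medium" otherwise


def scan_text(text: str) -> List[ScanHit]:
    """Apply pattern, checksum and keyword proximity to one document."""
    hits: List[ScanHit] = []
    lowered = text.lower()
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
            continue
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        confidence = "high" if any(k in window for k in CARD_KEYWORDS) else "medium"
        hits.append(ScanHit(m.group(0), m.start(), confidence))
    return hits


def mask(value: str) -> str:
    """Show only the last four digits: a DLP report that echoes the full number is itself a leak."""
    digits = re.sub(r"[ -]", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample documents (industry test card numbers, not real accounts):
# a valid number with a keyword nearby, a valid number with no keyword,
# and a digit string of card length that fails the Luhn check.
SAMPLE_DOCS = {
    "email-1.txt": "Hi, please charge my credit card 4111 1111 1111 1111, expires 09/27.",
    "note-2.txt": "Reference 5500000000000004 for the invoice.",
    "ship-3.txt": "Parcel tracking: 1234567890123456.",
}

if __name__ == "__main__":
    for name, doc in SAMPLE_DOCS.items():
        for h in scan_text(doc):
            print(f"{name} offset {h.start}: {mask(h.value)} ({h.confidence} confidence)")
```

A bare 16-digit pattern would flag the parcel number as well; the Luhn check drops it, and the keyword window is what separates a high-confidence hit from a medium one, which is the knob a DLP policy turns when deciding between notifying the user and blocking the message. Each document is scanned on its own, because a keyword in one file must not lend confidence to a match in another.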

ENTERPRISE MOBILITY + SECURITY:

• Microsoft Cloud App Security is a comprehensive service that provides deeper visibility, comprehensive controls, and improved protection for your data in your cloud applications. You can see which cloud apps are in use in your network (identifying over 13,000 apps from all devices) and get risk assessments and ongoing analytics.

WINDOWS & WINDOWS SERVER:

• Data governance: using Windows permissions, administrators can manage and govern access to personal data.

• Microsoft Data Classification Toolkit

Manage: Microsoft 365 products you could choose to use for this stage

• Data governance is a set of processes that ensures that important data assets are formally managed throughout the enterprise. Data governance ensures that data can be trusted and that people can be held accountable for any adverse event that happens because of low data quality.

o At rest refers to inactive data stored physically in any digital form (e.g. databases, files, backups, data on a mobile device, data on a server).

o Data in transit falls into two categories: information that flows over an untrusted network such as the internet, and data that flows within the confines of a private network. Data in transit is also referred to as data in motion.

o The distinction matters because data may need to be governed differently depending on whether it is at rest or in transit; the governance rules for the two may differ or coincide. For example, data at rest must be stored in a certain way (e.g. encrypted, with restricted access).

• Data classification is the process of sorting and categorizing data into types, forms or other distinct classes. Classification enables the separation of data according to the requirements of various business or personal objectives. It is mainly a data management process.

• Data types can have various meanings depending on how the partner works with the customer to define the data types that apply to the customer’s enterprise. This is the practice of understanding what types of data exist and how best to classify them. For example, structured and unstructured data that is harmless on its own can, when combined with other data, constitute personally identifiable information for a given individual.

Manage: Data Governance, Classification and Types

PROTECT:

The GDPR raises the bar on security. It requires organizations to take appropriate technical and organizational measures to protect personal data from loss or unauthorized access or disclosure. Better controls can be applied to reduce risk, prevent attacks and be proactive.

KEY TAKEAWAYS:

Protect: Microsoft 365 solutions by stage of GDPR readiness

3 Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches

Preventing data attacks: protecting data
• Physical datacenter protection
• Network security
• Storage security
• Compute security
• Identity management
• Access control
• Encryption
• Risk mitigation

Detecting & responding to breaches: monitoring for and detecting system intrusions
• System monitoring
• Breach identification
• Calculating impact
• Planned response
• Disaster recovery
• Notifying DPA & customers

Example solutions
• Microsoft Azure: Azure Key Vault
• Enterprise Mobility + Security (EMS): Azure Active Directory Premium; Microsoft Intune
• Office & Office 365: Advanced Threat Protection; Threat Intelligence
• SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
• Windows & Windows Server: Windows Hello; Credential Guard

ENTERPRISE MOBILITY + SECURITY:

• Azure Active Directory (Azure AD) in Enterprise Mobility + Security helps you protect your organization at the access level by managing and protecting your identities, privileged and non-privileged alike. Azure AD provides one protected common identity for accessing thousands of apps. Azure AD Premium adds Multi-Factor Authentication (MFA); conditional access based on device health, user location, identity and sign-in risk; and holistic security reports, audits, and alerts. Azure AD Privileged Identity Management (PIM) helps discover, restrict, and monitor privileged identities and their access to resources through a security wizard, access reviews, and alerts. This enables time-limited “just in time” and “just enough administration” access in place of standing administrative rights.

• Microsoft Intune provides mobile device management, mobile application management, and PC management from the cloud. Using Intune, you can give employees access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.

OFFICE & OFFICE 365:

• Advanced Threat Protection (ATP) for Exchange Online helps protect your email against new, sophisticated malware attacks in real time. It also lets you create policies that help prevent users from opening malicious attachments or visiting malicious websites linked from email. ATP for Exchange Online includes protection against unknown malware and viruses, time-of-click protection against malicious URLs, and rich reporting and URL trace capabilities.

• Threat Intelligence helps you proactively uncover and protect against advanced threats in Office 365. Deep insights into threats, available in part because of Microsoft’s global presence, the Intelligent Security Graph, and input from cyber threat hunters, help you quickly and effectively enable alerts, dynamic policies, and security solutions.

WINDOWS & WINDOWS SERVER:

• Windows Hello is a convenient, enterprise-grade alternative to passwords that uses a natural (biometric) or familiar (PIN) method to validate identity, providing the security benefits of smart cards without the need for additional peripherals. The credential is an asymmetric key that stays on the device (in a TPM where one is available) and is unlocked locally by the PIN or biometric, so it cannot be phished or replayed from another machine the way a password can.

• Credential Guard uses virtualization-based security to isolate secrets on a device, such as the NTLM password hashes and Kerberos ticket-granting tickets behind single sign-on, so that they stay protected even if the Windows kernel itself is compromised. This blunts credential-theft attacks such as “pass the hash” and “pass the ticket”, which depend on reading those secrets out of the LSASS process.

• Windows Information Protection helps protect against accidental data leakage (for example, corporate data pasted into a personal app) without interfering with the employee experience.

Protect: Microsoft 365 products you could choose to use for this stage

• Risk, in the context of data protection, is the level of exposure that could lead to data being lost, stolen or leaked, combined with how damaging the compromise would be. Once the level of risk is understood, decide which safeguards must be in place to protect that data, and mitigate the risk to eliminate or reduce the exposure.

• Encryption keeps data and network traffic confidential, and, when paired with integrity protection, tamper-evident, so that if it is lost, stolen or intercepted it cannot be read by anyone who has not been granted access to it. Encrypted data that is compromised carries far less risk than unencrypted data, provided the keys are stored and managed separately from the data.

• It is important to protect end users’ identities so that their identity within the enterprise is not compromised. A compromised identity lets an attacker use the user’s credentials to move laterally through the environment, gaining access to data and systems that should be restricted. Protection includes ensuring that only the individual to whom the identity belongs can use it to reach the network, through technology such as Multi-Factor Authentication.

• Security refers to protecting data, such as a database, from destructive forces and from the unwanted actions of unauthorized users. To protect data and systems, precautions are taken through technology, process, or both.

• When detecting and responding to a breach, an impact analysis must be performed to understand the downstream effects the incident may have and what type of data may have been compromised (e.g. PII). This analysis is what supports the decision on whether, and whom, to notify.

• Intrusion detection is key to a protection strategy: it detects suspicious activity by monitoring network or system activity for malicious actions or policy violations and producing reports and alerts.

Protect: More information

4 Report: Keep required documentation, manage data requests and breach notifications

Record-keeping: enterprises will need to record the:
• Purposes of processing
• Classifications of personal data
• Third parties with access to the data
• Organizational and technical security measures
• Data retention times

Reporting tools: implement reporting capabilities
• Cloud services (processor) documentation
• Audit logs
• Breach notifications
• Handling Data Subject Requests
• Governance reporting
• Compliance reviews

Example solutions
• Microsoft Trust Center: Service Trust Portal
• Microsoft Azure: Azure Auditing & Logging; Microsoft Azure Monitor
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Reporting & Analytics
• Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox

REPORT:

Reporting is key to helping ensure the customer’s GDPR obligations are being met.

KEY TAKEAWAYS:

• Record-keeping

• Breaches

Report: Microsoft 365 solutions by stage of GDPR readiness

OFFICE & OFFICE 365:

• Service Assurance in the Office 365 Security & Compliance Center gives you deep insights for conducting risk assessments, with details on Microsoft compliance reports and transparent status of audited controls, including:

o Microsoft security practices for customer data that is stored in Office 365.

o Independent third-party audit reports of Office 365.

o Implementation and testing details for security, privacy, and compliance controls that help customers comply with standards, laws, and regulations across industries, such as ISO 27001 and ISO 27018, as well as the Health Insurance Portability and Accountability Act (HIPAA).

• Office 365 audit logs allow you to monitor and track user and administrator activities across workloads in Office 365, which helps with early detection and investigation of security and compliance issues. Use the Office 365 Audit log search page to start recording user and admin activity in your organization. After Office 365 prepares the audit log, you can search it for a broad range of activities, including uploads to OneDrive or SharePoint Online or user password resets. Exchange Online can be set up to track changes made by administrators, and to track whenever a mailbox is accessed by someone other than the person who owns it.

• Customer Lockbox gives you authority over how a Microsoft support engineer may access your data during a help session. In cases where the engineer requires access to your data to troubleshoot and fix an issue, Customer Lockbox allows you to approve or reject the access request. If you approve it, the engineer is able to access the data. Each request has an expiration time, and once the issue is resolved, the request is closed and access is revoked.
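The two things the audit log bullet above promises, catching access to a mailbox by someone other than its owner and tracing one person's activity across workloads, are straightforward once the records are in hand. The Python below is an added example, not code from the playbook or from Microsoft: it assumes the records were exported from the unified audit log (for example the AuditData column returned by the Exchange Online cmdlet Search-UnifiedAuditLog) as one JSON object per line following the Office 365 Management Activity API schema, and that mailbox auditing is enabled so that Exchange records carry LogonType and MailboxOwnerUPN. The six records and the function names are constructed for this example. The second function also illustrates the Discover-stage point made earlier in this playbook, that correlating log entries across systems yields a profile of an individual, which is why audit logs themselves fall inside the scope of a data subject request.

```python
"""Added example (not from the playbook or from Microsoft): working with
Office 365 unified audit log records. The records below are constructed to
follow the Office 365 Management Activity API schema (CreationTime, RecordType,
Operation, UserId, Workload, ClientIP; Exchange mailbox records add LogonType
and MailboxOwnerUPN). It shows two things the text describes: flagging access
to a mailbox by someone other than its owner, and correlating one user's
entries across workloads into a profile of where their activity and data
appear. Function names and the sample lines are this example's assumptions."""

import json
from typing import Dict, List

# Exchange mailbox audit LogonType values from the Management Activity API schema.
LOGON_OWNER, LOGON_ADMIN, LOGON_DELEGATE = 0, 1, 2

# Constructed sample: one AuditData JSON object per line, as you would get by
# exporting the AuditData column from Search-UnifiedAuditLog.
SAMPLE_LOG = """
{"CreationTime":"2018-04-03T08:12:07","RecordType":15,"Operation":"UserLoggedIn","UserId":"anna@contoso.example","Workload":"AzureActiveDirectory","ClientIP":"203.0.113.10"}
{"CreationTime":"2018-04-03T08:15:41","RecordType":6,"Operation":"FileAccessed","UserId":"anna@contoso.example","Workload":"SharePoint","ClientIP":"203.0.113.10","ObjectId":"https://contoso.example/sites/HR/Shared Documents/payroll-2018.xlsx"}
{"CreationTime":"2018-04-03T09:02:13","RecordType":2,"Operation":"MailItemsAccessed","UserId":"anna@contoso.example","Workload":"Exchange","ClientIP":"203.0.113.10","LogonType":0,"MailboxOwnerUPN":"anna@contoso.example"}
{"CreationTime":"2018-04-03T11:47:55","RecordType":2,"Operation":"FolderBind","UserId":"helpdesk@contoso.example","Workload":"Exchange","ClientIP":"198.51.100.7","LogonType":1,"MailboxOwnerUPN":"anna@contoso.example"}
{"CreationTime":"2018-04-03T12:01:02","RecordType":2,"Operation":"MailItemsAccessed","UserId":"bob@contoso.example","Workload":"Exchange","ClientIP":"198.51.100.9","LogonType":2,"MailboxOwnerUPN":"anna@contoso.example"}
{"CreationTime":"2018-04-03T13:30:00","RecordType":1,"Operation":"Set-Mailbox","UserId":"admin@contoso.example","Workload":"Exchange","ClientIP":"198.51.100.2","ObjectId":"anna@contoso.example"}
"""


def parse_records(text: str) -> List[dict]:
    """One JSON object per non-empty line; malformed lines are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def non_owner_mailbox_access(records: List[dict]) -> List[dict]:
    """Exchange mailbox records where the actor is not the mailbox owner.
    Both conditions are required: LogonType says admin or delegate AND the UPNs
    differ, so an owner record mislabelled with a delegate LogonType is not flagged."""
    hits = []
    for r in records:
        if r.get("Workload") != "Exchange" or "MailboxOwnerUPN" not in r:
            continue
        actor = r.get("UserId", "").lower()
        owner = r["MailboxOwnerUPN"].lower()
        if r.get("LogonType") in (LOGON_ADMIN, LOGON_DELEGATE) and actor != owner:
            hits.append({"time": r["CreationTime"], "actor": actor, "mailbox": owner,
                         "operation": r["Operation"], "ip": r.get("ClientIP", "")})
    return hits


def user_profile(records: List[dict], upn: str) -> Dict[str, object]:
    """Everything the log says about one person: their own actions (UserId) and
    actions performed on their data by others (MailboxOwnerUPN / ObjectId).
    This is the correlation the Discover stage warns about: an access or erasure
    request has to cover these entries too."""
    upn = upn.lower()
    profile: Dict[str, object] = {"workloads": set(), "operations": set(), "client_ips": set(),
                                  "objects": set(), "accessed_by_others": []}
    for r in records:
        actor = r.get("UserId", "").lower()
        is_subject = upn in (actor, r.get("MailboxOwnerUPN", "").lower(), r.get("ObjectId", "").lower())
        if not is_subject:
            continue
        profile["workloads"].add(r.get("Workload", ""))
        profile["operations"].add(r.get("Operation", ""))
        if actor == upn and r.get("ClientIP"):
            profile["client_ips"].add(r["ClientIP"])     # the subject's own source addresses
        if r.get("ObjectId"):
            profile["objects"].add(r["ObjectId"])
        if actor != upn:
            profile["accessed_by_others"].append((r["CreationTime"], actor, r.get("Operation", "")))
    return profile


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for h in non_owner_mailbox_access(recs):
        print("non-owner mailbox access:", h)
    p = user_profile(recs, "anna@contoso.example")
    print("workloads:", sorted(p["workloads"]))
    print("touched by others:", p["accessed_by_others"])
```

On the constructed log the first function flags the helpdesk (admin) and delegate reads of Anna's mailbox and ignores her own; the profile shows her activity spanning Azure AD, SharePoint and Exchange, plus three entries where someone else acted on her data. In production the same logic runs over the export, and the non-owner hits are the rows to reconcile against approved delegations and support tickets.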

WINDOWS:

• Windows Defender Advanced Threat Protection (ATP) helps enterprise customers detect, investigate, and respond to advanced and targeted attacks.

• Auditing and logging provide rich and detailed raw data that can be forwarded into other solutions for deeper analysis or compliance reporting.

Report: Microsoft 365 products you could choose to use for this stage

MICROSOFT TRUST CENTER:

• In the Service Trust Portal you can find comprehensive information about the various Azure, Office 365, and Dynamics 365 compliance, security, privacy, and trust offerings, including reports and attestations. Third-party independent audit and GRC (governance, risk management, and compliance) assessment reports help you stay up to date on how Microsoft cloud services comply with the global standards that matter to your organization. Trust documents can help you understand how Microsoft cloud services protect your data and how you can manage data security and compliance for your cloud services.

BEST PRACTICES:

• A key pillar of protecting data and responding to breaches is reporting: maintaining good record-keeping practices and deploying robust reporting tools to gather the applicable data.

• Many factors go into reporting on how data is protected, accessed, and consumed. It may require working cross-functionally to generate governance reports, determine how the cloud vendor secures and maintains its infrastructure, audit user and administrator access to systems and applications, and notify regulatory bodies and customers when a data breach occurs. In addition, factors such as how long data should be retained, how data is processed, and who (internally and externally) has access to that data are important to understand so that proper decisions can be made.

Report: More information

Build your GDPR practice

Use the resources listed here to help you:

UNDERSTANDING THE BUSINESS OPPORTUNITY
DEVELOP YOUR SKILLS AND BUSINESS PLAN
LAUNCH YOUR PRACTICE
GROW YOUR PRACTICE

Business opportunities
• Partner Opportunity with GDPR flyer here
• Partner role in GDPR blog post here
• How partners can monetize GDPR here
• GDPR 101 video here
• Security Practice Development playbook here
• See more partner readiness materials on the Microsoft partner portal here

Learn about the Microsoft Trusted Cloud
• Microsoft Trust Center GDPR site here
• Microsoft commitment to GDPR compliance here
• Microsoft on Trust, Privacy, and the GDPR on-demand webcast here
• How Microsoft helps customers prepare for GDPR video (4 min) here

Learn about GDPR solutions
• GDPR demo site here
• GDPR Products and Solutions page here
• GDPR white paper here
• Microsoft 365 site here

Build your skills
• Office University: Office 365 Security Partner Training (MPN17435) here

Customer-ready information
• Resources for GDPR compliance here, including white papers, blog posts, related information, FAQs, and languages

Tools for you
• GDPR Activity Hub (solution accelerator tool that helps partners operationalize GDPR-related processes and activities) here

Engage with customers
• Assess GDPR readiness with the GDPR Assessment here
• Extended questions/guidance for workshops & SOWs in the GDPR Detailed Assessment here

Tools to use with your customers
• GDPR Briefing To Customer deck here
• Beginning Your GDPR Journey and other white papers here
• GDPR Product Demos: tools to demonstrate how the Microsoft cloud helps customers comply with GDPR here

Accelerate customer success with FastTrack

Partner-led deployment with FastTrack Support
• Access to deployment and adoption resources
• Request assistance for onboarding & adoption
• Unlock performance-based benefits

At the end of the day, your success comes down to making your customer successful. FastTrack is a customer benefit from Microsoft that can enable your customers to move smoothly and confidently to Microsoft cloud services. Partner-led deployment with FastTrack support gives you access to deployment and adoption resources, lets you take advantage of data migration services, and lets you request assistance for onboarding & adoption.

Core untapped benefits:

About one-third of Microsoft 365 E3 and E5 customers will be moving from on-premises. There is a very big opportunity for partners to leverage FastTrack migration services.

As an enhanced benefit, you’ll have access to remote assistance from FastTrack managers & engineers.

We’re also offering new performance-based benefits, such as:

• Special adoption incentive and special modern desktop accelerators to drive client refresh

• FastTrack Center will direct 300+ customer referrals per month

• Dedicated account management and access to Tier-2 technical SMEs

Check out the FastTrack partner site to learn more at aka.ms/FastTrackOpportunity.

Resources


PARTNER RESOURCES

• Microsoft 365 partner opportunity site here

• Microsoft 365 partner announcement here

• Forrester Total Economic Impact Study: Partner Opportunity

for Microsoft 365 Enterprise here

• Gartner Industry Addressability Study here

• Security Practice Development Playbook here

• Office 365 Security and Compliance portal here

• Microsoft Security Strategy, Inspire 2017, with Julia White here

• Gives and gets page on MPN partner portal here

CUSTOMER RESOURCES

• Microsoft 365 main page here

• Microsoft Trust Center here

• Microsoft Trust Center GDPR page here

Additional resources


Intro to Microsoft 365/security and compliance resources

Statistic and source:

• 4.2B customer records compromised. Source: Risk Based Security Reports, 2017

• 99 days from breach to detection. Source: FireEye/Mandiant report, March 2017

• $17M average cost of a security breach. Source: Cyber crime: a risk you can manage. Information management and governance to protect business innovation, business white paper, Nov. 2016

• Security spending for organizations with over 1,000 employees increased from 22% in 2015 to 28% in 2016. Source: Forrester’s Security Budgets 2017: Increases Help But Remain Reactionary, Jeff Pollard, Nov 23, 2016

• The spend on both product and services is roughly a 50-50 split, with 49% of this budget planned for services and 51% planned for products. Source: Forrester’s The State of Security Services 2016, Jeff Pollard, August 4, 2016

• IDC forecasts that “worldwide revenues for security-related hardware, software, and services will reach $81.7 billion in 2017.” This is 8.2% higher than 2016. IDC also forecasts that revenues will be nearly $105 billion by 2020. Source: IDC Worldwide Semiannual Security Spending Guide, March 29, 2017

• Services will be the largest area of security-related spending, led by three of the five largest technology categories: managed security services, integration services, and consulting services. Together, companies will spend nearly $31.2 billion, more than 38% of the worldwide total, on these three categories in 2017. Technology categories with the fastest spending growth over the 2015-2020 forecast period include managed security services, with a CAGR of 12.2%. Source: IDC Worldwide Semiannual Security Spending Guide, March 29, 2017

• “For our customers interested in digital transformation, the revenue opportunity is huge. We are especially excited about ongoing consulting work and managed services.” (an interviewee) Source: Forrester Total Economic Impact™ Study Commissioned By Microsoft, July 2017, The Partner Opportunity For Microsoft 365 Enterprise

Customer targeting and partner value resources

Statistic and source:

• SMBs are more likely than enterprises to have an informal IT risk management policy or to manage issues on the go. SMBs tend to be more reactive, identifying and addressing risk as issues arise (26% SMB vs. 21% Enterprise). They are less likely to have a formal process to manage risk (10% of SMBs have no formal process vs. 4% of Enterprises). Enterprise information workers are also more likely than those in SMBs to be aware of, understand and follow their company's policies for data use and handling. Source: Forrester's Global Business Technographics Devices and Security Workforce Survey, 2016

• Enterprise customers are more likely to adopt a wide array of identity and access management technologies. Source: Forrester's Global Business Technographics Security Survey, 2016

• Enterprise customers are also more likely to increase their threat intelligence capabilities and spending, and their security and audit requirements, post-breach. Source: Forrester's Global Business Technographics Security Survey, 2016

• Worldwide IT spending by small and medium-size businesses (SMBs) will approach $568 billion in 2017. The increase is projected to grow by more than $100 billion to exceed $676 billion in 2021. Source: IDC, Worldwide Semiannual Small and Medium Business Spending Guide, July 2017

• The gap between how SMBs and enterprises see their businesses, their customers, and their technology initiatives is narrowing. In recent research, Forrester reported that SMBs are becoming more active in both new technology adoption and acceleration of their refresh cycles. Just as similar priorities guide SMBs’ and enterprises’ investments and focus, SMBs’ technology investment patterns map closely to those of enterprises. Source: Forrester, SMBs Now View Their Tech Investments Through An Enterprise-Like Lens, May 8, 2017

• You’ll also want to keep the customer size in mind when strategizing your security conversations, both pre-sales and throughout the journey, as the approach should differ. Source: Forrester, Security Software Buyers Influence Map, June 2017

• The three industries with the highest spending on security solutions are banking, discrete manufacturing, and federal/central government. The three other industries that will each spend more than $5 billion in 2017 are process manufacturing, professional services, and telecommunications. Source: IDC Worldwide Semiannual Security Spending Guide, March 29, 2017

• The average first-phase advanced security workload project costs $60K to $100K. Source: The Partner Opportunity For Office 365 Advanced Security And Compliance Workloads, A Forrester Total Economic Impact™ Study Commissioned By Microsoft, July 2017

• Anticipated follow-on project revenue, based on numbers of workloads at $50K, is estimated at $50K to $150K. Source: The Partner Opportunity For Office 365 Advanced Security And Compliance Workloads, A Forrester Total Economic Impact™ Study Commissioned By Microsoft, July 2017

• The average margin across all revenue streams is 38.7%. Source: The Partner Opportunity For Office 365 Advanced Security And Compliance Workloads, A Forrester Total Economic Impact™ Study Commissioned By Microsoft, July 2017

• Security decision makers surveyed show strong interest in implementing these security offerings, per a recent Forrester study. Over 1/3 of the top intended “as a service” offerings are based around security. Those implementing, expanding/upgrading, or planning to implement: Advanced Threat Protection 75%; Security analytics 75%; Threat Intelligence 72%; Security information management 72%. Source: Forrester Research, Inc. Global Business Technographics® Security Survey, 2016

• When targeting your project services, our research with partners emphasized the importance of targeting the enterprise customer to attain significantly higher per-project revenue. Source: Microsoft Cloud Practice Development Study, MDC Research, June 2017

Security and Compliance Scenario resources

Statistic and source:

• 75% of users use the same password for social networking and email. Source: Security Week

• 71% of accounts are guarded by passwords used across multiple sites. Source: TeleSign Consumer Account Security Report 2016

• 46% of users employ a password that is at least five years old. Source: TeleSign Consumer Account Security Report 2016

• Stolen and/or weak passwords are used in 81% of all hacking-related security breaches, and 15% of phishing victims within companies of 30-plus employees fall victim to a second phishing attack. Source: Verizon 2017 Data Breach Investigations Report

• 95% of phishing attacks that lead to a breach are followed by some form of software installation. Source: Verizon 2017 Data Breach Investigations Report

• 91% of phishing attacks are launched with the intent of stealing users’ credentials. Source: Verizon 2017 Data Breach Investigations Report

• 81% of hacking-related breaches are based on stolen and/or weak passwords. Source: Verizon 2017 Data Breach Investigations Report

• 91% of cyberattacks start with a phishing email. Source: https://phishme.com/2016-enterprise-phishing-susceptibility-report

• 44% of the organizations surveyed saw phishing as the top threat and 43% identified malware as their top threat. Additionally, these organizations identified zero-day attacks and targeted cyber attacks to steal financial information, disrupt or deface the organization, or steal intellectual property or data. In the same survey, 36% of respondents said they do not have a threat intelligence program. Source: 2016 EY Global Information Security Survey, http://www.ey.com/gl/en/services/advisory/ey-global-information-security-survey-2016

• 86% of organizations surveyed are worried that their cybersecurity systems do not fully protect their information systems. Source: 2016 EY Global Information Security Survey, http://www.ey.com/gl/en/services/advisory/ey-global-information-security-survey-2016

• Losses from ransomware in 2016 totaled $1 billion. Source: https://www.vircom.com/blog/the-10-craziest-cybersecurity-statistics-of-2016/

• The cost for each lost or stolen record of sensitive data is now $158, and the total cost of a typical data breach now averages $4 million. Source: 2016 Ponemon Institute Cost of a Data Breach Study

• In 2016, there were 4,149 breaches reported, exposing more than 4.2 billion records. Source: Risk-Based Security 2016 Data Breach Trends, https://pages.riskbasedsecurity.com/hubfs/Reports/2016%20Year%20End%20Data%20Breach%20QuickView%20Report.pdf

• In 2016, on average there were more than 4,000 ransomware attacks per day, a 300 percent increase over 2015. Source: https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

• 73% of organizations report being concerned about poor user awareness and/or behavior around mobile devices. Source: http://www.ey.com/gl/en/services/advisory/ey-global-information-security-survey-2016

• Global spending on cybersecurity products and services will exceed $1 trillion over the next four years. Source: http://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

• 75% of US companies that consider GDPR a top priority have budgeted $1 million or more to become compliant. The amount ranges from €100,000 to a few million in Europe, depending on the organization. Source: Forrester Report, Assess Your Data Privacy Practices With The Forrester Privacy And GDPR Maturity Model, April 2017

• IDC predicts GDPR will create a $3.5B market opportunity for security and storage vendors. Source: IDC press release, https://www.idc.com/getdoc.jsp?containerId=prEMEA40551915, 03 Nov 2015