Transcript

Patrick Spencer (00:01.23)

Welcome back everyone to another Kitecast episode. I’m joined by my co -host Tim Freestone. Tim, how are you doing today?

Tim Freestone (00:08.956)

Yeah, I’m just counting the days to PTO. So nine left.

Patrick Spencer (00:12.302)

Yeah. Or the weekend that you’re counting the hours in that case. I promise not to schedule any podcast during your PTO. How’s that? we’re in for a real treat today. We’re going to do something a little bit different than we normally do. we just published or by the time this podcast is released, we have a early version that, all the participants on this call have obviously taken a look at, or you will discover, we’re going to publish our.

Tim Freestone (00:22.716)

Thanks.

Patrick Spencer (00:42.03)

Third, sensitive content communications, privacy and compliance reports. The annual report that delves into issues related to, you guessed it, data privacy and compliance, cybersecurity and so forth. And we thought our audience would find an engaged conversation around some of the key insights. Obviously, you’re not going to be able to cover all of them during this call. We’ll just cover a few of the ones that we think are more salient. To get expert input on some of those from a couple of folks that we’ve had interactions with in the past.

Alexander Blunk is a former cybersecurity director at several companies. He is a consultant. He helps organizations with things such as ISO 27001, 27 ,017 and so forth. MITRE ATT &CK framework, how to use it, as well as other cybersecurity and compliance initiatives. And then Ranbir Bhutani, he has years of experience in cybersecurity and compliance, including having served as a VCISO.

And he is currently the CEO and VC So at cyber culture. He’s also a PhD candidate at George Washington university. So gentlemen, thanks for joining me today.

Alexandre Blanc (01:52.188)

Nice to be there, thank you for having us.

Patrick Spencer (01:54.624)

I’m looking forward to this conversation and getting your insights as well as Tim’s on, you know, what some of the findings show us or maybe point to in terms of things that our audience members can be doing today when addressing cybersecurity and compliance challenges as well as things they should be thinking about a year out or two years out, for example. The report just for our audience is conducted annually. We used a survey form of a company called Sentiment this go -around. They did a great job.

Ranbir Bhutani (01:54.95)

Thank you.

Patrick Spencer (02:23.726)

572 responses from IT cybersecurity risk and compliance leaders around the globe. I think across about 10 different countries. And the report is broken up into it’s about a 30 page report as various charts and graphs. It’s broken up into five different sections, cyber attacks and data breaches. What are you going to talk a little bit about today? There’s some interesting findings there. Data types and classification, third compliance and risk, third cybersecurity and risk management, and finally operational proceeds.

We’ll talk a little bit about some of those. We’ll let our audience check out the report on their own to delve into some of those details, but there’s some interesting insights there that we can cover today. So with that, we’ll jump into the report. But before we do so, because we just got out of RSA a month ago or so, and we had the Verizon Data Breach Investigations Report come out. What are you guys seeing in 2024?

When it comes to cybersecurity and compliance, are there any trends? If we look at hacks, are there any trends there that we need to watch out for? Alexander, let’s start with you. What are you seeing?

Alexandre Blanc (03:35.836)

Well, it’s interesting because we see bigger incidents, like less of them, but way bigger. Like the past years, we had many small businesses being attacked and stuff like that. And it seems that these threat actors did get more organized and target bigger organizations. And we have bigger impact from what I see right now. And they also target some specific vertical. We seem to see campaigns toward like health care and then more financial stuff.

And it’s very, very segmented. I think it goes together with the geopolitical tension. I mean, it’s more used as an ammunition kind of, and the goal is to break the trust in our systems and the organization and society. So that’s what I see overall.

Patrick Spencer (04:24.014)

Interesting. And we certainly saw that with the Move It breach, the Go Anywhere breach to a lesser extent, where they were hitting hundreds of thousands of companies in the case of Move It and large organizations. And our research ironically shows that healthcare has a lot of work to do. And I’ll throw out a few data points when we get down to…

some of those relevant sections in the discussion. Ranbir, when you’re working with your clients, are you seeing something comparable to what Alexander just referenced? Are you seeing something different?

Ranbir Bhutani (04:56.102)

No, actually, what Alexander references is quite accurate. I would add, again, can’t share client’s information, but again, there are incidents that are happening where hackers are actually trying to get into clients’ tenants. Pretty much most companies are all cloud -based, Google, AWS, Azure. So in this case, what they did is they actually

got an account that was Keys to the Kingdom. Could have been maybe a potential insider that we don’t know. But the idea is they got into their tenant. Luckily, they didn’t mess with their environments. But what they did is create many other environments and racked up a bill more than well over six figures. So the idea was to do maybe crypto mining or some type of crypto activities. And the more horsepower you have, not leveraging obviously your own funds, but.

Patrick Spencer (05:45.422)

wow.

Ranbir Bhutani (05:54.726)

in this case, more of for their own gain. So that’s some of the trends that I see happening. The phishing, it will always be there. It’s actually getting a lot more sophisticated. So a lot of these hackers are using unethical AI programs that they’re building, just like we have, you know, chat GPT is a known one and everybody’s kind of building off that. Well, how do, you know, again, the bigger question is how are we securing AI? Nobody’s really talking about it, frankly, but.

the ideas and again, I have some ideas, but either way the point is, is that I’ve gotten emails that look so legitimate from, you know, an American Express or a huge, you know, the Navy federal again, I don’t mean to say these names, but it just giving you an idea that like, it looks so legitimate that even if you check where it’s coming from, it looks even more legit. But the idea is obviously in phishing, you have to check the URL and there’s other things that you can do to, you know, more preventative. So, so that, you know, again, the phishing is there.

Scamming is up even more. I don’t know if you’re getting text messages, calls. I mean, it’s getting really, really bad.

Tim Freestone (06:58.972)

Yeah, the human element is just like, it’s always, it’s the easiest one to break. Right. so until we abstract people from the process of business, it’s, it’s just, it’s just chasing your tail constantly. But let me ask about the tenant thing. And you mentioned a couple of service cloud service providers. you know, one of the things that we’ve seen is that.

Patrick Spencer (06:59.278)

One.

Ranbir Bhutani (07:05.19)

Yes.

Ranbir Bhutani (07:12.646)

course.

Tim Freestone (07:28.38)

in cloud service providers, oftentimes when it’s SaaS, it’s a multi -tenant environment. So threat actors will get into one organization’s environment within the multi -tenant ecosystem and then move left and right into other companies’ tenants. Was that a similar situation here or was it a single -tenant environment? Do you know?

Ranbir Bhutani (07:51.942)

it was a single tenant environment, but again, the good thing was they didn’t mess with their, environments or there’s, you know, their, their servers and whatever they built. It was just, they were trying to do something else, which is nice, but in the sense bad that, you know, they racked up a bill and then you have to go to the vendor to say, okay, well, I have to now see how I can fight this or cyber insurance. Right. Yeah.

Tim Freestone (08:17.212)

I see. Interesting.

Patrick Spencer (08:21.038)

Yeah, that is an interesting point. Well, the Tim’s Verizon in their report, it was like 87%, if I remember correctly, of all data breaches are tied back to human error. So that human element just isn’t going away. And we tried lots of different technologies, a lot of different strategies, processes, you name it. Maybe it’s minimized slightly, but it’s still a problem, right? It’s the weak link.

Alexandre Blanc (08:21.916)

That’s also…

Ranbir Bhutani (08:36.614)

That’s it.

Patrick Spencer (08:48.142)

at the end of the day, maybe AI will solve that problem for us, you know, that’s right.

Tim Freestone (08:48.86)

I’ve been in this.

Yeah. I mean, I’ve been in the industry for 15 years and just yesterday I almost clicked the link. I almost clicked it and I looked closer and sure enough, it was a phishing email. And, you know, I’ve seen every kind of training video you could possibly see and I’m in the industry. So anybody who isn’t,

It’s just easy. It’s fish in a barrel for hackers, right? It’s just, it’s insane. It seems like the only, only way to almost get around it is locking down the, the, the business email, environment to just authorized communication streams, you know?

Patrick Spencer (09:24.334)

Yep. Yep.

Patrick Spencer (09:36.846)

You lock the fishers out. Yeah.

Ranbir Bhutani (09:39.11)

Well, yeah, no, and again, Tim, sorry for you that I just.

Tim Freestone (09:44.444)

What’s that? Yeah, I was done going. Yeah.

Ranbir Bhutani (09:45.19)

Sorry, were you done? I just wanted to, but no, it’s interesting to attempt to your point, right? Well, how do you lock down the workstations, right? How do you lock down organization owned laptops, like lockdown USBs, even using, let’s say a web filtering or proxy service, lock down all the sites that could like gambling and, you know, the naughty sites not going there. But my point is like not locked down specific things, or maybe go down to zero trust to where they’re basically a need to know and only access the sites.

like human resources needing their accounting tools and software, right? To do the work in their job. And again, yeah, you know, the employees browse the internet and again, and sometimes all it takes is just one, it’s clicking on one site and then you’re downloading malware or ransomware into your networks, right? So I don’t know more of like locking down.

Tim Freestone (10:30.14)

Yeah. Even, and I understand it inhibits productivity, but which is always the balance between security and IT innovation. But, you know, think of a scenario where, you know, in for business in email, you cannot receive emails and you cannot send emails who haven’t been onboarded to the email to people who haven’t been onboarded and approved in the email system like that. Outside of that, I don’t.

Ranbir Bhutani (10:37.926)

Of course.

Tim Freestone (10:59.068)

I don’t see true risk reduction, but it’s almost untenable in terms of business innovation and, you know, it just, anyway.

Alexandre Blanc (11:09.648)

And I want.

Ranbir Bhutani (11:09.894)

Yeah, this could be a whole separate conversation here. I have ideas, but we don’t have to get into it. It’s a very good conversation.

Patrick Spencer (11:10.158)

Well, and then well, zero trust, Randy.

Tim Freestone (11:16.252)

Okay, yeah.

Patrick Spencer (11:17.966)

That’s the next podcast. You mentioned Zero Trust, which we did ask a question in the survey report on that front around the maturity levels organizations have. It included like endpoint, when you apply it to the network, when you apply it to the data security and so forth. And I think none of them were over 60 % or just maybe one or two were barely over 60%. Data security was the lowest.

Tim Freestone (11:21.372)

Really.

Ranbir Bhutani (11:21.798)

What is that?

Patrick Spencer (11:46.35)

Probably no big surprise, but that’s the target of what cyber criminals are looking at is how do I get to the crown jewels to the sensitive content that these organizations have so I can hold it for ransom. I can still use it for nation state issues and so forth. You guys were probably all at RSA zero trust. Everyone claims to do it, but we still have organizations admitting that, you know, about 60 % of us are there. If even that, what are your thoughts and.

What are your thoughts in regards to how we apply it to zero trust or to content?

Alexandre Blanc (12:22.748)

Well, I can jump on that. So the first thing is that a lot of marketing came around that make organizations believe that they add what it takes to be zero trust. You know, when they have just like the VPN with MFA and multi attribute check, they’re like, okay, we’re good. We use zero trust, but that’s not the core. That’s not how it’s implemented. And that’s not explained properly. I mean, zero trust is about knowing each item and attributing a rating for each data user.

and then applying policies on top of that. So it’s just, it’s not just about remote access with multifactor and you know, conditional access stuff you see, but this is sold as this. So when you get the poll about the organization adopting zero trust, I do not believe that number is there already because to implement that thing, it’s a big, big architectural change in the infrastructure. And to be honest, either you ramp up and move your information.

into a system that is natively implementing the process. But I barely see that fully implemented in any legacy system, even the cloud existing systems. It’s not designed for it. It’s getting there, but it’s not there yet. So there is a lot of brag, hype about zero trust. And if we get back to the first NIST definition, the NIST document, I mean, this is the policy enforcement point.

the attribute based and the risk level and the risk rating that you apply to each document. And this is very aligned to the government requirement. The US, if you worked in the federal acquisition requirement and the military staff, this is something that exists for long and it’s not existing in the private sector. So there’s a big catch up being played there. And between the marketing and staff, it’s like a false sentiment of security that is being deployed.

by solution provider coming with that, but it’s not really the case. There is a big, big work of data classification and identification that you have to do before you can claim you have it in place. And it’s not about deploying a box or whatever solution. It’s about integrating a technology, but then you have to make it work with all your data. And this is all of it that is supposed to be under the regulation or the classification that you want to. So that’s my take. I think it’s…

Alexandre Blanc (14:40.124)

There are two kinds of zero trust, like the fancy thing in the marketing and the real accurate data governance that is applied to it.

Tim Freestone (14:50.78)

Yeah. I mean, yeah, exactly. We’re starting. I mean, you may have seen, or maybe not since it’s Canada, but NIS, no, the NSA came out with, you know, zero trust that the data for the data pillar and really good concrete guidance, at least for federal agencies and companies doing business with federal agencies about exactly what you said, which is least privilege access, always on monitoring, never trust, always verify.

Patrick Spencer (14:51.022)

Yeah, the marketing people ruined it. Go Tim.

Tim Freestone (15:19.516)

at every data point, you know, all of the assets. So those are, that’s a good direction. It’s just, for some reason, we always go backwards in this industry. It’s like we start with the machines and end with the data, but the machines were the reason you secure the machines, the network and the applications is because of the data. Let’s go the other way. I know it’s a more complex problem, but it’s the problem at the end of the day, outside of just sabotage, you know, DDoS attacks or something.

Patrick Spencer (15:47.886)

I wonder, you know, we had the interesting insight as a finally get to one of the points I wrote down here, which I figured to be the case. we, we had, fine actually a little bit better than last year, like slightly by a couple of percentage points, but seven plus data breaches on average reported by the 572 response we had. But then we, we, this year for the first time, I think we threw in don’t know as one of the ops, right? We had one, we had eight, whatever’s the case.

Tim Freestone (15:54.172)

Okay.

Patrick Spencer (16:16.334)

And others, you know, said, just don’t know. And these are IT, cyber security, risk and compliance leaders. We had 9 % overall say they don’t know. And then in state, this is scary, in state government, 25 % said they don’t know and 22 % in pharmaceutical said they don’t know. So is this back to this, you know, is it tied to the zero trust that they just really don’t completely know what’s going on in their environment? Cause these folks should be aware of how many data breaches they experienced. You would think in the roles there.

Yeah. Alexander, do you have any thoughts on that front?

Alexandre Blanc (16:50.236)

yeah, I mean, clearly, but thing is that a lot of organization learn about a breach from an external provider first, they don’t see because they do not have the audit log capability, they do not have the visibility, or they do not have the resources assigned to it. Now we spoke about the medical sector, health care. Well, these guys invest on health care stuff, medical equipment. So they are not information management companies. So it makes sense that the investment is.

going for the information security after the operational capability. Now, there is a switch when we lever and move everything digital, then we have to adjust and the priority when the operational capability depends on the data, then it becomes as important and we cannot ignore that thing. And I think we are just right now reaching that point where it’s time to play catch up in many, many verticals. And that’s a challenge we face because the set -up didn’t wait.

The automation, the AI is used by the threat actor and the security posture of this organization are not yet there. So, and there’s no magical solution for that because it’s a lot of work for anybody having been working in data classification appointment in an organization that didn’t do it before. I mean, they have, let’s say a SharePoint stuff and I’m telling you when you have to pull that inventory of file in the CSV file and someone to actually tag each of them. Well, you have now, you know.

automated pre -classification, you use AI for the community, it’s assuming some rating, but still you need a manual process to validate all these things. And that’s taking a lot of time. So if organization didn’t start with that, there’s a lot of work to do. And this is a lot of cost. I mean, this is time on people or time on AI, because we tend in that to bring more AI automation. Yet you still have to do it. So that’s the challenge we see and it’s not going to happen in a day. So that will be about it.

Patrick Spencer (18:42.606)

Yeah, very, very true. Ram beer, you know, building on that, you know, I wrote down the two industries that had the highest percentage of hacks is like 50 % or more in both instances. I believe higher ed. It’s like, said they had a 56 % said they had over seven plus hacks security and defense was not far behind, which is a bit scary. Cause we have something called CMMC 2 .0 that, they’re supposedly working to adhere to, but they.

Apparently you’re still having a lot of hacks either they’re more aware At least these aren’t the two that said they don’t know most of the time But there’s a lot of attacks going on in that space. Is there a reason? Security defense obviously that’s where you know The most critical contents being stored so I can understand why they’re going after that but higher ed. It’s just it’s a immature Technology space. Is that the reason?

Ranbir Bhutani (19:38.118)

Well, no, this is all a great conversation that we’re having, right? And to everyone’s point on this call is where, I say, as secure as reasonably practical, right? Again, depending on the organization and industry, let’s be honest here. If the federal government were to enforce cybersecurity to all entities like sole proprietorship, LLCs, S -corps, C -corps, it doesn’t matter if you’re federal or not, if you’re private owned business.

then our industry would be a complete game changer within the cybersecurity because now, regardless of what industry you’re in, you have to have some type of cybersecurity program or maybe resource. Again, you brought up CMMC, right? So DoD, let’s say, is enforcing. I mean, 2019 and we’re on 2024. So you could see how long the federal government takes to enforce a requirement. I mean, the Gov cons came back. Hey, DoD, are you going to fund us for this? Because it was going to be a six -figure tab.

Tim Freestone (20:30.652)

Yeah.

Ranbir Bhutani (20:35.91)

Even the smaller businesses, let’s say 10 to 15 employees, just to give you an example. So the idea is that, okay, yes, you have the controls, you have the policies, the procedures, but let’s also be, another point I’m adding is that why does cybersecurity always have to continue selling themselves? Like the CISO has to sell himself daily or herself daily to just convince C -levels and board of directors the importance of this. And then, you know,

Sorry, going back to like, let’s say again, SolarWinds was a big one, right? Why did they get hacked? What happened? What broke? What was, you know, again, even SEC went after the XCZO, right? I don’t know him and never met him personally, but the idea is something really bad had to happen on the inside for this to have such a huge impact. And I’m just really surprised that other companies are not catching on to say, okay, well, not just publicly traded companies, but you know, folks in the, you know, the Federal Trade Commission is another one. Again, they enforced…

cyber, what do you know, again, what do mortgage broker dealer firms, payday loans and car dealers know about cyber? They don’t know what they don’t know. So again, going back to your question, sorry, I’m all over the place, but higher ed, right? Where’s the enforcement from the federal side or quasi enforcement saying, okay, well, all higher level education, colleges, universities, community colleges, training centers, you must have at least some minimum cybersecurity program in place or even from strategic going.

aligning back to NIST, right? And that’s where the rub is right there for us to say, okay, well, we have these guides, these policies, procedures that go back to NIST that could easily be implemented from a risk management perspective, right?

Tim Freestone (22:20.124)

Yeah, there’s a couple of things that I want to springboard off of. One is in education. I mean, there’s not a lot of money there to begin with. So it gets thinned out into priorities. And to your point, Ranveer, security doesn’t make the cut to the degree that it should, especially in education, especially in state and local government. I mean, it’s a little bit disturbing to hear it trend up in the federal government, but I get it. But, you know,

Ranbir Bhutani (22:36.678)

Absolutely.

Tim Freestone (22:50.012)

I had this conversation just the other day. There’s all these best practices, frameworks, how to’s, you know, risk management, one -on -ones out there. But when it comes to almost pretty much directly to your point, it’s not followed because there’s no, tangible or, meaningful repercussion other than the potential for loss. If you get breached.

Whereas with, you know, regulations that actually drive change, there’s meaningful guaranteed repercussions for not following the situation. CMM, GDPR is one, although, you know, there’s some pencil sharpening that needs to be done there, but CMMC 2 .0 is about the closest I’ve seen. And even there, it’s not necessarily penalties. It’s you’ll lose.

the ability to do business with the federal government ergo ipso facto, you will go out of business. That’s a, that’s a motivating regulation to adhere to, assuming it actually goes all the way through. but outside of that, everything’s out, everything’s best practices frameworks and should do’s right. And it just, people got other things on there.

Ranbir Bhutani (24:13.862)

Well, yeah, no, no. And to your point, Tim, it’s like, well, where’s my return on investment? Or I call it road return on security investment. So we’re at a point to say, okay, well, see level and board of directors, maybe perhaps we showed them a dollar value, the impact of a breach in your organization, if the human resources or operations or let’s say your digital media group or whichever departments you or business units you have.

in your organization, the potential impact of breach and the outcome, right? Because the idea is like, if you get breached, you will lose, you know, you may potentially lose your clientele A and your reputation goes down, right? Because the breach is, man, it’s a big deal. And now it seems like it’s sort of a norm thing too today. But the idea is that you could have put these preventative measures in place. Yes, it’s going to cost you, but…

But what if it cost you tenfold in the future? Right? Even if you have cyber insurance, they’re not going to cover, you know, a $2 million ransomware. Look what happened to a colonial pipeline. I mean, really? Right? You know, again, it’s an energy, you know, oil company, you know, and, you know, they’re a big company. They got breached. I mean, it doesn’t matter how, you know, how big or small you are. They’re just, the target is a target. It doesn’t matter.

Tim Freestone (25:36.924)

Yeah, I think the challenge, the problem word in that statement is the first word, which is if, if you get breached, you know, right. And when you’re in the, in the business seat and the board level, especially almost the entire decision tree for all business operations is a, is an if then statement. a balance of if thens and this if.

Ranbir Bhutani (25:42.886)

Yes.

Tim Freestone (26:05.788)

falls lower than other ifs. If we do this, we’ll drive this much more business. Okay, that seems concrete. If we don’t do this, we may lose, you see what I’m saying? But if there’s a, when regulations change the if to an absolute, then action happens. I know people don’t like regulations because it’s like parenting, but.

I just don’t see any other way to drive meaningful change at scale across industries, right?

Patrick Spencer (26:41.069)

Do we?

Ranbir Bhutani (26:41.158)

Yeah, no, and, and, and, and sorry to be silly in a moment here, but you know, I have a two and a half year old toddler. Every time I asked her to do something, she says no. So just, it’s like, every time you ask the board something related to cyber, no. But again, it’s like, okay, well, why don’t we sort of think of it from an observation perspective where they’re thinking about profits and losses, right? Because from a business perspective, you want your business to grow. You want to get more clients, you know, you want to build that.

name and reputation even further. But the idea if you sort of come from a different, especially sizzles, right? I think sometimes sizzles are either A, they’re way too technical or, you know, maybe a more compliance, right? Or maybe the mix of the two. But the idea is how do you show them numbers? Because then you’ll get their attention within a matter of seconds and they’ll be like, okay, well, it could cost me a half a million dollars if my human resources department got breached. Yes.

Okay, here’s your funding that you need. Okay, well then that’s a complete game changer. I don’t know that just giving you some ideas here to maybe the whole industry is going about it wrong where, okay, we had these 20 critical CVEs and now they have to be addressed, right? I don’t know about you, but a board of directors, C levels usually get very turned off by that and they walk away.

Tim Freestone (27:54.556)

Yeah.

Patrick Spencer (27:54.894)

Yeah.

Alexandre Blanc (27:55.548)

But that’s something you see, I mean, Tim, you spoke about GDPR, and that’s exactly the spirit they came with. I mean, if you breach, there is a big key notion there, which is negligence. If you’ve been negligent, you are guilty and you will be fine. That’s either a couple of millions or a percentage of your annual income of the company. So that’s actually something that exists and is in place. You know, you speak, Tim, you said we need a regulation, but it’s there in some places.

But the issue is the enforcement of it. What we see is that they come after the fact. They come, okay, big corporation, big enough to be worth investigating, getting the money from, then it will slap them after the incident. And we know the same rule has been taken and the laws into Quebec laws in here in Canada. And that’s exactly the same thing because they wanted to be on an equal requirement for the market. So we face the same thing. But the fact is there is no one to enforce it.

Tim Freestone (28:26.076)

Yeah, yeah.

Alexandre Blanc (28:53.148)

So you run your SMB, no one’s gonna go after you, you’re not gonna be fined, no one is gonna be, unless there is a claim or someone suing you for, because you abused the PII or something or you stole the information, or there is a big thing eating the news, and then you’re gonna have some fine. But, and we face, Ranbir, what you said about the board members, if you speak about it, it’s like, yeah, well, you know, who’s gonna check that? So, I mean.

Tim Freestone (29:20.06)

Great, 100%.

Alexandre Blanc (29:20.956)

What’s the lever, you know? What’s the lever? What can we do?

Tim Freestone (29:23.548)

Yeah.

Ranbir Bhutani (29:24.134)

Trust me, we all feel the heartburn here. We’re like, we really want to make impact. We really want to put these prevent. I mean, it’s like sort of the boy cried wolfs is its scenario, right? The boy keeps crying wolf and then the townspeople come, you’re like, and then eventually the wolf comes and eats him, right? So that it’s like, why not sit, you know, why not put preventative measures in place now versus the future if something were to happen? It’s kind of like insurance, right?

Like, and again, I don’t know about Alexander in Canada, but in US you’re required to get car insurance before you go drive on the road. And if you don’t and you get pulled over, you’ll get a huge ticket, even jail time. So the idea is if we were to apply, and again, not applying jail time in cyber, but to companies, hey, if you don’t implement these things, then you may get fined, right? The SEC DOD and DOD is more of like, hey, you can lose money in going after contracts because your score is so low.

Alexandre Blanc (30:02.108)

same.

Ranbir Bhutani (30:20.614)

FTC is still those industries don’t understand cyber because nobody’s pushing it. And obviously, and that it was so random that FTC came out and did this, right? And then SEC is like the breach reporting, right? Okay, well, all those public traded companies, you know, actually doing something to improve their cyber posture, I have no idea.

Tim Freestone (30:42.556)

Yeah, I’ve been just…

Patrick Spencer (30:42.862)

I think Alexander’s right because you have… Go ahead, Tim.

Tim Freestone (30:47.184)

I just to close off on this point, because otherwise I’ll lose my train of thought is it’s, you know, you, you must do this. If you don’t, here’s the penalty and here’s how we’ll enforce it. It’s like that to Alexander’s point, the last part is missing. My point is a lot of times the middle part is missing and the first part is only a general recommendation right now.

Patrick Spencer (31:16.462)

Yeah. And it’s, I think being applied to the larger organizations, like Alexander said, if you look at the fine data from GDPR this past year, it went up exponentially. I think it’s this, it was exceeded. All the fines issued in 19, 20 and 21, if I remember correctly, but the amount of the fine went up a huge amount, like 10 fold, if I remember the data. And that means they’re probably focusing on the bigger breaches, the bigger organizations.

Tim Freestone (31:17.084)

by and large, you know.

Patrick Spencer (31:45.87)

And everyone else is sort of sliding by because the administrators of these compliance programs are focused on just the big names. So I’m not sure it’s driving the behavior we want to see. And we saw that in the report findings, the tie back to the report where 11 % said they need no improvement when it comes to their compliance work in terms of how they measure and manage sensitive content communications, which is the same as last year. So.

I don’t know that we see improvement there. 43 % and we start looking at causes, so they can actually track and control and it’s probably lower than that. Some may think they can and they really can’t track and control content once it leaves their organization. And then you looked at the industries and guess what? Higher ed, 14 % said they could. They’re the worst. Federal government, which is promising, probably because of the regulations that they have in place there was…

was the best, they said 59 at a rate of 59%. Do you guys, you know, keeping it on the topic of this idea of costs, we did look at specifically the idea of litigation costs, because you look at the IBM report that comes out annually, and, you know, it has brand impact and operational impact and etc, etc. That ongoing litigation costs that organizations must expend, not only the cost, but just the resources and the, the, the,

the fact that it’s wear and tear on your organization over a period of time. It was quite high. We had over 50 % say they spend over $5 million, I believe, or somewhere in that vicinity. And litigation costs alone associated with data breaches. Is that often underplayed in many organizations? We’re going to deal with brand impact, we’re going to deal with the operational issues, if we have to pay ransom, we’ll pay ransom. But then…

You know, the ongoing litigation costs that are tied to some of the compliance regulations, they sort of don’t realize the full impact of those until two or three years in the breach. They’re still dealing with litigation associated with it. What’s your, your sense, Alexander, let’s start with you and then we get Ramirez thoughts as well.

Alexandre Blanc (33:58.908)

Yeah, I mean, finally, while it’s a formal risk management thing, it looks like organizations didn’t take it seriously. And we now see because it’s been a crazy rush, like in the five past years, and we see now the outcome and the lawsuit still wrapping up. We see some settlement about abuse and breaches and stuff in the news now. So it starts to ring a bell, but it seemed like it was like buried, you know, like they didn’t think it will bring that stuff or it was just marketing because…

To be honest, every cybersecurity company is like brand impact, you know, economic impact, your market is going to suffer a little bit. But everybody says that. So everybody’s like, yeah, marketing stuff, you know, and now we start to see it. So, but just for the big names. So I think there is a lot of road to get that down to the all the SMBs because the big names is one thing, but the economical market is made of SMBs. And these are the core, you know, just the big names. They’re big, but this is just a small part of it.

not financially, but on the operational side. So for that to reach SMBs, there is a lot of work. I think we might need a cyber police. Like they come after you to review the taxes. You didn’t declare the taxes right. So maybe annual review of the cybersecurity stuff is going to change. Like randomly, you’ll be picked and they’re going to check if you have the control in place. And then if you don’t align with the regulation, then boom, fine, no consequences or whatever. That could be something. I don’t know. I don’t want to be a police state.

But if we come with regulation, maybe that’s something that we need to consequence.

Patrick Spencer (35:31.918)

Spot checks. Ranbir, what are your thoughts when it comes to the litigation costs? Do organizations often underestimate the long -term impact of data breaches?

Ranbir Bhutani (35:43.846)

Absolutely, a thousand percent. But it’s not just litigation, right? What’s the cost of the amount of customers or clients they lost? That’s another cost. What’s the cost of downtime? Because let’s say you’re down, your systems are down, right? Let’s say you average $100 ,000 a day if you’re a really big company. I’ll just give you an example, right? So you’re not incorporating all these other costs just on top of litigation. Now,

an idea just sprung in my head. Well, why aren’t CISOs taking that information and breaking the cost down? Like, let’s say, and again, I know a lot of companies don’t advertise this, but you can sort of kind of guesstimate, you know, to say, okay, well, a lawyer charges like five to $100 to $1 ,000 an hour. Okay, fine. You know, and then you get breached and then cyber insurance. And again, there’s a lot of costs associated with it and it’s a lot of moving pieces, but you can show the data.

to let’s say the C levels and board of directors so they understand that, hey, this could be the impact. Because it’s like Tim said earlier, if, then when, then okay, now what do we do now? So the idea is you show the numbers. That’s what we’re forgetting in our field sometimes because yeah, the numbers are on the Verizon report and CrowdStrike is another one, right? They come out with their reports. But again,

Data is only as good as the information provided by the leaders, right? And they may or may not be accurate, but again, it’s more of a guesstimate, right? Versus, okay, well, every single organization, right? They are going to, at one point, experience attack or they’ve already been attacked, right? Again, I bring up SolarWinds because they didn’t know about it. And they were already breached. It just so happened that FireEye was the one that caught that, but the idea is a lot bigger than that.

You have a company that had 300 ,000 plus clients in 2019 at that time frame. They probably lost maybe about 30 or 40 % of that. I don’t know about dollars, but that’s a lot of dollars there, right? So we have to say, okay, litigation, yes, that’s a piece of it, but we also have to show that to, let’s say the C -level board of directors and so they can understand, hey, these companies, this is what happened. This is what it potentially could have cost them. Do we really want to be there? And it’s not a scare tactic. It’s just saying,

Ranbir Bhutani (38:04.39)

Why don’t we be smart and put these prevent and give us the seven figure budget we’re asking for so we can not just technology, but get the resource and get the right resources, right? Sometimes you hire some resources, they say they may have the experience and they don’t, but again, this happens all the time. But the point is like, okay, find the right candidates and build an effective cybersecurity program in place, right? Not just technology.

Tim Freestone (38:29.532)

Have you ever seen anybody, Ranbir, boil it down to something as simple as a thesis statement? You know, for every $1 we spend on cybersecurity, we keep $5 in our bank account.

Ranbir Bhutani (38:38.278)

Thank you.

Ranbir Bhutani (38:42.918)

That’s, I’ve never heard that, but you should patent, you should copyright that or something. Or maybe be one of your promotions for, you know, for, that works. That’s.

Tim Freestone (38:46.619)

You know, it’s just like…

Patrick Spencer (38:49.486)

It’s your PhD algorithm you’re going to create, Ranbir.

Tim Freestone (38:52.476)

Yeah, it’s one page for every dollar you spent on cybersecurity. Your company keeps $5 in the bank. Yeah. There you go.

Ranbir Bhutani (38:59.174)

That’s a great marketing tactic, just even for you guys. Ky works, right? Start having your sales folks do things that way.

Tim Freestone (39:05.788)

I’m like, I’m like George Costanza. So I said something smart. I’m out.

Ranbir Bhutani (39:09.83)

No, but on a real note, like that’s the amazing statement to say from a thesis standpoint, because they’re like, science then won’t, they’ll be like, I didn’t think of it that way. Right? I don’t know. It’s funny.

Tim Freestone (39:23.356)

Mm -hmm. Yeah.

Alexandre Blanc (39:25.98)

Yeah, I like.

Patrick Spencer (39:26.062)

Or about out of time, I had one more area I wanted to get everyone’s thoughts on. We did some interesting cross analysis of various questions and we ask, how many tools do you have in place? How many third parties do you exchange information with? It’s sensitive annually. And then we analyze that across the number of breaches that organizations have, as well as back to that litigation cost issue. And lo and behold, this probably is not a big surprise, it’s like two to three,

350 % higher, the more tools you have in place, those that are up at the top where they say, we have 10 plus tools in place and we communicate with over 2 ,500 third parties. Their litigation costs were exponentially higher than their peers and the number of breaches they experienced was also a lot higher. Well, this is probably no surprise to you, Tim, being at Kiteworks, we talk to clients all the time where this plays out, but…

What are your thoughts on this front and how do you mitigate that? Right? It’s all right. You communicate with 5000 third parties a day. You want to lower your risk. How do you do that?

Alexandre Blanc (40:38.364)

You ask me?

Patrick Spencer (40:39.79)

Well, go ahead, Alexander. I was asking Tim, but he’s looking at me.

Tim Freestone (40:41.628)

you’re asking me?

Alexandre Blanc (40:42.012)

Okay, yeah Okay, go ahead Tim

Tim Freestone (40:46.812)

I’ll tell you how you don’t do it. You don’t send out a security questionnaire, get it filled out and then feel confident in the results. Yeah. How you don’t do it to any degree of value. Yeah. I mean, it’s a loaded question, right? I mean, you have to, you have to maintain control of your sensitive data, no matter where it goes internally and externally. And that’s a very hard thing to do.

Patrick Spencer (40:55.086)

You’re covered.

Ranbir Bhutani (40:57.254)

Super coming.

Tim Freestone (41:15.484)

I do know a way to do it, but.

Patrick Spencer (41:18.446)

Good, Alexander, you’re about to answer it, I think. Any thoughts on that?

Alexandre Blanc (41:22.972)

Yeah, I mean, it’s about the expansion of the attack surface. When you speak about the requirement and the compliance requirement that you have to apply, the more you expand your attack surface, which means your stack, how many tools you use, how many partners, the more you have to work and the more you need security controls means that the biggest amount of things you have to watch. And we speak about, you know, alert fatigue or how tired our security teams, but that’s for sure.

If you have a nightmare of fireworks of solution all around the organization, that’s unmanageable. So you have to consolidate. And I mean, I’m publicly against monoculture. So it doesn’t mean that you have to stick with just one provider or one method. It means that you have to control your stack and break solution that will allow to have the audit visibility and the capability to provide a security control in a formal way that would give you that at least vision of what’s happening.

Because what we see in the reports, they don’t know. It’s like people, they don’t know if they’ve been breached. And we see that all the time. So if you consolidate, let’s say, the file sharing side of things, I mean, you need to be able to control what happened when the thing is out. And that’s not happening if you drop your sensitive or control content in a third party solution. Because as soon as you drop it, that’s over. It could be copied or whatever. You don’t know what’s happening. So and…

I mean, there is the contract, the boundaries that cover that side of things, but it doesn’t always happen. So the more you control and the further you keep control on that, and the more you provide your partner and providers, customers, the solution to collaborate with you, the less risk you take. So basically you have to be like, I know, a long harm as far as you can hold your stuff, because you know, that’s the only way you’re going to keep control of that. And it’s going to match your requirements. So that will be my take.

Patrick Spencer (43:15.822)

Another great point, and the fewer tools you have, the easier it is to consolidate your logs into something that they can be monitored, can be managed, can be reported on.

You know, Rambeer, do you have thoughts on that front? We certainly saw that one interesting answer to one of the questions was like five to 10 % depending on the industry and so forth said when we asked, you know, how much time do you spend consolidating your logs into something that’s actionable that you can actually, and like five to 10 % said, can’t do it. It’s just not possible. We have too many essentially content communication tools that we use in our organization. They don’t talk to each other.

It doesn’t matter how many resources we throw at it, it just isn’t possible. Getting that into one stream and consolidating down your tools so it’s manageable would seem to be, if you’re looking to reduce risk, that’s one of those check boxes that you should check off.

Ranbir Bhutani (44:14.854)

Yeah, no, this is a great conversation. I always say a tool is but a tool, but a tool in the sense that, yes, there’s many tools out there, right? My concern, at least when I put my cyber hat on, is where is my data actually being transported, right? Because MSPs is a big one, right? Now they’re reselling just different vendor names. Okay, where is that vendor storing my data, my backups, my monitoring? Again,

Yes, the big name Microsoft, you can one stop shop off. They offer all of the tools that are different brands and names. Fine, again, I’m just giving you an example. I’m not saying I’m for or against. I’m just giving you the example that you can consolidate all of that stuff. So maybe you have better insight of where your data is being stored. I don’t care what you tell me. When you say cloud, it’s still stored on physical gear monitored by a big name vendor. Well, how are they protecting my data?

I mean, do they actually tell you? I mean, you can ask and like, maybe we’re soft two type two. And again, it doesn’t have to be a big name vendor. It’s just saying, okay, where’s my data physically being stored? If it is on some physical device that has hard drive, that has memory through shared resources and software, which we all forgotten sometimes and we can go back. I’m dating myself here, but remember the days of having a network.

you having served physical servers, firewalls managed by the organization. And obviously because of the pricing and moving over to cloud, I think it’s actually more expensive to go cloud now because you pay per minute per second. It can get very, very expensive real fast, real quick, especially if you don’t know what you’re doing. But the idea is why are we also revisiting how these cloud instances are being built like with the layer of virtual land segmentation, right? And

firewalls again, not to get more technical, but it goes back to say, okay, well, we have all these tools, we have all these different vendors, but where’s my data being stored? And I think that’s the rub to say, okay, well, maybe when the breaches happen, because the organization doesn’t know that maybe their data is going onto some island or some international waters. You don’t know, right?

Patrick Spencer (46:25.518)

Great points. Tim, any final thoughts? It’s been a great conversation. The report has a lot more data than what we discussed today. So I encourage your audience to go to Kiteworks .com, go to resources and go to the annual survey report tab and check it out. It’s not gated and we have some supplemental resources that are available along with the full report. But Tim, any final thoughts?

Tim Freestone (46:51.292)

No, I think just to your point again, that on the report that, there’s a lot of breach reports. It’s endless. this is one of the few that looks at the third party ecosystem, the information supply chain and the data layer. So, you know, that that’s an, it’s the broadest attack surface out there. So it’s good to have some intelligence there and yeah, Alexandra and.

Ranbir, thanks a lot for joining us and talking about this today. It was an enjoyable conversation.

Patrick Spencer (47:22.35)

Absolutely. Thanks guys. For our audience, if you’re interested in other Kitecast episodes, go to Kiteworks .com forward slash Kitecast.

Ranbir Bhutani (47:22.886)

Thank you. Appreciate it.

Alexandre Blanc (47:22.94)

Bye.

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who feel confident in their content communications platform today. Select an option below.

Lancez-vous.

Avec Kiteworks, se mettre en conformité règlementaire et bien gérer les risques devient un jeu d’enfant. Rejoignez dès maintenant les milliers de professionnels qui ont confiance en leur plateforme de communication de contenu. Cliquez sur une des options ci-dessous.

Jetzt loslegen.

Mit Kiteworks ist es einfach, die Einhaltung von Vorschriften zu gewährleisten und Risiken effektiv zu managen. Schließen Sie sich den Tausenden von Unternehmen an, die sich schon heute auf ihre Content-Kommunikationsplattform verlassen können. Wählen Sie unten eine Option.

Share
Tweet
Share
Explore Kiteworks