Companies need to monitor that the access given to non-employees and supply chains is the correct amount of access and is terminated when that person is no longer affiliated with the company. There are many instances of breaches caused by orphaned accounts.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing David Pignolet.
David is president and CEO of SecZetta. With nearly two decades of experience in application, network, and data security, David founded SecZetta in 2006 as a systems integrator for cybersecurity solutions. After being repeatedly asked to customize solutions to solve new business problems, he decided to pivot directions and develop purpose-built software solutions that help companies more securely govern the identity and related risk of providing non-employees like partners, vendors, and contractors with insider access to facilities, systems, and data.
As a successful entrepreneur, David has founded two IT management and security companies working with global enterprise sized organizations across industries. He is a former member of the Air Force National Guard, where he specialized in combat communications focusing on encrypted secure communications.
Thank you for joining us David. Are you working on any exciting new projects now? How do you think that will help people?
We have just recently enhanced our solutions to include a new capability for Identity Proofing, which makes it possible to help prove that people are who they claim to be. This is actually a very difficult task for most organizations and has become even more challenging with the amount of remote work that has prevailed during the pandemic. In many companies there are processes, like background checks for example, in place for full-time employees, but oftentimes the people who work for a company’s vendors/partners are provided with access with little to no knowledge of the person themselves. With companies granting growing numbers of these non-employees access to sensitive information and systems, the risk is growing exponentially, and knowing who has access to your systems and data has never been more important.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Firstly, one of the most exciting things about the cybersecurity industry is its overall relevance to every aspect of our lives. As the world has become more digitized, more connected in every aspect of our lives, cybersecurity has moved from being just a business concern to something that impacts us all — every day. In the enterprise, cybersecurity is now a regular board-level discussion; the topic has never been more relevant than it is today.
Secondly, being on the side of the “good” guys, providing software solutions that are used to help protect organizations, their data, and the privacy and security of their customers and employees is exhilarating.
And lastly, the opportunity. The cybersecurity industry has a massive skills gap. SecZetta is actively promoting the role of women in cyber to encourage more women to take a chance on the industry — we need them! And in addition to women already in the workforce, we are working with schools in our community to bring more awareness to cybersecurity roles and helping them shape curriculum to better support those career paths.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The number of non-human workers is growing, particularly as global organizations increasingly prioritize cloud computing, DevOps, Internet of Things (IoT) devices, and other digital transformation initiatives. Yet, these organizations frequently only apply access controls to humans (employees, contractors, etc.) — despite the risks associated with cyberattacks and data breaches linked to non-human workers and their access.
Further, when a human worker leaves an organization, the organization revokes the worker’s access to any accounts and systems, eliminating the risk the worker could illegally access these accounts and systems at a later time. But what happens when a non-human worker is no longer needed? For many organizations, a non-human worker (i.e., a robot or application) will be deactivated — but that non-human worker’s access privileges remain intact. This presents opportunities for cybercriminals to exploit the orphaned accounts for unauthorized access and initiate cyberattacks.
Taking the proper proactive approach to the monitoring and management of the lifecycle of non-human workers can help organizations improve operational efficiencies while at the same time stopping cyberattacks, data breaches, and compliance issues associated with these entities and their access.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
One of the most underutilized yet effective tools is good cybersecurity awareness training. It is critical to ensure that while we are providing security tools to a broader market we are not inadvertently creating an environment highly susceptible to cyber-attacks. One key thing to remember is that cybersecurity starts with people.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
One thing that companies can do immediately to support better cybersecurity is to operationalize their business processes. We find that even in organizations that have gone to great lengths to create good cybersecurity policies, oftentimes those policies are not operationalized or automated and rely on people enforcing them. This is a big gap that can be solved with cybersecurity solutions that are easy to use and can actually end up costing an organization less money than the manual efforts of personnel who have been tasked with ensuring that the processes are being followed.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Many breaches start with an identity being compromised. Someone has clicked on a bad link or given out their credentials as a result of a phishing scheme. Other times, the sheer quantity of individuals who have access, many of whom no longer need it, greatly expands the attack surface for companies.
In addition to good security training, making sure that people, whether they are your employees or non-employees who have been granted access, are only provided with “least privilege”, or the least amount of privileges they need to do their jobs, and that access is terminated or downgraded appropriately, are very important steps in good identity lifecycle management.
It is also important to be able to confirm that people are who they say they are through identity proofing, that non-employees are not sharing credentials, and that if a partner organization is breached, all access for its employees can be removed instantaneously.
Companies obviously need to safeguard the PII of consumer, customer, and employee information, so being able to audit what systems have access to PII and who they share it with on a regular basis is key.
These regulations have created a need to ensure that individuals have visibility into the data that is stored about them; this has created an additional function for organizations to allow for.
While on one hand we are charged with securing data, organizations now have to be prepared to share with individuals what is kept about them and delete it if requested.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Adding complexity to this already daunting scenario is the fact that organizations have become perimeter-less, often finding they are compelled to grant access to internal systems and data to non-employees (contractors, partners, freelancers, students, non-human workers). And at times, the number of those non-employees with access to sensitive information is greater than the number of actual employees.
While providing access for third-party, non-employees is critical to meeting business objectives, it oftentimes has the unintended consequence of exponentially increasing an organization’s attack surface, increasing labor costs, and creating massive operational efficiency challenges for IT and HR departments.
Most enterprises make great efforts to manage regular employees to risk but they struggle through ad-hoc, manual workflows, or native applications to extend that vigilance to third-party risk. In fact, data shows 59% of all data breaches can be traced to third parties, and only 16% of organizations say they can effectively mitigate third-party risks. Onboarding processes that are usually automated for employees are often highly manual for third-party users and in large organizations or those in highly regulated industries (e.g., healthcare, financial services), these manual processes are time-consuming, costly, difficult to audit, and most importantly, error-prone — expanding the potential for additional risk associated with third-party users.
Another area of risk is the overlapping ownership of third-party identity risk management. The Chief Risk Officer (CRO) or Chief Information Security Officer (CISO) is usually responsible for identifying, monitoring, and mitigating internal and external risks. Many CRO/CISOs share the burden of managing these identities with other cross-functional teams and stakeholders that are not well equipped to manage risk, such as HR, Procurement and IT.
Additionally, onboarding and account recertification responsibilities can sometimes fall to separate teams. The HR team handles onboarding, while account recertification may be handled by IT. The CRO/CISO may have limited visibility into the activity of other teams.
However, the most important thing that I would ask people to take away from this question is to remember that applying controls to meet compliance demands is not the same as actually evaluating and mitigating risk; that is by far the biggest mistake that companies can make.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Data breaches have always been costly, but with the onset of COVID-19, they have become an even greater risk since the number of workers who have been granted remote access as well as the number of third-party workers has risen dramatically. In particular, the massive adoption of large numbers of third-party workers was critical to the success of the healthcare industry during the pandemic.
As companies increasingly provide remote access to data and systems to vast numbers and types of third-party workers, being able to confirm that these people are in fact who they say they are is becoming more critical than ever before. Third-party workers are already known to be higher risk than a company’s own employees so providing access is risky and doing so for remote work compounds that risk. Organizations must be able to adapt to the new working reality to align security activities and mitigate external risks.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Companies need to know that the people who have access to your sensitive information, especially third-party workers, whether they are employees or vendors, contractors, or freelancers, are who they say they are. Unless your non-employee management is tied into an authoritative source of identity truth, you are unnecessarily adding to the risk of your business practices.
- Companies need to monitor that the access given to non-employees and supply chains is the correct amount of access and is terminated when that person is no longer affiliated with the company. There are many instances of breaches caused by orphaned accounts.
- Non-human workers such as bots, RPAs, and IoT devices are being quickly adopted by industries across the board, and what they have access to, and when, has to be managed just as much as, if not more than, that of human workers, as they almost always have privileged access. Bank ATMs utilize accounts that share information with many systems and can be hacked. Also, safety RPAs used to ensure the safety of workers in a manufacturing setting may be inadvertently removed or turned off.
- Evaluating the risk of each individual identity is critical, as almost 60% of all data breaches are caused by a third party (Ponemon). Most organizations have no idea who the third-party users are that are being provided with access to data and systems. In addition to evaluating risk at the vendor or partner level, organizations need to assess the risk of each individual third-party user.
- The most important thing that I would ask people to take away from this question is to remember that applying controls to meet compliance demands is not the same as actually evaluating and mitigating risk; that is by far the biggest mistake that companies can make.
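The orphaned-account problem described twice above (a retired bot or departed contractor whose login stays enabled, and the need to cut off every account tied to a breached partner at once) comes down to a reconciliation between an authoritative roster and the accounts that actually exist. The script below is an added illustration written for this page; it is not SecZetta's software or anything from the interview. The roster and account export are constructed samples, and the field names (`worker_id`, `affiliation`, `end_date`, `owner_id`) are assumptions about what such a join would need.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Worker:
    """One row of the authoritative roster (HR for employees, the
    non-employee registry for contractors, partners, bots). Field layout assumed."""
    worker_id: str
    kind: str                  # "human" or "non-human" (bot, RPA, service account)
    affiliation: str           # employing or partner organisation
    end_date: Optional[date]   # None means the engagement is still open


@dataclass(frozen=True)
class Account:
    """One account as exported from the identity provider. Field layout assumed."""
    account_id: str
    owner_id: Optional[str]    # roster worker_id, None if never recorded
    enabled: bool
    privileged: bool


# Constructed sample roster; not a real export.
ROSTER: Dict[str, Worker] = {w.worker_id: w for w in [
    Worker("W1", "human", "acme", None),
    Worker("W2", "human", "partner-x", None),
    Worker("W3", "non-human", "acme", date(2021, 1, 31)),      # bot retired
    Worker("W4", "human", "contractor-co", date(2020, 12, 15)),  # contract ended
]}

# Constructed sample identity-provider export.
ACCOUNTS: List[Account] = [
    Account("a-alice",  "W1", enabled=True,  privileged=False),
    Account("a-bob",    "W2", enabled=True,  privileged=False),
    Account("svc-bot",  "W3", enabled=True,  privileged=True),
    Account("a-carol",  "W4", enabled=True,  privileged=False),
    Account("a-legacy", None, enabled=True,  privileged=True),
    Account("a-old",    "W4", enabled=False, privileged=False),
]

# Affiliations whose access must be cut at once, e.g. a partner that reported a breach.
REVOKED_AFFILIATIONS: Set[str] = {"partner-x"}

# Date the reconciliation is run against (constructed).
AS_OF = date(2021, 3, 1)


def classify_account(acct: Account, roster: Dict[str, Worker],
                     today: date, revoked: Set[str]) -> Optional[str]:
    """Return the reason an account should not be enabled, or None if it passes."""
    if acct.owner_id is None or acct.owner_id not in roster:
        return "no-owner"               # nobody is accountable for this login
    owner = roster[acct.owner_id]
    if owner.end_date is not None and owner.end_date < today:
        return "owner-offboarded"       # person or bot is gone, access remains
    if owner.affiliation in revoked:
        return "affiliation-revoked"    # whole partner organisation cut off
    return None


def find_orphaned_accounts(accounts: List[Account], roster: Dict[str, Worker],
                           today: date, revoked: Set[str]) -> List[Tuple[str, str]]:
    """Enabled accounts that fail the check, privileged ones listed first."""
    flagged = [(a, classify_account(a, roster, today, revoked))
               for a in accounts if a.enabled]
    flagged = [(a, reason) for a, reason in flagged if reason is not None]
    # Privileged accounts are the ones to disable first, so sort them to the top.
    flagged.sort(key=lambda pair: (not pair[0].privileged, pair[0].account_id))
    return [(a.account_id, reason) for a, reason in flagged]


if __name__ == "__main__":
    for account_id, reason in find_orphaned_accounts(
            ACCOUNTS, ROSTER, AS_OF, REVOKED_AFFILIATIONS):
        print(f"{account_id}: {reason}")
```

Disabled accounts are skipped because the point of the check is enabled access nobody should still have; a fuller job would also age out disabled accounts for deletion. The same join is what makes the "remove all of a partner's access instantly" step possible: once affiliation is a first-class attribute of every identity, revoking an organisation is one set membership change rather than a hunt through individual logins.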
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!