It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Stephen Cavey.
Stephen is a co-founder of Ground Labs, leading a global team empowering its customers to discover, identify and secure sensitive data across their organizations. As the Chief Evangelist, he leads its worldwide product development, sales and marketing and business operations and was instrumental in extending Ground Labs’ presence with enterprise customers. Stephen has deep security domain expertise with a focus on electronic payments and data security compliance.
He is a frequent speaker at industry events on topics related to data security, risk mitigation and cybersecurity trends and futures. He started Ground Labs after holding leadership positions at Paycorp Holdings, a provider of integrated electronic payments solutions; he also held engineering roles with Webpay, a payment services provider later acquired by Fidelity, and Webtel, an early Australian ISP.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born and raised in a typical Australian working family by my parents alongside my younger sister, complete with a dog in the backyard. My father worked in printing and my mother worked for one of Australia’s largest banks. Through the 1980s and early 1990s we went to the local primary and high school in an area of Sydney that was surrounded by national parks. A lot of my childhood memories were climbing trees, riding bikes in the street, and exploring the local bush where we encountered wild snakes, large goanna lizards and other local wildlife found in an outlying suburb of Sydney. During school holidays, we would drive for two hours to the north coast of New South Wales with our family, friends and cousins who had ski boats. We would camp on the lake and water ski, kneeboard and parafly, as well as catch fish, prawns and blue swimmer crabs. Because of this, I was fortunate to be taught how to water ski since the age of five, and have loved it ever since. In fact, one of my proudest moments in recent years has been teaching my own kids to water ski, and watching the sport come around full circle within our family.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
Since a young age, I have always had an interest in computers. This started with my fourth grade teacher Mr Lannan, who was responsible for maintaining the school’s computer room which allowed our class to use a computer more often. As the years progressed, I would sneak into the computer room during lunch to use the school’s old Microbee computers. I did the same thing in high school as often as possible thanks to the support of my computer teachers Mr Soaper and Mr Allard who let me run free on the school computing facilities.
My first computer came when I was 12 years old, which was a 386sx running DOS 3.3 and Windows 3.0. I actively sought out new friends in the area who also had a computer and learned anything I could from their setup and their own self-taught experience. At the age of 15, I started a Bulletin Board System (BBS), which essentially meant turning my computer into a 24/7 server accessible via multiple phone lines coming into my bedroom for other computer enthusiasts with a modem to dial in and send email, exchange data and have real-time chat sessions. This was complemented by network gaming weekends where a ping pong table would convert into a communal table connecting anywhere up to 8 computers. Different circles of friends would come together and connect their computer to play Doom, Quake, Command & Conquer and other network games of the time. While it seemed like this was just for fun, these weekends were inadvertently a large part of our networking education.
During this time, I met my Ground Labs co-founder, Peter Duthie. We were introduced through a mutual friend who knew we were both into computers. Our different circles of friends would gather at these networking weekends and bring new games, networking technology, and other software for all to play with.
Through my connections with the various circles of these computing friends, I was introduced to one of my earliest mentors Aaron, who ran a retail computer shop in a Westfield shopping centre in 1995. I worked during holidays and part-time while still finishing school. It was an experience I will always remember as it taught me real-life skills such as customer service and how to sell. This shop pivoted to become a dial-up Internet Service Provider (ISP) called Webtel within a year. Peter became involved and helped get the ISP ramped up with his extensive Linux knowledge and ability to code billing systems and other platform needs while I provided technical support, signed up customers and eventually ran that business before we pivoted into payments.
Looking back, my youth was a trailblazing era where so much rapid learning happened — without even realizing it at the time.
Can you share the most interesting story that happened to you since you began your career?
When we founded Ground Labs in 2007, it was an entirely online business with no sales team, operating from one location. Peter and I bootstrapped the business from our own pockets, without any marketing budget, with our sales during the first years of operation being modest. In fact, our first sale was for 298 dollars from a small parking software vendor, a few months post-launch. This was the most satisfying 298 dollars we have ever made.
We relied on the security consulting community who would recommend Ground Labs as part of their security reviews with clients. This created word of mouth momentum, which carried us through the first few years of business. It wasn’t long before we received an inbound email inquiry from a large organization in London, asking us to quote a license of our software to be run on a considerable number of systems. A few weeks later, after eagerly awaiting feedback, we received a purchase order matching the £39,000 (approximately 50,000 dollars) quote we had sent.
This was a profound achievement, both in our personal life and professional careers. It was certainly the “ah ha” moment for Ground Labs, and convinced us to push the accelerator on this venture. The customer had trusted our new business, without ever having met or spoken to us nor having run a full scale deployment before making their decision.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are three people who were instrumental in helping me get to where I am today. They are:
Aaron Bartrim and John Caliguri, investors and directors in the dial-up ISP at the onset of my career: Both Aaron and John placed significant trust and faith in an overly-enthusiastic teenager who had no commercial experience to run a business. Aaron and John were my first exposure to entrepreneurs. I was in awe of their courage and boldness to take risks and make rapid decisions, during a time when the internet industry was moving so fast that you had to make a call or be left behind.
It was Aaron and John’s foresight to identify that online payments would be a critical piece needed to power the eCommerce boom many years before the major banks decided to enter the space. As a result, we pivoted from being “Webtel” to “Webpay,” and became a successful payment company that was invested in by one of Australia’s largest banks. This was how I entered the payments industry and acquired knowledge and experience in data security. That exposure led my own foresight many years later in seeing a clear industry data problem not being solved, which underpins the story behind how Ground Labs was eventually founded.
Peter Duthie, my co-founder: I often tell people that Ground Labs couldn’t exist without either Peter or myself knowing each other, and the uniquely different experience and skill sets we bring to the table. Peter was the one who, when I presented the idea and the opportunity, came back within weeks to demo an alpha version of what would become our first software product. Since then Peter has been the driving force in powering Ground Labs’ engineering efforts. It didn’t matter how impossible the technical challenge was, Peter would always find a way to solve it.
Some of the most successful relationships are built on having two very different personalities work together who share common values and get excited about similar things. Ask anyone who has bootstrapped a business to any reasonable size and they will tell you that it is a challenging journey, but one that is far more likely to succeed if you have the right partner. For me, building Ground Labs alongside Peter has been the most fulfilling experience in my entire career.
Are you working on any exciting new projects now? How do you think that will help people?
When COVID-19 forced companies to accelerate their digital transformation, including a shift to remote and virtual environments, we knew companies would need new ways to identify and manage data. This was very much driven by the alarming rate that personal and sensitive data was being shared and stored insecurely across businesses after work from home became mainstream.
To better solve this challenge, we recently released Enterprise Recon PRO, a completely new offering that offers the most advanced feature set we have ever provided to our customers. Enterprise Recon PRO enables organizations to achieve full visibility of all their data and visualize it in completely new ways that makes it understandable from any skill level and from any department. What is most exciting about this project is that Enterprise Recon PRO goes beyond data discovery to introduce full data classification, data access governance, risk scoring, and delegated remediation.
From a wider lens, this new solution really targets the needs of today’s C-suite. Now, CISOs and IT leaders specifically can better identify where their at-risk data lies and prioritize how best to mitigate its impact on business. During a time when we are working remotely, or in a hybrid setting, this is invaluable to any organization, regardless of size or sector.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
This is a challenge that has always existed but hasn’t been so widespread or so openly talked about until now. In the earlier part of my own career, long before Ground Labs started, I worked seven-day weeks for many years and my life-work balance was non-existent. I never took any real amounts of time out for myself and rarely looked beyond my work. As a result, I suffered burnout on multiple occasions over those years without even realizing it.
I’ve learnt various lessons along the way from this, and it really is simple things that make all the difference between being happy and fulfilled in both your personal life and your career vs being someone who is unsatisfied, easily stressed and in danger of doing long term damage to their health. These simple things include:
Take time off. Employees have taken substantially less time off since we have started working remotely. Despite any time saved from commuting, work from home is absolutely not the same as taking proper time off. It is important to take a few days but ideally weeks, and truly disconnect from the virtual workforce. This break is necessary and will dramatically improve the happiness, morale and effectiveness of yourself and your team. If you’re a leader, lead by example. Show your team that it is OK to take time off, even if it’s for a week of Netflix binging (see next point though).
Schedule a regular outdoor activity. Getting outside to do some kind of physical activity is important. Scheduling it regularly reduces the temptation to allow work or other reasons to get in the way. I practice what I preach and now have regular tennis coaching which is a socially distanced sport and has become one of my favorite entries in the calendar that I look forward to each week. Having that physical reset makes a real difference in trying to find some balance under this new way of working.
Get back to your company’s cultural roots. In a remote setting, the days, weeks and months tend to blend together. We live and work at home. How do you break out of that monotony? The answer lies in company culture. If you’re fortunate enough to be allowed back in an office for at least some part of the week, re-introduce social events including regular happy hours (and try a virtual Happy Hour if your team can only be remote). If happy hours are not your style, then set up regular virtual morning coffee groups. Also, make an effort to take the time at the start of any virtual meetings to not talk about work for a moment — have those chats you would usually have had at the water cooler or in the office kitchen.
Have an open line of communication. It is ok not to be ok. We are all in this together, and being transparent with each other about how we are feeling physically and emotionally will help us all more efficiently work together, especially as work continues to permeate our personal space.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
First and foremost, many organizations do not realize that data privacy is not about the state or country where they are located. It is about the location of the customers they are serving, which for many, span global boundaries.
More fundamentally, this advent of privacy is very much about ensuring that when businesses collect the personal information of their customers, their employees and other individuals, they are required to assure the security and integrity of that data so that it does not fall into the wrong hands. Today, many privacy laws adopt a concept of consumer rights, which means that a consumer has the right to contact a business that is holding its information and ask for full disclosure — including what information is being held and what they are doing with it — and to request that the data be forgotten (or deleted).
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
When it comes to data retention and data privacy, there are some best practices that you can follow regardless of which country or regulation you’re complying with. Local regulations may dictate specific retention periods, however, managing a data retention policy becomes an impossible task if you are not aware of where all the data is.
Regardless of the jurisdictions a business operates in, a single, global, consistent approach should be followed for identifying and monitoring where data rests across all storage repositories. Once this becomes an ongoing repeatable process, only then will a company be in a stronger position to implement data retention policies and processes to ensure that the data is purged on a permanent basis. Today’s businesses are challenged with increasing volumes of data, and if they do not have an appropriate data management strategy in place to monitor then subsequently delete any data that is no longer required, this can lead to considerable security issues down the line.
In the face of this changing landscape, how has your data retention policy evolved over the years?
Traditional data retention policies did not make a strong delineation between the storage of personal data and non-personal data. In today’s world, organizations are now facing the most challenging levels of data privacy laws to comply with, so a modern data retention policy will need to distinguish between data sets that contain regulated personal and sensitive information and those that contain other forms of information. The challenge companies will have when following such a retention policy is the ability to determine which data sets contain that personal and sensitive information.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
The Ground Labs business model does not involve direct handling of data from individuals. However, our own team spans several different countries and we have a responsibility to protect their data. When faced with this, it’s key to identify and minimize the data footprint, and ensure clear separation from other parts of the business.
When it comes to retention of data, whilst various data protection laws won’t stipulate exactly how long you must or must not keep employee data, there are other regulations that exist which influence retention, such as how long a former employee may submit a query or how long local tax authorities may require financial records, including payroll data, to be retained. This results in retention requirements of multiple years at minimum, depending on the type of data collected and the exact jurisdiction the employee resides in.
For a business that does store personal information collected from consumer customers, the data retention period will be dictated by the appropriate, region-specific privacy regulation where the consumer resides — not where the business collecting the data is located. For example, the GDPR, being one of the most stringent of all standards covering individuals in Europe, does not mandate a maximum retention period; however, it does require businesses to have a complete understanding of the data they hold, and to retain it only for the maximum time they have a business-justified purpose. Beyond this, data should either be deleted, or retained only in an anonymized form so that it can no longer identify a specific individual if retention requirements exist for long-term statistical or historical purposes. The critical piece here is ensuring what “business justified” clearly means, documenting it, and following it consistently.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
The most significant legislation that has affected all companies selling globally is, once again, the GDPR for EU data. There is often some confusion from organizations based outside of Europe regarding this law — many assume they may not have to comply with the GDPR due to the location of their business. But the reality is that the GDPR is a far-reaching law which requires businesses located anywhere in the world who are handling European citizens’ data to comply with its requirements. In the event of European data loss, organizations may face significant penalties that take into consideration the breadth of their operations and revenue globally.
However, we are now seeing a similar policy coming out of the U.S., as different states enact their own privacy legislation in the absence of federal legislation at this point in time. This is potentially a major challenge for businesses selling across the U.S., as at some point in the future, all 50 states may enact their own privacy laws with slight differences in penalty regimes.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
I have seen various levels of maturity across the data protection market, as data privacy and data security become a real challenge for organizations, with both C-suites and company boards taking interest in the topic. Solutions across all segments are evolving to help customers with this data security responsibility.
Ground Labs also provides a solution in this space which is designed to search for over 300 types of personal data from 50 countries, across most major storage platforms. Our technology presents the results of what it finds through a single pane of glass which can be divided into different views for each type of stakeholder and unique department. This capability can be further extended to very large organizations with many teams and end-users who need to make decisions on data.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
The recent cybersecurity incidents making headlines have only supported the advice we give to businesses of all sizes located in any geography. Since Ground Labs’ inception, companies have believed they can prevent a data breach by building stronger walls around their fortress to keep cybercriminals out.
History has proven that no network is unbreakable, and tomorrow’s vulnerabilities and exploits are yet to be discovered. When you approach security from this viewpoint, it becomes very clear that the best strategy to minimize the risk of suffering a data breach is to focus on why the cybercriminals are attempting to break into your network — it’s about your data. Data is the most valuable asset in a company’s possession. This is why many organizations have diversified their investments in security beyond the network perimeter and instead, they are shifting to data-centric security to better protect the core asset that malicious actors are attempting to steal and monetize.
By fully understanding all of the data assets that must be protected, and then placing the right level of controls around the data itself and reducing the number of locations where that data is allowed to exist, organizations can dramatically reduce their attack surface leading to improved management of risk.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order to Properly Store and Protect Their Customers’ Information?”
- Do not rely on assumptions or what you think to be true about what data your business holds. Assume everything is in scope until it is proven otherwise.
- Follow an evidence-based approach by conducting a data audit across every piece of data in every location.
- Build your compliance and security program around the data you can prove you have. This is built from the evidence generated by a robust data discovery approach.
- Once established, automate that discovery process so that it happens continuously without using your internal resources. Make sure it notifies relevant stakeholders directly when findings are identified.
- Get the entire team involved. This goes back to the saying “Security is not an IT problem. It’s a business problem.” Make each department accountable for ownership and awareness of their data.
Bonus tip: What you are doing with data today, may be different tomorrow. Be prepared to change and improve your security practices as your data landscape evolves. Change is the one thing that you can bet on.
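As an added illustration of the discovery loop described in the five points above (this is not Ground Labs’ code; the locations, paths, owner map and file contents are constructed test data, and the card numbers are well-known test values), here is a minimal scanner that treats every location as in scope, keeps masked evidence for each finding, routes results to the accountable department, and on repeat runs escalates only findings that were not present last time:

```python
"""Evidence-based data discovery sketch (added example, not the product's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample estate: location -> file path -> contents.
# Two of the 16-digit numbers are standard test PANs; one fails Luhn on purpose.
SAMPLE_FILES = {
    "fileserver": {
        "/finance/refunds-2021.csv": "cust,pan\nA,4111111111111111\nB,4111111111111112\n",
        "/hr/contacts.txt": "jane.doe@example.com\nnotes: none\n",
    },
    "cloud-bucket": {
        "/marketing/export.json": '{"email": "lead@example.org", "note": "call Monday"}',
        "/finance/old-batch.log": "auth ok pan=5555555555554444 amt=10.00\n",
    },
}

# Each department owns (and is notified about) data under its path prefix.
OWNERS = {"/finance": "finance-lead", "/hr": "hr-lead", "/marketing": "marketing-lead"}

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Evidence keeps enough to locate the finding, never the full value."""
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


@dataclass(frozen=True)
class Finding:
    location: str
    path: str
    kind: str
    sample: str
    owner: str


def owner_for(path: str) -> str:
    for prefix, owner in OWNERS.items():
        if path.startswith(prefix):
            return owner
    return "unassigned"  # still reported: nothing is out of scope


def scan(estate: Dict[str, Dict[str, str]] = SAMPLE_FILES) -> List[Finding]:
    """Walk every location and file; record one masked finding per hit."""
    findings: List[Finding] = []
    for location, files in estate.items():
        for path, content in files.items():
            owner = owner_for(path)
            for m in PAN_RE.finditer(content):
                if luhn_ok(m.group(1)):
                    findings.append(Finding(location, path, "PAN", mask(m.group(1)), owner))
            for m in EMAIL_RE.finditer(content):
                findings.append(Finding(location, path, "EMAIL", mask(m.group(0)), owner))
    return findings


def notifications(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group evidence per accountable owner, ready for a ticketing or alert hook."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.owner, []).append(f"{f.kind} in {f.location}:{f.path} ({f.sample})")
    return out


def new_since(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """Continuous mode: only findings absent from the last run are escalated."""
    seen = set(previous)
    return [f for f in current if f not in seen]


if __name__ == "__main__":
    for owner, items in notifications(scan()).items():
        print(owner, items)
```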
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
As a business, do you want to make the world a better place? Then, do the right thing with people’s data.
When users share data with organizations, they are placing an enormous amount of trust in that business. We need to take that trust seriously, and truly respect the personal data being collected. This means looking after such data, protecting it as you would your own data, and only using it how it was promised to be used. Businesses are being confronted with a tsunami of data regulation legislation because in the past, they were given that trust and broke it.
If you wanted to take this beyond your own business and motivate others, a great place to start is by asking any third parties you provide data to: How are you protecting our data? What regulations do you comply with? What evidence do you have to prove this?
How can our readers further follow your work online?
You can visit www.groundlabs.com for more information on my company. It’s been a pleasure speaking with you.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!