Organizations should be familiar with the data they have and what systems they rely on to operate their business. They should be thinking about what would happen if their customer, customer list, pricing, or target list got into the wrong hands. Or what would happen if their competitors got a hold of their data. They need to ask themselves, “Can we get over that incident in a day, a week, or a year?”.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Vikas Bhatia.
Vikas Bhatia has over 20 years of enterprise information security experience with 30 firms ranging from law to healthcare. He previously held leadership positions at Capgemini, Deloitte and Kalki and has served 100+ enterprises of all sizes. After conducting hundreds of assessments, Vikas recognized the need for better assessment management and subsequently founded JustProtect Inc., headquartered in Tampa, FL. JustProtect is a SaaS platform that Cybersecurity, Compliance and Audit professionals use to centralize, simplify and automate internal and third-party risk assessments.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I actually graduated with an economics degree, because I had a vision of getting into finance. But while I was at university, I was fortunate to network with students who were computer science majors. That’s where my interest in tech and cyber enterprise technology really picked up. Instead of leaving school and doing two degrees, I just decided to see my way through my first degree, and self-teach technology, which is how I started in tech. Post-graduation, I was studying because I genuinely wanted to study not because I was forced. I excelled pretty quickly, because I was really interested in the things I was learning, and it was completely self-paced.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
When I started my professional career, cybersecurity didn’t exist at the time. It was considered information security or networks, and even information security was ahead of its time. The industry was more network and system security. I was actually an IT Support Specialist and was part of a firm that looked after 15,000 users and 25,000 mailboxes.
I remember being on the phone with someone who worked at another site, and we were talking about an IoT (Internet of Things) change within a particular system. I got an email from him while I was on the phone that had the subject line “ILOVEYOU” and then I got another email. Because I got two of them, we had been trained to look out for viruses or malware. It was actually the “ILOVEYOU” virus that hit my mailbox, which wiped us off the internet for four days. It’s probably one of the most impactful viruses that’s ever hit the enterprise level. Back in those days, we didn’t have a mature cybersecurity response program, so I was told to go to our data center and physically unplug 30 different servers. Because I was the most junior person and rotated the tapes for our backups, I knew where all of the servers were.
Can you share the most interesting story that happened to you since you began this fascinating career?
About three years after the “ILOVEYOU” virus, a company called Hydro One, which oversees the Niagara Falls dam and the electricity production from the dam, was actually breached from the inside. One of my former bosses was working on that account and looking for people with a specific skill set to quickly join him for the remediation process. I volunteered and spent the next six weeks in Toronto, Canada helping with this breach remediation. That was within the first six months of me formally starting a security career, which was pretty interesting.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I owe a lot to a guy by the name of Neeraj Bahal, who is one of my best friends and whom I’ve known for a very long time. At the time I had gotten very comfortable in a particular role, and was succeeding, while he had moved over to the security organization for my company. I remember him saying to me, “You should really think about coming over to our security team.” I said, “Well, you know, I’m comfortable where I am and I’m doing some good things.”
Neeraj was and still is definitely an innovator. He could see what was coming down the pipe from a security perspective. His gentle nudges got me curious enough to want to leave the comfortable job that I had and move into an area that I was really unfamiliar with at the time. Had it not been for him and a couple of “ILOVEYOU” emails, I probably wouldn’t be doing security today.
Are you working on any exciting new projects now? How do you think that will help people?
After spending a little more than a decade in enterprise security, at some of the most sensitive organizations, I realized that risk assessment came before any action. The way that the whole industry had been conducting assessments was using spreadsheets and emails. This led me to realize that wasn’t going to be effective going forward.
Because of this realization I founded my company JustProtect, which is looking to completely disrupt the way that assessments are performed, distributed, and responded to. I think it will help not only organizations but also save a lot of people’s sanity, because who likes working in Excel? More importantly, it will allow businesses to make informed decisions much quicker and more efficiently than they have been to date, which should have an overall positive impact on the whole industry.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
The best bit of advice I got as a cybersecurity professional was to always consider the business first. We as cybersecurity professionals want to make everything secure but if the business is unable to function, then all of that security capability is worthless.
I would also recommend that my colleagues, particularly the newer entrants into the market, consider their career a marathon and not a sprint. Be sure to slow down, ask questions, and find yourself at least two or three good mentors. Pick people that have the battle scars of experience and are different from you to give you a unique perspective. I think I still have some scars from the “ILOVEYOU” emails, the stories, and the network.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- The industry is evolving at a ridiculously rapid pace. With the swift adoption of IoT, cloud technologies, and the interconnected nature of businesses with their vendors, the volume and impact of the threats in this new landscape are going to keep everyone on their toes.
- Big data, artificial intelligence, machine learning, and federated information will really help to reactively and, in some cases, proactively combat some of these threats.
- The thing that excites me the most, is that anyone with a smart device, an email address, or social media account has the capability of being a cybersecurity professional. The fundamentals are the same whether you’re protecting a smartphone or a network of 10,000 users.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Unfortunately, people are and always will be the weakest link. As quickly as possible, the business should undertake a risk assessment to identify where its threats lie, where its data is located, and who has access to that data. Then they should look to implement, at the very minimum, a fundamental training program for their employees and their third parties. Email threats, or social engineering, are probably one of the biggest threats that has been out there for a while.
But it really comes back to the risk assessment and asking where are your risks? How can you reduce your threat landscape? I think some of those fundamentals can be applied by anyone, if they think of it like a scenario of protecting your house. For instance, I might allow someone up to my front door, but I won’t let them in. Or I let someone in the house, but I won’t let them upstairs. I’ll let them upstairs, but not necessarily in the master bedroom, and so on. If you start thinking about protection in layers, you can actually perform some of the basics without even calling in professionals.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
The Hydro One breach I worked on was actually a piece of malware called a logic bomb. This malware was released a few weeks after an employee was terminated. A former employee with access to the network created a piece of code or a virus that would self-detonate and went around the organization deleting critical data.
Key takeaways from this are to make sure you know who your employees are, and that their background is appropriately checked. Limit employee access and if you do need to terminate an employee, do so in stages to prevent a surprise if they leave bits of code lying around.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
You want to make sure that you have 100 percent visibility of all your assets whether they’re tablets, laptops, mobile phones, or cell phones and ensure they are constantly updated. Antivirus is the bare minimum. If you mandate a password manager and then that employee leaves, you can cut access to the password manager to limit exposure to some risks.
As your organization gets more mature, you could think about implementing monitoring tools, log management, and privilege escalation management. There are 16 unique categories of information security tools, with over 1700 vendors in that space so there’s no shortage of tools. Most importantly is understanding where the biggest threats are and putting in place solutions or processes that will help you minimize those threats.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
For the organization that has highly sensitive customers, or operates in a highly regulated industry such as government contracting, financial services, or healthcare, the outsourced CISO or virtual CISO has become more popular and acceptable in the last few years. It would suit organizations that want to focus on their core business and not so much on the operational side of security. When the operational overhead becomes too much to manage or when there are constant security record requests coming in from either customers or regulators, that’s probably the time to find someone that can help on a more permanent basis.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Most breaches are detected and reported by external sources rather than internal. It’s important to educate your internal and external user population with a baseline of what to expect such as verifying the HTTPS certificate and seeing the lock on the browser window. There must be a procedure on how you report it if you don’t see the lock. If you see something, say something. Other daily actions, like logging into Slack can take a minute. But if you’re finding that it takes three minutes, that should be another indicator of a potential issue. Internal communications should track and build a picture of regular patterns that are happening through a help or IT desk. Education of these protocols needs to be at both the user and IT levels.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Ideally, the company should have an instant disaster recovery plan that should be immediately invoked. Once a breach happens, you can treat it like an emergency in a hospital where you assess how bad the problem is, what is required to solve the issue, then discharge once it’s resolved. For organizations that don’t have this plan, I would strongly recommend they use the countless free resources to develop a plan and internally test it.
We have put into place measures to separate certain data, limit the access to certain data, better understand reporting requirements in the event of a breach, and revise our terms and conditions accordingly. The New York SHIELD Act is another new law that’s coming out. It might take some time for the businesses to catch up and even work out what applies to them or not. At JustProtect, we like to think that we’re ahead of that curve because we help organizations conduct those critical assessments.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Visibility is a recurring key in cybersecurity. During the remediation process, typically unidentified applications, systems, or third-party vendors come to light as the issue in the breach. Other basics are keeping systems up to date, which is everything from applications to machinery. If companies think they can win by not renewing a license because all they get is updates, they’re leaving themselves really exposed. Another measure is making sure they are properly educating people on protocols.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Almost every organization, irrespective of size, industry, or geography, has moved from an office working environment to a home market environment. Now the boundary or perimeter is no longer the four walls of an office. The expensive firewalls and security precautions that larger organizations can afford aren’t deployed in people’s houses. We’ve seen remote machines that aren’t able to connect back to the “mothership” for their important updates or backups.
This has now become a tremendous opportunity for added security, as organizations started to realize that the third parties they are assessing are now working from home. Organizations have had to increase their maturity quickly, and they’ve been forced into this digital transformation because of COVID.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs to Know to Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- I would really hope that every organization, irrespective of their size, has moved away from the “It’s not going to happen to me” mentality. If you have any sort of technology in your industry, whether you are a store owner or own a farm, it drives your business and could potentially put you at risk.
- If you know how to use a smartphone, you have an email address and use social media, you already have the basic fundamentals of technology. You should keep these systems up to date with the latest software and be aware of any related security issues. Likewise, to protect your business, you should work out a process of how to manage and update your systems.
- Organizations should be familiar with the data they have and what systems they rely on to operate their business. They should be thinking about what would happen if their customer, customer list, pricing, or target list got into the wrong hands. Or what would happen if their competitors got a hold of their data. They need to ask themselves, “Can we get over that incident in a day, a week, or a year?”.
- Be careful when choosing allies. Make sure they have the right set of skills because it is really important in security to trust the professionals. Again, leverage the resources that are available online to manage these risks.
- Lastly, I would say that we shouldn’t be scared of cyber-attacks. If someone wants to get you, they’ll get you. What we can do is remind ourselves, remind our family, remind the people that we network with to implement fundamentals like updating your software, not using the same password everywhere, and running antivirus software. Those three things are a great foundation for security and can help implement more protocols in the future.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I would say be a mentor to someone who needs it. There’s always someone who can benefit from your skills, knowledge, and expertise. Finding a mentor might not even have to be career related but could assist in developing professionally. I think that would invoke a huge pay it forward movement and could be quite viral.
How can our readers further follow your work online?
You can follow @JustProtect everywhere on social media and say hello to me on Twitter @vikasbhatiauk.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!