Bad data privacy protocols can become an identity fraud disaster

[00:00:03] Chris Sienko: Every week on Cyber Work, listeners ask us the same question. What cyber security skills should I learn? Well try this, go to infosecinstitute.com/free to get your free Cybersecurity Talent Development ebook. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more.

We took notes from employees and the team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals.

One more time, just go to infosecinstitute.com/free. Or click the link in the description to get your free training plans. Plus, many more free resources for cyber work listeners. Do it! Infosecinstitute.com/free.

Now, on with the show.

Today on Cyber Work, I welcome Steven Cavey, Co-Founder and Chief Evangelist of Ground Labs, to talk about the jagged jigsaw puzzle that is data collection, data privacy and the dozens, if not hundreds of privacy regulations and frameworks that govern them. Steven and I talk about the bad old days of indiscriminate data collecting, grossly insecure payment processes. And we also address the places where the privacy experts of the future will shape the use and protection of personal data in all industries. That's all today on Cyber Work.

[00:01:34] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week, we talked with a different industry thought leader about cybersecurity trends, where those trends affect the work of infosec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

Ground Labs’ Co-Founder and Chief Evangelist, Stephen Cavey, leads a global team empowering enterprise organizations to discover, manage and secure sensitive data. He has deep security domain experience focused on electronic payments and data security compliance. He's a frequent speaker at industry events such as PrivSec Global. And prior to Ground Labs, Cavey held leadership position at Paycor. An integrated electronic payment processor. He also served in engineering roles with Webpay, a payment service provider. Later acquired by Fidelity. And Webtel, an early Australian ISP.

Stephen, we’re going to be talking today about data collection and identity fraud. And I'm looking forward to it. So, thanks for joining me today. And welcome to Cyber Work.

[00:02:34] Steven Cavey: Chris, it's a real pleasure as well. Thanks for having me.

[00:02:36] CS: My pleasure. So, I always like to start off giving our listeners a sense of our guests’ origin story, superhero story. What first got you interested in computers and tech? And what drew you to a career in security in data originally?

[00:02:54] SC: I think, in life, sometimes there's something you're born to do. And for me clearly, it was always something to do with computers. I remember just in my primary school, sneaking into the computer room at lunchtime. I think that's how I got my first detention. Not that I was a bad kid or anything. I was a really good kid. But when it came to computers, I just had that curiosity.

And I didn't get my own computer until I was about 12-years-old. So, clearly, the natural fascination I had. And after I got that first computer, which was a 386SX 16 with – What did it have? A 30-meg old ATA drive, and 2-megs of RAM. And I used that computer for a long time.

And by about the mid-90s, when I was a teenager, I started a BBS. I started getting into modems. And getting dial-up lines into my bedroom. And upgraded the computer. Had a whole bunch of phone lines. It was running 24/7. And everyone was downloading games and whatnot from my computer. And I was learning tons from DESQview on DOS, and OS2 eventually.

And that’s probably where I got a lot of my early networking chops. And as one might expect, that kind of morphed into becoming an ISP. I actually got a job through this network of people that I knew at a computer shop. And by getting that job, I was introduced to one of my earliest mentors. And it was with him and a couple of other guys that I was good friends with that we started this ISP.

And so, that became, I guess, the next level of education for me. And it was the right time, right place. Because in 1996, 1997, that was kind of internet pioneering time when everybody was just starting to get online, every family. It was a really good experience for me to go through the rise of the Internet and then witnessed ecommerce, witness payments. And that very much explains how the rest of my career kind of developed.

[00:04:56] CS: Yeah, yeah, yeah. How did you transfer from creating Webtel, or working with Webtel, through WebPay, and then, especially, the shift toward privacy as your primary focus at Grand Labs?

[00:05:09] SC: Yeah. The ISP business went on for many years. And we became exposed to a lot of business customers. And they started wanting to host the ecommerce websites with us. And so, that naturally progressed to questions about how do we do payment? And at that time, the way you did payment was you had a form on your website. It collected the customer's details, their credit card number, and then it shot an email to you. And then you would manually postprocess that credit card number in the background. That was ecommerce in the 1990s. Very few people had a live payment link through to their bank. You could do it, but it was expensive.

[00:05:45] CS: That was a Wild West, man. I remember, late 90s, and just like sending my credit card numbers in three emails to a record store or something like that, and hoping that they didn't get intercepted.

[00:05:57] SC: We all did it. Absolutely. And that was the norm. And it was actually the guys I was working with sort of, I guess, asked the simple question, “Hey, what if we started getting a link to a bank and offering live payments as part of our service?” And so, that's where the idea for the whole payment gateway, payment processor began, which is actually where WebPay was born out of. So, we had Webtel, and then WebPay was born out of that.

And the ISP – when the ISP business went into decline. Because, basically, if you're still in the dial up world, all of your customers were migrating to DSL, ADSL technologies. And that you had to be one of the big guys to have access to that infrastructure. And we were still relatively small. But we saw a lot of promise in this payments idea that we were running.

And so, that morphed into a fully-fledged payment processing business. The team started writing their own payments, switching technology to take payments over high latency internet links. Because at that time, internet was a bit slower.

One of our earliest larger clients was actually an auction site. And they were hosting all of their infrastructure out of, I think, California. But the payment had to go back to Australia to be processed in real time. And they just couldn't get it working. It kept dropping out and timing out. And so, we came out with this technology that could handle high latency networks and still get the payment through reliably.

And so, that became something that we got a knock on the door one day from one of Australia's large banks saying, “We'd like to put some money into you, and then have you start selling this software to the rest of the world, to banks all around the world.” They thought there was a huge market in the fact that, at the time, banks were on old legacy infrastructure, mainframes, and so on, for their payment switches. And we were this small agile company running Intel servers, Linux, Java. and we had all of this cutting-edge ecommerce technology.

just suddenly, before you knew it, we were in the payments game. we were no longer in the ISP game. And that journey split in two directions. The bank said, “Right. The software business goes off separately from the payments processing business.” And so, I chose to stay with the payments processing business. And so, we basically just continued to offer payment processing services to merchants, large and small, around the country. And towards the end, we were processing about several billion dollars a year in value. So, it became quite a successful business.

[00:08:31] CS: Yeah. Did you have any sort of hurdles along the way in terms of like the scale up? Because when you hear a major bank say, “We'd like to throw a lot of money at you.” Like, that is sometimes the success story. And an awful lot of times that's like, “Okay, there's still something wrong here.” Were you able to take that investment? And if so, how did you avoid that trap of like all money, and no time, or no schedule, or whatever?

[00:08:56] SC: Yeah, it's good question, Chris. For context, all of that capital injection was really for what they were interested in, which was the software business. And so, that capital stayed over there. And they continued on for some years. And they ended up being acquired by Fidelity, which was called eFunds at the time, which was a big bank software company.

And so, yeah, that was a good fit over there. But the direction I took was on the services side where we’re processing payments in return for a clip fee, a 50-cent clip fee at the time. And that continued to be organically funded and bootstrapped. And so, basically, it did end up getting bought into a family office. And so, they gave us some additional capital to start driving that a little bit larger and put some management infrastructure. We were all very young at that time.

And so, it was good for me, because it meant that I was being put around some more experienced people. I learned a lot more through that journey. And a big part of that journey ended up being a pivot to needing to focus on security. One day, Visa knocked on the door and said, “Look, you're connected to our network. You’re processing all of these payments. We have no idea how secure you are.” And at that time, they were just starting to see fraud go through the roof because of card not present ecommerce payments on the internet.

And so, Visa, MasterCard, Amex and all of the other major card brands said, “We need to fix this problem.” Because if we – If no one can no longer trust using their credit card, then no one's going to want to hold a credit card in their wallet. So, they took control of the situation. Started certifying anyone that was connected to the network. And then they started wanting to check the security of every ecommerce and other form of merchant out there in the world.

And I could see this coming as I – I was one of the first people in Australia to be assessed under what is now called the PCI Security Standards, which is – Pardon me. The payment card industry.

And so, through that journey, I learned an awful lot about what you had to do to make a network safe for credit card processing. And suddenly, I was consulting to all of our clients that were being knocked on the door and had to do the same thing. So, quickly developed an expertise in the area of payments security.

And just seeing firsthand how businesses were handling such sensitive information, like payment cards, was the biggest eye-opener in realizing that everybody was so desensitized to handling the state of the way we work for so long. Just emailing it to each other. Dumping it out into Excel spreadsheets, and just sharing it around anyway with no encryption, because we were behind the firewall, and we thought it was okay.

And it's so – I mean, therein lies the problem, right? That's why fraud was going up. It was so easy to break into networks. Still is. But at that time, it was even easier. And so, just going through that, I saw the opportunity and got together with a longtime friend of mine and cofounder to create a piece of software that would scan for credit card numbers stored on computers. Simple concept, except that there weren't many viable out of the box options at that time.

And so, we created a commercially-grade tool that was simple, accurate, fast. Didn't use much in the way of resources. You didn't need to install it. You just ran it off a USB stick. And it became very popular very quickly, particularly through the security auditing community. They really got behind that tool and then spread the word globally. And before you know it, we had Ground Labs. And Ground Labs was a global software company that only took a few years for us to have a global client base and start acquiring staff. So, accumulating staff to help us, because we're getting way too busy as a pair of co-founders.

So, yeah, I very much attribute all of these little steps on my journey from the BBS, to the ISP, and then to an early stage payments business, to then going through the rise of how security became a big problem in the world of payments in ecommerce, to how Ground Labs was founded. And now, we fast forward 10, 15 years later, the problems are completely different once again.

[00:13:09] CS: Of course, yeah. Well, let's do it then. I think it's what we're here to talk about today. So, as I say, data privacy is certainly all over the news. And it's all over our podcast as well. And, obviously, you know, why not? It's a big deal in the industry. So, we recently spoke with people like our own instructor, Chris Stevens, on privacy certifications, [inaudible 00:13:31], nuanced and safe collection of application of user data for the purpose of analytics, Mark Kapczynski on removing your personal data from public internet sites and others.

So, Steven here came to me and said he'd also like to extend a few of these past discussions into some new areas and maybe build on them. So, that's what I'm looking forward to doing today. So well, I highly encourage our listeners to check back on Chris [inaudible 00:13:53] and Mark's episodes, as well as our episodes on GDPR and other privacy laws and frameworks, to dig into this topic the way we want to we’re really going to have to sweep everything off the table, I think, and start over with some very fundamental premises.

So, at the very start, we need to consider almost radically why companies feel the need to collect and store data in the first place. So, Mark, why are transactions involving PII not single use and immediately destroyed? I mean, you can speak to this better than me. But thinking back to the early days of the Internet, data collection was just – it seemed like it was something that was done out of hand, just in case we might need it later. So, can you talk about how this early Wild West approach to data collection, which of course you've seen from the very beginning there, has brought us to this place we're at now?

[00:14:38] SC: It's like many things, Chris. I think it comes on the back of a legacy problem, old habits, bad habits. But we didn't know there were bad habits back then. And suddenly we find ourselves in a new world where we have privacy laws coming out of every corner. And we have to retrospectively try and comply with those against all the bad habits that we've been doing for so long.

I think it goes back to attitude, which is, back in the day, you would want to collect as much data of your customer as you possibly could get away with. The more data you had about your customer, the more you knew about them. The more you could learn about their habits. The more you could maybe figure out how to market to them. Or even just laziness perhaps. You could even just say, "Data's cheap. Data keeps getting cheaper. Or storage is cheap. It keeps getting cheaper. If there's no one that's telling me that I don't need to get rid of this data, then maybe I might need this data one day." So, it's easier to store it.

[00:15:36] CS: And at the beginning of the sort of big data boom, like, I feel like there was also this sort of speculative sense of like if we can't use the data now, there's probably going to be an application five years down the line that's going to be perfect. So, we'll be glad that we kept it.

[00:15:50] SC: Exactly. We'll probably get in trouble if we delete it. And then we'll have to answer harder questions down the line. Why didn't you keep that that data? We need to use it now.

So, we've come from that background where the cost of storage just keeps going down and down. There's been no real mandate for us to do anything other than keep it for a rainy day. And worst case, archive it off. But just keep it over there in case we need to bring it back.

And unfortunately, the people that managed data all those years ago, for many companies, they're no longer with you. And so, there's been so many things that have been going on over time as you go through different generations of staff. And companies are not tracking what they've been doing with data. They think they know where a lot of that data is. But they don't have absolute certainty.

And yeah, we at Ground Labs, started doing surveys over the last couple of years of different audiences, but mostly professionals, either in privacy and security. And we just ask them a simple question, which is, "Do you think your company knows where it's storing all of its personal and sensitive data?" And the common answer is, "Yeah, we don't think our company knows where all of that data is."

Normally, it's about 70% of the audience go in that kind of direction. And even the ones who think they do know where that data is, I often ask the question, "Well, how have you come to that conclusion?"

And the normal way that most companies would do this, is they'll go around and ask the business, "Hey, where are we storing data? What do we do with it? What did we collect? And what's our business process that we follow with that data?" And you get lots of different answers across many different parts of the business.

Unfortunately, the people that are giving you those answers, it's based on what they know to be the case right now. They weren't aware of perhaps what was going on five years ago. And furthermore, even the IT security team aren't aware of every data process that's happening, or even the CSO isn't aware of every single little data process that might be happening. So, we talk about shadow IT and all the fun things that come from that. Well, that includes data.

And so, there is so much data that businesses have, organizations have and deal with and process. And some of that data is very sensitive. And the biggest risk that many organizations are coming to realize, as we're starting to see a lot more privacy laws and data protection laws coming out, is that they're sitting on massive amounts of regulated data.

And unfortunately, it often takes an event like a data breach for the organization to now learn what they were really storing. And we've worked with many organizations in that situation. And we might have been talking to them in the years prior or maybe even working with them on a very lightweight basis just helping them assess areas of the business that they did have concerns about, but ignoring the areas of the business where they believed there would be no concerns. And it's those areas where they assume that there's no concerns. There's no data being stored. That can often be the riskiest.

And so, as a result, these organizations that subsequently suffer a data breach will come back through the door and say, "Right. Let's get rid of all the assumptions. Go back to the beginning. And let's look at every bit of data across the entire organization. And let's get some evidence. And let's start to make some real decisions about what the risk is we have in the business." Now, we can start to put the right security controls around it.

In a nutshell, Chris, that's a very basic explanation of largely why we've seen so many data breaches over the last number of years and continue to. I just saw very recently, as probably did you, we've just seen a major ride-sharing app have an issue in this part of the world. A very well-known coffee brand that everyone's familiar with just had an issue out here. And in security, we don't like to name and shame. It's just not cool anymore.

And frankly, it continues to be that question of it's not really a matter of if, but a matter of when. And it's just about, "Well, how do you minimize the damage that could come from an event like that?" And our company's old logo used to be "Sorry hackers, we found it first." And we were simply saying, "Look, isn't it better if um if you're asking the question where are we storing sensitive data before we have a data breach, rather than having to wait until the data breach happens and then asking that question." That's unfortunately the worst possible time.

[00:20:20] CS: Yeah. Yeah. I mean, this next question, I wrote before we were talking today. So, I feel like we're already going in a different direction. But I’m going to kind of ask it as is, and we can adjust as necessary. But one would hope that companies, when creating their data collection and storage protocols, and now we're realizing maybe they don't even do that, that they're 100% knowledgeable and up to date with all security compliance frameworks they're regulated by.

But clearly, that's not the case. And in some cases, they might not even be thinking about those things. So, why does it look like a lot of organizations don't even know about the privacy regulations they're breaking? And can you tell our listeners the ways that evolving and changing privacy laws are making it harder to be sure that you're on the right side of the regulation?

[00:21:01] SC: Absolutely. That's a really big question, Chris. So, I’ll answer it in the most straightforward way I can. Because frankly, this is the exact challenge. You're a business owner. You're really good at what your business does. You're not thinking about data privacy laws and frameworks. And the other side of this is that there's no one from these respective governments that are publishing these laws and requirements saying, "Hi, we're from the government. So, how are you going with complying with this new data framework that we've put out?"

And so, there's no one following up. And then the penalties are there to catch you only after the worst-case scenario has happened, when a data breach has happened. And unfortunately, it's the wrong way to go about it.

I'd go back to my payment security days. The reason why the the PCI and payment security world has done a reasonable job at creating something that people have to follow and then they write it in a way that's very prescriptive, so it tells you precisely what you must do. What controls you must put in place in order to ensure that payment data is correctly secured? And it was being enforced and mandated through the banks.

So, every business was being contacted by their bank saying, "Right. If you wish to continue having your e-commerce website connected to our bank to process credit cards, you must show us evidence that you are secure. Because we can't trust you if you don't show us that evidence." And they had a commercial relationships –

[00:22:28] CS: Yeah. That's on [inaudible 00:22:30] side of things.

[00:22:31] SC: Exactly. And they had a commercial relationship under which to levy fines, or non-compliance fees, and all sorts of other things. And that's why that ecosystem worked. Now, for the governments, it's a different story. Trying to tell every business that you must comply with this law regarding personal data of our citizens, because that's what we're trying to protect, is a much bigger undertaking.

And so, I think in terms of how do I as a business or do you as a business have to think about this. Firstly, it obviously starts with the data. A data security law is triggered as soon as you come into contact with someone's personal data, okay? That what it's worried about. Personal data is defined as something that it can identify an individual. So, if you're collecting people's name, their address, some sort of an ID that can link back to them. And there's not necessarily complete limits on what constitutes personal data, but a lot of the data standards out. They define it quite well.

And the other side of that is what customers are you servicing? And where are they in the world? That's the other most common misconception. So, if I’m a California business, for example, then I might have heard of the CCPA, the California Consumer Protection Act. And so, that's kind of a starting point. Well done. If you do know what that is, and you've started looking into that.

But if you're selling to customers in Europe and you have an e-commerce website, you've got some sort of business, and you are collecting data from a customer in Europe, then you also have to be concerned about Europe's data security laws, which are far harsher. The GDPR is one of the toughest data security laws in the world.

Again, without getting into a deep standard by standard breakdown, because it can get pretty dry, to be honest, Chris. Some of the key things really do concern: Are you collecting that data with people's permission? Do you have a data protection officer in place? Are you putting the right security controls around that data that you've collected? And are you getting rid of that data when it's no longer needed? When you no longer have a legitimate purpose?

And the more difficult side of this is some of the things that have come out of this European law that other countries are following including U.S states that are implementing data laws, which is if a consumer would like to know what information a business has collected about them, they have a legal right to be able to contact that business and say, "Please tell me what you have on me." And this is a very, very different place we're in now. And an average business is really struggling with this notion of, "Well, what information do we hold about each and every customer? And where are we storing it?" And most of those organizations –

[00:25:12] CS: Yeah. We're not maliciously hiding it from you. We really don't know.

[00:25:15] SC: We really don't know. And the larger the organization gets, the more complex the problem gets. And this is why we've seen the rise of the CISO. Now we're seeing chief privacy officers appearing in larger organizations. And it's one of the best times to be in data security. If you're embarking on a career into data security, these challenges create immense opportunities, because there are so many problems to be solved. And there's a lot of good work that we can all do.

[00:25:45] CS: Yeah. Now, maybe this is a captain obvious question here. But it's like when you said that if you're a European – if you're a California company, you have to know about CCPA. And if you're European Union, you need to know about GDPR. But am I right in thinking that, also, if you're a European company that takes orders from people in California, you also have to be – your data has to also comply under CCPA if there's something more different in there from your sort of primary compliance? Is that right?

[00:26:16] SC: Yeah. And there are nuances between some of the data laws as to who they apply to and in what scenarios it's triggered. So, to keep it simple, the mindset that I always put people into is exactly as you described it, Chris, which is, first and foremost, you need to understand what data of people from around the world you're collecting, okay? And that starts to give you an understanding of how many different data laws may apply here.

Now, you're in average business, you can't possibly now have to go out there and look up every single law and comply to it. But if you are at least aware of some of the toughest ones like the GDPR in Europe, and CCPA is starting to get tougher. And we're even talking about a national U.S law that covers all citizens across the US. It's going to be interesting to see how they implement that given how the states and the federal frameworks work. But all in all, it is a good mindset to have to say, "Right. Well, if I have a customer from country X, I should at least be aware that if we were to suffer some sort of a data breach, I’m probably going to have to contact their regulator and advise them that we've lost X thousand records of people from that part of the world. Because these are some of the basic things that exist when you have these types of events. And this is part of the reason why, in the past, there used to be data breaches happening all the time. Companies were sweeping it under the rug. And it wouldn't be until you've suffered some sort of identity fraud that you would find out.

And so, now, at least, there's an onus on these companies to have to proactively notify everybody that's been affected. Correct. And then put in place like protection monitoring and whatnot. Yeah, data identity monitoring and so on. It's a different world. But the ability for your average business to comply with this myriad of regulation, we have a long way to go.

[00:28:07] CS: Yeah. Well, okay, to that end, do you foresee a universally-adopted privacy standard coming out of all these fractured and location-specific frameworks? Or do you think it's – You said like with the US, obviously, it's going to be hard to even just blanket that, let alone multiple countries. Do you think this is just going to be the way of the future that someone is going to need to be burst in all of these different ones and are going to be able to sort of juggle as well at the same time?

[00:28:32] SC: Yeah. Look at it, Chris, is a little bit like virtual CISOs that we're seeing a lot more of now. Security is getting harder and harder. The threats are getting worse. And so, companies are realizing that they may not have the resources to hire a highly experienced security professional. But maybe they can get one to come in X days a month just to come in and assess what's going on. Make sure the right things are in place. The same thing goes for privacy. You're starting to see virtual DPOs or outsourced DPOs, data protection offices. So, someone who just comes and says, "Right. Let me just review the way you're handling your data. Let me review your policies. Let me do some training for your staff off. And let's just get the awareness of this."

Because I think the biggest change of mindset that needs to happen in every organization is that if an employee comes into contact with someone's personal information, whether it's a customer, or whether they're working in HR dealing with an employee's data, that's sensitive. That's toxic data. It's funny. At the moment, we're having a conversation out there in the world. Everyone's been talking about data is the new oil.

Well, if you're a chief marketing or chief data officer, that's how you would typically see things. If you come from outside of the world, then you're seeing it as uranium. You're seeing it as a very toxic substance that needs to be treated and handled with the utmost care. Because to mishandle it can create a data spill, a toxic spill. And that has repercussions for a lot of people when that happens. So, every organization just needs to become a lot more aware of the data that they're handling and collecting. And just even start to take basic precautions around saying, “Right. Well, let's not just email someone's record to my colleague through a simple email. Let's not just have spreadsheets of people's information just lying around in my documents." Yes, that's not the whole story. But it's a big step forward.

We at Ground Labs, we help companies to scan data everywhere. So, we'll scan a laptop. We scan servers. We scan their Office 365 mailboxes, and OneDrive, and Google and many other common locations that businesses use to store all of their data, and then just try and reveal where all these bits of personal data are coming up and hiding and then try and make it easier to clean that data up. And in more than 50% of cases that that we'll find, the best decision is actually to delete that data. And that makes the risk go away. You probably find that you didn't have a business justified reason to collect that person's information back then. Or maybe you did back then but you no longer do.

And so, there's just a lot of good basic common sense, things that organizations can do that puts them in a strongest position to be safe and secure with their customers' data. And also remember that when a customer has given you their data, they've trusted you. They've assumed that you have put in the right policies, procedures and security to make sure that you don't lose that data.

[00:31:31] CS: So, again, I keep using the sort of image of just wiping the slate clean and starting over. And I think that's going to be useful in terms of thinking of like the sort of platonic ideal of data collection and security here. Rather than sort of tinkering with a hypothetical existing company, if you were to start a company today that had to collect data as part of its business model, what are some basic organizing principles or advice that you would have for companies on sort of what data to collect? How to collect it? How to secure it? How to store it? Do you have any anything that you think – you know, if you were to start clean that you could do really well and that maybe someone who's bogged down right now could maybe sort of tighten it up.

[00:32:22] SC: Sure. I mean, I would look at it the other way, which is if you're starting fresh, then you need to ask the question what is the absolute essential data that we need to collect to deliver the product or service that we have to deliver. And let's not go beyond that, unless we've got a very, very strong, justified reason to do it. Because, unfortunately for the organizations that do get breached, when they've suffered a breach that involves many different forms of PII data and they've effectively over-collected the data, they've gone well beyond the scope of what they should have done, the regulator looks at that and says, "Okay, well, I’m now putting you in the upper end of the category for fines. Because, clearly, there are just things here that you should never have done in the first place."

The thing about data breaches, and when regulators look at it, is that they accept that the world isn't perfect. And mistakes can happen. And things can happen. What they're looking for is did you consciously have the controls in place that you should have to try and protect that data. And was it just a failure of a control? Or did you have nothing? Had you even thought about how are you protecting people's data.

Again, back to Greenfield. Number one, just collect only the data that you must collect. Know exactly where it's ending up. Okay. So, put in place measures to be on the lookout for personal and sensitive data in locations where you're not expecting it, because it does turn up for the strangest of reasons.

And then just some other general security practices we're seeing now. I’m sure you've had this topic in some of your other talks about cyber insurance. You can't get a cyber insurance policy now from a lot of insurers unless you've got multi-factor or two-factor authentication enabled. Because one of the most common ways of compromise is to take over someone's identity and then just log in looking like a valid user. That's the easiest way. And so, having those practices in place when you're accessing systems that store this sort of data are essential.

[00:34:22] CS: Yes. Sorry. I was looking at the next one. I was listening, but I was also doing – So, we've talked about different roles that touch these issues. And your point here, you mentioned sort of several different job roles. There are the professionals in charge of data collection and storage. They have a set of skills all their own that doesn't necessarily overlap with privacy managers or compliance officers. This can sort of also pull in related areas like risk managers, and identity access managers, and storage, and recovery and more.

For our listeners who are interested in this topic, data security, and this type of work at these various entrance points, what are some universal and transferable skills that are going to help you if you're trying to get into this area of work? Whether it's hard skills, like understanding and implementing privacy regulations? Or soft skills, like the ability to communicate risks with stakeholders or an affinity for reading of hundreds of pages of privacy legalese.

[00:35:18] SC: Yeah. And I think you just explained it nicely there, Chris. I see it in two two key tracks. I think you've got the technical track of all of this, which is where I hail from. When I talk about this, I always put on the technical hat. I can't help it. But I’ve had to come to understand some of the legal side of it. But I still – it's funny. You still feel imposter syndrome when you talk about certain standards, because the standards have a lot of wordage in them, and you really have to be more so aligned to that side of the skill set.

Typically, we're seeing privacy people, privacy experts being aligned more so to legal. Or they're coming from a legal or regulatory compliance background, and they're less technical. And you need both sides of the equation. In fact, you need the two groups working together.

I mean, one bit of advice I give to people who particularly are earlier in their career is this whole introduction of privacy laws creates a fantastic opportunity, because a lot of organization are now, to a point I made earlier, required to appoint a data protection officer or a information security officer. And for those that are really interested in this and are progressing their career, it's a great chance to step up and say, "I’ll take on that responsibility."

Because for most organizations, it's not a full-time dedicated role. It's in addition to what you're doing. But it just means that you start to be a lot more exposed to this problem and having to read through the relevant standards that apply to your business and start to talk to the business about, "Right. How can we improve our posture? How do we start to understand what data we're collecting? How do we make sure that we get rid of data after we no longer need it and that we're not over-collecting data?"

And that if there was something horrible that happened , we have procedures ready to follow that says, "Right. If we believe there is a compromise, here are the steps we follow. And here's how we contain the situation as quickly and possibly as possible whilst remaining calm." Because that's one of the biggest challenges, is if you're not ready for that and then it happens, well, you're in reactive mode the whole way through.

[00:37:27] CS: Yes. Yeah, yeah. Our incident response guest, Ketron Evans, basically said like the first thing you do is just take a deep breath. Like, you can't be more breached, you know? Start working on the problem. Don't jump right to the self-recrimination phase.

Well, to that end, if data privacy officer isn't necessarily something that's the person's full-time job, does that suggest that this is a type of work that you could do on kind of a consultant, consultancy, like, freelance basis? If you got really good at this, could you sort of advise data privacy strategies for a number of companies? Is that a viable work option?

[00:38:07] SC: That is absolutely a viable option. As I said before, organizations are struggling with the skill set that many organizations simply don't know what to do or where to start. And they're looking for advice. And in some cases they might call their lawyer and say, "Right. What do we do?" And the lawyer will help them make sure they've got the right policies in place and maybe give some guidance on other fronts. But these outsourced data protection officers or outsourced information security officers that are aware of data privacy laws, they bring a really interesting skill set to the table to say, "Look, let's just start at the beginning. And let's walk through and figure out the journey of how data enters your business and when it should be leaving your business. And then we'll work back from that. And we'll just put in place to begin with entry level controls. And then as time goes on, let's up the maturity and get you guys to a level that would be far and ahead most of your peers in the same industry." Because the fact that you've made that reach out and said, "We need your help. Come in and help us out." is much better than putting your head in the sand.

And unfortunately, a lot of organizations, as you've touched on earlier, Chris, just aren't fully aware of the obligations that exist now when it comes to handling people's data.

[00:39:23] CS: Yeah. I feel like it's kind of like driving without like a driver's license or something. It's like you can keep doing it as long as you don't get pulled over. Like, you shouldn't. But realistically, that's I think it seems like works for people who are – their heads are. I’ll find it later. I’ll deal with it later. But right now, I got to get these groceries.

[00:39:42] SC: Yes. Or speed camera versus actually being pulled over by the cop. The two scenarios have a very different impact on whether you're going to think about doing it again or not.

[00:39:52] CS: Yeah, yeah.Totally. Looking to the future, where do you see these issues and solutions going in say the next 10 years? Do you think data collection and privacy and identity theft will look completely different a decade from now?

[00:40:05] SC: It'll keep evolving. So, they're always looking for the lowest hanging fruit. And as we plug one hole, they're moving to the next hole. So, in the world of payments, we've gotten rid of the mag stripe, or we've stopped using the mag stripe on the back of the card, which many of you may notice. That was due to security. That was a security-driven initiative. So, that shut that angle of fraud off.

So, now we've switched. And rather than trying to get into networks and steal the data, all we're trying to do is lock down the data and then ransom it on you and then get you to pay us in Bitcoin. These are the different tactics. And the attack point will continue to move around.

I think we need to – in the US, we need to get to a national data privacy law I think. Having 50 states, each with their own data law, is going to be too challenging for most organizations. Unmanageable. Let alone, if you're in a specific history and you're dealing with HIPAA. You're in the healthcare industry. Or you're in the gaming industry and you've got gaming control laws, control board laws, to deal with. And various other industries; banks, financials, investment bankers and so on. They've all got their own unique sets of laws and regulations concerning what you can and can't do with data. And then to layer on 50 states worth of laws, it's not a practical problem. And then we go broader into the rest of the world.

I think now, over 70% of countries have modern data privacy laws. Over 130 countries now. So, I think just to bring it back to simple concepts here, ignore that for a moment. Just think about what data do we have. And if you can get over this problem of understanding what data we have and then start to put the right controls around it and get rid of the data you no longer have, you've already taken a ginormous step forward in addressing this global privacy problem that many businesses are facing. And you're doing the right thing by your customers at the same time.

[00:42:09] CS: All right. That's a great place to end here. As we wrap up today, tell us a little more about Ground Labs and some of the products and projects you're excited to present or talk about in the months to come.

[00:42:20] SC: Yeah, absolutely. Ground Labs, we're a software company. We're across different parts of the world. We have offices in Australia, in Singapore, in Ireland, in UK, as well as Austin, Texas. And these days, being a distributed workforce, we have people in many more states and locations than that. Companies who buy our software are companies that are trying to find where the sensitive data is hiding across their organization. And once they've found that data, whether it's up in the cloud, or on their servers, desktops, in their databases, in their emails, and many other interesting places, then we can start to help them come up with a way to clean that data up or even do things like lock it down, which is what we call remediation.

It's about trying to provide a single pane of glass that shows you where every data risk is across your whole organization. And then start to assign responsibility onto different people across that organization to fix it up. And then we do some other things around data classification, data risk mapping, and a whole data around analytics piece that you can plug in to visualize what you've got, and where it is, and what we should do about it in interesting and different ways.

[00:43:28] CS: All right one last very, very important question. If our guests want to learn more about Stephen Cavey and Ground Labs, where should they go online?

[00:43:35] SC: Groundlabs.com. Start there. And if you want to connect with me on LinkedIn, please do. I welcome it.

[00:43:42] CS: Love it. Stephen, thank you for your time and insights today. I really appreciate it.

[00:43:45] SC: Thank you, Chris. It was a real pleasure.

[00:43:47] CS: And as always, I’d like to thank all of you for listening to and watching CyberWork on an unprecedented scale. Our numbers have jumped like crazy the last couple months. And I’m so glad to have you all on for the ride. So, I want to let you know that if you go to infosecinstitute.com/free, you can get your free Cyber Security Talent Development ebook. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employers and a team of subject manager experts to build training plans that align with the most in-demand skills. Use plans as is or customize them to create a unique training plan that aligns with your unique career goals. One more time, that's infosecinstitute.com/free. Click the link in the description below and get your free training plan. Do it. Infosecinstitute.com/free.

Thank you once again to Stephen Cavey and Ground Labs. And thank you all so much for watching and listening today. We'll speak to you next week.