Episode 4

Minimize the impact of a data breach with Josh Mason

RecordPoint VP of Engineering Josh Mason discusses how to minimize the impacts of a data breach through proper data management and preparation.

They also discuss:

  • How to prepare yourself to withstand a data breach.
  • The importance of establishing an incident response plan ahead of a data breach.
  • Why you need an external partner for incident response services.
  • How to gain a picture of how a data breach has impacted your organization.
  • The importance of having a single control plane for data breaches.
  • The importance of employee security awareness training.

Links

Resources

🎧 FILED S01:E11: Automating ugly freight in an evolving world | Cate Hull, Freight Exchange

🎧 FILED S01:E01: AI perspectives from a records commissioner | Pauline Toole, City of New York  

📨 FILED Newsletter: ChatGPT: Is this popular new technology a threat to data privacy?

📨 FILED Newsletter: Generative AI will offer up identifiable data if you ask nicely

Transcript

Anthony Woodward  

Welcome to FILED, a monthly conversation with those at the convergence of data privacy, data security, and governance. We're doing something a bit different this month. I wanted to share with you a one-on-one discussion with RecordPoint's VP of Engineering, Josh Mason, where we discussed data breaches and the role that real preparation can have in minimizing their impact.

We originally published this as a video on our YouTube channel, but we've had amazing feedback from that publishing, and I thought we should get this out onto our FILED feed so the podcast listeners could be part of the discussion also. If you're missing my co-host, Kris Brown, rest assured he'll be back next month. But until then, please enjoy this episode of FILED.

Today, I am very excited to have our VP of Engineering, Joshua, Josh Mason. Joshua Mason, got that correct? Yeah. I'll let Josh introduce his amazing history, and we're going to dive today into a conversation around data breaches and some planning and thinking and conversations in that realm. But Josh, tell us about yourself.

Josh Mason  

Yeah, thanks. Thanks, Anthony. Yeah, so I've worked for a number of years now in the records management space. Before that, I came from service management, from companies like Cherwell and Ivanti. I always like to think that service management is like a cousin to records management, and basically I was running really large global teams, working with the financial industry, working with healthcare companies, really across the gamut of government agencies at those places.

And you're dealing with a lot of the same problems in the service management companies that you do in records management, in terms of understanding your IT domain and space like that. Before that, I spent a lot of time working, almost 10 years, in travel: in corporate travel, luxury travel, and a lot of that also jumping between full-time business intelligence companies.

I worked at a really interesting company called 23 Touchpoints, where we basically had built a pretty sophisticated model that said, look, if we know 23 things about you, within 90 percent accuracy we can predict where you might want to travel next. And we proved that out and, yeah, made those services available to cruise lines and, you know, travel partners and travel agencies who, you know, needed that kind of information.

And yeah, before that, I spent a lot of time working at Getty Images and came from Microsoft. You know, we're here in Seattle right now, so any engineer, anybody in the tech space, you have to pass through Microsoft to kind of stay in the industry. So, yeah, that's my background.

Anthony Woodward  

Yeah, and we've been working together for almost a couple of years now.

And I know in your background, you've really focused on engineering highly accurate, highly stable, large-scale applications, you know, and that's really this evolving space of data management, and it really needs those skills.

Josh Mason  

Mm hmm. Yeah, yeah. I mean, definitely here, you know, what we do at RecordPoint.

Obviously, we're connecting to a massive amount of systems, massive amounts of data, looking at petabyte volumes and billions of records and figuring out how do we move that data from the content source? How do we analyze that data? How do we enrich it and provide value? And how do we store it and maintain trust of that data, you know, on behalf of our customers?

And that's really the same type of thing that I've been doing for the past 20 years at the other companies as well. Whether that was pulling in IT records or, you know, all the travel records for very large organizations. This is the same type of thing where you're, you know, you have to put a model in place and have controls in place to protect that data and scale to meet those kinds of, those kinds of demands.

Anthony Woodward  

Well, that's fantastic. It's great having you as part of the team. I know everybody here absolutely enjoys working with you. Today we obviously want to do a deep dive for the audience around data breaches and, you know, the types of things we've been doing and the types of things we've been solving for customers when a data breach occurs. But I want to start at the very beginning of a data breach and kind of break it down for the audience around how you can think about setting yourself up when a breach happens, and then we'll talk later about how you might be able to create some precautions for those data breaches occurring.

In your experience, you know, what have you seen as the kind of classic breach? I mean, I think the stats I was looking at earlier today are that about 45 percent of all organizations out there have already had a data breach. Most of them haven't reported. And the expectation is that over 80 percent will have had a data breach by the end of 2025.

And that's some data from Gartner. You know, does that shape to your reality? And how do you see that evolving?  

Josh Mason  

Yeah, absolutely. I mean, the amount of data breaches that are occurring is increasing. I think in 2022 there were 1,800 data breaches just in the U.S. alone. Another thing the U.S. probably isn't happy about leading the world on, but, you know, 4,000 breaches worldwide, 1,800 of them just in the U.S., with, you know, billions of documents that are floated out there into the world, into the ether.

So, yeah, as far as once a breach occurs, there's some stuff that you have to take care of. The first thing you want to do is be able to contain the breach. And what you really want to have in place is an incident response plan, so that you've kind of thought about these things beforehand and you have identified who are the people that need to be involved in these conversations that you're going to pull together when the breach occurs. So, people from your legal department, your cap management team, your engineers, obviously. But you have those people recognized, what the roles and responsibilities are, and then you have a communication plan.

The communication plan can be really tricky on what to do with a data breach. And that's because, you know, you're trying to maintain public trust through this. So, you know, when do you disclose? Do you disclose it right away, before you have all the information? Do you wait till it's more well known? You may have contractual obligations you've made with your customers that, you know, force you to give out this information.

There's obviously regulatory and legal things that would force you to, you know, get that information out there and disclose that information. And so you really have to have those things kind of figured out and know what you need to do in the moment. The other thing is that you need to have the actual, what are the response and mitigation things that you will do to contain a breach.

Part of the thing that's going to determine the amount of money you're going to pay out in this breach, which is generally in the millions of dollars: the faster you can identify that the breach occurred and contain it and reduce that scope, the less money it's going to cost. Right now, the Cost of a Data Breach report from IBM that they put out every year is looking at about $180 per record

that is lost, you know, that is leaked out there. So, it's very expensive. So, if you can narrow it down quickly, you know, you're going to reduce the overall expense. Being able to narrow it down also means that you know where the data is; I think we'll get into that in a moment. And another thing about mitigating and containing is that you've made decisions as a company about what the options are that are available to

you beforehand. Like, can you just pull the plug and shut the whole thing down? If it occurs in certain systems, you don't want to spend four or five hours waiting to get hold of the right people and approvals and things like that. You want to have that in place.

So the companies that generally have that kind of incident response process in place are going to be better off. And I'm answering this at length here, but the last piece of this is having, you know, an external partner that you have made arrangements with beforehand that provides incident response services

and can do forensics and stuff. That's a really good thing. Companies like Mandiant, that's one that I've used before at a previous company. Even CrowdStrike has resources available. SecureWorks has people available. Because what's happened in the breach is that you've lost public trust, right? So, everything that you state out there and put in the press afterwards is going to be taken with a bit of a grain of salt.

And so by having that third party who has also come in, they're not only just helping you really, you know, retain the records and do a mitigation, they're also helping you with some of those public statements, almost as a third-party auditor, to say that corrective actions have been taken, and here's really the scope, and it's been verified by an outside party.

And it's good to have those resources found ahead of time because cybercriminals, unfortunately, don't wait to do things only between nine to five during the week. So, you want that relationship to be in place, you know, all the time, so if it happens on the weekend or after hours, you can make it happen. You can react.

Anthony Woodward  

Yeah. So, you know, for an organization that's had a breach, they've executed their incident plan, you know, and they're in the process of thinking about communicating to their different stakeholders, whether that's in contracts or whether that's customers or, you know, even just constituents they may have interacted with. How do they get their hands around the impact?

You know, how do you know what's occurred? How do you get that analysis?

Josh Mason  

Yeah. Yeah. So, a big part of this is actually understanding what your data inventory is and knowing where all of the data exists across your entire ecosystem, right? Where are all the databases, whether they're, you know, kind of on-prem within your own ecosystem,

and those database systems that exist, you know, out there in the cloud and within the SaaS systems. So, it starts with that. That's one piece of it. It's like, okay, now I know my data is across all of this. The next part is really this data discovery piece, of really knowing, well, what is actually in those systems?

And what is the type of data that's in those systems? So, these are the systems and records that actually have personally identifiable information or payment card information stored in them. Okay.

Anthony Woodward  

And for our non-US residents, that's P.I. information versus P.I.I. information.  

Josh Mason  

Thank you, yes, yep.

Yeah, so, having systems that can identify all those things, yeah, social security numbers, phone numbers, addresses, you know, recognizing any of that type of thing, so you know where your most sensitive things are. And you can also direct your response, right, so that you're not trying to look everywhere at the thousand different sources; you're redirecting those responses to where your most sensitive data is. It allows you to then, you know, focus your efforts on those particular audit logs.

Anthony Woodward  

No, and I suppose, again, building on the layers here: you've now been able to discover the content, you know where it is, you've mastered it, you've been very hygienic over those processes.

What can you do to mitigate this kind of risk in the future? So, if we were to think about what are the things we can do to prevent, because in fact, at this stage around a data breach, prevention is far better than the cure. Yep. What are the kind of activities that we can go on to create some prevention mechanisms?

Josh Mason  

Yeah, so I think it's kind of a broad question, because there are so many things that can be done here. If we kind of stay in the records management piece, you know, part of the scope of impact and the size of the breach is going to be based a lot on the corpus of documents that was actually breached into.

So, one important part of records management is actually having disposition, and having disposition schedules in place, so that you're eliminating documents and logs and other types of data in your environment so that they're not just sitting around to be picked up. You know, some of the data breaches from, like, a Yahoo or Google, where they've released, you know, 52 million, 350 million records out into the market.

That information is then getting picked up and used in stuffing attacks later, where they take those same, you know, usernames and passwords and break into other systems. Many of those accounts were closed for years, just floating around in a system. So, they're going to be paying that $180 per record, you know, for data that they didn't need to have around and shouldn't have around.

Anthony Woodward  

Yeah. So, it was costing them money to store it. It was costing them money when it was hacked. And now it's going to cost them money again to pay out on, you know, the class action, the litigation. What are the wrap-up strategies, then, to kind of close this notion of data breaching out, that companies can really think about in that prevention mechanism?

You know, clearly we talked about inventory, we talked about data disposal, but the one thing that I think there's a gap there for a lot of organizations is actually having control, so having a control plane that allows you to understand and execute those things in a systematic way. Is that your experience, and what did you do in your previous organizations, or even here at RecordPoint, to deal with that?

Josh Mason  

Yeah, for sure. The control plane is important because, as you start to, one, try to classify all this information and these documents, how are you going to decide what kinds of things you need to retain and which things you need to get rid of? You have to classify it all. You have to set up the access controls in different systems and all the different security levels.

So, if you can imagine it, like a previous organization: I worked with New York City Department of Education very deeply, and Los Angeles County Office of Education. And just those two as an example, you know, they have over 1,000 enterprise applications that they're utilizing just within those departments. And so you can imagine the volume of data. So you can imagine, as a records management person or IT person, trying to set up controls in 1,000 different applications, trying to set up a classification system in 1,000 different things, or how they tag and manage security, which are very different across all of those. Companies that tried to manage that independently, without having actually that single pane of glass and a single control plane,

are not going to be very successful, because they're going to miss something. It's impossible to keep them synchronized. Businesses change over time, and then trying to go back to a thousand systems to make changes, it's impossible. So, I think it's critical that businesses, especially ones that have large numbers of enterprise applications, need a single control plane where they can integrate and pull things from all the different places, all the different data sources that they have.

Anthony Woodward  

Isn't that fantastic? Yeah. And a quick top three. I always like a top three to wrap up a podcast or the end of FILED Live. What do you think are the three things that organizations are getting wrong around data breaches? What would be your top three?  

Josh Mason  

I think not having an incident response plan, and one that they've actually exercised.

So, you'll find that companies, a lot of times, have created an incident response plan. They have one kind of put together, generally the things that they do, but they haven't actually, one, reviewed it and updated it. Organizations change. That's the thing we have to recognize. And the processes and how we respond change over time as well.

And it's different to go through the exercise when you're not under the stress of an actual cyber-attack than it is to do it, you know, under that pressure. So, yeah, running through those. And that same Cost of a Data Breach report from IBM, you know, talks about, I think it was like a 40 percent reduction, you know, millions of dollars in reductions to the total cost of the breach for companies that actually have an exercised incident response plan, not just an incident response plan.

I think the second one, in terms of preparedness in some ways, is not really doing a sufficient enough job around employee security awareness. A lot of companies will do, you know, a small amount of, I call it a small amount of training: you know, you watch the cartoon videos or kind of learn what phishing attacks are and, you know, how to do your passwords.

Those tools are awful. Yeah. Oh, they're awful. Yeah. Nobody likes doing it. I mean, most people, you know, as soon as you get in, you're like, how do I just slide to the end of the video, right? How do I just get this done? And they're barely reading it. And so what happens is, you know, again, if you truly want to understand your risk and you want to monitor your risk,

it also doesn't provide a real way that you can measure your employee security awareness and how good they are at it. And like you said earlier, you know, I think you said this earlier, but basically, you know, 50 percent of the attacks that are coming in are through phishing-type attacks and through your employees, right?

So, you could use software like PhishMe and Phished and KnowBe4, which are companies you can use. The benefit of those types of programs is that you do watch some of those videos; I would say they're a bit better with, like, a KnowBe4. But the big benefit they come with is that they set up real, actual training, right?

They, you can set up a campaign where they send actual phishing attacks to your staff, and you can increase the difficulty of it. So, they'll start off with, you know, sending a picture of a unicorn asking you for passwords, you know, and the employees are, you know, going, yeah, probably not. Not that I always give my password out.

Yeah, exactly. Yeah, probably won't disclose it. They'll forward it on to security and say, this looked weird. Right. But then you crank that up over time, and eventually those phishing attacks look very close to what a real cyber-attack will look like, which is, it'll look like it comes from your logo.

It looks like it came from your IT department, you know, but it's not. And then these systems, KnowBe4, will track how many people actually opened it, how many people interacted with it, yeah, how many people actually disclosed their credentials. And I can tell you, working at companies, I've been very, very surprised, even at a company that's primarily engineering, to not have everybody pass those things. And so this is a way to measure that risk, you know, in an ongoing way, and do the training, targeted training on specific individuals, maybe, and then watch that score increase.

Anthony Woodward  

That's perfect.  

Thank you for going through that today. I really appreciate the insight that you bring through a lot of the experience you've had. If I can wrap up to say that, you know, with our ongoing series here at FILED, we're going to continue the conversation around data breaches and different approaches to data breaches.

There's a whole plethora of activities I think that we didn't get a chance to discuss in what is a very short timeframe for today's episode, but stay connected, subscribe to what we're doing, and certainly you'll see more from us. But thank you very much. Yeah, thanks. Thank you all for listening to this edition of FILED.

We'll be back next month. I think Kris Brown's actually going to join us with more discussion on data privacy, data security, and governance. Please remember to follow us on social media and please share this podcast with all your colleagues and friends. If you get a chance, we'd love a rating in your favorite podcast app.
