Kitecast

Analysis and Lessons from Kiteworks Top 11 Data Breaches in 2024 Report

Tim Freestone and Patrick Spencer Season 3 Episode 43

In this episode, cybersecurity experts Mike Crandall and Arun DeSouza join host Patrick Spencer to analyze Kiteworks' Top 11 Data Breaches in 2024 Report. Rather than ranking breaches by the number of records exposed alone, the report introduces a weighted scoring algorithm with seven factors that rates each breach on a scale of 1 to 10: number of records exposed, financial impact, data sensitivity, regulatory compliance implications, ransomware involvement, supply chain impact, and attack vector sophistication. Because several factors are weighted (financial impact and data sensitivity at 20% each, for example), a breach can score near the top of the list without having the largest record count. National Public Data topped the list with a score of 8.93, followed by Change Healthcare and Ticketmaster, both scoring 8.7.

A significant finding discussed by the experts is the shift in industry targeting patterns, with financial services overtaking healthcare as the most breached sector. The conversation emphasizes how credential theft continues to plague organizations despite sophisticated controls. Five of the top 11 breaches resulted from credential compromises, including attacks that bypassed multifactor authentication. Arun highlights that despite years of security awareness training, approximately 25% of incidents remain attributable to human error. He warns of the growing sophistication of social engineering with AI-generated phishing that will soon include voice modulation and deepfakes, making attacks increasingly difficult to detect. Mike recommends leveraging AI defensively to detect anomalous behaviors that humans might miss.

Both experts stress the critical importance of data protection and classification. Arun advocates for AI-powered data characterization and governance platforms that can proactively identify sensitive information requiring protection. Mike emphasizes the need for proper data classification, noting that organizations often struggle to differentiate between critical and non-critical data. He recommends data minimization strategies including cold storage for inactive data to reduce the potential attack surface. The experts agree that building enterprise-wide risk awareness requires collaboration across departments rather than treating security as an isolated IT function.

The panel concludes that organizations must prioritize zero-trust architecture implementation, adopt data minimization strategies, and enhance incident response capabilities. Arun frames this as a comprehensive coalition of "people, process, and technology safeguards all working together." Mike adds a sobering perspective for businesses that might not see themselves as targets: "These weren't the 11 hacks of 2024. These were the top hacks... there are literally hundreds of thousands, if not millions more. And that's you." 

Top 11 Data Breaches in 2024 Report: https://www.kiteworks.com/top-data-breaches-report

Arun DeSouza LinkedIn: https://www.linkedin.com/in/arundesouza/

Mike Crandall LinkedIn: https://www.linkedin.com/in/crandallmike/ 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Spencer (00:01.378)
Hey everyone, Patrick Spencer, co-host of Kitecast. We're excited to have our audience joining us today. I have two fabulous guests, Arun DeSouza, who hails from up in the Michigan area, and Mike Crandall, who's in the Colorado Springs area, if I remember correctly. Gentlemen, thanks for joining me today. Mike, I'll do a quick drive-by and then I'll let each of them introduce themselves. They'll do a better job than me. They both have really

Mike Crandall (00:20.558)
That's correct.

Patrick Spencer (00:31.342)
impressive careers, a lot of experience, and are going to add a lot of value to today's conversation. We're going to focus on our top 11. I'll tell you why it's 11, not 10. Data breach report in 2024 is actually a good story, I think it is. Arun, he's a former CISO, among other things, I think he's the CTO. Those of you who've had a chance to check out the podcast episode with Arun from

a few issues ago, make sure you do so if you haven't. If you have, you might want to take a listen again, because we covered a lot of ground during that conversation that I think the audience will find helpful. He's former CISO. He's a board member and advisor for a number of different companies, both startups as well as high velocity tech companies. And he presents at a lot of different conferences I'm on. I follow him on LinkedIn. It seems like every day he's presenting at some different event.

Arun DeSouza (01:25.154)
Ha ha ha!

Patrick Spencer (01:26.67)
and having some party or dinner. So he has a much more exciting life than me anyway, maybe not Mike. In my case, the co.

Arun DeSouza (01:29.464)
you

Mike Crandall (01:34.57)
I want an invite, sorry, I just want an invite now.

Patrick Spencer (01:39.19)
Mike, a 20-year impressive military career. He transitioned out of that. He co-founded and is the CEO of a company called Digital Beachhead. And they provide a lot of different services, including virtual chief information security officer services, but they're a C3PAO, among other things. I'll let the two of you introduce yourselves and what you guys are up to currently. Arun, let's start with you.

Arun DeSouza (02:07.684)
Yeah, hi. Thank you, Patrick. The last podcast was great fun and I'm looking forward to repeating it now, more fun with you and Mike. And I think you spoke a lot about me. So I just wanted to say that it's been a long career in cybersecurity and the thing I like best of all is making new friends like Mike today.

Patrick Spencer (02:26.83)
The two of you have, not surprisingly, met each other before.

Mike Crandall (02:31.16)
Although we both look familiar, funny enough. Yeah. And I think you did a great job, Patrick. Yeah. Did 20 years in the military doing cyber before it was a term. Starting in the first Gulf War, running around, breaking into thinnet cables that everyone was using as their network pre-CAT5. To now just helping out small to medium-sized businesses that are working within the defense industrial base plus other commercial entities.

Arun DeSouza (02:33.016)
Yes, yes.

Patrick Spencer (02:33.07)
Thank you.

Mike Crandall (03:00.44)
build that cyber strategy that, you know, they somehow know they need, but don't always have in place.

Patrick Spencer (03:07.544)
Yeah, very true. And on the CMMC front, you guys are doing a lot of work there. So if someone's looking for help with CMMC, Mike's organization is one you definitely need to get in touch with.

Mike Crandall (03:19.311)
We have gone through that journey, yes. Maybe we can help hold people's hands as they go through theirs.

Patrick Spencer (03:21.774)
Thank

And successfully at that, right?

Mike Crandall (03:30.318)
That's the goal. That's always the goal.

Patrick Spencer (03:33.848)
So last year, I came up with this idea, some of our audience know this, of evaluating the top data breaches that occur in the Identity Theft Management Center, I'll get that right, they have an acronym like everything in cyber, ITMC, publishes a half-year report as well as an annual report. So they had their first half of 2024 and...

I had this idea that, you know, there's all this interesting data. It has to be more than just records breached or the number of people impacted. Right. There's a lot of different factors involved. So I turned to my friends, ChatGPT and Claude and others, and told them, I want to create this fabulous algorithm to score all these different data breaches on a scale of one to 10 from least to most serious. Obviously, since these are all in the top.

10 or 11, they have top 10 in theirs. And I created this algorithm that had six factors involved. And we published, some of you may have read the first half 2024 report, which I thought it was interesting. And it had an algorithm that was based on those different six components. And we did it again this year for the entire year of 2024 when ITMC came out with their latest data.

and research. We used that as a starting point. We augmented with data from IBM. We augmented with data from Verizon and so forth. And my friends came back and said, six isn't enough. You need to have eight. So we came up with eight components that comprise the algorithm. I'll just run through them quickly so the audience has some context. And we'll talk about some of the findings with Mike and Arun because they're really the experts. Like, number of records exposed, the weight is 15% there. Financial impact and estimation,

Mike Crandall (05:16.172)
and I'm glad that you chose me.

Patrick Spencer (05:21.646)
the weight's 20% there. We're obviously using some IBM data there to augment the findings from ITMC. Sensitivity classification of the actual data, which is a really important topic. And I think Arun and I talked a bit about that and Mike and I maybe in the webinar we did on what to focus on in 2025, I was confusing my webinars. We probably talked a bit about that as well.

That's 20%. Regulatory compliance implications, ransomware involvement, 10%, supply chain impact assessment, 10%, attack vector sophistication. That was 10%. That hopefully added up to seven or eight there. Maybe it's seven, seven, not eight, pardon me, that we came up with. And that's actually detailed in the report. So the report's linked at the bottom of the podcast. All of you can click on it and you can read the report at your leisure. And that's on page five, if that is helpful.

And then we went through and looked at, they had 10 in the ITMC report and looked at those 10 different data breaches from the vantage point of those seven different elements. And we scored them on a scale of one to 10. And then one of my colleagues came and said, well, how about the National Public Data breach? It was huge. In fact, I was hacked, he told me, and all of my bank accounts have been frozen.

So yeah, that wasn't included in their data. So we threw that into the mix and that's how we ended up with 12, 11 rather than 10, which is hopefully an interesting story for our audience. And ironically enough, National Public Data ends up at the very top of the list with a score of 8.93 on a scale of 10, one to 10. And then we can go through the others, whether it's Change Healthcare was 8.7 and Ticketmaster Entertainment was 8.7.

8.5 for AT&T and you can go down the list. That's on page six in the report if that's helpful. So no one will have to listen to me talk, especially myself, but probably the audience as well. Let's dive into some of the details. Arun and Mike have digested the report. Let's start by looking at industry shifts and trends and then we'll look at some other elements later on in the podcast.

Patrick Spencer (07:38.562)
But financial services, if you look at it, seem to overtake healthcare, at least in the findings we had when you look at the top 11 now. If you go and look at Verizon or IBM, they still have healthcare there at the top in terms of the total costs of a data breach, which I suspect won't change this year. Things may be changing. But three of the top 11 were in the financial industry.

Let's start with you there. Do you have any thoughts? You know, why is that the case? Are cyber criminals paying more attention? Seems like healthcare breaches are in the news every day still, but are they paying more attention to financial services because there's more money there? There's more data that's sensitive?

Arun DeSouza (08:20.366)
Well, yes, I agree. But I think you see immediately that you want ROI in a bad investment or bad attacks of the time they're making is much, I mean, arguably easier to go after the banks because they have a lot of money. Health care, on the other hand, you know, trying to get money from them may not be as easy because they have trustees, board, HIPAA and, you know, they probably will not pay you, right?

Banks are more liable to pay you. I think that's really what it is. The immediacy and the, quote unquote, the return to them in the shortest period of time, I think. And I believe that banks don't want to be down too long if there's a problem because obviously they have a lot of unhappy customers. Now that's not to say healthcare, which is now demoted to number two, doesn't have a problem. There's patient health and everything. But I think the issues that...

they won't get paid very fast.

Patrick Spencer (09:19.618)
No, that's a good point. Mike, on that note, we look at the types of attacks. A lot of this involves data exfiltration, right? They're stealing the data and they don't want to give it back. One of the other findings in the report was it's more than just the financial impact, right? We always talk about the financial impact. It's XYZ. IBM has their fabulous report they publish every year on the cost of a data breach.

which is really interesting to see how that's changed over the years. It keeps going up obviously, but operational impact, you look at the Change Healthcare breach, speaking of healthcare, was really huge. You know, do you see a shift there where, you know, it's very malicious in many ways. And when you're talking about healthcare, you know, it's an attack where they can't deliver healthcare, you know, life-saving activities sometimes can be obstructed.

Mike Crandall (10:15.788)
Yeah. And I think, you know, the one thing I learned, you know, 20 years in the military is the enemy is always going to adapt to your tactics and procedures that you've put in, in defense. And so they move from healthcare because like Arun's saying, they're not paying, their insurance is probably not going to cover it. And then in that shift, well, if they're not paying ransom, what else can we get them with? And that's got now into that extortion, right? We have your records.

and we're either going to just sell them because why not, or we're going to try to extort you out of a payment and then maybe still sell the records. But that's more their goal, I think, now is that extortion to threaten you with, we've got your records. If you don't pay, we're going to release them and just cause the damage. And then it's more, you know, beyond financial, it's your reputation. Although,

I'm beginning to see that breaches happen so often that that reputation damage seems to be lessening. Right? Because everyone's been breached. So now when you get that letter saying, hey, we've been breached, we're sorry we lost your records, we're like, okay, again, versus how dare you and I'll never trust you again.

Arun DeSouza (11:21.562)
Hmm.

Arun DeSouza (11:31.77)
And a little tidbit, a few years ago I was at one of the conferences that Patrick was talking about that I speak at and there was another speaker there that actually had done a study on companies that had been breached and what happened to the stock price. Well, expectedly it went down, but what was shocking to me is the stock price rebounded in, I won't say almost no time, but

Patrick Spencer (11:33.784)
Yeah, yeah.

Arun DeSouza (11:58.38)
Relatively almost no time, because to your point, I think reputation is kind of okay while it goes. At the end of the day, people said, do we really want the services, have they done me a call for, and people just forget. People's memory is short. So I think, you know, the reputational impact doesn't have the same gravitas it used to in the past, I don't think.

Mike Crandall (12:12.76)
Yep.

Patrick Spencer (12:20.198)
I think you're right. I remember doing a webinar with Charles Carmakal from Mandiant. It's probably been two years ago or so. It has been a year and a half ago. And he noted in some of the supply chain attacks that they were seeing that more and more organizations were opting not to pay the actual ransom. And that that was a potential trend that was taking place. Maybe we see that happening here where, you know, we'll risk it. We'll take the brand impact. It'll wear off after.

Mike Crandall (12:20.802)
What?

Arun DeSouza (12:40.1)
Mm-hmm.

Patrick Spencer (12:49.324)
six months and maybe organizations from a perception standpoint, which is usually true, not always. If you've been breached, it actually may be a flag that you've hardened your security. You may be in better shape than those who haven't been breached. They just don't know it because you've actually gone through that process. You have a...

Mike Crandall (13:08.152)
Well, and I think you, yeah, I think you begin chasing your tail. Like on the list was AT&T. Well, the year before it was T-Mobile. So all those people who are like, I'm leaving T-Mobile because, you know, damn, this happened to me, moved to AT&T or whatever. And then, you're next. So unless you want to change carriers every year, you're going to have to just learn that this stuff happens, right? And that, that becomes our mindset.

Patrick Spencer (13:25.454)
It's fine.

Arun DeSouza (13:28.473)
Thanks.

Arun DeSouza (13:36.41)
In the report, there is actually a very tangible, solid example of exactly what you just said, Patrick or Mike or the company are paying and that's Loan Depot. And Loan Depot, the demand rises, they didn't pay. But I'm missing that not only because of the fact they didn't pay the ransom, but how did that compromise happen? It's through a phishing campaign targeting Loan Depot employees, right? Where they...

moved the lateral network and, you know, in 48 hours and very help was created. Now, why is it important? You know, I've been tracking this factoid since 2013. Mike probably has seen the IBM index of what percentage of incidents are attributable to people. And God bless us all. Every year it comes at 25%. It's like a statistical anomaly, it's almost a truism now.

The point is, you know, the greatest ROI as we know is by tuning the human firewall, doing training and awareness and everything, right? But I think the thing is sometimes people don't remember, they're too much in a rush. And in yet another of the breaches here, you know, we'll talk about the MFA.

fatigue where they keep bombarding you with these MFA stuff. Now how many times have probably you and I trained the users, right? So sometimes the simplest things that get you because you're in a hurry or in a rush, but I think tuning the human firewall is so very important, right? And training and awareness.

Mike Crandall (15:19.5)
Well, and the adversary is getting smarter about learning about us. You know, LinkedIn, great networking tool, we're all on it. But it also is a great tool for like, wow, Patrick, I see you were just hired by, you know, Kiteworks. Guess what? I'm your CEO, and I want to tell you something.

Arun DeSouza (15:37.786)
But not to belabor this phishing statement, yet another of the breaches is giving me a second time to remember. It was actually at Dell, a full technology company where a bunch of execs, it was a spear phishing campaign targeted against them. And through that, they were able to, I believe, impersonate a technology partner by doing very sort of probably AI-generated convincing communications that led to

Credential theft. Now, you know, it's gonna say, Arun, you're missing it again? Well, the fact of the matter is, you know, when you talk about defenses and training people, training cannot be one size fits all. So these folks that are more highly exposed, I call the VIPs or very attacked people, you need to train them more, you need to have a higher level of controls against them. Maybe they have stronger multi-factors or dual factors or triple factors

And so everything more of it, more training, boot camps, you know, controls and more challenge response and things like that. And of zero trust, obviously my favorite subject, one of them.

Patrick Spencer (16:48.322)
Well, about half of the results of a credential theft, which usually goes back and you have multifactor authentication. Everyone has that in place now, but credential theft continues to plague organizations. You know, five of the 11, why do you think that's the case?

Mike Crandall (16:48.898)
What happened?

Arun DeSouza (17:07.354)
I think because, you know, it's social engineering, right? Social engineering, these guys, like you mentioned earlier, Mike, and I was paying rapt attention. You're on Twitter, you're on Facebook, you post all these different things. And typically, you know, for example, when people are trying to compromise, go, what's the name of your favorite dog? Well, your favorite dog name was where again? On Twitter. Your birthday was where? On Facebook. And it's so...

so much easier for people to harness information now, right? I mean, I remember last year, there were these two big casinos that got hijacked or hacked last night. I don't want to mention the names. One, of course, refused to pay and the other said, I can accept it. The other paid. But how did that actually happen? By this exact thing, social engineering, where of all people, they spear phished an IT employee, if I remember correctly, at least in one of the places, right?

Mike Crandall (17:48.354)
Yes.

Arun DeSouza (18:06.074)
One would think that, OK, IT people are, quote unquote, better, more aware. But hey, they're people too. They forget. They're tired. Who knows? So I think social engineering is the biggest threat. And I think with AI coming, the thing that I really worry about is the attacks against Dell become so much more sophisticated. And it will become omnichannel. What I mean is it won't just be through passive email.

I believe it will also happen through vishing, the voice, right, by deepfake videos. You know, and then what they may even do is they may play a message that imitates your dad, for example, your mom or something, and then actually through a voice modulator, then ask you a trick question, right? You think you're talking to your dad and things like that. This thing, yeah, I love AI, but just sometimes I wonder, you know, is it friend or foe? Of course, I think it's largely friend, of course, but it's like nothing else.

And the point I mentioned that is training and awareness is one side, but governance, putting the guardrails, policy-driven, super-wise AI and everything, you need to do all that. Does any of that resonate with you, Mike?

Mike Crandall (19:17.368)
Yeah, and I like to say that for everyone that's had their credentials stolen, they have to buy a new dog. To your point, I need a new dog now because I have to change my passwords. And for me, what I'm seeing is they're getting more clever, of course, with AI and ChatGPT. They're not as obvious. They used to just train us.

you can obviously tell when the Nigerian prince is sending you the email and it's, you know, so poorly written. Well, that's changing. And we've seen a rise in to get around the two factor. You know, they get into one account and then that emails another account, but they're emailing as a, as a, you know, encrypted message or click this link and it's coming from a friend. So you, you don't distrust and then they just kind of perpetuate until they find the person with the purse strings. And that's when they lie in wait.

take action. it's, they're smart, right? We gotta, we can't leave it up. It's no longer that poor person, you know, sending the bad email, asking you for a million dollars.

Patrick Spencer (20:23.648)
And organizations have MFA in place and they still are being hacked as a result of that, like to your point. Kaiser was a, you know, MFA fatigue situation that resulted in that hack, is one of our top, top of it. So what do we do? You know, we know there's a problem. So we constantly throw more technology at it. We throw training at it. We try to, you know, shame employees that, you know, do dumb things. We do the training.

Mike Crandall (20:29.25)
Yeah, because you can capture it in the middle, you know?

Mike Crandall (20:35.992)
Thank you.

Patrick Spencer (20:53.262)
Hopefully it happens when we're doing the training, not the actual real-life attacks. How do we address this? Because we've been talking about this, well, since all of us have been in cyber, which is over 20 years in all three of our cases.

Mike Crandall (21:08.622)
Yeah, I would say one of the things, we've got to start leveraging that AI to look at these anomalies that are coming in emails. This person hasn't emailed you in 27 days. Their typing of the email was erratic. Or when you're logging in with a password that wasn't an actual typed password, that was a replay.

Arun DeSouza (21:09.006)
Yes, it is.

Mike Crandall (21:34.456)
You know, there's little things that AI can pick up a lot quicker than our normal tool kits. I don't want to rely 100 % on AI. We do need that human intervention. My wife still looks at our security cameras and says, I love you, AI overlords. So that way she says when Terminator comes, she gets the green screen around her head and she's saved. And as a cyber guy, I'm the one that's getting taken out. But I do think we need to develop, you know, keep up with tech because the enemy will.

Arun DeSouza (21:43.342)
Yeah.

Arun DeSouza (21:54.19)
Yeah

Arun DeSouza (22:03.45)
So I think it's a multi-part answer. First I'll start at the lowest level. We talked earlier about the human firewall, people as the first line of defense, training and awareness, complemented and supplemented by AI-powered training, AI-powered anomaly detection. But...

Zero trust is a big thing to me, right? Because the companies that adopt more zero trust, I'm not talking just the multifactor. Multifactors can be low tech. People still, I can't believe it, using the text message, they need to get rid of all that stuff, right? So stronger multifactors. But the principle of zero trust, I think you touched upon it earlier, Mike, is the fact of the matter is that I talk about the identity coin, right? The person, device, location. But the logical side is much more important to me, the context, role,

attribute and behavior so that every connection in fact is done on the trifecta of identity, device, posture, and session risk. But that's easier said than done, right? So A, you need the people. Now, you need the business process because you need AI, government policy-driven AI, the governance. also most importantly, at the end of the day, most of the breach is what are they about data? So data sovereignty is important.

Mike Crandall (23:04.726)
is better than none.

Arun DeSouza (23:19.31)
Data classification is important, business partners is important, because at the end of the day, all of us know, yeah, you can talk zero trust all you want, but if you haven't done the proper work to have the proper policies and the proper business engagement, it's not going to happen. Now, obviously, you can't classify all your data manually. You're going to lose that battle. So that's why, like you said, Mike, yeah, it's important because you're able to then determine, you know, are the proper controls in place.

or like you were saying earlier, anomalous behavior is happening. Systems is okay. Arun typically works from eight to eight, seven to three in the morning and he downloads one gig of data a day. He's logging in at four a.m. in the morning and downloading 10 gigabytes of data, right? So immediately what he does, he's blocking. So I think it's a comprehensive coalition of people, process and technology safeguards all working together all of the time, right? But I think at the end of the day,

Identity is the digital perimeter for sure. Zero Trust is sort of the biggest coalition. And then of course, SASE as well, because the thing is today, you're not in the castle involved. You're not like safe in your office and you're working from anywhere. The office is anywhere, right? So SASE and anytime, anywhere authorized access, you know, purely borderless work in a secure manner.

needs all of the things we were all talking about, if that makes any sense.

Mike Crandall (24:48.898)
Yeah, with the CMMC, that's the scoping. And if they don't have some sort of SASE solution or zero trust solution, I'm like, when you're working from home, you realize your children are now on your corporate network. And we have to address them. And I love my family, but I don't trust them. That's what I tell them all the time. That's my zero trust.

Arun DeSouza (25:02.97)
Thank

Patrick Spencer (25:03.534)
And neighbors,

Arun DeSouza (25:11.992)
Ha ha ha ha ha.

Patrick Spencer (25:15.79)
How do we, Arun talked a bit about this in terms of governance controls and so forth, but we've always thought zero trust in the network because of, you know, Forrester, the Palo Alto, you know, and how everything derived on that front. But now organizations, and we're big advocates of this, obviously, it's tied to our business. You know, zero trust must extend to that data layer. So you have all this data and when you look at all top 11 data breaches, it's different types of data.

We'll talk about data classification sensitivity here in a moment if we have time. I'm sure we will. But how do you extend that zero trust layer to the data, just not the network? That's where I think we need to be headed.

Arun DeSouza (26:00.98)
So if I may take that, I think first of all, it has to come from the place that regulatory compliance, and it's talked about in the report, is one of the key factors, right, along with risk and data sensitivities. You've got to understand that, especially understanding which regulations are affecting you. So once you agree to that, you will see a common theme across all these regulations, the fact that you need to respect data sovereignty.

you know, everybody is there. so going into the future, I do believe that self sovereign identity can really help that because today we have 20 possible 20 systems will have a digital passport that we're not there yet. In the short term, what can we do? Like we were talking earlier, Mike said it, you said it, Patrick, we're not able to manually classify every data. It's just simply not possible, right? So what you need to do is realize that there are two channels of data, right? Just keep it simple. One is data in transit.

So you need to encrypt the communication in transit. In the network layer, you need to have AI, network observability to see those anomalies, like you said, to catch data exfiltration and stop it in its tracks by pattern and anomalous behavior, or even the user anomalous behavior. But to me, I think the flip side is sort of really boring, is the data at rest problem. Data at rest, now remember, is data in the cloud.

Of course, right? So we need the governance again when you go to systems in the cloud, making sure that when you sign a vendor, there are proper controls, all that has to be done. But, or data on campus, but in order to understand what you really have, because you can't be shining the light, flashed into every nook and cranny, you don't have enough people, what one needs is really a no-fooling data characterization governance platform powered by AI that can go out there and then discover the anomalies

and actually calibrate it on an as-is basis with your data classification policies and say, well, gee, I think this data looks like social security number. It's not protected or that HR data is on this file server, there's no protection. By the way, we think you need to do something. So I think the heart of data and the data characterization governance platform needs to be able to classify, characterize, and with the notion of observability proactively to the extent possible,

Arun DeSouza (28:25.092)
fix the data problem as well. We're not there yet, but I think it's all of those things. Mike, does it make sense?

Mike Crandall (28:32.162)
Yeah, and I think where we're lacking now is a lot of, you know, I'm sure we've all done it. We've asked our client, so what's your important data versus your not so important data? And they either tell me it's all important or none of it's important. No one cares about it. And that's how they treat it on their systems. You know, they'll have a repository and 90% of the employees can get into it. So until we start thinking about zero trust internally, you know, like

You know, poor Arun doesn't need to see this file. That has nothing to do with his work and we can properly restrict it. Then we can do that externally too and say, okay, using all the tools you said, you know, we've got to be smarter about it, but it needs to start internally where we know, no, this stuff only 10% of the company needs to see. And then in addition to that, what is your stale data? Arun, when you talk about data at rest, we have

Arun DeSouza (29:25.06)
Mm-hmm.

Mike Crandall (29:27.886)
probably less than 20% of the files and data that we have that we use on any regular basis. So how can we archive and put into some sort of cold storage this data that we may need to keep, but we're not going to be accessing it? So that way it's kind of out of touch, out of line, and we can segment it out and keep it away. Then your protection footprint is much smaller because you've got stuff kind of cold-storaged away.

Arun DeSouza (29:52.026)
Absolutely.

Patrick Spencer (29:53.484)
Great point. Well, we'd argue, you know, Arun said data in transit, data at rest, we would say data in use to your point, Mike, right? You have some data that is used, that 20% or whatever that percentage looks like, that is used internally, but also externally with third parties, which is another aspect in the report, you know, where you open up all these third parties who have access to data. And if you're not using the right governance controls, like Arun referenced,

Arun DeSouza (30:01.722)
Mm-hmm.

Patrick Spencer (30:22.22)
then you're exposing it to risk because there are people who are looking at it who don't need to use it and should not be looking at it. And they might be forwarding it or changing it when you don't want them to do so. You know, what was your sense in terms of third-party risk? Is governance, you know, comprehensive governance, the answer to solving that problem?

Mike Crandall (30:43.884)
I think governance is a good step, but I believe that we sometimes employ governance instead of security. And you need governance with security. I joke, two-factor authentication we brought up earlier, my wife recognizing me in the morning is not one factor. It doesn't count. It does nothing towards security. But I might say I'm compliant as a two-factor authentication. So we have to look at our compliance

Mike Crandall (31:13.086)
and our governance in such a way that it has both teeth and a true security mindset behind it, you know, instead of a tick box.

Arun DeSouza (31:25.782)
So one of the things that...

Patrick Spencer (31:26.062)
And the influx in fines and penalties that we've seen over the last couple of years and this year, I haven't seen the summary for 2024 yet. It depends on the regulation, but those are up. Do you think that's starting to put some teeth into some of these regulations, where organizations will be forced to adhere to much stricter security controls, or do we still have a long way to go there?

Arun DeSouza (31:50.746)
I think they will because I mean, the one thing that I wanted to say earlier is I talked about encryption for data transit, but you need data at rest as well. And it's also very important now because with quantum computing coming, you need a higher level of encryption. By the way, I'm not an expert in encryption for quantum, but for example, homomorphic, I think it's called encryption.

Patrick Spencer (32:18.156)
Encryption, yep.

Arun DeSouza (32:20.056)
Right, and speaking of multi-factors too, we need to train people to get rid of the low-tech multi-factor security question, my God. You can hack that by social media accounts or the text messages, but going into more stronger, like authenticator, biometric things like your face, et cetera. Now, I say that not tongue-in-cheek, I realize that you've got to put the guardrails around AI, like supervision, you also need.

the same level of due care and due diligence from a privacy perspective using biometrics. But the fact of the matter is, everything else being equal, your biometric passport, your biometric signatures, very, very important. And so the reason I mentioned that is we see some of the breaches, I think, with Change Healthcare, the whole entire ecosystem got torched, just like you said.

Arun DeSouza (33:15.62)
So a chain is as strong as its weakest link, you know, and how do you assess the risk posture of all your suppliers? How do you do that? Right. It's very, very difficult because I mean, the way that some of the big companies do it is they send you this weekly 300-question or 20-page questionnaire to fill in and they say you have to put it in, we may audit you. That's not the way, right? That's just not the way. I mean, it's a partnership. I mean, it's almost to the extent that you've got to

Mike Crandall (33:15.718)
But in some cases, probably, it's not as

Arun DeSouza (33:45.211)
I think this is where public-private and private-private partnerships can come in, and there's sort of an industry-specific coalition. I mean, kind of taking the thing from the cloud, where you have public cloud and private cloud, but you have community clouds. So taking the same principle and putting it in action across the supplier and manufacturing ecosystem, have those communities of practice, right? Where people come, they share everything.

No one is smart enough to say they know everything. So I think what we need to do is not only just focus on the technology and encryption, but really building the partnerships across public, private, and private, private, so we can all work together in what I call the power of federation, if that helps.

Mike Crandall (34:28.812)
Yep. Yeah. And I like to say that the problem that we're having is, you know, so many companies feel like an island unto themselves, but they feel that they've spent money and therefore they have cybersecurity. And I like to tell people cybersecurity is a myth because you're never getting there, right? It's a journey, but there's no end point. You're not going to spend enough.

Arun DeSouza (34:39.95)
Mm-hmm.

Patrick Spencer (34:51.97)
constantly evolves.

Arun DeSouza (34:54.254)
Well said.

Mike Crandall (34:55.598)
You're not going to outspend it. Understand your risk and understand what you're doing to prevent things, but know that the new thing is coming. Quantum, I use my Arun, the can of worms. When you said quantum, I'm like, oh no, he's opened that can of worms. Encryption's dead. Because it is. We have to figure out what's next. What's next? If we're always saying I've spent, therefore I'm safe.

Arun DeSouza (35:12.186)
I wouldn't have to.

Mike Crandall (35:24.999)
You're not there, you you got to constantly be looking forward.

Patrick Spencer (35:28.684)
Well, one thing we looked at, talked about maturity of security and documentation and encryption for that matter. This is music to both of your ears. We just published, not this report, but we published a report on the state of CMMC 2.0 maturity or preparedness. I think it was preparedness in the DIB. And those organizations that said they worked with experienced third-party providers like you guys

came back and they had much, much, I mean, we're talking twice as many in many instances, better, you know, comprehensive security controls in place, encryption in place. Why do you think that's the case, and do too many organizations forget that step on the CMMC front? You've probably seen that, Mike, you're being called in by organizations beginning to panic: we don't have CMMC compliance, we're gonna lose our business with the

DoD if we don't get this CMMC by the end of the year. And you're peeling back the layers and it's a train wreck because they haven't worked with an experienced third party like yourselves.

Mike Crandall (36:34.894)
Yeah, and I think that goes to so many senior leaders that think the IT department are omnipotent and know everything about everything that has to do with IT. And they just go, they've got it. And if you look at some of these regulatory controls and implementation of those controls, it can be so nuanced that an IT person might just say, and bless them, they're doing their best, but their job is to keep the bits flowing, right? The printer's printing.

the boss happy, and they're like, yeah, we're doing that. We have two-factor, but what is it? And is it meeting the intent of the control and, you know, digging deep into, like in CMMC, the objectives under the controls. And I think what we're seeing is a lot of those people who don't have that expertise brought in are relying on what they consider to be their experts, which they are for what they're doing, but they don't understand that whole compliance side of things. And

That's where that gap is, that gap in what we're finding is they're not doing it because they don't want to. They think they're doing it, but they don't have a full understanding of what it really is.

Patrick Spencer (37:46.988)
Is it because, I'm interested in both of your opinions on this, is it because the cyber folks just haven't aligned completely with the compliance components yet? That, you know, they've been focused on cyber and now they're realizing there's a compliance element that needs to be wed to cyber and they're just beginning to do so. Is that the case?

Mike Crandall (38:03.914)
and it is beginning to explode.

Yeah, I think that in the, you know, a lot of the times we're just getting the job done. And when you come into compliance, there's a lot of paperwork and the "prove it." And, you know, "Patrick does it because he's the admin" doesn't really cut it, or, you know, "Patrick's the person who monitors the logs." Awesome, show me the last thing you took action on. Like, last week I did something, you know, and you're like, nope, that has to be documented. We have to.

What actions did you take? Were those actions approved? Did it go through a change management process? You start incorporating that guidance in there and it moves away from you doing your job, just doing your job.

Arun DeSouza (38:49.828)
Yeah, I think it has to change, For example, we take the example of OT security, right, in manufacturing, the OT people versus IT people, not everywhere, right? Because each are doing their own thing, and then you may have breaches to suppliers who come in through unsecure networks and so on. So I'm going to postulate that companies need to understand that there is an overarching umbrella. And what is that umbrella? The umbrella of enterprise risk.

So if you agree to that sort of umbrella, then under that umbrella is security, privacy, audit, governance. They're all part of the stuff. I think normally what happens is enterprise risk in companies is basically like check the box, like throwing darts and saying the risk is this, this, and this. But at the end of the day, there's got to be at least a programmatic level of collaboration across those functions because it's a multidisciplinary problem, right?

Because none of the functions can know everything about everybody else. But if there's the mandate that comes from the board or the audit committee or the chief risk officer to say, guys, you've got to play nice. We need to make sure, OK, what's our balanced scorecard to minimize risk across the entire thing? What are the risk minimization goals for this year? What are the initiatives? What are the processes? What are the investments you have to make? That's going to be the conversation. So back we come full circle again.

So the notion of the partnerships now inside the company, intra-company partnerships, which I think too often don't happen because, like you said, Mike, we're all very busy, or Patrick. But I think the fact is we keep having to do more and more with less and less. And if each of us functions as an island, how's it going to work? The whole thing is going to come crumbling down. And I say that also because I read an alarming article on LinkedIn the other day that the CISO is being demoted in the organization,

which, already under IT, is demoted even further, in some cases reporting to infrastructure or whatever. But the thing is, that's to me antithetical to the notion that enterprise risk is where every company should pin their hopes to drive their mission and vision forward.

Patrick Spencer (40:46.915)
Hmm.

Patrick Spencer (41:06.358)
Yeah. And how do you ensure that that's the case where you have all those islands interconnected? You have bridges built between those islands. Unlike here in the Pacific Northwest where we don't build bridges. You have to get on a boat to visit the islands. How do you build those bridges? Do you have any suggestions there?

Arun DeSouza (41:18.785)
Hahaha!

Arun DeSouza (41:24.474)
Well, you can, I mean, in the absence of a corporate sponsor with the CRO or the board audit committee, right? I think personally, in my opinion, the chief information security officer should be that evangelist, storyteller and relationship builder, because no one else is going to do it, right? Because, and it's important to take that, and I've done it also, building those partnerships one relationship at a time, because when you build those relationships, you know, it's...

A rising tide lifts all boats, right? So when all of us are riding the same tide like surfers, right? I think we are much better off. So I think rather than saying what we can do, how much more we can do together. But for that, I think the CISO should be the thing. Honestly speaking, I think some corporations are already there where the security officer is a peer of the CIO. And in fact,

or reports directly to the chief risk officer. Because there's some level of corporate sponsorship, we've got to elevate the conversation. Because otherwise, you know, it's like the beatings will not stop, right? You can't work like that all the time. It's demotivating. You know, you can't be a scapegoat. You've got to be an equal partner, then, well, you should be invited to be a partner. But it's not always going to happen. We know that. So if you want to be more successful, you've got to make that investment of time and effort. And look, everybody's not going to be a friend. You're not asking them to be a friend.

What you're trying to paint to them is that I am your ally, I'm your partner, I'll help you, let's work together. And some may not jump, but largely speaking, most will. So I think the principles I would say are, you know, vision, collaboration, execution. You paint the vision for these guys, the power of relationship, commit to collaboration, insist on it even, even if that extends to going to lunch or going to coffee or inviting them to your own round table,

the CSO round table once a month or whatever. Because once you do those two things, then the strategic roadmap to minimize enterprise risk with the security plan, et cetera, can be executed in the proper way with balanced scorecards and those things. Patrick, does that make sense?

Mike Crandall (43:21.816)
Yep.

Patrick Spencer (43:35.596)
Yeah, that's exceeding. That's a whole white paper. We transcribe it, we put it into Claude or ChatGPT and we've got a white paper from everything you said. That was great.

Arun DeSouza (43:39.076)
The next part you'll

Mike Crandall (43:46.798)
Exactly. I was just going to say, we fight hard, play hard. So that's military training. You do the work, but then you also go out after work and you build your teams that way. You have to have that connection as people.

Patrick Spencer (44:03.026)
That's very true. One of my guys who's a coder and focused on delivering on some projects, he complains when he goes to the company events, everyone sees him, they talk to him and now they know how smart he is and they come to him wanting help on their projects. But maybe that's cause for a seizure.

Mike Crandall (44:20.018)
He's just got to learn to dumb it down in public. That's all. You just got to know your limits. It's part of that team building.

Patrick Spencer (44:27.278)
Exactly. Well, we're about out of time. This has been a fascinating conversation. Before we wrap, just, you know, we'll start with you, Arun. You have any thoughts in regards to the report? Anything that we missed or, know, key takeaways for you? You guys have talked about some of them already, but anything that we may have not touched on yet that you think is worth mentioning?

Arun DeSouza (44:47.642)
I think I have a few things in my mind, starting with what I got from some of the high-level attacks, you know, in no particular order. I think the API economy, we talked about the API economy, and you and I talked about it in the last podcast, API security. I think, you know, some of these breaches could have been prevented if they had stronger API security, making a commitment to that.

You talked about cloud misconfiguration. People take things for granted. So I think we need to strengthen that security posture. We've flogged this ad nauseam. Identity is the digital perimeter, but these identity-based attacks keep going up all the time. And yet our controls are not keeping up. We're not adopting zero trust fast enough. We're on antiquated multifactors, right? And then, of course, the thing we didn't talk about, we touched upon, is the notion of patch management, right?

Because you need to be making sure, because how many of these top breaches are done by misconfigurations and vulnerabilities, right? And the thing that's interesting to me is that some of these breaches, they're not just, you know, it's not like a one and done. Like I think you mentioned it earlier. It's like they're patiently waiting, they're evading you, they're sitting in your home, you know, so how do you deal with that, right? The stealth mode, they're there. And then...

I think some of the other things that we can do is commit to zero trust for sure. And then Patrick, you talked about it earlier, data minimization, the minimum necessary. I think you talked about it too. But that data minimization, whether it's data in use, like you said, or data at rest, or whatever, has to come from the foundation of data characterization and proactive governance through an observability and AI-driven platform, I would say, for sure.

And then of course, I think you've mentioned earlier, committing and investing in advanced threat protection technologies, right? Because why should only the bad guys have AI? Good guys should have AI too, right?

Patrick Spencer (46:55.822)
Mike, any thoughts building on some of Arun's takeaways? Your thoughts on the

Mike Crandall (47:00.952)
Yeah, for me, these reports come out and I think a lot of senior leaders look at them and go, well, that's not me. I don't have 9 million records. I don't have a hundred million records or whatever. And, you know, I want people to take away, this is your top 11, but breaches are like Ocean's 11, the movie. That's what we see in the news, those high-intensity, you know, hacks that have the big score at the end, that were complicated and, you know,

had professionals doing it, but we don't learn about how many convenience stores were robbed last night. And that's you as a business. You're not making the top 10, not making the top 11. You're not being the news, but trust us, there are many more. These weren't the 11 hacks of 2024. These were the top hacks. There are literally hundreds of thousands, if not millions more. And that's you. So take this away and learn from it, but don't...

look at it and go, whoo, you know, I'm never going to be that. So, you know, look at it and learn from it, but know that you are in that group.

Patrick Spencer (48:09.496)
That's a great point because these are the ones where the most malicious activity and the biggest impact was seen. We can take lessons from each of these and bring them back into our organizations. These are things that we want to ensure we have locked down, that we've hardened. We have the right governance controls in place so that we minimize those risks. We'll never get rid of the risk. Never will happen. But we can minimize it.

Arun DeSouza (48:09.647)
Yeah.

Mike Crandall (48:31.234)
Right. And to that point, when you say these are the biggest impacts, these are the biggest impacts on scale, but not necessarily the biggest impacts, because a small business that gets breached could be going out of business, which is a much bigger impact than "we had to cover, you know, this kind of damage," which these multi-billion dollar companies do.

Arun DeSouza (48:34.254)
But.

Patrick Spencer (48:53.154)
You know, very, very, very true. I know my number one takeaway was a hashtag from Mike, PW no dogs.

Arun DeSouza (48:54.178)
And yeah.

Mike Crandall (49:03.662)
That's right. How many dogs can you have in a household? You can't have that many dogs in your household for the number of times you're going to lose your password.

Arun DeSouza (49:14.138)
If I may say one or two more words, because I lost my train of thought earlier, I think if you're going to minimize enterprise risk, you've got to focus, in my opinion, on the trifecta of monitoring, continuous monitoring, but not just passive monitoring, but embracing observability so that you can make changes correctively; robust access controls that are being tuned all the time; and adaptive cybersecurity frameworks,

for sure, because that's how you're going to be able to fulfill your regulatory compliance and your business mission and vision.

Patrick Spencer (49:53.551)
Those are great points. That continuous monitoring and observability across your entire environment is critically important. Mike, how can folks get in touch with you if they're interested in engaging your organization? What's the best way to do so?

Mike Crandall (50:09.626)
The best way is just reach out to either me on LinkedIn or at our website www.digitalbeachhead.com.

Patrick Spencer (50:16.898)
Great, and Arun, I assume it's probably similar for you.

Arun DeSouza (50:19.866)
Yeah, mainly LinkedIn. I think that's where people find me fastest, right? I think everyone's there. Thank you, Patrick, for this opportunity. And Mike, thank you also for collaborating on this. It's been great fun, really. I had no idea what this was going to be about. But man, we had a great conversation and a ton of fun.

Patrick Spencer (50:40.394)
I don't think we followed the outline at all that we put together, but an engaging conversation and hopefully our audience found it helpful. The report, make sure you check it out. There's a link for the audience at the bottom of the podcast page, and check out Mike's organization as well as Arun's profile on LinkedIn and engage them, because these guys are very knowledgeable and have years and years of experience in cyber as well as compliance. For those in our audience interested in checking out

other Kitecast episodes go to kiteworks.com slash Kitecast. Thanks for joining us and we look forward to having you on our next Kitecast.

Arun DeSouza (51:17.924)
Thank you.

Mike Crandall (51:18.552)
Thank you.