Security is everyone’s job in the workplace

It isn't just good code that helps a hacker break into systems, it's also about understanding and preying upon human behavior. The threat to businesses from cyberattacks is growing as companies shift to hybrid work.

John Scimone, senior vice president and chief security officer at Dell Technologies, says security is everyone's job. Building a culture that reflects that is a priority because cyber attacks are not going to decrease. He says that technology and data are growing in volume, variety and speed. The increase in attacks means an increase in damage for businesses, he says.

The shift to hybrid work and the talent shortage experts have warned about for years are compounded by the new challenge of ransomware. One of the main challenges we've seen in the IT space is labor shortages. The lack of cybersecurity professionals is one of the main vulnerabilities within the sector. Both the public and private sectors have been warning about this crisis for a long time.

Investing in employees and building a strong culture can help with the fight against cyber threats. Over the last year, Dell has seen thousands of real phish attacks that were spotted and stopped as a result of our employees seeing them first and reporting them to us.

It's against the backdrop of a culture that every team member knows they have a role to play in cybersecurity, so training is essential.

Show notes.

The data is a problem.
The data protection index is global.

Full transcript.

Business Lab is a show that helps business leaders make sense of new technologies coming out of the lab and into the marketplace.

The strain of the work-from-anywhere trend on enterprises is our topic today. The need to secure a wider network of employees and devices is urgent due to an increase in cyberattacks. Keeping security top of mind for employees requires investment in culture as well. Two words for you. The workforce is secured.

John Scimone is the senior vice president and chief security officer at Dell Technologies. He was the global chief information security officer for Sony.

Business Lab is produced by Dell Technologies.

John, welcome to the world.

Thanks for having me, John. It's good to be here.

How would you describe the current data security landscape, and what is the most significant data security threat?

For anyone who can watch a news outlet today, we see that these attacks are hitting closer to home, affecting public events this year, threatening to disrupt our food supply chain and utilities, and we see cyberattacks hitting organizations of all sizes and across all industries. The landscape of cyber risk is divided into three areas. How vulnerable am I? How likely is it that I will be hit by one of these attacks? So what if I do? What are the consequences?

Technology and data are growing in volume, variety, and speed as we consider the vulnerability that industry and organizations face. In today's on-demand economy, nothing happens without data. Businesses are overwhelmed by data, according to our recent study. More than half of respondents said that the pandemic had increased the amount of data they needed to collect, store, and analyze, but also the security implications of having more people working remotely. More than half of the respondents have had to put emergency steps in place to keep data safe outside of the company network.

We followed up with a study on data protection. Organizations are managing more data than they did five years ago, according to the global data protection index. The majority of respondents are concerned that their existing data protection solutions won't be able to meet all their future business challenges. The increase in the number of employees working from home is thought to have increased the organization's exposure to data loss from cyber threats.

We see that vulnerability is growing. But what about chance? How likely are we to be hit by these things? It's a question of how motivated and capable the threats are. The risk to these criminals is low and the reward is high. Cyber attacks are estimated to cost the world trillions of dollars this year, but very few criminals will face arrest or repercussions for it. The tools and know-how to perpetrate these attacks are becoming more widely available. The threats are getting more sophisticated.

When organizations are hit, costs are going to rise, whether it be brand reputation, operational outages, or impacts from litigation costs and fines. The average cost of data loss in the last year was a million dollars. Over the last year, the average cost to have systems down was over half a million dollars. There were many cases this year where companies were facing extortion demands over $50 million.

These consequences will only get worse. I think that the greatest risk facing most organizations today is the threat of ransomware. Most companies are vulnerable to it. It's happening with increasing prevalence and consequences are rising, hitting some organizations to the tune of tens of millions of dollars.

With the global shift to working anywhere and the increase of cyberattacks in mind, what kinds of security risks do companies need to think about? How are the attacks different from a few years ago?

As we saw a mass mobility movement with many companies, employees shifting to remote work, we saw an increase in the amount of risk as organizations had employees using their corporate laptops and corporate systems outside of their traditional security boundaries. It's unfortunate that we would see employees use their personal system for work purposes, and their work system for personal purposes. Many organizations never thought about a mass mobility remote workforce. The vulnerability of these environments has increased.

Criminals feed on uncertainty and fear, regardless of whether it's physical world crime or cyber crime, creating a ripe environment for crime of all sorts. Uncertainty and fear have been abundant over the last 18 months. Cyber criminals have taken advantage of companies' lack of preparation, considering the speed of disruption and the proliferation of data that was taking place. It was a good place to be a hacker. In our own research, we found that over half of businesses have experienced more cyberattacks in the past year.

That's significant. IT support has to support all of these additional nodes from people working remotely while also addressing the additional risks of social engineering and ransomware. How has the combination increased data security threats?

The shift to remote work was one of the effects of the pandemic and it was an important part of traditional IT initiatives. Digital transformation in IT initiatives may have been planned or in progress. Resources are stretched. There are challenges in the IT space and particularly in the security space around labor shortages. The lack of cybersecurity professionals is one of the main vulnerabilities within the sector. Both the public and private sectors have been warning about the crisis for years. A study done last year by ISC2 found that we are 3.1 million short of the trained cybersecurity professionals that the industry needs.

We estimate we will need to increase talent in the US and worldwide by about 41% and 89%, respectively, to meet the needs of the digitally transforming society. From a vulnerability perspective, labor is a key piece of the equation. We want to start organizations in a better position. Building security, privacy, and resilience should be central to the offering, starting from the design to manufacturing, all the way through a secure development process through supply chain, and following the data and applications everywhere they go. This strategy is called "intrinsic security" and it is building security into the infrastructure and platforms that customers will use, therefore requiring less expertise to get security right.

The attacks are not slowing down. Social engineering is a top concern. Criminals use social engineering to trick employees into handing over information or opening up the door to let criminals into their system, which is one of the most popular methods used by hackers to get their first foot.

Is intrinsic security similar to security by design, where products are built with a focus on security first, not security last?

That's correct, John. It is easy to do the right thing from a security perspective when considering using these technologies because they are designed by default. It means an increase in security professionals across the company, but also ensuring that security professionals are touching all of the offerings at every stage of the design and making sure that best practices are being instituted from the design, development, and manufacturing stages all the way through. The challenges our customers are facing in finding the right cybersecurity talent to help them protect their organizations make us think this is a winning strategy.

The security hiring and reskilling challenges have been around for a while, so I'm assuming Dell started thinking about this quite a while ago. It takes more and more good people to stop the bad actors. With that in mind, how do you think the focus has been sped up by the epidemic? Is this something Dell saw coming?

John: Dell has been investing in this area for a number of years. It's clearly been a challenge, but as we've seen, it's certainly accelerated and amplified the challenge that our customers face. It's more important. Over the years, we've increased our investment in both security talent engineering and acumen. We'll continue to invest because it's a priority for our customers.

That makes sense. How is Dell ensuring employees take data protection seriously and don't fall for swindle attempts? What kind of culture and mindset is needed to make security a priority?

Everyone's job is security at Dell. It's not just the security teams within our product and offering groups. Every employee has a responsibility to help protect our company and our customers. We've been building a culture of security where we give our employees the right knowledge and training so that they can make the right decisions and help us stop some of the criminal activities that we see. The training program that's been very successful is the phishing training program. In this, we are constantly testing and training our employees by sending them fake phishing emails, so they can better spot phishing emails. We saw more employees spot and report the simulation test in the last quarter.

The training activities are making a difference. Over the last year, we've seen thousands of real phish attacks that were spotted and stopped as a result of our employees reporting them to us. Training is important, but it's against the backdrop of a culture where every team member knows they have a role to play. As we look at October as Cybersecurity Awareness Month, we're increasing our efforts to promote security awareness and the responsibilities that team members have, whether it be how to securely use the VPN, securing their home network, or even how to travel securely. It starts with employees knowing what to do, and then they understand their responsibility to do so.

That shouldn't be a surprise. Dell is a large global company, but at the same time, is this an initiative that employees are starting to take a bit of pride in? Is there less complaining about "Oh, I have to change my password yet again" or "Oh, now I have to sign into the VPN?"

The increased attacks on the news every day have an effect on the everyday person at home. It's affecting whether people can put food on the table and what type of food they can order. Over the last couple of years, awareness has increased. We've seen a rise in the attention and pride of the employees because of the understanding of why this is important. We have internal scorecards. We make it a friendly competition where each team can see who is finding the most security tests. They love being able to help the company, and more importantly, help our customers in an additional way that goes beyond the important work they're doing day to day in their primary role.

That's great. I like to ask security experts, since they see so much: what kind of security incidents do you hear about from customers and businesses in the industry?

It's an unfortunate reality that we get calls every day from customers who are facing some of the worst days in their corporate experience, whether they're in the throes of being hit by ransomware, dealing with some other type of cyber intrusion, or data theft. One of the messages that rings true through all of these engagements is how they wish they had prepared a bit more. They wish they had taken the time to have certain safeguards in place, whether it be cyber-threat monitoring and detection capabilities, or increasingly with ransomware, more focused on having the right storage and data backups and protection in place, both in their core on-premise environment.

It has been surprising to me how many organizations don't have data protection strategies. If you have a backup that is 300 miles away from where your data is stored, then it's safe. Humans who find your backups wherever they are and seek to destroy them in order to make their extortion schemes more impactful are not being thought of by people. It's surprising to me how few people are educated about modern data backups and cyber resilience.

With increasing prevalence, we're having these conversations with customers, and they are making the investments more proactive before that day comes, and putting themselves on better footing for when it does.

Do you think companies are thinking about data protection differently now that the cloud is involved? How will the cloud help companies keep their data secure?

There is a general realization that customer data is everywhere, whether it's on premises, at the edge or in public clouds. Consistency across all of the different environments is one of the benefits of a multi-/hybrid cloud approach. The security benefits that come with a multi-cloud approach can be seen as a reason why people are taking it. When we looked at our global data protection index findings, we learned that applications are being updated and deployed across a large range of cloud environments, and yet confidence is often lacking when it comes to how well the data can be protected. Many organizations use multi-cloud infrastructure, deploy application workloads, but only a small number of them are confident in their cloud data protection capabilities.

One-fifth of respondents said they had some doubt or were not very confident in their ability to protect data in the public cloud. It's quite alarming when organizations use the public cloud to back up their data as part of their disaster recovery plans. They're copying all of their business data to a computing environment in which they have low confidence in the security. Organizations need to make sure they have the right solutions in place to protect their data in the multi-cloud. Our focus is on building security resilience and privacy into the solutions before they're handed to our customers. The less customers have to think about security, the better.

Selecting the right partner is one of the strategies to consider. The cost of data loss in the last year is four times higher for organizations that are using multiple protection vendors as compared to those who are using a single vendor approach. Everyone needs a data vault. A data vault that's isolated off the network is built to deal with the threats we're seeing. This is where customers can put their most critical data and have the confidence that they're going to be able to recover their known good data when that day comes, where data is really the lifeline that's going to keep their business running.

Is the data vault hardware or a cloud solution? Maybe it depends on your business.

There are a number of different ways to build it. There are three key considerations when building a cyber-resilient data vault. It has to be out of sight. Anything on the network is at risk.

It has to be immutable, which means that once you back up the data, it can never be changed. You can't change it again once it's written on the disc. It has to be smart. The threats that are going to be coming after them have to be designed to be more intelligent than these systems. It is important to design the data backup systems with the threat environment in mind.

I can see it. It sounds like some government agencies work offline.

The world has come to that. Again, there's no sign that this is changing. The incentives that cyber criminals face are incredible. The consequences are low. It's the largest, most beneficial criminal enterprise in the history of humankind in terms of what they're likely to get out of an attack versus the likelihood that they're going to be caught and go to jail. I don't think that will change soon. Businesses need to be prepared.

It's true. We don't hear about all the attacks, but there is a reputation cost when we do. The water treatment plant in Florida was attacked earlier in the year. Do you think there will be more focused attacks on infrastructure because it's easy to do?

This is not the only problem. Regardless of the nature of the business you're running and the industry you're in, there's often something to be had if you look at your organization through the lens of a criminal. There are few companies that can say, "I don't have something that a cybercriminal would want." That's something that every organization needs to contend with.

As companies incorporate machine learning, artificial intelligence, and like you mentioned earlier, edge and internet of things devices, there is data everywhere. With that in mind, how can companies best protect their data?

John: It's a double-edged sword. Dell has been able to witness the digital transformation firsthand. Digital transformation and the benefits are tremendous, as we've seen in improvements in quality of life and the way society is transforming through emerging technologies like artificial intelligence and machine learning. If it's invested in and deployed in a way that isn't secure and isn't well prepared for, it's potentially new risk. According to our full data protection index, a majority of people believe that these technologies pose a risk to data protection, that these risks are likely contributing to fears that organizations aren't future ready, and that they may be at the risk of disruption over the course of the next year.

The lack of data protection solutions for newer technologies was one of the top three data protection challenges organizations cited. Investing in emerging technologies is important for digitally transforming organizations and not likely to survive in the era we're looking at competitively. It's important that organizations make sure their data protection infrastructure is up to date with their digital transformation and investment in these newer technologies.

When we think about all of this, do you have any tips for companies to future proof their data strategy?

There are a few things that come to mind. It's important to keep a constant eye on priorities from a risk perspective. We can't secure everything perfectly, so prioritization is important. You have to make sure that you're protecting what's important to your business. Having regular strategic risk assessments and having them inform the investments and priorities that organizations are pursuing is an essential backdrop against which you actually launch some of the security initiatives and activities.

Practice makes perfect, that's the second thing that comes to mind. Exercise. Is it possible that you could recover if you were hit with a computer virus? How sure are you of that answer? We find that organizations that take the time to practice, do internal exercises, do mock simulations, go through the process of asking themselves those questions, do they pay the ransom? Do I not? Is it possible to restore my backups? How confident do I feel? Those who practice are more likely to perform well when the day comes where they are hit by a devastating attack. Most organizations will face that day.

It's important that security strategies are connected to business strategies. If the data that they rely on is unreliable, most strategies will fail. Security and cyber-resiliency efforts can't be done on an island of their own. They need to be aware of and supportive of business priorities. I haven't met a customer who still has a viable business strategy if they're hit by a data protection threat, and they're not able to quickly and confidently restore their data. How confident are you in your ability to respond in the event of a disaster, in light of everything that we've been talking through? How are you changing your cyber-resiliency strategy to better prepare?

That certainly is a key lesson. It's more than just a technical problem. It's a business problem. Everyone has to be involved in the thinking of the data strategy.

John: Absolutely.

Thank you very much, John. It was great to have you on the Business Lab.

John: My pleasure. I would like to thank you for having me.

I spoke with John Scimone, the chief security officer at Dell Technologies, from Cambridge, Massachusetts, the home of MIT and MIT Technology Review, overlooking the Charles River. This is the last episode of Business Lab. I'm your host. The custom publishing division of MIT Technology Review is called Insights. The Massachusetts Institute of Technology was where we were founded. You can find us at events around the world. Please check out our website for more information about the show.

You can listen to this show wherever you get your podcasts. If you liked this episode, we want to hear from you. Collective Next produced this episode. Business Lab is a project of MIT Technology Review. Thanks for listening.

Insights is the custom content arm of MIT Technology Review. It was not written by the editorial staff of MIT Technology Review.