Michael Sampson, Osterman Research: "a significant proportion of organizations are not sufficiently proactive"
Digitalization has brought immense opportunities to make the ways we conduct business, complete day-to-day tasks, and spend our free time more efficient and simple. But it has also brought about previously unseen challenges to our privacy and network security.
Threat actors are actively exploiting technology to profit financially or collect data on organizations and users. In times when data is the new oil, it’s worrying that many companies still focus on the after-attack recovery rather than prevention.
Today we talked with Michael Sampson, Senior Analyst at Osterman Research, to gather insights on emerging threats, effective cybersecurity solutions, and tips on how to protect oneself against cyberattacks.
Tell us about your journey. How did Osterman Research originate?
Michael Osterman founded Osterman Research in 2001. He had been working for other market research companies before founding his own firm, but he saw an opportunity to invest his considerable research and analysis skills under his own name. The rest is history, as they say, and hundreds of research projects later, we continue to pursue insights to help technology vendors get better and organizations improve. There have been some research themes that have come and gone over the years. For example, we do almost nothing now on market sizing for messaging and collaboration tools, which were of higher interest in our early years. I started working with Michael Osterman in 2008, although it wasn't until the beginning of 2021 that I stepped into a Senior Analyst role.
Can you tell us a little bit about what you do? What are the main challenges you help navigate?
We do primary market research, such as surveys, on three core topics – cybersecurity, data protection, and information governance – and share those findings in white papers and webinars. We frequently work with technology vendors who want to understand the state of a market segment and the trends in the market, both to shape internal product and service deliverables and also to educate their market on current issues. We also conduct market research on topics of more general interest that multiple technology vendors sponsor. For example, we have recently released multi-sponsor reports, including Privacy Compliance in the United States, Cybersecurity in Financial Services, and How to Deal with Business Email Compromise.
In your opinion, what industries should be especially attentive to the IT market trends and conduct research regularly?
Industries that are characterized by rapid change of various types are best served by regular research to stay current. That change might be in the form of novel cybersecurity attacks that impact some industries much more than others (e.g., healthcare), or it might be those industries that are subject to greater levels of regulation and need to understand how regulatory changes will impact their customer base and revenue models. In short, the more an industry is subject to changes in market, regulatory, or other conditions, the more it should focus on good research to understand how those changes will impact its ability to generate revenue in the future.
Did you notice any new cyber threats emerge as a result of the recent global events?
In the early days, unsecured Zoom rooms were a big problem with newly virtual teams. The education sector also saw this with remote learning, where people who should never have access to children were able to compromise Zoom-based classrooms and display pornography or worse. The ongoing cyberthreat, though, is the use of unsanctioned cloud apps or collaboration/chat tools by employees and business units for conducting official business. Although not a cyber threat per se, organizations must also understand the implications of new tools and their requirements to archive business information generated by them. For example, if an organization is required to archive business communications from Zoom calls and fails to do so, it could run afoul of its regulatory obligations to retain data. Similarly, if that organization does archive these communications but experiences a ransomware attack and loses its archived data, it could face the same regulatory consequences.
Despite all the solutions available today, some companies and individuals still refuse to update their cybersecurity tools. Why do you think that is the case?
I'll give an easy answer first: some will never change unless caught up in an incident that causes them direct and significant pain. No amount of warning, cautioning, risk mitigation, or best practice advocacy will ever be enough to get some companies/individuals to change. Our research has shown that a significant proportion of organizations are not sufficiently proactive. They tend to react quickly and with an adequate budget when hit by a major ransomware attack, for example, but tend to be far less proactive in preventing these types of incidents.
Another of my answers is more nuanced and multifaceted. Cybersecurity is a complex and ever-changing field that can be difficult for many companies to understand, given the wide range of security solutions available and the enormous number of vendors that offer competing solutions. For example, and quite conservatively, there are at least 2,500 different cybersecurity vendors operating today. It’s a nearly impossible task for the IT and security decision-makers to fully understand the offerings from all these vendors, compare them properly, understand how they will integrate into their current security infrastructure, and so forth. That results in suboptimal decision-making by many, and it can lead to a sort of decision paralysis where there is too much information to process, and so, decision-makers do nothing.
Keeping up with data protection requirements can sometimes be complicated. What details are often overlooked by organizations?
Agreed, it is complicated, and we've written lots of reports on this topic. The shortcoming that I see most often is a lack of maturity in underlying data disciplines, such as:
- Not having an up-to-date data audit that shows what data you have and where it’s located.
- Ignoring commonly used systems that increasingly contain data that requires protection, such as cloud storage services, unsanctioned cloud apps, mobile apps, etc.
- Not having the tools to automatically discover and classify the data across all systems and data repositories.
Peter Drucker famously said that you can't manage what you can't measure, and if seeing precedes measurement, then the lack of insight and optics into data is a fundamental stumbling block to meeting new and emerging data protection regulations.
What are some of the best practices organizations should adopt to protect their workforce and customer data?
I would recommend following these tips to improve the company's cybersecurity posture:
- Train your employees to be security-conscious and aware of security threats.
- Encrypt more of your data at rest, in transit, and in use.
- Stop using only a username and password as the way an employee gets access to systems, applications, and data. They are too easy to compromise through a whole collection of attack types.
- Adopt passwordless authentication, modern authentication approaches, strong multi-factor authentication, biometrics, and hardware-based security keys. They are all much better approaches that decrease the likelihood that the wrong person will be able to impersonate someone else to access their data.
- Limit access to sensitive data and systems to those employees and others who need it, and do not provide access to resources when it’s not necessary. Reducing the attack surface in this way can help significantly to reduce exposure to cyberattacks.
And for casual Internet users, what security tools should they implement to stay safe online?
These, in my opinion, are the most necessary security tools for everyone:
- Password managers. Use a password manager to store your account details and passwords. Modern password managers mean you only have to remember one password; the password manager does the rest. They also make it super easy to use passwords of 20 characters or more, which are a billion times harder (literally) to crack than shorter passwords.
- Multi-Factor Authentication (MFA). Use MFA everywhere you can; stronger forms of MFA essentially eliminate the risks associated with phishing and credential attacks.
But beyond tools, there are security-minded principles too. These are the approaches I would recommend following:
- Be aware of unofficial app stores. You may save a few dollars by getting a cheap app, but it comes at the cost of having your data stolen or malware installed on your device to steal account details.
- Be aware of links and attachments sent to you from unknown parties. Organizations increasingly use advanced email security tools to check links and attachments before delivering them to employees; consumer email services are less likely to have these.
- If an offer seems too good to be true, it probably is. Don't bite the hook! No rich widow that you don't know or Nigerian prince or lawyer for the same is going to wire you $45 million.
- Be skeptical of almost everything you encounter online. Think about and check out links you receive in email, on Twitter, on Facebook, etc. Most are benign, but the small percentage of those that are malicious can be very damaging.
Tell us, what’s next for Osterman Research?
Our recent research has been very oriented around cybersecurity, complemented by several programs on data protection and data privacy. Over the past 18 months, we have done less on information governance. I'd like to get back into research on that, while not letting go of our focus on the other two. However, regardless of what might change in the topics we research, what's next is the sense that we will always strive to deliver profound insight to the clients we serve and the organizations we work with to make them successful.