In today’s digital landscape, organizations need to build a secure foundation to protect their data. Yasir Ali is the Founder and CEO of PolymerHQ DLP, a company that offers a unique approach to data loss prevention designed for SaaS applications. He brings valuable insights about protecting your organization’s data and his approach to data loss prevention. He also shares emerging trends impacting the future. Yasir also draws the curtain to show how PolymerHQ DLP started. Join us in this conversation about protecting your organization’s data.
Data Protection: Protecting Your Organization’s Data In The Digital Age With Yasir Ali
Welcome to another episode of the show. I am John Riley. We have an amazing guest who is a former finance professional who has practiced yoga enough to qualify as a pretzel. He loves expanding his mind with such good books that he sends his customers one on an annual basis.
Welcome, Yasir. How are you?
I’m good, John. Thanks for having me. I’m really excited to be here.
I’m George Usi. Sometimes, every once in a while, we do these episodes and John forgets to introduce me. I pay him back the favor from time to time as well. It’s a pleasure to have you here.
George, thanks for having me. It’s nice meeting you as well.
We’re going to jump right in here. Yasir, how would you explain the difference between what cybersecurity is and what cyber risk is if you’re talking to an executive?
As an executive, cybersecurity ends up becoming a ball of headaches and some form of risk, although it’s not quite well-defined in people’s minds. Cybersecurity is an overall umbrella construct that talks about anything related to my data being at risk. The risk is quantifying what that looks like and what that means for someone’s organization.
What cybersecurity risks do you see companies facing? What are the most significant ones? Where do those risks come from for the most part?
There are numerous. Cybersecurity breaches saw a triple-digit percentage increase year over year in 2023. We expect the same to happen in 2024. With the adoption of AI, not only are enterprises getting tools to make their life easier, but so are the bad guys: the ability to do social engineering to hack in and use someone’s password to go after a soft target in the enterprise, and then to breach or create malware that can lock you as an organization out of your own data and stop operations altogether.
UnitedHealthcare, which is one of its partners, cannot service tens of thousands of customers on the billing side. Microsoft has an ongoing breach going on, which is mind-blowing. It’s been months in the making. It’s still going on. These are the ones we know about. As a small business, mid-sized enterprise, or large enterprise, you are as strong as the weakest link in your organization. That usually means the employee who has not changed the password in some time, someone who is using the same password everywhere, someone who loves to shop online and click on every offer that is sent to them on their email, or someone who can pick up the phone and divulge their social security number to anyone asking. The risks are numerous, but human risk is probably the biggest footprint out there for any enterprise.
I saw something that said 65% or 70% of breaches are caused by humans at this point. You’re right. During that chain of risk transference, there’s a potential even if you’re using Microsoft or some large company that they’ve got some sort of breach going on that they may or may not know about. You can transfer some of that risk by using online providers, but you still have to make that decision, be cognizant of what data you’re sharing with them, and make sure that they’re doing all the right things.
Third-party risk is probably the other 30% or 40% of the risk bucket. Coming from finance, third-party risk or counterparty risk was a piece. Any trade you get into with a counterparty on a derivative or you buy a bond or sell a bond to someone on borrow, that counterparty goes down. You get the financial crisis, for example. That was one major use case of how counterparty risk can affect the entire environment.
As an enterprise, you’re sharing data with a third party. You have data processing agreements in place. In the EU and the US also, a lot of companies are demanding it. Those are scratching the surface in terms of understanding what that risk is. We see that risk transference piece of the risk that is not quantified very well in organizations in general.
Agreed. When you’re talking to CEOs, do you feel like they’re prioritizing that cyber risk? Are you seeing it where they’re causing sales, especially with third-party risk transference and using third-party vendor management? What are your feelings on that?
Yes and no. There is a board-level action item at every board meeting talking about cyber risk. Cyber insurance used to be a piece where I’ll take cyber insurance and I’m good to go, but people have woken up to the fact that that might not be enough coverage for the mission-critical work they’re doing, with companies being locked out for tens of days from doing any business, which could be the Achilles heel that kills a business in many cases.
I’ll give you a perfect example. When you think about counterparty risk, it’s about, “Who are the contractors from the third party? Who is accessing our system?” That could be one angle of the risk, but no one is talking about my Microsoft 365 and how I’m sharing my documents with a link with my counterparties or third parties and my partners and my wider partners. Those partners are sharing those links, my data, with the third party ahead of that. The chain event of counterparty risk transpires from there on. People don’t have any understanding of that in the marketplace. That’s one example of that.
You have to be very careful about what data you’re storing and understand what that is and then who you provide access to, whether they’re a partner or not, or whether there’s an NDA or not. Even if you have an NDA, are they sharing it? It all depends on who you’re sharing it with.
In finance land, which has been at least twenty years ahead of the rest of the market from a data protection perspective, the idea around data retention policies is that after seven years, you’re required to delete or purge the data. In some cases, in the EU, some organizations made it a point to purge it. The more data you store, the more risk you are adding.
It’s great. I can look back at my analytics engine and see a graph that goes back an extra ten years, but the reality is the value of that beyond seven years in many cases, other than looking pretty and making the graph look smoother, might be de minimis. You’re adding a lot of risk to your own enterprise by storing and never purging it.
I’m curious. We always have these challenges with cybersecurity. I refer to it as the footprint of protection. Ultimately, the bigger risk is these looming sanctions that are coming down. It does make me question. Why would an organization not want to improve its data protection position knowing that the sanctions could be so incredibly steep that it’s mere pennies to make that investment for data protection as well as policies, procedures, and programs to make sure the organization is handling sensitive data carefully?
What’s your perspective on some of these sanctions? Let’s call them cyber laws or regulations. Some of the things that you see in the news every day about companies being fined, what do you think that’s going to do to impact these more medium-sized businesses that are out there? Do you think they’re going to have to pay the price?
Ultimately, it’s the small guys that have had to pay the price. The regulations come in because some big companies have caused the leak to happen and everyone else needs to suffer from it, even though they may be a less ideal target for the large hacking groups. To answer your question on why it’s not being done, or why it’s not being done to the extent it needs to be done, a lot of it is related to complexity.
I’ll give you a perfect example. I used to do a lot of master data management program work in my past life as a consultant at large banks and insurance companies. To even understand what you need to protect, you need to know what systems you have in your environment, who’s using them, and what data is in them. Even that simple exercise, which can even be step one to do anything else beyond that, very few organizations had a full handle on that.
In this exercise we were doing to try to see what can be moved over to the Cloud, what data needs to go there, and what privacy policies get impacted if you move it to maybe an AWS environment versus locally in your Equinix center, for example, there was sheer complexity to it. A lot of times, these programs were run very bureaucratically. What I saw from firsthand experience in the trenches to be the main cause was sheer understanding: having a classification, having a glossary of what you even possess in a nice, neat format was the biggest stumbling block.
Sometimes, I wonder if organizations realize that their data flows like water, or even worse, like a soda spilled in a car: it goes into the carpet or it goes into the floorboards. It’s unstructured. It goes wherever gravity takes it sometimes. Organizations that aren’t really focusing on that, on understanding where their data is, are the ones that are going to struggle. What do you think they should do to fix that? What do you think they should do to address it?
Historically, when people talked about data protection or data privacy, it used to be around, “Let’s go scan our databases,” where the golden sources of copy used to reside. A lot of work is happening with documents that come in an email. Maybe they’ll make their way into your OneDrive or SharePoint, and then they’ll get edited there or collaborated over there, and the final document will go via email. Nothing will happen with the historic database environments, which used to be where a lot of transaction information used to sit.
More information is happening unstructured, and organizations are finally waking up. It’s changing. We are seeing it changing where there are AI-enabled services available to understand what is in those documents, what is being said, how is it being at risk, and who’s it being shared with. There are tools available. Organizations are finally catching up to it, but hopefully, it’ll be done sooner than later.
From your perspective, what emerging trends do you see that are having a profound impact in the near future?
Emerging Trends
We talk about AI a lot. That is getting a lot of middle management and senior management time and board-level time in terms of what an AI strategy should look like. One of the impediments we are seeing from the market is exactly what the White House is talking about, what the regulation is talking about, and what George hinted at a little bit from an AI governance perspective. It is around what data is going into the LLM model or third-party LLM model and what can be extracted out of that with some clever prompt engineering.
It comes down to a very simple heuristic. What information is loaded in the model and what information can get out of the model by my employees, someone else, or maybe some other organization if it’s a third-party tool? That’s where understanding what information I possess needs to go in training the model and understanding where that information resides that needs to improve.
We’ve had legacy technologies out there that have tried to do it and have failed. It is understanding what’s sitting in your most collaborative and most rigorously used workflow environments. I can name them on two hands. It could be Microsoft tools or your ServiceNow ticketing system, for example. It could be your CMDB. It could be a Salesforce environment. It could be your email systems. That’s where most of the information, your golden sources of copy, are sitting. Understanding what’s in there and how that’s being transacted is probably the first step.
The second step is if you are looking to deploy AI, if you are looking to deploy or build services yourself or use a contractor to build some AI chatbots that your customers or your employees can use, then having some sense of what data is going into those training models is where I see the biggest opportunity, which kills two birds with one stone. It makes you more AI-enabled also for the future. It also future-proofs you for any AI investments by understanding these big systems or big platforms you’re using which can contain customer data or your company data.
I’ve seen where there’s a certain pushback from an employee standpoint when they’re training AI to give it false information on purpose to try and make it so that it has false information. Overall, if you’ve got multiple sources and everything else, you’ll be okay. I understood that. Have you worked with a company or been around a company that’s had some sort of disaster? What does that disaster journey look like for them after a hacker succeeds in stealing sensitive data and that feeling of their heart dropping or their jaw dropping? Have you been around anything like that?
Yes, and it’s not fun. You have multiple levels of these kinds of transgressions that take place. You might have a UAT environment or a testing environment, which is non-prod. It is where someone comes in and starts to mine Bitcoin. You won’t even know it for months. Your Cloud bill has gone into hundreds and thousands of dollars. That is not uncommon. I would seriously encourage your audience to look at the Cloud bills more aggressively on a monthly basis because of that risk by itself. It’s one of those things that they can keep humming along in the background maybe with some kind of variance that you wouldn’t even know it.
In catastrophic environments, we would get involved in some cases. It’s not our main bread and butter, but it’s not pleasant. You have business owners who think they might be going out of business. Your transaction system, inventory system, or order system does not come back online, but you have to shut it down because the hacker is going in and encrypting your hard drives or Cloud drive information wherever the access is still available.
Having good backups has been a good fallback. Maybe it’s not a backup from yesterday. Even if it’s a backup from last week, at least there’s some sort of comfort like, “I can go back to some data if I need to restore it. Once I can identify where the hacker came from, I can plug that hole in.” The advice I have and what the practitioners have given to customers has been to assume you’re going to have this and be ready for it as a disaster recovery plan.
In the old days, we used to go to a data center in Mahwah, New Jersey, sit in a terminal, and do the disaster recovery from post-September 11th, 2001. That was one method of doing it. After Hurricane Sandy, we did a similar analysis. Banks used to do that all the time. They still have these backup facilities in the data centers available. In terminals, how can you work with multiple apps on one small screen? Same advice I will have for what will happen, what will our mode of action be, and what is available in employees’ devices themselves they can use if they have to go down to a backup service assuming that their main systems are down.
It’s very much like trying to plan for that. If you haven’t practiced, it’s going to be a rough challenge not knowing who to contact when and where, and what an actual emergency is. It is something to be practiced within an organization. Yasir, tell us. How did you get started? Tell us a bit about you, your company, and where you come from.
PolymerHQ DLP
I used to be in the finance world. I was a bond trader and a developer building mortgage systems. I saw counterparty risk work its way through the system in a spectacular way with the financial crisis when I was trading subprime mortgages on a proprietary trading desk at Barclays circa 2008 through ‘10. I used to lead a bunch of hedge funds before.
What led me to where I am as the Founder of a cybersecurity company called Polymer, a data security platform, are the learnings from ten years of consulting work I did for large financial services organizations and technology firms, thinking about data privacy, technology, and tooling around that, and seeing what was missing. One of the big pieces was understanding unstructured data sets.
That is what led to Polymer. We launched this company a few years ago. It’s VC-backed. We service large enterprises in, number one, data observability, understanding what information you or your employees have in their emails and file storage systems like OneDrive and Google. We are able to detect anytime sensitive data or customer data is leaking, being sent, or being downloaded and then be able to stop it also.
One of the innovations we have in our product we are proud of is bringing in employees as part of the solution. Historically, security teams would do this as a whack-a-mole exercise, which is not quite scalable. The employees, if they are doing something wrong, usually don’t mean it. 80% of the time, it is sloppy behavior. It is nudging them and training them like, “You are doing something wrong. You might want to retake another look at it,” or, “There might be a better way to do it.”
Gentle nudging goes a long way in making sure these events don’t happen in the first place. That’s what has resonated in terms of educating your employees to be better data citizens. It comes down to, a lot of times, a lack of understanding of what is right or wrong. We have seen information security training programs fail in how best to use SaaS products especially
Cyber Security Breach
Sometimes, when somebody’s told to go through a training session, they gloss over some of those how-tos to stop the leaks or what information they shouldn’t necessarily share. When the phone rings, they want to be helpful. That’s where you want to answer the question and try to be the best you can. Sometimes, it is a leak of who the CFO is or maybe not publicly available information that can cause some issues. I’m going to ask an abnormal question. Is this something that runs on a desktop or is it something that runs on the server, your application, or both?
It’s pretty straightforward. We are Cloud-based, so it’s an easy install. We need the admin on the customer side for your Google and Microsoft products, or whoever is the system admin, to handshake with our APIs, and then we are in business. The installation takes about fifteen minutes even for the largest organizations. We’ve done it for companies like CVS Pharmacy, Edward Jones, and Addison Security, to name a few. After that, it’s a fairly straightforward path. We have a bunch of templates and a bunch of roadmaps for people to get going and become mature in their data governance program. It’s pretty straightforward to use. There is a slight tightening up of the dials as the journey progresses at the organization.
Also, tell us a little bit about how you got into yoga and that part of it.
It was a pure accident. You needed something to do. My friend said, “There’s a Bikram yoga class,” near where my house is. I started going. I went once and the teacher laughed me out the door because I was in so much pain. I didn’t do anything for a couple of years but then I got back into it. That’s been a great way to keep the mind sharp and keep the stresses away a bit.
It also keeps the body more flexible, right?
The body more flexible also and the strength that comes with it.
If you’re working on all these things, what’s the thing that you’re most excited about in what you’re working on?
We are really getting a lot of pull from the market and doing a lot of AI enablement safely. Rather than going and getting a third-party service to connect to your enterprise data set directly, we provide a very easy way to do it through our guardrails, which can monitor the data flows. We make sure what’s going into the third-party models and what’s coming out is governed. We have easy ways of zapping out sensitive data if you set up the policy that way also. I am pretty excited about that work to allow businesses to safely enable AI fast.
We’re getting towards the end here, but tell me. What’s one action item that you would want our audience to be aware of? Specifically, what advice or tips would you give for reducing cyber risk?
From my viewpoint, take a look at what’s sitting in your SaaS environments and who has access to it. Your head of IT or even your CIO might not even know what’s sitting in your OneDrive, where the files are being shared, and how long they’ve been shared. Even after the contractor is no longer working with your company, you’ll be surprised how much data is sitting out there that’s accessible from the outer world. That will be step one. It’s a good proxy also for the risk of your overall data profile from a data security posture perspective for the wider organization, that one simple test.
We appreciate your time. Thank you for your insight on this. We’ve got a great future with AI. It sounds like your tool is great at finding the data and pulling that in. We appreciate it. To the audience, we thank you for tuning in. If you’ve learned something, laughed, or smiled, please tell somebody about this show. There it is. This has been another great episode of the show. We hope to see you next time. Thank you, everybody.
Thanks, Yasir. I appreciate you.
Thank you.
About Yasir Ali
Founder and CEO of PolymerHQ, he worked in finance, enjoys yoga—he has practiced so much he could be a teacher—loves to read, and he sends books to his customers every year.