Cyberattacks are an inescapable part of business life. But whether a data breach severely disrupts an organization’s daily operations to the extent that its customers, board members, and employees lose confidence in the company’s executive leadership rests on how well-prepared the business is for an attack.
As it turns out, most organizations aren’t. In a recent survey conducted by data protection company Rubrik’s newly launched research department, Zero Labs, 92% of security and IT leaders expressed concern they would be unable to maintain business continuity if they experienced a cyberattack.
According to Zero Labs’ State of Data Security report, ransomware attacks are among the most common and thus the source of considerable concern. As ransomware attacks deny organizations access to their data, they require immediate and effective intervention. And yet, even though many leaders are aware of the increased threat of ransomware attacks, most reported a misalignment between senior IT and security operations teams in defense plans. As a result, more than 75% say they would simply resort to paying the ransom, further exacerbating the risk.
Unsurprisingly, many of these leaders believe their board has little faith in their ability to recover critical data and business applications following an attack, and about a third of those surveyed reported leadership changes in the aftermath. Beyond the business implications, 96% of leaders surveyed experienced significant emotional or psychological consequences following the attack.
With the frequency of attacks at record highs – nearly all respondents experienced an attack in the past year – the potential for significant impact is a top concern for many organizations.
“As an entire industry, we’re still really dealing with the ‘knowns.’ The things that are already out there are the majority of things that are waking our bosses up at night affecting our organizations,” says Steve Stone, who recently joined Rubrik to lead Zero Labs. “We’re years into this ransomware issue and we still see a real large challenge with organizations not having the highest degree of confidence in how they want to respond to this.”
Stone and Rubrik CEO Bipul Sinha sat down with Greymatter to discuss the findings of the report, the aim of Zero Labs, and strategies for organizations to prepare and protect their data from attacks. This episode was guest hosted by MarketWatch reporter Jon Swartz. You can listen to the interview at the link below or wherever you get your podcasts.
Hi, and welcome to Greymatter, the podcast from Greylock. I’m Jon Swartz, senior reporter at MarketWatch and your guest host today.
On today’s program, we’ll be discussing the ongoing challenge that businesses, government agencies, and public institutions face when it comes to keeping up with cybersecurity threats. As our technologies become more sophisticated, so too has the level of cyber attacks, and many organizations feel ill-prepared to keep up.
Joining me to deep dive into this topic are Bipul Sinha, who is CEO of cybersecurity company Rubrik, and Steve Stone, who just joined the company to head its newly-created research department, Zero Labs.
Bipul, Steve, thanks so much for being here today.
Let’s start with the first question. Rubrik provides data protection and recovery for large organizations across numerous industries. In the past decade since the company was founded, the nature of what that looks like in practice has continually evolved. At a high level, what are people worried about today?
Thanks, Jon, and thank you so much for this opportunity.
Just by way of background, I’m an engineer-turned-venture capitalist-turned-entrepreneur, and I started Rubrik with three of my friends almost nine years ago with this vision to transform data protection into a full on data security company.
Rubrik is a cybersecurity company and our mission is to secure the world’s data. We believe that the future of cybersecurity is data security because when your data is secure, your business is secure. And as we have seen in the last several years, cyber breaches continue to happen unabated in spite of businesses spending collectively $50, $60 billion for cybersecurity tools and platforms, as well as installing 30, 40 different solutions.
So what’s really going on? What is going on is the prevention and detection technology that everybody has been buying is not foolproof, and businesses have to rethink their cyber strategy specifically around resilience. How do they keep their business going even when the cyber breaches are happening?
So we’re going to go over to Steve. Steve, you joined Rubrik just a few months ago. Tell us a bit about Rubrik Zero Labs and what it does.
Yeah, I would love to, Jon. Thanks for having me. Excited to be here.
One of the really neat things that we’re doing at Rubrik is creating this Rubrik Zero Labs from the ground up. And that’s both a daunting task that we’re starting something so big from the ground up, but it also gives us a really interesting touch point where we could start this report by saying, let’s take a step back. Let’s not start diving right into a specific problem, a specific threat, a specific technical aspect. We got to really take a macro view of the landscape and not just the threat landscape, but the risk landscape and the impacts to people and teams.
Steve, tell us a bit about your background.
My background is pretty unusual, as in you wouldn’t really put out a career path for how I’ve got from A to B (although there’s quite a few of us that have had pretty similar backgrounds starting in cyber security). This still feels like a pretty new industry overall, so I think you’ll see a lot of folks like me that have had a pretty wandering journey.
My background really started in the U.S. military. I started out in law enforcement, nuclear security, moved into being a special agent with the Air Force Office of Special Investigations. There’s quite a few OSI agents or former agents moving across this space. A lot of great experience coming out of different cyber aspects and forensic aspects, but I wasn’t that kind of agent. I was a very standard agent. I worked crimes against children, I worked counter-terrorism, I worked counter espionage and was really focused primarily on the counter-terrorism mission space for most of my career and ended up really backing into cybersecurity. I ended up working as a case agent, with several of the nation state intrusions against the U.S. government, not because I was qualified (and I wasn’t at the time; I just had the right number of clearances based on what I was doing for counter-terrorism work).
I really kind of split time between these very, very different worlds when I was in the military. I left the military, joined the U.S. intelligence community on the government side – again, ostensibly as a counter-terrorism expert and was reflagged immediately into cyber intelligence. And I didn’t really have a background as an intelligence professional and I didn’t really have a background in cyber security, but it was just there was a lot of need. There were a lot of emerging areas and anybody that had any experience and was willing to try. It was a different time. So I spent about five years in the U.S. intelligence community.
I stood up at a cyber intelligence shop at one of the combatant commands and really focused on some high level intrusions. And what sounds crazy today is we spent a lot of our time back then discussing “Why is this happening, what does it mean? Is this real?” You just heard Bipul talk about just the vision and how this landscape has changed.
We just didn’t talk about it. It wasn’t a thing. And so I spent quite a bit of time doing that in the government and joined the private sector.
I joined a company called Mandiant. We were later acquired by FireEye and then later on Mandiant retained as a brand and ended up selling off FireEye. So I spent time at Mandiant, FireEye, back to Mandiant, and also some time at IBM working intelligence there for IBM X-Force Iris. And really what I’ve done in the private sector is [focus on] the intersection between threat intelligence and event response – whether that’s incident response, managed defense operations, product telemetry at scale – how do those worlds come together? And then ultimately how do you make that actionable and tangible for the right set of decision makers.
So that’s what my background has been, very much on the “bad guy” side of this industry. And when I came to Rubrik, I did very much the same thing. I came to Rubrik to really bring that expertise and pair that up with where Rubrik’s focus is with data security, and I really try to apply a lot of these lessons we’ve learned in other pockets of cybersecurity and bring that to Rubrik.
Can I ask you a quick follow up question? Based on your background, has there been a large influx of folks like yourself who work for the government who are now going into cybersecurity and the private sector?
I think that’s a really great question. I would say it’s almost the inverse. I would say early in the industry a lot of people came out of the government. I think if you look at the employees (and a lot of the founders of what are now these very mature cybersecurity companies) have very heavy government footprints. It was almost the only place where a lot of this talent was coming from. And a lot of what was coming out of the government came out of the military and it was almost always second and third careers. It wasn’t unusual that you’d have someone who was a communications specialist and then go into IT and then into cybersecurity, or someone like my background. Everyone kind of had these circuitous paths. I don’t think that’s so much the case now. I think there’s still a strong public-private overlap, but the landscape’s changed. You can go to school for this. There’s great programs, there’s internships at all these major vendors. So I think that pipeline, while still there, has really been augmented by these other viewpoints.
Okay. I’m going to ask you, Steve, about the Rubrik Zero Labs fall report called the state of data security. How is this different from other reports out there and what did it find?
So I think it’s different in one major way. We really had a novel opportunity to say, “We get to do this for the first time from the ground up, so let’s really just listen. Let’s look at what we are hearing from a wide range of experts.”
We specifically wanted to look at senior leaders. We wanted to really focus on what organizational leaders, what are they feeling, what are they seeing, what are they experiencing? And those are very different things, and that’s what I think is neat about this report is we were able to combine those and really kind of look at that and say this is the impact of this. It’s not just a dollar amount, it’s not just a resource amount, it’s not just a particular intrusion technique. This is what this looks like at scale. And I think that’s really the unique part here that we’ve done with this report.
One thing that you dwell on – and I think it’s something that’s ubiquitous – is ransomware that’s mentioned quite a bit in the report. And for those who are uninitiated, or haven’t been victims of it particularly, what is it and what should the reader take away from this and what your report found about ransomware?
So I’d say a few different things about ransomware. So let me answer the second question first, what is it? Ransomware at its most base level is really just denying an organization their data. It’s encrypting files and machines so the actual owner cannot access it and then they pay a ransom to get it back. That’s really what ransomware, by and large, refers to.
But as an extension of that, we’re seeing that really change and grow over the years. Now, it’s not just denying access to that data, it’s also threatening to leak that data, expose the organization, and do some follow-on things. So we’re actually seeing multiple types of ransoms with one technical event. So I would say that it’s a dynamic topic. It’s not just the encryption events that we know about.
The last thing I would say about ransomware is I’ve been doing this long enough that I can say I’ve been wrong more than once. And one of the areas I’ve been wrong at was when we really started to see ransomware emerge and become dominant several years ago. It wasn’t that it was new – I mean ransomware in some form has been around for a long time. It’s just really taken on this pervasive aspect the last few years. And I think if we could all go back to two, three years ago, I’m not sure anyone saw how dominant of a topic it would be.
And I think that’s what’s really interesting is it’s dominant for two reasons. One is it’s one of the few intrusion types you cannot look away from. You can miss lots of intrusions and just not know they’re there.
I think that’s the first part. The second part is when we look at it, it produces these really profound events. Going back to Bipul’s earlier comment, this is about data. And if you don’t have access to your data, if you don’t have confidence in your data being secure, it drives profound operational and business impacts. And I’m not saying other intrusions haven’t done that. They definitely have but not like this. So I think that’s why we see ransomware. Not surprised, but why we see it so much in this initial data security report that we focused on here at Rubrik.
Yeah, it’s interesting. I mean as long as this problem has been around, if anything, it’s getting worse, right? In a sense it’s metastasized into other types of threats. Is that what’s happening? Because as much as we hear about what cyber security companies are doing about ransomware and as much as we read about the cautionary tales, it seems to be reaching its tentacles deeper into companies. Is that right? And why is that so?
I think it’s right to a degree, and I would pull the punch a little bit to say here’s why I think it’s right: everyone’s learning that this is really effective. And I say everyone, meaning both those of us on the defender’s side and those on the adversary side. There’s this old term, they teach us very early in the military, that, “The enemy gets a vote.” And we’re seeing that with ransomware. This is an effective way for threat actors to monetize their work, which is typically one of the more challenging things with cyber crime.
In the olden days, we would talk about a cyber criminal group that would go after credit card data because they had a way to monetize that and different groups would do it. We still see a lot of business email compromise and fraudulent wire transfers. Well, that’s how those groups can monetize that. And we saw these different pockets targeting ATMs. Ransomware has shown a number of threat groups. There’s a range of ways they can monetize this, especially cryptocurrency, and it’s just easier for them. They get to focus on the things that they’re good at and not have to be exposed to in other areas. So I think that’s a really, really big deal.
The second thing is it goes back to my earlier comment about you can’t turn away from it. You have to address it. You absolutely have to get your arms around this, and I think that attracts a lot of attention.
The other piece I would say too though, and this is why we pull the punch a little bit, I think what we’re also seeing is what we would consider to be ransomware is actually pretty diverse.
You can also look at what this effectively can do is a data denial, which can be used by a range of other groups for other purposes. We’ve had multiple geopolitical conflicts with data destruction events. Some of those have used the exact same basic technology that’s deployed in ransomware.
So I also think it’s important that we keep in mind that our discussion of this has evolved a lot and has expanded greatly. So what we were talking about as ransomware three years ago, we’re still using that same term, but we’re rolling lots of other things inside that umbrella as well.
One takeaway, one interesting statistic [you found] before we go onto the next question is that on average IT and cybersecurity leaders were made aware of attacks 47 times in the last year, 52% suffered a data breach and 51% dealt with ransomware in the same timeframe. So that gives you an idea of the depth of the problem.
I’m going to go to Bipul. The narrative around cyber crime and cybersecurity tends to be around the business, the downtime, and other companies or customers impacted. So it’s interesting to shed some light on how these cyber attacks impact the people involved. Can you explain to us what these findings say about the people that need data to do their jobs, the criminals who threaten it and the people who protect it?
Indeed, Jon, if you look at the human side of cyber crime or cyber attack, cyber breaches, it’s the biggest untold story of our time. If you just look at the findings that our report had, a third of the board and executives have little to no confidence in their ability to maintain or keep their business going during a cyber attack. That’s massive. It’s like a third of the organization believe the business would not be an operating business in case of a cyber attack. And it really speaks to an area where the cyber community can do better. How do we drive confidence and peace of mind to this community so that they can actually keep the businesses up and running?
The other thing that I found very interesting was 96% of the respondents reported emotional or psychological impact because of an attack. Just think about it, we have a severe shortage of expertise in cyber, human expertise in the overall cybersecurity area. And if 96% of people are reporting emotional and psychological impact, we need to reinforce this team. We need to reinforce this critical expertise and these critical people.
But here is the thing, this is not all bad news.
And that is the big deal where people are openly discussing and talking and figuring out how we collectively address this issue. It’s a partnership among companies, it’s a partnership between government and private sector, it’s a human equation that is going to be a big answer to this challenge.
Hey, can I just go back to, you mentioned the 96% number, which just is glaring, is there, if we could unpack that a bit, I don’t know if you can go into much detail, but when you say emotional or psychological impact, do you mean the people who were responsible, who felt responsible for a breach had an emotional response or what, maybe I’m misinterpreting. What does that mean precisely?
What it means is that people (96% of the people) actually reported that when such an attack happens, it impacts them emotionally as well, and/or psychologically as well, which means that this is not purely about protecting the business, but they also associate their own ability to drive a change, their own ability to protect the organization is questioned by attack and that is the profoundness of this number.
So, consistently, the message with some of the findings of the report is that, as you said, it’s not just a financial impact, there’s a human toll that’s associated with this that we may sometimes overlook.
Absolutely, that’s what I was saying. It is the biggest untold story because if you think about cybersecurity,
And when an attack happens, it actually impacts people, because it impacts them psychologically, emotionally, it is very stressful, not just because sometimes people question their own abilities, but also organizational, like resetting, people have the concerns about losing their jobs and all sorts of things.
Interesting, interesting. So Steve, are there some other key findings from the state of data security report that you found revealing and that surprised you?
There were. So the first one I would say I think is revealing (but did not surprise me) is how much of this is coming from known vulnerabilities or things that we already know.
As you mentioned earlier, you know IT and senior cybersecurity leaders had cyber attacks brought to them about 47 times in the last year. So that’s their own organizations deciding this is impactful enough of an event, we need to tell the boss about this and we need to wake them up and get them involved in this. Now of those events, only about one-third of them involved a zero-day exploit. And for those who aren’t familiar with zero-day exploits, that’s effectively a way to run a cyber event that isn’t known. It’s hidden. People don’t know what’s out there. You can’t patch it. And this is what we talk about a lot in this industry – we talk a lot about zero days. It drives a lot of the news and it should rightfully so. These are the things that we don’t know about and they can have really profound impacts.
But let’s run the inverse of that. That means that two thirds of these 47 cyber attacks a year going to key senior leaders were from known vulnerabilities. Things that we already knew about. That doesn’t surprise me. We continue to see that be a really big struggle. And I don’t think this is a matter of organizations not doing the right things. These things are really hard. It takes a lot of work. You can’t read any vendor’s white paper or blog on a recent intrusion that doesn’t, say, use the latest patches, update, or do these fundamental things. The challenge is that those fundamental things are really, really difficult. So that didn’t surprise me.
Now, some things that did surprise me, one was we heard pretty loud and clear, again, going back to these organizations, 98% of them dealt with at the senior leader level a cyber attack. And that had in almost every instance, a negative impact on those organizations. What I found really interesting was that almost at the very bottom of that was the stock price. Only 5% of impacted organizations listed a stock price drop based on one of these events. That’s typically how we tend to look at it. We read a breach in the news and everyone goes and looks at how their stock is performing and what we’re hearing from these leaders is it’s inconsequential. On the other side of this, what was consequential, more than 40% of these same organizations lost clients over these events. They had profound impacts to their revenue. They had these impacts on their teams and their people that Bipul was just referencing. So we talk about 41% of the affected organizations that lost a client or clients based on this, and about a third of them endured some level of leadership change inside their organizations based on these cyber attacks. These are some pretty profound impacts and those are surprising me.
The other one I would throw out too, and I think it just goes back to what we’ve been talking about here, is we’re years into this ransomware issue and we still see a real large challenge with organizations not having the highest degree of confidence in how they want to respond to this. One of the things we heard is that about three out of four organizations would consider paying the ransom demand. About 76% are at least going to discuss paying the ransom. And about half of those organizations (right around 52%) said they would be either extremely or very likely to pay the ransom. Those ratios are even higher in newer organizations. So in essence, the newer you are as a company or a business or organization, the more likely you are to consider and or pay the ransom.
I think those numbers are pretty shocking where we are now. If I’d have seen those numbers the first really big year [of] ransomware [attacks], I wouldn’t be surprised. But we’re multiple years past that. And I think that’s telling us we’re not doing enough things well. And I don’t mean the victims, I mean all of us. We’re not providing the right solutions. We have not figured this out as a community. If three out of four targets are still considering paying the ransom, we have a lot of work left to do. So that was a surprise.
And then the last surprise, and I’m just going to steal what Bipul just said, it’s the accumulation of the wear and tear across these organizations. We’re hearing that the individuals that are having to work these events are just worn out. The teams that are working these events are worn out. The organizations that are funding these efforts are not sure of what they’re getting in return. That’s a really surprising accumulation of all of the wear and tear that we see from all these events. And that was the single most surprising thing for me in this.
What’s interesting is that, as you said, three fourths of those affected by ransomware would consider paying. Now is that a reflection of – I’m not sure how much on average they’re being asked to pay – I guess, maybe the decision-making processes that we’d rather pay and keep this secret rather than lose 41% of our customers, or eventually take a stock hit, or lose members of our executive team, or have to go through some sort of reorganization? I wonder if they think that just hush money basically is their easiest solution, hoping that they’re one and done. Maybe that is what’s going on in that scenario?
That may be an element of it. I’m not sure how much of the preponderance that is. I think that’s definitely a component. I think some other components that we hear pretty routinely is that some of these organizations just don’t even have the ability to get their data back. So if they haven’t already invested in mechanisms that allow them to recover and work with their own data, they might just be out of options. They might not want to pay these ransoms, but they don’t have a choice.
The other piece too is this shifting ransomware. We see organizations that have invested in the ability to recover and get their data back up and get back in the game, but now they’re dealing with the data leak problem. That’s a fundamentally different challenge. So they’ve prepared and solved one problem. Well, now the attackers are pivoting and they’re creating a second problem and a third problem and these other things.
And so I think this is a pretty complicated topic for a lot of these organizations that are dealing with this. And we’ve all been this way in a range of scenarios. These are easy things to talk about in the light of day when you have nothing but time, but when you’re in these, when you can’t open your store, when you can’t ship your products, when you can’t serve your customers, the things that you would never do before you might have to do now. And I think in the heat of these moments, we’re hearing pretty loud and clear that a number of organizations are still looking for better ways. They want more options for their decision makers.
And the companies that are more likely to pay – do those tend to be smaller companies that don’t have the resources or don’t have the technology, as you said, to regain their data?
I think in general, yes. I think you’ve hit on a pretty profound topic that we talk about a lot at Rubrik. And we’re not the only ones here. Wendy Nather, she runs a CISO advisory board over at Cisco. She’s coined a term called the cyber poverty line, which has really stuck with me since I heard her discuss it in the keynote. And the premise is exactly what you’re saying.
who we see struggling with this in the news.
So I do think that is why we see the smaller organizations, the younger organizations, be more apt to consider paying these ransoms. They just don’t have all the resources and they’re effectively below that cyber poverty line and they’re having to deal with every threat that you can possibly imagine.
What’s a typical ransomware demand in terms of dollars?
So it’s really all over the map. And I say that because there’s a range of ransom actors out there. We’ve seen anything from, when ransomware first started taking off, it actually targeted individuals. If you go back probably three-ish years, ransomware was actually pointed at individuals and you would look to pay three or $400 and get your own data back. And then the threat actors figured out that it was much more profitable to go after organizations and those numbers just started creeping up. It was in the hundreds of thousands. We’ve seen multiple millions. The news is full of different ransomware demands for $2 million, $20 million, $30 million and up and up and up.
So we really see the whole gamut, and I think what’s really, really fascinating there – it shouldn’t surprise us that the numbers are going up that I think makes sense. We’re also seeing the ransomware actors start really paying attention to critical moments. There was a big event over in Europe the last couple of weeks where an organization had made a public announcement that they were being acquired for a cash settlement and all of a sudden they had a ransomware event and the ransomware actor asked for a specific number based on what was being discussed publicly about that company being acquired for. So everyone’s paying attention to business. This isn’t in isolation.
Interesting. Interesting. Hey Bipul, what strategies and recommendations can cybersecurity leaders take away from these findings? Because we have this problem that’s growing, it’s becoming much more sophisticated and even tied into the economic model of the victims.
One thing that is clear is that cybersecurity is a universal problem. It impacts everyone from your largest global bank to your smallest school in your neighborhood. So the breadth and the scale of this problem is daunting. So for different organizations, the strategies that they’re thinking about are not only preparedness and cyber readiness, but also thinking about incident response and crisis management. Because it is now a two-sided problem. Everyone knows that the breaches will happen. So when breaches happen, how do you bounce back? And to improve the overall cyber resiliency, you need to combine the cyber readiness plus incident response crisis management plans.
What is also interesting is that, as Steve was describing, data is often the passive victim of cyber events. And the ability to directly observe data in terms of what is happening to it, who is doing what to your data. Organizations can really reduce cyber risk because at the end of the day, data is the most critical asset. And if you secure your data, you can rest assured that you can bounce back.
What’s next for Rubrik Zero Labs? Steve, what else can we expect from them in this cybersecurity research unit?
So the first thing is, as we take out this report and go public with this and discuss these findings, we’re going to apply these findings to ourselves. One of the big things that we’re focused on at Rubrik Zero Labs is this needs to apply to us as well as the larger industry and how we apply to our clients. So that’s the first thing we’re going to do is get this material out there, talk about the parts that we think are really impactful, and also run that drill internally.
We’ll have those same conversations with our senior leaders about how does this look? What do we need to change based on this? In the report, we make several recommendations that we’ve heard repeatedly from experts in this field on ways that we address this and we’re going to ask those same questions to ourselves and do that. We’re also going to start really focusing on Rubrik Zero Labs as the threat research element here at Rubrik.
And we want that to have impacts across both our clients. That’s first and foremost. We have an obligation to those organizations, but also to the larger community. We want to be good partners in this space and we want to be able to talk about what we’re seeing, how we think that can improve things both from a data security standpoint and also from a zero trust standpoint and put material out as quickly and as consistently as we can. And then we want to really focus on foundational pieces as well that can help drive forward collective understanding and give us solid touch points.
The next one I really want to look at is what’s a really good baseline for data security? One of the things that’s a challenge is we tend to talk about anomalies. We tend to talk about specific intrusions or specific impacts, but it’s hard to categorize those if we don’t understand the baselines, if we don’t understand what typical looks like. And now we can measure anomalies and impacts. So we really want to focus on that baseline for data security from both a threat and a defensive standpoint with Rubrik Zero Labs. Those are our next focus areas.
Okay, great. Bipul, just wrapping it up, what’s next for Rubrik? Where’s the company going and what do you have in your immediate plans?
What we see is that
And if you think about organizations around the world, they actually want to address these two-sided dilemmas of preparedness and ability to do incident response and bounce back. And what we are doing is fundamentally driving that cyber resilience, that business resilience so that you can continue to operate even in the presence of cyber breaches. There is a huge potential to apply machine learning, artificial intelligence directly to your data to drive security intelligence out of it. And that’s where we are spending a lot of time.
Well, this is very interesting. It is a real threat not just to companies from a financial point of view, but to their employees and their state of mind and their state of health. Thank you so much for your time and participating in our podcast.
Thanks for having us, Jon. This has been great.
© Copyright 2022 Greylock Partners
Building Cybersecurity Confidence | Greylock – Greylock Partners