Workday Podcast: How to Think About Cybersecurity in 2019

Cybersecurity continues to be front and centre after a number of high-profile global breaches. But how should businesses be thinking about this topic?

During Workday Rising Europe late last year, I sat down with Archana Ramamoorthy, director of product management at Workday, to learn more about the IT security threats facing businesses and how organisations can have a key role in fending off cybersecurity attacks. Take a listen here:


More of a reader? Here’s the full transcript:

Steve Dunne: The year 2018 was quite a year for cybersecurity, from the high-profile Cambridge Analytica data leak to the global WannaCry ransomware attacks, and exposure to other IT vulnerabilities. Organisations have their hands full just to stay on top.

I’m Steve Dunne from Workday. Today on the Workday Podcast, we’ll learn more about the IT security threats facing businesses, and also why organisations play a key role in fending off cybersecurity attacks. We’re joined by Archana Ramamoorthy, director of product management at Workday, who, amongst other things, helps set security product strategy and deliver the Workday security product vision to customers across the globe. Welcome to Vienna, Archana.

Archana Ramamoorthy: Thank you so much for having me. It’s great to be here.

Dunne: Diving straight in, I mentioned briefly at the top of the show that it’s been quite a year in terms of cybersecurity. Can you talk us through some of the main threats that we’ve seen, and about the security landscape more broadly?

Ramamoorthy: This has certainly been the year that’s made CIOs sit up and actually re-evaluate what their business applications are doing. We’ve seen widespread hardware vulnerabilities. We’ve seen high-profile phishing attacks. We’ve seen data leaks and data breaches almost everywhere in the world, and hardware and software are both being targeted. And the primary motivation, of course, is money. So, these people [cyber criminals] want to extract as much data as possible and make as much money as possible.

Dunne: According to Cybersecurity Ventures, cybersecurity spending will exceed $1 trillion from 2017 to 2021. Is this due to the sophistication of new cyber criminals, or is it the threat within organisations that is still a major area that businesses have to tackle?

Ramamoorthy: I think it’s a mix of both, actually. It starts with employees, of course, and we have a very global workforce these days. And the proliferation of devices is the next thing. There are so many devices that people are using every day. And the financial motivation behind extracting data is, of course, a huge thing for the cyber criminals, if you think about it.

And with a globally dispersed workforce, it’s super hard for us to define boundaries and parameters for access within organisations. So what this leads to, along with the number of devices that people have, is people using their own personal devices to access work information. There are no boundaries. We also see that a lot of money is actually being pumped into black-hat activities, and this is mainly because of the profit margins that they’re seeing. It’s really high value for them to attack one company, have a very sophisticated way to extract information, and then use that piece of information to gain access to identities in the world.

And just look at some numbers to see the impact. We see that about 45 percent of IT professionals—people working within companies—are knowingly circumventing their own policies. When one person does it, they probably don’t think about it as much, and they think, “It’s just a small thing that I’m doing, and I’m doing this in a slightly different way to get things done faster.” But think about the staggering number of 45 percent.

It’s the same thing with people that are aware of the effects of phishing, yet still clicking the phishing links: 78 percent of people click on phishing links when they receive an email with a link they don’t recognise. And the worst part—or the number that scared me the most—was the number of days for which a lurker actually stays within your network, which is 140 days. So, someone could be hiding within your network for 140 days, extracting as much information as possible.

And we’re seeing the effects of almost all of this in the widespread data breaches and leaks that you mentioned, like Cambridge Analytica.

To summarise, it’s extremely critical for companies to act quickly and employ better mechanisms to prevent and detect these breaches so when they realise it is happening, they can actually take action.

Dunne: I’ve heard you talk a few times before about how humans are generally the weakest link when it comes to security. Can you tell us a little bit more about that? I’m probably thinking of myself and, you know, not changing my passwords or leaving passwords on sticky notes on monitors, and so on. How is that important as these phishing attacks increase?

Ramamoorthy: I’m going to ask you a question back. Have you watched the movie “Catch Me If You Can”?

Dunne: I have—the one with Leonardo DiCaprio.

Ramamoorthy: Yes. So, if you think back to the person in the movie—Leonardo—he plays the role of Frank Abagnale, one of the most reputed authorities on the subjects of forgery, embezzlement, and secure documents. But if you rewind the story and go back to when Frank was 16 years old, you see that he didn’t start out his career as a security specialist. Instead, he understood that almost all systems in the world were reliant on human trust, and he took advantage of that and learned how to break those systems. He was successfully able to forge checks. He was able to fly illegally on 250-plus flights. He was able to forge his identification, switch careers without qualifications—he pretty much did everything you could think of, and not much has changed today.

A lot of us, in fact, are willing to click on email links even if we aren’t expecting that urgent package delivery. And curiosity, unfortunately, makes us the weakest link in the chain. And this lets the hacker community exploit this weakness.

However, it’s not all bad. We do learn from our mistakes, and that’s exactly what we saw in Frank’s story. He was only able to keep up these activities until people realised that he was doing this over and over again. He was caught, and he was punished. And this makes it important to raise awareness around phishing and social engineering attacks within companies. This is a classic example of how global internet protocols rely heavily on trust. It wasn’t a breach, but it was just us relying on systems that are completely based on trust.

Dunne: Very interesting. I think Frank Abagnale is now a well-paid security advisor for some of the biggest organisations in the world?

Ramamoorthy: He is.

Dunne: So in terms of how aware businesses are of these threats—do you think they still have an “it won’t happen to us” mentality?

Ramamoorthy: We’ve certainly seen that “it won’t happen to us” mentality a lot. And cybersecurity is lucrative for a reason. It’s lucrative because a lot of companies are not tuning in as they should be. In fact, Infosecurity Magazine published some staggering stats that show about 76 percent of companies have been attacked at some point. And 25 percent of these attacks come from internal actors. These are the people that we talked about—the people that are circumventing their own policies, not because they might have a malicious intent, but because they want to get their work done faster. But that results in some of the problems that we’re seeing in the industry.

And the “it won’t happen to us” attitude has to change, sooner rather than later. Simple measures can be taken, such as enabling MFA [multi-factor authentication] for all users to protect customers, their employees, and their data. Of course, it’s not the perfect solution, and there is never going to be a perfect solution with security given how much the threat landscape changes every day. But it’s better to start somewhere.

Dunne: I know you spend a lot of time looking at the Workday product, speaking to people within the industry and to businesses about how they’re dealing with the threat of cybersecurity. What do you hear from them about why they’re not acknowledging it, or what their biggest challenges are in stopping these threats?

Ramamoorthy: We actually did a lot of user research last year, talking to some of our customers about what they think when it comes to security. One of the common themes or trends we’re seeing is that almost everyone is aware. Everyone understands that there is a ticking time bomb. Everyone understands the security landscape is ever-changing. There’s certainly a sense of uncertainty around what might happen tomorrow, and they understand that there’s no single solution to fix everything. I believe that is the first key step to solving some of these problems.

Recognising that a problem exists, understanding what the problem might be, and then realising what needs to be done to have a strong security strategy that’s not static, but more dynamic, is what’s going to get us further. I think our customers are in a better position because of the awareness we raised from a Workday standpoint as well.

Dunne: I think that this is not something that just gets solved once, and it’s done, right? Cybersecurity is something that’s constantly evolving?

Ramamoorthy: Absolutely. I think you hit the nail on the head. There is no single said-and-done strategy when it comes to security, and people have to constantly evaluate their posture. If you make a business decision that will no longer be viable five years from now, you change your business strategy. The same has to be the case with security as well.

Dunne: In terms of that kind of future, there’s a lot of talk this week obviously here in Vienna with Workday Rising Europe about the potential of machine learning, fraud detection, and other areas of security. How do you see machine learning, artificial intelligence, and other technologies coming into the security mix?

Ramamoorthy: Machine learning is something that’s been in the works for the past few years. Everyone talks about it. Everyone understands that it’s important for us to recognise and learn about our historic data. And that’s exactly what machine learning can do even on the security side of things. So, Gartner describes a step-based approach for understanding people and their use of the product, and using that information to build machine-learning models.

Again, the goal for us is to move away from static rule sets to a much more dynamic setup that understands you as a person and then applies rules for your access into the Workday system or any system, for that matter.

Let’s say, for example, that we have a knowledge graph around me, and we see that Archana logs into her system at 4:00 a.m. every day—she is a manager, so she likes to proof things at 4:00 a.m. Let’s say that she always logs in from Pleasanton, but if there is a deviation from that setup, and if Archana is logging in at 3:00 p.m. from Vienna, then you know there is possibly a risk factor associated with that particular login.

Using historic data that’s been built off me as a person, I can now say that I probably shouldn’t have access to certain things because I’m coming in from a location that’s unknown at a time that’s usually not the time I log in, and maybe I’m given restricted access to the system.

And that’s the way Workday wants to go. We currently have a lot of static rules, so we provide our customers with the capability to set up those rules based on what their businesses do. But we also want to equip them with information about what their users are doing within the platform. And then we can use that information to generate risk assessment scores for each one of our users, and then let our customers define what they want to do with those scores. So that’s definitely something we’re investing in and designing over the next few years.

Dunne: One thing I’m hearing loud and clear from the sessions here at Workday Rising Europe, and particularly your session, is that security is now a partnership. It’s not just about IT enforcing and putting the smackdown, if you will, on employees. It’s a partnership that involves employees. Can you tell us about that and how it comes together?

Ramamoorthy: This is certainly one of those areas where the Workday Rising theme of “Go Further Together” fits in really well. And one model hardly ever fits everyone when it comes to security. Each business is run in a different way. We have customers who have their own business requirements. They have their own way of defining their users. They have different locations from where these users come in. These users have different roles and responsibilities within their organisations based on where they are in the world, and there is no way in which we can have a single set of security configurations that validate or work for all of these users.

It’s important for us as Workday to provide our customers with all the interesting, important, cool features, but then we need our customers to come back to us and use these features; otherwise, I could be sitting here all day talking to you about the investments we’re making, but nothing’s going to reach our customers if they don’t come forward and take the functionality that we provide.

I think it’s extremely important that as a community we move away from the mentality of security setups being just a one-way street. We want a constantly evolving model that will help us fight these problems together.

Dunne: Makes perfect sense. We’re here in Europe today, and the GDPR came into force this year, so I think it’s worth spending some time talking about regulation. What are your thoughts on what organisations are doing around the GDPR and how that’s coming into force?

Ramamoorthy: With the GDPR going live in May, almost every company in the U.S. and Europe is thinking a lot about how to implement some of the regulations and restrictions around data access and data extraction. It’s interesting for Workday at this juncture because we go back to what we thought about when we built our foundations with trust and security at the centre of everything. And privacy was woven into the very fabric of our offering, and, of course, all of this is centred around our employees or our end users. Workday ties everything together really well, and I feel like it’s one of the areas where the investments that we’ve made in the past have definitely helped us today.

Dunne: That’s great. I get the feeling from our conversation that cybersecurity is not going away anytime soon, so as organisations look to face cybersecurity head-on in 2019 and beyond, what would you say in terms of advice or things they can do to get ahead of the curve?

Ramamoorthy: I would say start with investing that money today because we’re seeing what the cybersecurity spend is going to be in 2021. We can see that the threats are not going down. They are only going up. And this means that a quarterly review of security settings, not just for Workday but for any business application that a customer might be using, is extremely critical.

Investing in awareness training for employees is also the next thing that I would say is probably something that customers should look into. Having internal phishing campaigns by sending them phishing links and seeing how they react, giving them feedback on what they should and shouldn’t be doing, and then probably having an incident response playbook.

Think about what happens if you have an incident. Who are the people that need to be involved, and what kind of interaction should we have with those people? And last, I would say have a clear incident response team that handles some of these cases that might come forth. Putting together a team after something has happened is really, really hard, and so having that all in place is really going to be important.

Ramamoorthy: And, of course, giving back, right? It’s important for us to solve this problem as a community. It’s not a fight that we can have individually, so sharing on Workday Community or other forums about how we can solve this problem better; sharing anything that customers have done that might be beneficial for us or for all of our customers, is certainly something that we can always refer to. I would say that working together will certainly move us from being the weakest link to first-line defence.

Dunne: That’s perfect. Well, that’s all we have time for today. I want to thank Archana Ramamoorthy from Workday for joining us at the Workday Podcast. If you’d like to hear more, please subscribe to our podcast. I’m Steve Dunne, and thanks for listening.