GeoLang’s Ascema platform protects sensitive information at the content level by identifying, classifying and tracking data across the corporate infrastructure, both inside and outside the enterprise firewall. In this interview, GeoLang founder and CEO Debbie Garside discusses the ways in which organizations are handling sensitive data, and offers an elegant solution that puts the user back in the driver’s seat.
Please describe your background and the story behind the company: What sparked the idea, and how has it evolved so far?
GeoLang came out of the work that I was doing with the Internet Engineering Task Force and things like ICAN and ISO. I could see that there were a number of problems that were very much IT orientated and that these problems were growing as the use of computers became predominant.
I could see that there were going to be more and more problems with interoperability, standardization, communications and security. I started out working on the standardization side of things in order but quickly moved into the security side of things.
We had an opportunity to work with Jaguar Land Rover and the University of Surrey on a specific problem of protecting data within supply chains and in the cloud. Our Ascema platform was born from this collaboration.
In 2015 we launched the Ascema platform which offers data loss prevention and data discovery solutions.
In 2018, we were acquired by the Shearwater Group plc. We’re now part of a much bigger group of companies. Although we weren’t looking to be acquired, it seemed like the right time to come under a bigger umbrella in order for us to scale our offerings to the market.
It was just before we were acquired that we moved into the data discovery side of things. This includes sensitive data discovery, and particularly, sensitive data discovery on endpoints, which was a big whitespace at the time and continued to be so up until this week when Microsoft decided that they are going to release an endpoint DLP solution as part of their E5 AIP stack.
One of the things we do that you don’t get on Microsoft E5 or AIP tools, is that our solution is very elegant and simple to both deploy and use. That makes GeoLang accessible to everyone; you don’t have to have a big IT department or somebody who knows programming or somebody who’s IT literate in order to be able to use our solution. It’s built for hands-on use by the people who need to use it.
This was partially driven by the General Data Protection Regulation (GDPR) which came out in 2018, followed by the recent California Consumer Protection Act (CCPA). Unlike Microsoft, who use things like Powershell, we’re putting these tools in the hands of people who actually need to find data, who are doing data subject access requests, or eDiscovery/eDisclosure, and who actually need to use them; as opposed to having to turn to the IT department, tell them what they’re looking for, set up a search, and bring back a load of information, which they then have to scroll through.
GeoLang is built for the end-user to be able to decide what they are looking for, where they should look for it, and to make it very easy for them to quickly view, filter and extract that data.
We find that whilst IT departments are very good at what they do, they’re not the experts when it comes to data subject access requests, PCI compliance, or Freedom of Information. When it comes to those types of requests, they’re just doing what somebody else is asking them to do, and that means they won’t be able to make intuitive decisions around data. Putting those tools in the hands of the people who need to do the job, in such a way that it becomes an extension of them, that makes it a very powerful solution.
Below are some screenshots from the GeoLang dashboard:
If you were a policymaker. What would you change in the way Cybercrime and cybersecurity are handled by the authorities?
There’s always been a lot of work going on behind the scenes. I know that there are various authorities and police departments who are all working together to bring down hackers and criminals who are trying to infiltrate systems. Also, not many people know this, but the larger companies like Microsoft and Google work very much hand in hand with authorities like the FBI, the NSA and organizations like the GCHQ here in the UK, with a view to protecting the general public.
While the big players work together with authorities and governments in order to try and tackle this, there are new threat actors every week. Whilst there are certain channels that you can try to monitor, essentially it’s down to the companies that offer the solutions to malware and ransomware, who are the experts in their field. Sadly, it’s an open forum for hackers to think of ever more devious ways to get into that perimeter.
We are also living in a very de-perimeterized environment now. It is no longer the case that everything is behind a firewall. We’ve got stuff in the cloud and in servers which may or may not be private. At the bottom line, there’s always a way in, and very often it happens through public IP addresses so it’s very easy to find servers. You obviously need to keep these servers secure and up to date.
It’s very much a layered approach that is needed these days and I don’t think there is one solution that can solve everything. I think it’s a matter of everybody keeping abreast of what’s going on.
This morning, I was reading about Wasted Locker, the latest ransomware. They’ve attacked Garmin, a GPS solution provider by encrypting all their data and demanding a $10 million ransom request. Obviously that demand was to be paid in Bitcoin.
Realistically, we’re going to see an end to this. I don’t think there’s anything further that government organizations and the experts who are producing malware type tools can do, other than to keep abreast of it as much as they can; find and lock down those loopholes, access points and people responsible, so that the threat space becomes smaller.
So what you’re saying is that we need a technical solution rather than a policy one?
That is correct. There are policies in place for data sharing between organizations about attacks, in particular larger organizations. For instance, groups of banks that talk to each other and as they start seeing phishing or hacking attempts, they alert each other in the same way that authorities and policymakers are also doing in order to solve this problem. But it’s really an unsolvable problem. You just have to try and keep up with the problem and keep mitigating the risk as far as you can.
Which trends or technologies do you find to be particularly interesting these days around your field of work?
What excites me is developing solutions that bring the end-user into the equation. Giving the data owners the ability to remediate on sensitive data that is discovered within an organization is the fastest way and possibly the only way to deal with the problem.
Just looking at some of the problems that I’ve come across in the last month or two, even though large organizations have lots of tools in place, all these tools do is produce thousands of lines of reports every day. There may be an ability within the tool to encrypt or quarantine sensitive files, but you can’t remediate on it automatically, because that interferes with the day to day workflow of your end-users, and when you do that, you’re interfering with the capabilities of the organization as a whole, and that’s not acceptable.
For solutions to be attractive nowadays, they need to stop feeding thousands of lines of reports into SIEM’s where they’re never going to see the light of day. Start working with the people who actually own the data. Data is not just part of a data lake. There is an owner somewhere. They may own their data within Office 365, endpoints or network drives, and they have their own spaces within them.
Yes, there are also other data lakes that have been powered over years, often, but the day to day generation of your data is very much around end-users generating that data, and it’s going into your central repositories. To bring those end users into the equation, when dealing with sensitive data, and to guide them very simply through our process of remediation, is what excites me today, and that’s what we’ve been working on.
Our latest solution will alert the end-user when they’ve got sensitive data on their machine or within their cloud repositories and will take them, at the click of a button, to where that sensitive data is, allowing them to obfuscate, delete, or make decisions around that sensitive data, based on policy and education, which are also available within our system. This way, they can see where they should be going, and report back to the system once it’s done.
Our tool not only finds the data and alerts the data owner, but it also allows the data owner to report and remediate. All the system security analyst has to do is to see that that data has been found, remediation has taken place and the risk mitigated. That can be a bonafide line of report back to a SIEM. That’s where I’m working today. I’ve spoken to so many companies that have literally millions of documents in the backlog that they have no chance of reviewing.
How would you say COVID-19 impacted your business particularly and the industry as a whole?
Obviously there is the human cost which has been disastrous for many and it goes without saying that we owe so much to those on the frontline and our thoughts are with those who are suffering or who have lost family and friends to this awful virus.
From a business point of view, the impact is varied. The pros are that it’s a lot easier to get hold of people. Being able to do conference calls, people seem to have more hours in the day because they’re not traveling, so they’re more readily accessible. I think people have changed their attitudes as well. People are more receptive to help other people and to take an interest in what they’re doing. So whereas before you might go on to LinkedIn, and message somebody and they would just ignore you, now people are perhaps responding to be kind, to be nice, and to be more interactive with people. That’s one very positive side of COVID-19. It’s as if people now have the time to be more empathetic.
I also noticed that people are very accepting of the fact that children come in when you’re in the middle of an interview or a meeting. I’ve been in high-level conference calls where every so often a child would come into the screen. I think we’ve all become much more accepting of the fact that people are people; we live in houses with other people; we have children and pets and we are real people. So that’s the plus side of COVID-19.
I think the downside of COVID-19 is obviously that a lot of industries have had to send their workers on unpaid leave. Here in the UK, we’ve had the furlough scheme which is great in some ways in that they’ve got their jobs protected. However, that protection can only go on for so long. Inevitably there will be redundancies made. Companies will be reducing their workforces. There will be a downturn in trade.
Another thing that probably affected the entire IT industry is that many companies were so far down the track of procuring solutions, and as soon as COVID-19 struck, everything was put on hold in response. If that response was work from home if you can, that meant that any solutions that would support working from home were very high on the agenda. Anything that wasn’t deemed to be as important from COVID-19 work-from-home response, has obviously fallen onto the back burner.
One of our sister companies, SecurEnvoy, offers MFA multi-factor authentication, and they saw a huge upturn in their business. We’ve also seen a huge upturn in the requirements for cloud DLP solutions, but I’m sure that there are a lot of other companies out there that have seen a downturn, as companies paused their procurement processes.
Finally, agility was definitely the order of the day with many companies implementing an entire digital transformation strategy and moving into the cloud over the course of a few weeks where usually it would often extend into an 18-month process.
Would you say that the corporate community understands the importance of having security measures in place?
I think it’s still a battle of the boards. Often, you see that individuals on boards who have certain expertise will push the security agenda in the way of their particular expertise. I think there are still boards where they don’t truly understand the need for so much security.
Budgeting often sees IT security as an insurance policy: they’re weighing how much a data breach would cost as opposed to how much it would cost to make sure it doesn’t happen. So you’ve got that bean-counting going on and that’s the way of industry.
What they don’t see is all the behind the scenes stuff that they would have to deal with in the case of a breach. The customers who would be calling them to ask if their data is affected, so having to put on an Incident Response Team to deal with the influx of calls from customers; having to put resources into the investigative team that is going to do your internal investigation, and then having to deal with the investigation from the external parties which could be Information Commissioner’s Office in the UK, for instance, so there’s a cost to that. Then, having to deal with fallout in terms of class actions which are becoming more prevalent nowadays. Having to deal with the legalities of all that means you need to also have a legal team. And of course, there is the cost of the legal action itself and if it succeeds. And it will always succeed in part. Even if it’s only $10 or $20 per person. If you’ve got hundreds of thousands of people affected, that mounts up. All of this is detracting from your actual business. So whilst you’re putting all your resources into dealing with this particular incident, you actually can’t put the resources into growing your business. I think that’s one of the biggest factors that boards don’t take into account when they’re looking at budgeting for IT security – the business interruption factor.
How do you envision the future of GeoLang?
For us, the future will always be about staying ahead of the competition. Innovation is key. You have to be constantly innovating and you can’t afford to be sat on your laurels; You need to be listening to your customers; You need to be able to pivot very quickly so that, as things come online and problems are identified, you can move into those areas very quickly. That is why we follow an agile development and innovation approach and we move with the times.
The future of the industry is very much around staying ahead of the big players like Google and Microsoft. You can do that, even as a much smaller company if you work in an agile, innovative way and pivot when you need to. Move to the next thing, because you will always be faster than the larger companies. Yes, they’ve got lots of resources, but they are very slow. There’s a much greater level of detail in terms of project management so they cannot pivot as easily as the smaller companies. That’s an advantage that we maintain by being innovative.