Data privacy compliance is one of the biggest risks facing small and medium businesses today. Especially for managed service providers, knowing how to audit data and proactively avoid the liability is key to long-term success. As more and more businesses are adopting BYOD as part of their ongoing workflow, I sat down with Guy Bavly, co-founder and CEO at Actifile, to discuss some best practices that SMBs can adopt to maintain data privacy across their data flows.
Please describe the story behind Actifile: What sparked the idea and how has it evolved so far?
Actifile has a technology that can monitor file flows; any type of file from any source, web or local, whether it’s file repositories like Windows Server, OneDrive, or other applications. We can monitor where files come from, analyze their content, and see whether they actually departed from the organization to whatever destination they go.
When I joined Actifile, about three years ago, we were using this technology to make better decisions about backup. So if the file was changing or if it came from a sensitive source, that would be a reason to back it up.
One day, one of our customers spoke to us about sensitive information. He was worried about information being misplaced, leaked, or stolen, and he asked us to provide a solution that would monitor the status of sensitive files. So we started building a solution around that technology that helps to discover, monitor, and reduce compliance-related risks for small and medium businesses.
Nowadays, we serve about 130 customers in the US. We work primarily with managed service providers and serve small and medium businesses as their outsourced IT department. Our solution is helping our customers not just to secure their data, but also to comply with the different data privacy regulations that are very prevalent today all over the world.
What challenges are SMBs facing these days with regards to data privacy?
I’ll focus on US-based customers primarily, but what I will say is probably true all over the world.
Firstly, in the last few years, many new data privacy regulations and laws have been introduced into the market. In the US, there are over 15 regulations, which include both state-level regulations and federal ones, like HIPAA or NIST 800-171, and others.
Companies that operate in global markets also have to comply with regulations outside the US, for instance, GDPR in Europe, PDPA in Singapore, etc. All in all, the number and the complexity of data privacy regulations has increased tremendously in the last few years.
Secondly, many small to medium businesses are part of what is called the supply chain. They actually work with bigger enterprises and organizations as subcontractors who provide a service or a product. Given that, they have to align and comply with whatever the enterprise is doing.
To give you an example, there is a new government privacy-related law in the US that each and every SMB has to comply with in order to exchange documents with the Department of Defense. These are not top-secret documents, but they are still classified, so they need to be monitored and tracked. This means that small-medium businesses that are part of the supply chain must adhere to this policy, or they will find themselves incompetent to do the job.
We have a customer who’s making parts for the F-16, subcontracting for McDonnell Douglas, who is actually a provider or contractor of the Department of Defense. So by inheritance, the smaller organization has to comply because the documents, by definition, are part of a chain of evidence that they need to produce at any given time.
Thirdly, the regulator is no longer giving SMBs any slack, so to speak. In the past, if you had 100 or 150 employees in your organization, you could skip the compliance audit every other year and not worry so much about breaches. That’s not the case anymore. The regulator is not giving anyone slack, and they have to be audited on a yearly basis.
This is true not just in certain verticals like financial, healthcare, or government subcontractors, but for any service organization. There is a sentiment in the market right now whereby consumers are very worried about their privacy. Employees of an organization, even a small one, are worried about their data privacy. So, it comes from different directions, and because of all the reasons I mentioned, it’s no longer an option for SMBs to secure the data and comply with data privacy regulations, it’s actually become mandatory. At the end of the day, it will help their business, not just because they need to comply, but because if they don’t, their partners will not work with them and their customers will not see them favorably. Eventually, it becomes not just about compliance but about gaining a competitive edge.
And, last but not least, if a small organization is breached, they won’t pass the audit and are likely to go out of business. Unlike large organizations that have big departments with people taking care of privacy and enough money to pay for attorney fees, for some small organizations, an upcoming audit can be a very stressful financial situation.
In your view, what are the most fundamental factors to consider when building an organizational security strategy?
Organizations that have 50, 100, or 150 employees might have data in two places. One is in repositories, most commonly cloud repositories like the OneDrive file system, their CRM in Salesforce, their ERP in Business1. All of those repositories are managed, secured, and have built-in tools and mechanisms to perform scans at any given moment to find what we call PII (Personally Identifiable Information). This might include social security numbers, email IDs, credit card numbers, and so on.
So the repository is pretty much manageable and secured, and can be scanned at any given time. The problem starts when those organizations become more cloud-savvy, and this is something that was largely accelerated by COVID-19.
They’ve become what we call “outside the LAN organizations”. So people are starting to work from home and from collaborative offices like WeWork, without a LAN or firewall in place, to protect their data flows.
So what do data flows actually mean? It means that users take data outside the cloud repositories. Let’s say they take a document and append some financial information and send it to the accountant, or they do a records reconciliation and send it for billing, or they do all kinds of other things with data and data flows.
I’ll give you an example from one of our clients, a big urine testing lab in Oklahoma. They do drug testing using urine samples. They gather a lot of data from different sources, and extract data from their partners: they do the billing, and they then move that to a big contractor and the data flows through them as well. Hence, the most important thing for an organization in that situation, as cloud-savvy as they might be, is to first discover their current position.
Discover where you are right now. Measure the data you have outside the repositories at any given time and put monitoring tools on top of it. By alerting, building cases, and measuring the risk in US dollars, we can convert the number of potentially sensitive records into a tangible risk number that you can actually test against your insurance policy and eventually put risk reduction tools in place.
We do what we call transparent encryption, where the users are not involved. Once a file is created, extracted, or moved through the organization, it will always be protected by strong encryption. The users just work as usual with no interruptions whatsoever. And if this information needs to live in a non-organizational repository, then we know how to move the files and remove the encryption. That way, we actually transfer the liability, because it’s all a game of liability. If I hand over the data to someone I trust, there is no problem removing the encryption because that’s a trusted target and I move the liability to them. So to summarize, discovery, ongoing monitoring, and risk reduction, usually with encryption, that’s the work pattern that we recommend and have been using with our customers.
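The two ideas in this answer, scanning content for PII records (social security numbers, email addresses, credit card numbers) and turning the count of exposed records into a dollar figure, can be demonstrated in a few dozen lines. The example below is added here for illustration; it is not Actifile's scanner or the scanning built into any of the repositories mentioned. The sample documents, the SSN plausibility rules, the Luhn check used to reject digit strings that merely look like card numbers, and the `cost_per_record` parameter are all assumptions made for the example, and findings are masked before being reported so the scan itself never reproduces the sensitive values it finds.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample documents standing in for files pulled out of a repository.
SAMPLE_DOCS = {
    "invoice_q3.txt": "Bill to: jane.doe@example.com, card 4111 1111 1111 1111, ref 12345",
    "hr_notes.txt": "Employee SSN 123-45-6789 on file; backup contact bob@example.org",
    "readme.txt": "Nothing sensitive here. Order number 4111-1111-1111-1112 is not a valid card.",
}

# SSN: reject area 000/666/9xx, group 00 and serial 0000 (never-issued ranges).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Card: 13 to 19 digits, optionally separated by spaces or hyphens; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


@dataclass
class Finding:
    path: str   # file the record was found in
    kind: str   # "ssn", "email" or "card"
    value: str  # masked representation, never the raw value


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for digit strings that can be real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(kind: str, value: str) -> str:
    """Keep only enough of the value to triage the finding."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Discover PII records in one document; card candidates must pass Luhn."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding(path, "ssn", mask("ssn", m.group())))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding(path, "email", mask("email", m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding(path, "card", mask("card", m.group())))
    return findings


def scan_documents(docs: dict[str, str]) -> list[Finding]:
    return [f for path, text in docs.items() for f in scan_text(path, text)]


def summarize(findings: list[Finding]) -> Counter:
    """Record counts per PII kind, the input to the risk calculation."""
    return Counter(f.kind for f in findings)


def risk_usd(findings: list[Finding], cost_per_record: float) -> float:
    """Tangible risk figure: exposed records times an assumed per-record cost.

    cost_per_record is a hypothetical parameter; in practice it would come from
    the organization's own breach-cost estimate or its insurance policy terms.
    """
    return len(findings) * cost_per_record


if __name__ == "__main__":
    found = scan_documents(SAMPLE_DOCS)
    for f in found:
        print(f"{f.path}: {f.kind} {f.value}")
    print("records per kind:", dict(summarize(found)))
    print("estimated risk (USD, assumed $150/record):", risk_usd(found, 150))
```

Running the block reports two email addresses, one SSN and one card across the three sample files; the digit string in `readme.txt` is rejected by the Luhn check even though it matches the card pattern, which is the kind of false positive a discovery scan needs to filter out before it inflates the risk number.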
You mentioned the fact that more and more people are now working from home. How would you advise on interacting with all those cloud-based applications that people are using to make their work safer?
That’s one of the beautiful things about Actifile. We have a patent-pending technology that requires no integration whatsoever. Actifile is based on two components: One is a cloud multi-tenant, Azure-based management environment where each and every customer or partner has their own tenant with their own configuration; and the second one is an agent, a small component that we install transparently in the background for each and every endpoint. The beautiful thing about it is that in terms of Active Directory, it requires no integration, meaning you don’t need to be part of the organization.
Let’s assume I’m a health clinic and I’m working with doctors that are part-time contractors. So, I can give them Actifile and only monitor the information from my repositories, without invading their privacy. So this component knows how to listen to those repositories. Based on the operating system activities, I can analyze the information flowing through this endpoint. For instance, if I copy-paste something from a cloud-based application, or if I manipulate a file that was on a shared folder on OneDrive, the file is immediately tagged and monitored through all its permutations. If someone saved, copy-pasted, or somehow modified it, those actions will always be tagged and monitored.
Within your industry, which trends and technologies do you expect to see more of in the coming years?
Beyond the quick adoption of the cloud, by SMBs particularly, and especially in the US, I think what’s even more important is COVID-19. What we see is that many employees have started working from home. We believe, and we can see already, that things will not come back to the way they were before COVID-19. People see that there are a lot of advantages to working from home. Many of our customers have become interested in not just maintaining access control, like with a VPN, but also creating policies for employees to use their own devices at home. They want to know that people aren’t misplacing or leaking sensitive information, whether intentionally or unintentionally. So BYOD (Bring Your Own Device) and working from home are going to increase, as well as the demand for data security and compliance solutions like Actifile.
That’s especially true for organizations that are based on agents, meaning, a technology that runs on endpoints. The reason I’m saying that is because in the past, there were LAN-based solutions, but when so many people are working outside the office, a LAN-based solution will not technically be capable of doing what we’re doing right now.
Even though we’re endpoint-based, we’re looking at the flow of data. So it’s not just about protecting the information on the endpoint, but also protecting the information that flows through the endpoint, from one endpoint to another, and from the endpoint back to the cloud. So I would say we’re sitting on the flow stream of the organization’s data, which is now a virtual organization, because people are sitting in different places and not necessarily in one physical location. The only way to do it is to have a software component and agent sitting on each and every endpoint because the data flows through there.
Looking further, how do you envision the future of your industry?
First of all, everything will be cloud-based. People will actually work from everywhere. It’s a kind of mantra that’s been going on for years, but I think COVID-19 has accelerated it. I expect non-high-tech industries, which, until now, were not accustomed to working remotely, anytime, from any device, will start doing so.
I think the emphasis will be on making sure we understand the data because right now, cybersecurity is all about posture, vulnerability management, and making sure that nobody is overtaking the computer. But especially in the SMB space, only 15% of organizations actually understand what data they have, and where it is tweaked. They don’t have data governance policies and techniques in place. So my projection is that in five years, about 60-70% of those organizations will have data governance and data security tools in place. This is where Actifile will come into play.