The following interview appeared in Cybernews on 22 March 2022.
Grant Elliott, Ostendio: "the average Internet user can protect themselves with good password hygiene"
Grant Elliott, Ostendio: “to make this new hybrid work environment successful, companies must implement data security and risk management programs that account for this change”
Cyberthreats have been around for as long as the cyber world has existed, but even with the pandemic causing the shift to remote work, not many companies understand the impact that such attacks can have.
Organizations can encounter various threats in the online world, some of the most dangerous being ransomware attacks and data breaches. Without proper security, a business can end up experiencing reputational and financial damage.
Some of the solutions to fight threats can be as simple as getting a first-rate password manager, implementing Multi-Factor Authentication (MFA), or investing in data security and risk management solutions.
That’s why today, we talked to Grant Elliott, who is the CEO and Chairman of Ostendio – a company that provides Security, Risk Management, and Compliance services. We discussed the cyber world, its threats, and why security matters for businesses.
Tell us about your journey throughout the years. How did the idea of Ostendio originate?
Ostendio was formed to solve one of the key challenges I encountered in my previous role as the COO and CISO of a successful healthcare IT company – to help any organization regardless of size build and operate effective data security and risk management programs. Ostendio MyVCM was created to help solve that problem by allowing companies to easily build their entire security program in a single platform and provide a simple way to demonstrate this to critical stakeholders including their board, customers, and auditors.
When I founded Ostendio in 2013, it was also important to me that we build a positive work culture. I have worked for some great organizations and great leaders, but over a 25-year career, I have also experienced my fair share of the opposite and I would often be frustrated by an inability to fix that. At Ostendio, we have developed our core values as a team and they drive the work that we do. We also joined Pledge 1%, a global movement that encourages and empowers companies of all sizes and stages to donate 1% of their staff time, product, profit, and/or equity to any charity of their choosing. In addition, Ostendio recently became a Mission Corps company and now offers all employees 6 days of paid time off to volunteer in their community.
Can you introduce us to your platform? What features make it stand out?
Ostendio MyVCM is a services-enabled technology platform that makes it easier for organizations to build, operate, and showcase their information security and risk management programs. Organizations of any size that need to demonstrate compliance to security standards internally and externally can benefit from Ostendio MyVCM. The platform provides a single solution that incorporates users and requirements from across the enterprise. Ostendio MyVCM helps companies: identify and quantify enterprise risk; quickly build and deploy security assessments; manage and respond to security incidents and breaches; and align vendors and suppliers to security and compliance standards. Ostendio MyVCM maps to over 125 security standards and regulations.
Ostendio also established the MyVCM Trust Network which allows any MyVCM customer to establish a trusted connection with their auditors and their vendors to request and share relevant security and privacy information. The MyVCM Trust Network is rapidly becoming the default security and risk management ecosystem in North America.
The MyVCM platform stands out from the competition because it is a truly operational platform that offers access to real-time data, meaning your data security program is always on, always secure, and always auditable. It also offers features such as Auditor Connect – the first online marketplace where customers can connect and engage with the infosec audit community.
Have you noticed any new threats emerge during the COVID-19 pandemic?
One of the major cybersecurity threats that increased during the COVID-19 pandemic was driven by a surge in remote (home) working. Two years into the pandemic there is a new normal in which many employees are spending their time both at home and at their office, or a workforce is split with some people in the office and some fully remote. In order to make this new “hybrid” work environment successful, companies must implement data security and risk management programs that account for this change. For example, are employees up to date on security training so they can spot a phishing attempt, or is their home network password-protected to prevent hackers? Now that many employees access information and store information in the cloud, companies should have a record of who has access to which systems and know where data is stored in order to prevent hackers from stealing valuable data.
MyVCM helps companies build comprehensive data security programs and pass complex security audits, such as SOC 2, that not only protect their business locations but also across their technological and vendor ecosystem, regardless of location, to give them a competitive advantage in the marketplace.
What dangers can customers be exposed to if a company they trust struggles to ensure compliance?
When it comes to managing risk and data security, companies often fail to recognize the risk posed by vendors. A 2020 study by the Ponemon Institute showed that 51% of companies have experienced a data breach caused by a third party. The cost of a data breach can run into millions of dollars and affect a company's reputation as well as its financial standing. Although an organization may run a robust security program, this does not guarantee that their vendors will do the same, thereby potentially exposing the organization to risk.
Ostendio helps companies manage that risk with the Vendor Connect feature of the Ostendio MyVCM platform. By using Vendor Connect, companies can invite vendors (at no cost to the vendor) to create and maintain online records of their security and compliance readiness via assessments. Vendor responses are linked to supporting documentation that is easily accessed and kept up to date. Companies can designate assessments to vendors based on specific regulations or tailor them to their specific requirements.
We also suggest running a risk assessment on a regular basis. We all see the news on a regular basis about organizations suffering data breaches for various reasons. Hackers and other bad actors have become more prevalent than ever before and are working at warp speed to try to attack your organization. Keeping risk assessments up to date on an annual basis will help your organization see where your vulnerabilities lie and help you address them.
Which industries do you think should be especially concerned with implementing proper risk management solutions?
Risk management is important to all industries, but obviously, there are some that need to focus on this more than others. We work with companies across many industries including healthcare, finance, IT, and medical devices. Building a risk management program has become a business necessity for all industries.
In a recent Gartner report, Competitive Landscape: Integrated Risk Management published on December 6, 2021, analyst Elizabeth Kim calls out the Ostendio MyVCM solution as innovative, stating “Ostendio’s innovative approach across its MyVCM platform and MyVCM Trust Network helps organizations save time and effort by creating a network of vendors and auditors to reduce the amount of assessment that needs to be completed.”
Besides quality risk management systems, what other security measures do you think should be adopted by every company nowadays?
In today's more complex cloud-first business environment, understanding supply chain risk has become critical. This was highlighted in 2019 with the SolarWinds hack, and even more recently with the Log4j exploit. It is critical that we better understand all the components within our complete supply chain, as we are seeing how exploits one or two steps removed can have a profound impact on our own security. It is essential, therefore, we are not just assessing the risk of our immediate vendors but their vendors, and so on, as well.
In your opinion, what kind of attacks are we going to see more of in the near future?
The biggest change we’ve seen in terms of attacks recently is less about the type or veracity of attack and more about who is being attacked. Previously, hackers went after specific targets, for example, organizations that held something of value, e.g. money, credit card data, corporate IP, etc. Political or ethical motivations have also come into play with some cyberattacks, with the DNC email hack or Greenpeace as recent examples. This meant that target organizations tended to be bigger or more prominent, and less prominent organizations would be spared an attack. However, since the ease and cost of executing an attack have reduced exponentially, hackers can now set up mass exploits targeting a broad range of organizations knowing that at least one will have a vulnerability. This is the equivalent of the predator simply charging the herd and then picking off the weak and the vulnerable. This means any organization, regardless of size or reputation, is just as likely to be attacked as any other. Organizations must all implement effective protections, such as effective training to prevent phishing, MFA (multi-factor authentication) to prevent account hijacking, and routine patching to prevent the exposure of software and firmware vulnerabilities.
Additionally, what can average Internet users do to protect themselves from such threats?
Be on the lookout for suspicious emails or SMS requests, and never click on links you are not sure about. Use a good password and use a password manager. Don’t use the same password multiple times, and never write it down! The best passwords are a phrase or sentence that includes uppercase and lowercase letters and numbers and symbols. The average Internet user can protect themselves with good password hygiene. Finally, implement multi-factor authentication (MFA) wherever possible. That way, even if someone does get your password, they still can’t hijack your account.
Tell us, what’s next for Ostendio?
We just announced our Audit Guarantee for which we’ve already received great feedback from security auditors and companies who are considering a complex security audit. Unlike other providers who offer to “automate” your audit, Ostendio Professional Services experts will work closely with our clients to help guide them through a security audit to ensure they pass the first time, or we will remedy it for free. Using MyVCM Auditor Connect will also save our customers time and money in preparing for an audit. Ostendio plans to add more audit companies to the already growing list of approved auditors.
We’re also preparing to launch a MyVCM platform refresh which will make the platform even easier to use and offer more features and functionality to our customers.