In this conversation we are glad to introduce our guest Aidan Simister, the Co-Founder and CEO of the leading AI power data security solutions provider Lepide. Established in 2015, Lepide empowers organizations with cutting-edge data monitoring, governing and securing strategies.
Aidan, as an accomplished IT professional, has been driving growth to Lepide since 2015 across the US and European markets. In these conversations, we will dive into the key aspects of aspects and challenges of data security, governance, generative AI security, and more.
Welcome Aidan, we are super excited to host you today.
what are the most common yet devastating data security and governance threats that have impacted organizations across industries? What tactics can help mitigate these risks?
And then the second thing is, well, fundamentally the entire reason for being of cybersecurity is to keep data safe, to make sure you can prevent data breaches, right? And given that like 90% of the world's data has been created in the last two years, it's out of control. So, make sure that you've got very specific controls in place around the actual data itself, the stuff that you really want to protect, like that's really fundamental to be effective today when you're thinking about these evolving threats.
And then as I mentioned briefly earlier, the fact that there's this huge wave of everyone talking about AI, wanting to put AI in place inside their organizations, that's fine, but don't let your security get outpaced by your AI initiatives. Do not do, do not roll out tools such as Copilot unless you thought deeply about your data security initiatives and data governance initiatives. Doing that will just lead to another level of threats like people have never seen before.
And that's kind of what we're already seeing as well. So just focus on the two things that matter the most, and that is your identity, very specifically your Active Directory and security, that really matters. And then make sure you've got the right, very specific controls in place around the data itself.
Those are the two things that you should start with, in my opinion, and then you layer everything else on top around those things.
Host: Yeah, that was quite insightful. Moving ahead, effective governance is essential while adopting a strong security framework. What challenges do organizations generally face while integrating resilient governance strategies?
Aidan: I think one of the main challenges is, it's all very well and good understanding who's actually got access to things that they shouldn't have access to, but it's actually, how do you solve that problem? And how do you solve that problem at scale? It's who should make those decisions as to who should have access?
And how are you making those decisions? And do you have the right tooling in place to actually resolve and automate those types of challenges? So quite often the problem, the people kind of struggle with that dynamic, they're like, well, I know maybe that person shouldn't have access, but what do I do about it?
How do I resolve it? And not just an individual by individual level or a resource by resource level. It's like, well, how do we make decisions?
How do we use technology to automate this process of removing access where it's not needed by being able to proactively make sure I can keep track of these things, not just on an annual rate. So, it's making sure that you've got the right tools in place to be able to automate that decision-making framework to remove access where it's not needed. It's a very, very challenging problem to solve.
Because again, the other really big challenge is around who should make those decisions as well. Like whose responsibility is it to say that they should or shouldn't have access? It becomes incredibly problematic to try and do that.
So, make sure that you choose tools that automate, tools that enable you to delegate down to line manager and business line manager level as well. So, then you can start to engage the whole of the business into your data governance initiative.
Host: Yeah, absolutely. Feeling the gap of choosing appropriate tools and decision-making is absolutely a great challenge in data governance.
Aidan: Yes, I agree. I think the one thing I will say is start with your plan, start with your strategy first and then think about tools. The amount of times where my team are engaging with companies and they think what they need is a tool and it's not, they need a strategy and then they need a tool.
Make sure you thought deeply about like a business level. What is it you're trying to do here before even thinking about putting any tools in place? Tools without strategy will fail.
Host: Absolutely. Next up, how does Lepide's generative AI security work? What is its significance in contemporary times?
Aidan: If the question you're asking is like, how do we help protect against threats created by generative AI? Fundamentally, like the way that we think about this is how can we, there's a few things like to be ready for generative AI, you need to make sure you've got the right data governance controls in place. So that's one of the things that we do to help you make sure that you actually really do know who's got access, whether they should have access to data.
You don't get that right before you're thinking about rolling out generative AI, then you suddenly create a whole wave of other problems by people having even more prompted access to data than ever before. So, you get your data governance right, so you can think about getting generative AI right as well. So, one of the things.
And the second thing is like, well, okay, let's just say we've made the decision and taken progress, made progress in say rolling out Copilot as an example. But how are people using that as well? So, kind of questions that our solution like ours will answer is like, who's searching for what within Copilot?
And are they abusing the way that they're using Copilot? So, for example, are they asking questions of Copilot like, can you tell me how much the CEO earns? Can you tell me like, you know, who our most profitable customers are when they may not actually be allowed to ask these questions?
Can you tell me if there are issues I may be on a layoff list? Like, can you tell me what if there's anything likely to happen to our share price in the next six months? Like they're using Copilot for some rather abuses or rather misuse type use cases.
And we can help you literally understand if people are abusing the levels of access they have to generative AI. So essentially, auditing of prompts, reporting of prompts, alerting when people are misusing generative AI in those ways.
Host: Yeah, totally agreed. Integrating AI into a security framework is surely an innovative idea, yet its appropriate usage is important.
Aidan: For sure.
Host: Yeah. Moving further, what are the identity-based attacks? How can Lepide's Active Directory Risk Assessment solution be advantageous in addressing such risks?
Aidan: So when I think about Active Directory, I think sometimes even some of the most basic things, basic hygiene things that companies need to do, they kind of rely on either PowerShell scripts or they've got some form of technical like event view or something that they already have out the box. But it's not enough because some of the most severe attacks have happened just because of basic AD hygiene problems. Even things, for example, like making sure you don't have inactive users in your AD, making sure you know who's got what levels of access in your AD, like what users do you have with admin privileges in your AD and making sure you're reducing that.
Being able to detect suspicious or anomalous log on and log off sort of activity around when people are logging on and what they're doing as well. So, getting some of the fundamentals right around authentication in your Active Directory, getting some of the fundamentals in place around these controls like can significantly reduce the likelihood of your AD getting compromised in the first place. So, we do these risk assessments with prospects where we literally kind of go through their AD from start to finish.
It usually takes a couple of hours. And then we can start to help them really map out what the actual risk and the implication is of like these very specific controls around their AD. That's sort of really how we think about that.
Host: It's truly interesting to learn how Lepide is helping in overcoming identity-based attacks.
Moving ahead with hybrid and remote work environments being in trend, what is your opinion on surging hybrid workplace vulnerabilities? How threatening can insider threats be here?
Aidan: Yeah, I mean, that's an interesting question. I mean, obviously, I think there's still a lot of organizations that are moving into having a more hybrid environment. And again, that creates even more complexity, even if I think about the context of, say, Active Directory or EnterID or whatever it is, or whether you've got on-prem file servers or, say, your Microsoft 365 or whatever.
Now, it's just creating more consoles that you need to try and log into to work out what's happening for these things as well. So, it's just created another level of complexity that wasn't there before as a result of hybrid working. And I think that, say, you've got more consoles, more dashboards, more alerts, often not integrated.
So, it's like, well, it's even harder now than ever before when you're trying to run an investigation to work out who's done what. It's even harder now to detect if someone is doing things with your data, maybe within your AD, that they shouldn't be doing. And yet, it's also you're more at risk of these things happening more than ever before.
We've been seeing quite a significant rise in insider threats, certainly over the last little, like, I don't know, 10 to 12 months. We've really been seeing this kind of quite a rising trend. I can't honestly tell you why that is, but we've definitely been seeing that trend.
We've also been seeing quite a rising trend of attacks on on-prem AD as well. There's been like a 60% increase in on-prem attacks in the last six, eight months as well. So, I think it's very difficult nowadays to operate in a hybrid environment.
Host: Yeah, absolutely. Remote work culture and workplaces, hybrid workplaces are surely trending, but prioritizing security is also crucial. Moving ahead, awareness and appropriate understanding are crucial while implementing robust data security strategies.
How Lepide help individuals and organizations access the correct information for effective data security?
Aidan: Yeah, I mean, I think one of the things about the whole data security market as a whole is we're at least three to five years of mainstream, of any kind of mainstream adoption. Like, we're still, like, in a lot of regards, very early on in the journey. And I think that one of the things that we try to make sure that we spend time with prospects is trying to help them understand, well, what is it that you actually want to protect?
What's important to you? So, and understand the business drivers and the challenges they're trying to, the business challenges they're trying to face rather than talking about any kind of, like, technical solutions. And I think that that's fundamentally important to data security as a whole.
So many data security projects fail because they have not scoped out what the actual business problems are, the business initiatives that underlie the project. So, I definitely feel that, like, one of the most important things to make your data security project or your data security products actually work for you and deliver value is you need to establish, well, what's the problems we're trying to fix? Forget about the products.
What's the, what actual challenges? What are we trying to enable in the business? What are we trying to protect?
Why do we want to protect it? And then, and then from there you can work out, well, actually, what tools do we need to put in place to achieve those goals? So, for me, like, that's, they're the things that really matter in making your data security projects a success.
Host: Yeah, totally agree. Cyber awareness is essential for businesses that, which are looking for robust data security frameworks.
Aidan: I think you've just got to make sure you're asking, the education piece is important, but I think it's more about, like, making sure you've got proper deep engagement with the rest of the business to make sure the project will work. So, we have to spend a lot of time educating and working with our prospects to help them sort of define out, define their projects, but not just at a technical level, like at a deeper level in terms of a business level. That's very important as a part of the education to make these projects successful.
Host: Totally agreed. Lastly, you have been advocating the concepts of data-centric security and protection. Why data is important here and how do you think the future will look like for data security and protection?
Aidan: I mean, the great thing is that I think we're entering into like a whole unstructured data security. Like I think that we're about to go through an incomplete revolution when it comes to how people are thinking about data. And I think generative AI is creating lots of threats and lots of risk, but what it's also doing is it's creating lots of awareness about, well, driving forward data governance initiatives that we should have been doing anyway.
So, I think that the, I think that the route of travel is absolutely on the right path here. I think that data security as a whole is just at that cusp now when organizations realize that this is not a nice to have, this is something they need to do. Like just as every organization in the world would buy antivirus or buy a firewall, I think we're getting to that point now when they're realizing that they have to do this.
They have to adopt data security for them to retain their competitive edge, for them to roll out generative AI, for them to really truly be embracing the data that they have inside their organizations, but doing it in a secure way.
Host: Yeah, absolutely. As we previously said, data security threats are evolving every day. And so, staying alert and adopting robust mitigative measures has become very essential for businesses.
Aidan: Visibility is everything. At the end of the day, you just need to make sure you've got the right controls in place to understand, to actually understand your data, to understand who's got access to it, who has access that doesn't need access, to understand what it is that they really want to protect, to make sure they've got the right controls, to answer the basic questions like who's really doing what with the data that we care about the most, and just having the right business processes surrounding those things to be effective.
Host: Yeah, visibility and control, access control is at prime while looking for robust data security strategies. That's a wrap. Aidan, thank you for joining us and sharing your knowledge on data security and governance strategies.
It was indeed an informative session highlighting the emergence of generative AI security tactics, identity-based threats and hybrid workplace vulnerabilities. Thank you so much.
Aidan: Thank you very much indeed.
Host: And a big thank you to all our viewers for tuning in to ExtraMile by SecureITWorld. See you soon in the upcoming discussions with industry experts for exclusive insights on compliance, cybersecurity, and tech trends. Until then, keep exploring and learning.
