Michael Crandell of Bitwarden: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

Jason Remillard
Authority Magazine
Mar 2, 2021

Roll out a password manager. Now. And enforce two-step authentication wherever possible.

Implement a layered security strategy so that if one layer is broken, the damage is limited.

Conduct a review of who has access to what sensitive (private) information in your company, and make sure it is appropriately limited and controlled.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Michael Crandell, chief executive officer at Bitwarden driving overall company strategy and growth.

Before Bitwarden, Michael was the CEO and co-founder of RightScale where he led the vision and direction for the company as a cloud management platform during the first decade of cloud computing. He grew the company to 250 employees and a successful exit to Flexera in 2018.

Prior to RightScale, Michael served as chief executive officer at several Internet software-as-a-service (SaaS) companies and as vice president of software and executive vice president at eFax.com, where he was part of the executive team that took the company public.

Michael received his bachelor’s degree from Stanford University and completed graduate studies at Harvard University. He began his career as a software engineer, self-taught, coding in assembly language.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in the surf culture of southern California, with a mom who was an English professor who quoted Shakespeare while fixing dinner and let me take anything apart and try to put it back together (“try” being the operative word). Though I didn’t fully appreciate it at the time, I was blessed to have broad exposure to nature, language arts, and technology from an early age.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

The software revolution has brought us not only unprecedented convenience, power to scale, and innovation, but also unprecedented vulnerability. As we’ve seen, in one fell swoop, a single hack can expose hundreds of millions of social security numbers. I first became fascinated by cybersecurity when I implemented encryption technology as part of a document storage system. The idea that I could make a document completely inaccessible to anyone, including the system where it was stored, and then return it to readable form for verified users — that really inspired me. I saw how multiple layers of protection could be created for sensitive information that would be much more secure.

Can you share the most interesting story that happened to you since you began this fascinating career?

I was surprised to learn the sheer number of password websites that we all use in our daily lives. Most people use between fifty and one hundred, and professionals often have several hundred. There’s simply no way a person can remember that many passwords and still have them be unique and secure — you need a password manager to do that.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Our founder and CTO at Bitwarden, Kyle Spearrin. He’s always fostered a strong belief in the value of the open source community that uses and supports Bitwarden, and that’s become a guiding principle for us. So, I’d have to point to him as an individual, and the whole open source community behind Bitwarden that he helped foster, for helping us grow to where we are today.

Are you working on any exciting new projects now? How do you think that will help people?

We’ve got several exciting projects in the oven right now — one of which will launch in March. You’ll see that they expand beyond password management to other tools that help people to access and share their sensitive information securely in different ways.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Find the right team and be explicit about the values you all share. At Bitwarden, we emphasize GRIT: gratitude, responsibility, inclusion, and trust. Those values, when combined, help enable people to sprint when it’s crunch time, focus on what matters most, and also count on team members to help out when needed. It’s a great antidote for burnout.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

It really boils down to one thing, namely, products that allow you to do business faster, safely. Specifically, I’m excited about solutions that add layers of protection to your daily work but don’t require extra effort to implement. The most promising products are those that use zero trust approaches to limit the attack surface hackers can target.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Yes, there are — and we can already see that with the explosion of the work-from-anywhere trend, companies need to protect their employees and their data in a more distributed way. The days of the firewall perimeter being enough are long gone. We need to combine multi-layer protection with more frequent and extensive employee training.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Here’s a personal story — a few years ago I got notified that LinkedIn had been hacked and my username (email) and password had been exposed. My immediate concern was not about my LinkedIn account being compromised, but whether the login and password that had been exposed had been used for any of my bank accounts. Since I was using a password manager, I had unique passwords set up for every site, so I realized I only had to update my LinkedIn password and problem solved. I know at Bitwarden we provide the same protection for millions of users every day.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I use Bitwarden for password management, unique passwords for each and every website, and have two-step authentication enabled wherever possible. That means when I log in with my unique password, I also get prompted for a separate temporary one-time code that authenticates me. It’s an example of an extra layer of protection that I mentioned, and it applies both to my private login credentials and any websites I share access to with colleagues or family members. At Bitwarden, we also use an outside company to provide frequent phishing awareness training at work. And I use an unlock code to access my laptop and encrypt all information on disk.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Many security products offer a ton of valuable information on their websites, including Bitwarden. Also, managed service providers can add value to packaged products in the form of installation, onboarding and training without costing an arm and a leg. Implementing the simple measures of password management, two-step authentication, laptop lock codes, disk encryption, and phishing awareness training is a great start — and doesn’t require a CISO.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

A lot comes down to the classic “sniff test.” Does something seem unusual, atypical, out of the ordinary in terms of the way your system is behaving or what’s being asked of you? If that’s the case, just stop right there, and check things out from a separate communication channel. For example, did you get an email from your boss asking you to approve a wire transfer — but that’s not how they are normally approved in your company? Did you receive a fraud warning asking you to click a link to immediately check your bank account? One important protection password managers provide is that they automatically check that you are on the real website you intend to be on — instead of a lookalike site — before they will auto-enter your credentials.
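The website check described in that answer, as an added Python example that is not part of the interview or of Bitwarden’s own code: each vault entry is bound to the hostname it was saved from, and autofill is offered only when the current page’s registrable domain matches it over HTTPS. The sample vault, the two-label domain rule and the lookalike URLs are constructed here for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample vault: site name -> hostname the credential was saved from.
VAULT = {
    "LinkedIn": "www.linkedin.com",
    "Bank": "online.bank.example",
}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'linkedin.com'.

    Assumption: a simple two-label rule, not a public-suffix list, so
    multi-label suffixes such as 'co.uk' are not handled here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_allowed(saved_host: str, page_url: str) -> bool:
    """Decide whether a credential saved for saved_host may be auto-filled
    on page_url. Rejects non-HTTPS pages and any host whose registrable
    domain differs, which catches lookalikes such as
    'www.linkedin.com.login-verify.example' and userinfo tricks such as
    'https://www.linkedin.com@evil.example/'.
    """
    parts = urlsplit(page_url)
    if parts.scheme != "https":
        return False
    host = parts.hostname or ""   # hostname already strips userinfo/port
    if not host:
        return False
    return registrable_domain(host) == registrable_domain(saved_host)


def autofill_candidates(vault: dict, page_url: str) -> list:
    """Names of vault entries the manager would offer on this page."""
    return sorted(name for name, host in vault.items()
                  if autofill_allowed(host, page_url))


if __name__ == "__main__":
    for url in ("https://www.linkedin.com/login",
                "https://www.linkedin.com.login-verify.example/login",
                "https://www.linkedin.com@evil.example/login",
                "http://www.linkedin.com/login"):
        print(url, "->", autofill_candidates(VAULT, url))
```

A real manager also handles the public-suffix list and IDN/homoglyph hosts; the point shown is that the decision is made from the parsed hostname, not from what the page looks like.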

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

After a data breach, you can shut your systems down, turn off access, inform customers and suggest that they take steps to protect their affected data. But the horse is out of the barn at that point. A much better approach is to proactively add layers of security to your systems as described above in order to limit what might be exposed in a breach.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

We are compliant with these privacy measures and they have not affected our business. They govern how customer data can be gathered, tracked and used and what customer permissions are required, so they have greater impact on businesses focused on advertising, consumer preferences and behavior, etc.

What are the most common data security and cybersecurity mistakes you have seen companies make?

They don’t follow the simple steps outlined above to protect themselves. For example, 80% of people know they shouldn’t use simple passwords that are the same across multiple websites, but only 20% do anything about it. It’s unfortunate that learning a lesson from bad password practices can be a very expensive form of tuition.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Yes. The Covid pandemic has also brought a cybercrime pandemic. Cybercrime reports to the FBI rose 400% to 4000 per day, Microsoft reported phishing attacks rising to 20,000–30,000 per day and cybersecurity firm MonsterCloud reported ransomware attacks up 800% during the pandemic. This has been driven by the sharp increase in people working and shopping from home, and becoming more digitally connected and reliant than before.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  1. Roll out a password manager. Now. And enforce two-step authentication wherever possible.
  2. Use encryption and zero-knowledge security approaches wherever possible.
  3. Implement a layered security strategy so that if one layer is broken, the damage is limited.
  4. Conduct a review of who has access to what sensitive (private) information in your company, and make sure it is appropriately limited and controlled.
  5. Train your employees to be security conscious. Start with phishing training.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

For starters, let’s get every single person to stop using “123456” or “Password1” as their password! If we started with that, it would increase awareness of the reasons behind it, security consciousness would take a great leap forward, and so would the online safety of millions of people. Imagine a world where no one got hacked — wouldn’t we all be a little bit nicer, and able to focus more of our time and energy on making things better for everyone?

How can our readers further follow your work online?

Follow me on LinkedIn or at blog.bitwarden.com.

https://www.linkedin.com/in/michaelcrandell/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.

Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.

Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.
