Raju Vegesna of Zoho: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Jason Remillard

Jason Remillard
Authority Magazine
Nov 2, 2020


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Raju Vegesna.

As Chief Evangelist at Zoho, Raju Vegesna plays a leading role in presenting Zoho’s message to the business market worldwide. He has been with Zoho nearly 20 years, and in that time he’s seen the company grow from being a few-app SaaS vendor to a global technology company, providing more than 45 applications as part of a deep tech stack, built entirely in-house.

As a longtime privacy advocate, Vegesna has spearheaded the company’s many initiatives and industry-leading policies, most recently removing all third-party trackers from every Zoho product. While deeply knowledgeable about technology and critical to the engineering and marketing process of each new app or service, Vegesna is also heavily invested in the culture, supporting and initiating programs that not only benefit Zoho’s more than 7,000 employees but also communities in which they live.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in India, where I got a BS in Computer Design. What I was learning in school didn’t feel all that useful, and I ended up failing Networking class three times. My least favorite subject was AI because it didn’t make sense to me then. That experience shaped my philosophy on education and has influenced the course of my career. There is no replacement for on-the-job training and real-world problem solving.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Early on in my career I started a company doing email hosting for the education market. It was in doing that job, and absorbing so much information while building skills, that I realized the full potential of software and technology. I also learned that the other side of that potential is a risk, and that the need for cybersecurity was tremendous.

Can you share the most interesting story that happened to you since you began this fascinating career?

Last year, Zoho purchased a large plot of land in a rural part of Austin, Texas, where we planned to build our US headquarters. After talking to employees and rethinking the tech campus model, we decided to use the land and the small farmhouse on it to create a new kind of work environment. We decided to use the land for sustainable farming. Now we have a flourishing farm full of vegetables and fruits all grown by employees. Some may be surprised to hear that one of our forms of collaboration and connectivity with employees during the pandemic has been tending to our farm and growing crops. It’s given our employees the chance to connect with one another through sustainability and better yet lessen our carbon footprint. It also works to provide a glimpse into our vision of the future of work being done in open spaces with a connection to nature and in smaller teams.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Sridhar Vembu, Zoho’s CEO and Co-founder, has been my mentor every step of the way. We sat next to each other in the office for over 17 years, and throughout that time I’ve learned so much from him, not just about software but about life and what is truly valuable.

Are you working on any exciting new projects now? How do you think that will help people?

We’re currently working on a global growth strategy called Transnational Localism, which focuses on moving out of urban cities and into rural communities by initiating satellite offices. These offices provide opportunities for smaller communities that do not have access to the same technology in urbanized locations. Sridhar Vembu left his home in the Bay Area earlier this year to set up a satellite office in a small village in India. There, he is currently training locals on engineering projects, coding, and more, while employing several others to do engineering and even farming. I’m focused on applying this strategy in the US. So far we’ve opened up an office in New Braunfels, Texas, and have hired 7 local employees, whom we’re training as pre-sales engineers, SDRs in sales, and support engineers.

At the same time, we are continuing to push our focus on privacy and bring more awareness to the topic. While the news continues to play up Big Tech’s role in the collection of consumer data, we want to make sure there is also a focus on adjunct surveillance and employee privacy. Adjunct surveillance is the surreptitious capturing of user data via social share buttons and through cookies embedded on company websites and within business applications. Essentially employees and consumers alike are being tracked, and while this behavior is currently legal, we contend that it is not moral, and with more awareness we hope to bring changes and the eventual end to adjunct surveillance.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

With our company of 8,000+ employees going fully remote in just a month, there were major changes that had to be made both on the employee side and the company side. Because of Zoho’s company culture, the nature of remote work actually aligned very well with Zoho’s values. We have stressed the importance of flexible work environments, and have actually encouraged our employees to design their own schedules. We understand that life is not the same as it was eight months ago, and we want to make sure that our employees can take time out of the day to help their children with remote learning, spend time with their families, etc. Yet, to make this flexible model work effectively, we have put a large focus on communication. Communication among employees and their managers, communication between employees and customers, and so on. To avoid burnout we find that listening to our employees’ needs and practicing transparency in expectations goes a long way in combating burnout.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

When it comes to cybersecurity, it’s been interesting to see the creative approaches enterprises are taking to stay one step ahead of hackers. Many organizations are hosting hackathons or taking a page from the FBI playbook and hiring hackers to stress test their security systems. This type of proactivity is so critical while much of our workforce is operating remotely. Cybersecurity is no longer an afterthought, and I think that is one of the most important trends in the industry right now. But we can’t overlook the other challenge when it comes to protecting data — which is privacy. We don’t want hackers to get their hands on our data, but consumers also are tired of having their data sold to marketers. I’m excited about the attention being paid to consumer data privacy protections right now, from a policy standpoint and steps from companies taking matters into their own hands. The conversation is evolving from “here’s why this is wrong” to “here’s how we change it.”

At Zoho, we personally take privacy and data protection very seriously. We have never sold customer information to someone else for advertising, or made money by showing customers other people’s ads, and we never will. This has been our approach for over 20 years, and we remain committed to it. We don’t see many companies taking this philosophical stance when it comes to protecting consumer data because it doesn’t make financial sense — but that’s starting to change, and it’s encouraging to see.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

It’s clear that our workforce will be forever changed post COVID-19. Many organizations are still scrambling to bolster security due to how suddenly we had to shift to remote work back in March. Companies are also rethinking how they structure the work day, where they cluster talent, and what tools they need to power a more distributed workforce. Our workforce is mostly remote now and these software tools are an essential part of doing business, but come with risks when it comes to privacy and security. This is especially true when leaders take shortcuts and rely on free tools instead of investing in more sophisticated infrastructure to give employees the tools they need to be productive. Typically when a software is free, you’re giving up huge swaths of employee information and data to a third party.

I think the biggest threat leaders should watch for is surveillance within workplace software tools, which can erode employee and customer trust. In a recent survey by the Pew Research Center, 74% of US adults said it is very important to them to be in control of who can get their data and personal information. As more companies and consumers learn the true cost of free, we will see people start opting for more private and secure platforms to digitally run their businesses.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

There was a time in my career when I was in charge of managing all data operations at Zoho — mind you this was in 2005 before we had a Security team. There ended up being an incident in which hackers were trying to gain access into our system, and remember I was responsible for leading security. What surprised me was that I expected customer networks to be more secure. In those earlier days, not a lot of SaaS companies had the capital to invest in secure systems, but we were always trying to change that. And the truth is, how many SMBs can actually afford security teams? From then we learned that security was something that we needed to provide for our SMB customers.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

In a perfect world, consumers would not have to take extra security steps to ensure their data isn’t stolen. Unfortunately, we know many breaches occur from human error and scammers are very creative and smart in their email phishing attempts. Zoho takes cybersecurity very seriously, and because of this we make sure all the tools we use have strong security functions built in and automated. Our software uses two factor authentication to ensure secure logins, password management tools to ensure passwords stay safe and protected, and more. We know that even with the best intentions, people can forget or make mistakes and that is why we use software that automatically provides protection.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

There are two points a company, even if small, can focus on to make sure their cybersecurity practices and tools are in top shape. The first is that the company itself and employees need to be alert and educated about not only cybersecurity but also how it relates to data privacy. Educate yourself and your business on what to look out for like examining third-party privacy policies, searching for applications that don’t collect data, and even creating a privacy pledge for your company. These practices will limit the amount and makeup of data that can be breached. The second part is using smart software tools that do some of the cybersecurity work for you. You’ll want to use tools that are serious about protecting your information and make breaches and attacks nearly impossible. Look for software that has AI cybersecurity functions, monitors logins, and alerts you of suspicious behavior.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Some of the most common signs that something could be amiss within your cybersecurity are unusually slow internet or devices, locked user accounts or trouble logging in, and your computer acting strangely. If your computer is running slowly or you notice that many computers within your organization are running slowly, this could mean that your company is experiencing a data breach, as network slowness can be generated by transferring files outside the network, or it can indicate onboard malware or viruses or suspicious outbound traffic. Another sign is locked user accounts and/or trouble logging in. This is a common problem when cyber attackers have attempted the password too many times and now you are logged out, or the hacker has already gained access and changed the password, so that you no longer have access. It is critical to change passwords often, implement multi-factor authorization, and make sure that passwords include letters, numbers, and special characters so that they are harder to access. In addition, IT teams should always check in to passwords that have stopped working to ensure there has been no breach. Computers acting strangely is one of the most common ways to know if your cyber security is at risk. Pop ups, ads, antivirus warnings, new toolbars, and the cursor moving on its own are all indicators that something could be amiss.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Number one, alert their IT teams and get them working on the issue right away. Then you’ll need to assemble a team of experts and get them working on this as well, and start fixing your data vulnerabilities. After your team has found and fixed the issue, you’ll want to start testing those fixes before making anything live again. Make sure that they are strong and don’t rush, take your time. Then you’re going to need to alert authorities and any affected customers. This is very important and you should always make sure that any affected personnel are made aware of the situation. The best thing you can do is build a better, more secure, and more private connection moving forward. Always have a plan in place, and always work to innovate and strengthen your security and privacy policies.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

At Zoho, we see the GDPR and CCPA as important privacy measures that align with our values. We hope that new policies that may emerge will force businesses to rethink revenue models that don’t rely solely on selling customer data. In our nearly 25 years as a company, we’ve never sold customer data or made a single dollar from ad revenue, and we never will. Because we’re not here to make money off of your data, we’ve never made compromises with your privacy or collected more information from you than we needed. We’re proud to continue that commitment to you by living up to the CCPA’s standards as both a business and as a service provider.

Zoho has worried about customer and user privacy long before it became fashionable, politically correct, or legally binding to take such a position. We ask for only the least amount of information necessary, gathering only what we believe is essential for doing business, or for the specific transaction at hand. We let customers know the information we have on them and allow them to opt out of specific engagements. We’ve removed all third-party trackers from our properties. But, by far, our biggest commitment is that we do not make a single dollar from advertising revenue, not even from the free editions of our products. This means we avoid the fundamental conflict of interest between gathering customer information and fueling advertising revenue, and the unavoidable compromises in customer privacy that it brings.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Not surprisingly, COVID-19 has created a fertile environment for privacy abuse and security failures. Troves of personal information are changing hands regularly as governments and healthcare workers use data to slow the spread of the virus. Recently the US, UK, and Canada have all said that Russia has launched cyberattacks on COVID-19 research centers, targeting this data. The immediate concern may be data security, but some technology being introduced to track the spread of COVID-19 in the first place raises troubling privacy concerns as well.

In Europe, the General Data Protection Regulation (“GDPR”) requires businesses to protect the personal data and privacy of its citizens for transactions that occur within EU member states. Recently Swedish retailer H&M got fined $41.3 million for illegally surveilling its employees in Germany. It was determined that the company was found to have excessively monitored hundreds of employees since 2014. The monitoring included extensive recordings of details in their private lives.

I think businesses make security mistakes when they put profits first and when they rush to market, even if the product is a well-intentioned app to, say, reduce the spread of a virus. And the other mistake is thinking somebody else is going to protect your company’s data. People and businesses need to stay vigilant in updating their security software and protocols to keep pace with evolving threats.

Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Data becomes particularly vulnerable during and immediately following an emergency. Whether natural or man-made, disasters and the resulting confusion and fear have a way of leading to relaxed data privacy and security protocols. Due to the current COVID-19 pandemic, the window for new abuses and misuses of data has been open for seven months now and continues. The decisions citizens, businesses, and government organizations make (or don’t make) today to protect data and privacy will determine when this window of misuse shuts, if at all. The mistakes of the past should inform those decisions.

Working from home has unintentionally spiked rates of security breaches. Too many organizations have left themselves wide open for attack. Understanding the pathways for access within a company’s data network is a valuable lens for businesses and agencies to avert leaking their own assets.

Public sentiment and adherence to much needed data privacy statutes such as the GDPR in Europe and California’s CCPA are improving around the world. Companies are starting to comply with these measures to continue doing business in places like Europe and the United States. Very few non-compliant companies, however, have been fined by regulators so far, and it’s clear that in order to fully dissuade businesses who trade in user data from breaking the law, policies like GDPR need more public support to effectively hold businesses accountable. At a time when the current crisis further threatens to erode privacy and security, calls for compliance and vigilance need to get louder.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Use ad-blockers and anti-tracking plugins on web browsers.

Of course, most of the websites we enjoy are free, but like I’ve mentioned earlier, most free products still come with a price, and that comes in the form of ads. As harmless as many online ads are, some pop-ups tend to overload your browser and can become extremely frustrating. Cookies and other ad trackers are notorious for being cybersecurity threats and weakening your online privacy. Ad blockers are great at protecting your privacy online. The more advanced ad blockers and anti-tracking apps let you block irritating ads, make your computer run more smoothly, and stop those annoying pop-ups.

2. Vet user agreements thoroughly and make software decisions accordingly.

One thing that makes consumer privacy very tricky is that consumers are signing terms and conditions that are allowing these companies to collect massive amounts of data and sell that data. So technically, what they are doing is legal. But if consumers and companies took the time to thoroughly read these terms and conditions and user agreements, I think they would find a lot that they disagree with, and may be more cautious with what software they feel comfortable downloading. You may not think you’re vulnerable, but anything connected to your organization’s network is a potential threat to you and your company.

3. Turn off unnecessary tracking and location services on phones and computers.

Apps and even services on your smartphone are constantly tracking your locations and many consumers don’t even know this. Of course, while location tracking can be convenient, it also is a huge privacy and security issue. There are many articles online on how to turn off these features and I highly recommend looking into turning these off and making sure that you’re prioritizing your privacy.

4. Opt-out of information sharing on websites whenever possible.

Most websites on the internet constantly collect data and information. Some websites can even collect data from your open tabs, so if you care about being in control of who uses your data, take time to understand what information you’re giving up. You can use websites like “Simple Opt Out” that make it easier for consumers to opt out of data sharing with more than 50 companies. For instance, you may not realize that Chase Bank may share your account balances and transaction history with non-affiliates to market to you. Similarly, Crate & Barrel may share your personal customer information such as transactions, email and home address with other select companies.

5. Business leaders should invest in remote software solutions that protect employee privacy and data.

With 2020 forcing most businesses into remote working, the need for remote software solutions increased, exposing a new area for privacy and data misuse. As we adapt to the “new normal,” security and privacy concerns for businesses must become a priority. Malicious activities from hackers, phishing scams, and more are increasingly becoming smarter and more frequent. Businesses need to look at remote software not only as a tool to help employees stay productive, but also as one that ensures security and safety for both the company and its employees. 2020 has revealed the flaws in software security and privacy and shown us that we can no longer ignore the importance of keeping information safe.

How can our readers further follow your work online?

https://www.zoho.com

Twitter: @Rajuv

https://www.linkedin.com/in/rajuvegesna1/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.

Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.

Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.
