Return On Insights Podcast, a property of Partner Marketing Works Int’l. Inc.

The Hidden Risk in Your Data: Rethinking Cybersecurity with James Oliverio

Return On Insights, a PMW Inc. partner company Season 2 Episode 9


What if your company’s biggest cybersecurity threat isn’t your network… but the files your team uses every day?

In this episode of Return on Insights, David Lindover sits down with James Oliverio — founder of IdeaBox and creator of ActiFile — to uncover one of the most overlooked vulnerabilities in modern business: unstructured data.

From spreadsheets and PDFs to internal reports and shared documents, James explains why the files organizations rely on most are often the least protected. Drawing lessons from major breaches like Sony and Equifax, he reveals how traditional cybersecurity strategies continue to leave critical gaps exposed.

But this conversation goes beyond fear and headlines.

James introduces a smarter approach to data protection through ActiFile’s agent-based encryption technology, which secures sensitive files from the moment they’re created — making stolen data unreadable and effectively useless. He also shares his powerful “Return on Mitigation” (ROM) framework, helping leaders rethink cybersecurity not as a cost center, but as a measurable business investment.

The discussion also explores the growing risks created by AI, the challenge of managing expanding data footprints, and why companies need to understand what data they have before they can truly protect it.

If you believe your organization is secure, this episode may challenge that assumption — and change the way you think about cybersecurity, risk, and business resilience.

🎧 Listen now to discover:
• Why unstructured data is the next major cybersecurity battleground
• The hidden weaknesses in traditional security models
• How AI is amplifying data risk inside organizations
• A new framework for quantifying cybersecurity ROI
• What businesses should be doing now to protect sensitive information

Our Guest:

James Oliverio: https://www.linkedin.com/in/james-oliverio-7659ab/

Follow our hosts:

David Lindover: https://www.linkedin.com/in/davidlindover/

Erin Abbatangelo: https://www.linkedin.com/in/erinabbatangelo/



Return On Insights, a property of Partner Marketing Works Int’l. Inc., is a collaboration between Erin Abbatangelo and David Lindover, operating as a media division of Partner Marketing Works.

SPEAKER_01

Welcome to Return on Insights, the show where candid conversations with bold founders and leaders spark actionable insights for your business. I'm David Lindover.

SPEAKER_00

And I'm Erin Abbatangelo. Every week, we pull back the curtain with leaders who are scaling teams and shaping the future, sharing the insights that create impact far beyond the bottom line.

SPEAKER_01

Discover how high-performing companies build enduring cultures, inspire teams to think bigger, and turn vision into action. If you see storytelling as your strategic advantage, you're in the right place. Welcome to Return on Insights Podcast. I'm David Lindover, your host for today's show. Our guest today is James Oliverio, founder of IdeaBox and cybersecurity innovator behind a company called ActiFile. He reveals, pardon me, why traditional cybersecurity misses the mark, focusing on databases while unstructured data in spreadsheets and docs drives the massive breaches like Sony and Equifax. He highlights ActiFile's agent-based platform, which discovers, values, and encrypts sensitive files at the source, creating a Netflix moment where stolen data becomes useless. James shares his engineering roots, the return on mitigation framework to prove security's ROI, and strategies to overcome MSP agent fatigue, targeting mid-market firms and regulated industries who are hungry for real risk reduction. Welcome to the show, James. Good to have you.

SPEAKER_02

David, thank you for uh for allowing me to join today.

SPEAKER_01

My pleasure. So, first off, walk us through a real-world breach where unstructured data was the silent killer. How did it slip past the perimeter defenses?

SPEAKER_02

You know, in most breaches, uh, you know, it's always done in the rearview mirror. It's it's you know, a breach occurs. It's not if, it's when it's when. And when you look at you know, how most firms and why it created IdeaBox is, you know, is that things are gonna happen. And it's really, I think, about the unstructured data, the spreadsheets, the Word documents, the files that's actually stolen. So if you look at the traditional breaches of the past, present, and future, right, we want to prevent the future. So it's what's happening or occurring is that data is stolen, not the databases, it's stuff in the spreadsheets, the word documents, the PDFs, that creates the greatest risk for companies. So in the instance of Equifax or Sony, or even the NSA, it was in the spreadsheets. It was the most valuable data, the most sensitive data stolen.

SPEAKER_01

So, what sparked your shift from engineering to founding IdeaBox and building ActiFile? What problem was keeping you up at night?

SPEAKER_02

I think the problem is that when I looked at and studied uh several years ago, I was invited into a program at Harvard University on mitigating risk in the information age. We took apart all these major breaches at the time, Sony, Target, Equifax, and the NSA. And what was very daunting was that they had all the great tech. They had all the solutions, they had the best tech. But why were they still being breached? Why was data being stolen? So three things occurred. It was one, separation of duties. I think this out of that program, which we look at the markets today, you can't be the CIO, the security officer, and the and the chief information officer. I think they've separated those roles. If you look at any major institution, I believe this program had an impact in the markets and firms woke up. So a CIO used to have the CISO report into them. Now that's changed. It's I think the CISO reports into legal or risk or the board of directors and has a dotted line into the CIO, but they've separated those two things. Two, the amounts of data that was stolen when they peeled it back, when they forensically looked at the data that was stolen, it was the unstructured data. And then lastly, how do we make some rubric, how do we build a rubric around this and explain it at the C level? That's where ROM comes in, return on mitigation, explaining the ROI of cyber. So that I think those are the three things, those are the elements that uh takeaway. But the key thing, even today, a breach occurs, they peel it back, they get a sense of what data was stolen and it was used against them. And so it's where where the knowledge workers work. And that's I think that's the biggest challenge. And I'll talk later, I guess, in this podcast. The greatest risk now, artificial intelligence has arrived if they're taking information and throwing it up on these large language models. Firms are it's an awakening. Uh, I uh at uh it's it's coming.

SPEAKER_01

Yeah, it is. So, so break down this ROM framework return on mitigation. I'm I'm I'm fascinated by that idea. Um, and how do you quantify unstructured data risk in dollars to sell security as a profit center to the CISOs or the CIOs?

SPEAKER_02

That was the body of work. I got involved with a company called ActiFile several years ago. They reached out and said, we love your return on mitigation story. You know, the message you're trying to change the conversation. And we built a platform that actually goes out, looks for PII, PHI, and using the Fair Market Institute puts a value on the record inside the file. For example, if there's a hundred date of birth records, we value the date of birth record at $10. Where we got that metric was from the FAIR Institute, where it says look at the we look at prior breaches, and breaches with date of birth or other types of data, we value it with the legal cost at that dollar amount. A credit card valued at $100, so on and so forth. So getting it down to a record level and then assimilating it and calculating it up is part of the ROM calculation. So when you look at ROM and its core, what value are we gaining by reducing our risk exposure? So for example, if I've got a million dollars of risk and I make an investment of $100 to mitigate that risk, that's a 10x return, right? So it's putting it into some language to the board, to the owners of these businesses, that no longer are they navigating in uncharted waters because we're asking, we ask and answer a fundamental question down that ROM path. What data that's coming in and out of your ecosystem that creates your greatest risk? So that's where the ActiFile technology goes out. It was able to build that data risk assessment and start the conversation, right? Did you realize that this file just came into your organization has 500,000 rows of data? And then most of those rows of data are patient records, their date of birth, prognosis. I'm using the medical example, which we uncovered, but that's that's the key, that's the key elements. Getting the conversation towards what's meaningful to the C-suite.

unknown

Okay.

SPEAKER_02

Interesting.

SPEAKER_01

So uh generally speaking, what kind of initial response do you get from the C-suite when that's the conversation? When they have that aha moment and think about all of those unstructured pieces of information that are flying in and out of their organization. What what do they say to you?

SPEAKER_02

It's it is the aha moment. If they allowed us to come in and put our agents out there and set our classifiers, look for PHI, look for PII, look for credit card information. If you have, if that particular client had a patent or a trademark, we'd build a special classifier to show them here's who's working on those documents in your environment. When we show them and map that, we we put a data risk assessment together, and that's metrics, right? These are the KPIs that we believe are important. For example, here's an assessment. We've got X amount of millions of records in a few hundred thousand files across your environment valued at seven million dollars of risk. We took a look at that data set that we detected, and it it's aged. Most of the data is really old. Again, most of the data that sits on networks is old. It's aged. In some cases, it's years old, right? Of the data set, we took a small sampling, the top 25 risky files. Look at the age of those files, and it's they're spread across all of your network on the downloads folder. Here are your top users interacting with that data. So when it's it's it's really an eye-opener, because now they're looking through for the first time, instead of technical jargon, wait a minute. So this is the data that's coming in through Outlook and Messages, up on SharePoint, up now they're starting to get Dropbox, Box, the cloud. Yes, these are the files, right? And here's what the risk factors are. In some instances, we've walked down the path with a lot of the clients. They go, hmm, I don't understand why this person in my shipping department has risk on their machine. I said, you need to go investigate that. True story. And it was they were put in the wrong group inside the company, and that person in the shipping department was surfing all sensitive files of the company. A simple fix, right? But you don't know, you don't know until you do it. 
So I we think a key element that why most firms get suffer is they don't really deal with the core of the matter. It's the unstructured data, right? We've been, you know, schooled and put up a firewall, put up, you know, egress in and out. But the truth of the matter is they're gonna get in. Okay. What better way to have a preemptive way to like build we built the technology that follows the file. If it's supposed to be protected, we protect it. So if it's stolen, that's the Netflix moment, and what we call a category data loss prevention. We don't block it, so they take it. They can't use it because they can't read it.

SPEAKER_01

Right.

SPEAKER_02

It's exciting.

SPEAKER_01

So so with remote work and AI tools amplifying opportunities for human error, give us your top prediction on the next unstructured data threat.

SPEAKER_02

I think AI will become the the biggest data exfiltration engine in history accidentally. Because when you think about it, that people are today taking bits and pieces of information. For example, I'll use a company that deals with contracts, contracts, financial data, medical records, and they're throwing it up on ChatGPT, Grok, and large language models. And you go to these companies, what's your AI strategy? We don't have one. So they're letting the patients run the asylum. Employers are feeding the AI models and tools. So unstructured data now is more important because it's a fuel to AI. And right now nobody knows what fuel is being loaded. But we have we solved that equation.

SPEAKER_01

Yes. Very good.

SPEAKER_02

So we think that's the that's the biggest thing coming. And um firms need to figure out what data they have internally. They want to maybe not become part of that AI learning and use it for their benefit, not against them. That's all.

SPEAKER_01

Got it. Um, I understand from uh our our prep conversation that you've got some PE interest brewing in your organization. What what makes ActiFile a prime target for mid-market medical, financial, and governments?

SPEAKER_02

I think I'll start at the very high level, recurring revenue, compliance pull, and AI relevance today, right? Because our model is recurring. It's it's an always-on type of solution you're you're delivering. So we discover, classify, and value, and encrypt that data, right? And what's driving those those elements, right, and PE firms are in tune with this. You've got compliance, you've got the FC, F E F you know, FTC, SEC, healthcare, and now you've got CMMC and CUI, government, et cetera, right? The mid-market and enterprise, you know, they're drow they're just drowning in data. It's dre it's it's it's growing exponentially. And then we solve a category problem, right? We're not just malware, we're not a DLP, and we're not just encryption. Right? So we're different we're a little bit different because some of the people behind this platform of ActiFile came out of those platforms like DLP and other competitive product security and decided to create the Netflix moment in our category. A category we created, which is data risk assessment, data management for compliance, and other. It's something that's really making itself into the C-suite to whether you're a small operator to a board. Some of the work body work that we work on today is going into boardrooms. They want to see what their latest risk assessment looks like, right? Even though they're thinking protecting, you never know what's coming into your environment, whether someone's pulling it down through a website or someone sent it in an attachment. So, example, I'll pivot real quick. Imagine your company on our platform has you know five million dollars of risk and it went up 10x. Right? We're able to see what came in and have a conversation about it. Do you realize that we always you're you always hovered around here? We narrowed it down to it looks like it came in through a bunch of attachments. True story.
So when we pointed the client towards the attachments, those attachments, we can't see the contents of it, but it tells us it's got PHI, PII, 500,000, 600,000 rows of patient data. They were able to make a decision. You know, we don't need to have eight copies of this. And secondly, let's make sure it gets protected. So make sure the classifier is turned on, that no matter who's working on it, it's protected. That's a different way of sitting back, if you're in this the this decision in when it calls cybersecurity, it's a very broad market. Oh, we have a cyber risk policy that's gonna protect us. No, it's not. Someone when someone says, Oh, we've got we've got cyber risk policies, well, let's talk about that, right? Look at the the the history and the data that's out there. Only 44% of claims in 2024 were paid out because the insurance companies woke up. They figured out whatever forms you filled out, you whatever boxes you checked, there's outs. The game has changed. And we believe it's all about the the knowledge workers. Now that with COVID and everybody shelter in place, they're working on spreadsheets, Word documents, confidential information that's sensitive, that we can now protect on the fly.

SPEAKER_01

It's a very compelling story, James. I appreciate your time today. I hope our audience got a lot of value. I know I did, and uh hopefully we'll get to talk to you again. Best of work in the future, and hopefully that PE funding comes through soon.

SPEAKER_02

Yes, thank you. Appreciate it.