WEBINAR Replay

Cybersecurity Roundtable: 3 Proactive Strategies for Guarding Against Risk


Publish date: March 7, 2024

Webinar Overview

This insightful Cybersecurity Roundtable featured guest speakers Freddy Feliz, CIO & VP of Information Technology of Mortgage Bankers Association, Bruce Phillips, SVP & Chief Information Security Officer of MyHome (A WFG National Title Company), and Bob Stone, VP of Snapdocs, and focused on proactive strategies to mitigate risks in today's changing cybersecurity landscape.

Panelists explored the impact of escalating cyber attacks and the rapidly growing annual cost of cybercrime. During the webinar, panelists discussed the critical components of an effective cybersecurity strategy and outlined the role technology plays in protecting sensitive company data.  

 

Key Takeaways

  1. An Effective Cybersecurity Strategy is Constantly Evolving: Cybersecurity strategies should be treated as "living, breathing documents" that evolve with the changing threat landscape. A successful cybersecurity program has a lifecycle that includes ongoing inspection, regular testing, and frequent updates.

  2. Humanize Cybersecurity Training: Cybersecurity training should be humanized and realistic. Training should be frequent, using believable real-world examples, and should consider the mindset of people who might fall for such scams.

  3. Clearly Communicate Risks to Leadership: Executive buy-in for cybersecurity initiatives is crucial. This involves frequently communicating security risks, outlining recommendations, and establishing the level of risk the company is willing to accept.

  4. Industry Collaboration is Important, but Challenging: Cybercriminals actively share information, resources, and tools to execute increasingly sophisticated cyber attacks. In contrast, industry regulations and lack of transparency make information-sharing challenging. Being open about cybersecurity incidents, vulnerabilities, and strategies is key to improving security across the mortgage ecosystem. 

Guest panelists

Freddy Feliz

CIO & VP of Information Technology, Mortgage Bankers Association (MBA) 

Bruce Phillips

SVP & Chief Information Security Officer, MyHome (WFG)

Bob Stone

VP of Engineering, Snapdocs

Read the full webinar transcript:

Freddy Feliz:
Welcome everyone. Let's jump right in. During today's webinar, we'll be discussing three proactive strategies for guarding against cybersecurity risk. I'm honored to be joined here by two fantastic colleagues, Bruce Phillips and Bob Stone. We'll do a quick round of introductions. I'll start. My name is Freddy Feliz. I'm the CIO and Vice President of Information Technology at Mortgage Bankers Association. I'm responsible for all the technology at MBA, which is a very interesting job in this particular climate. Bruce, would you like to introduce yourself?

 

Bruce Phillips: 

Thank you, Freddy. My name is Bruce Phillips. I'm a Senior Vice President and Chief Information Security Officer at MyHome, the Williston Financial Group Company. I'm effectively responsible for all of the cybersecurity for all of the Williston Financial group of companies. I've been doing this longer than I'd like to admit, and I'm really looking forward to some of the conversations we're going to have today. Bob?

 

Bob Stone:
Bob Stone, VP of Engineering at Snapdocs. I oversee our product and platform engineering teams as well as InfoSec and IT.

 

Freddy Feliz:
Thank you, gentlemen. Let's move to our agenda for today. As I mentioned, we have three main topics: the impact of cyberattacks on our industry, the strategies we use to safeguard our organizations, and recommendations on security best practices. We'll save some time for questions at the end for a live Q&A session.

 

The impact of cyberattacks on our industry

Let's set the stage here. First, we wanted to mention a few recent cybersecurity stats, and these numbers are never fun to share. 91% of cyber attacks continue to start with phishing emails. It seems to be a very easy and relatively inexpensive way to get in. Another interesting stat is that it takes 62 minutes on average from the initial breach to a lateral move. And as we all know, once the lateral move starts, it becomes more difficult to contain the threat. Lastly, the annual cost of cybercrime is projected to reach $10.5 trillion by 2025. This is a 38% increase year over year. Bob, Bruce, any comments on these stats?

 

Bruce Phillips: 

Every time I look at stats like this, it just amazes me. We wonder why cybersecurity is becoming such a big threat. When you look at that $10.5 trillion that's increasing at 38% per year, if it wasn't illegal, most business owners would love to get into this business, and that's exactly why we're seeing such an increase. There's money to be had, and who knows where the top of that number is going to be.

 

Bob Stone: 

I agree. It's an intense number and set of figures, and it's really what keeps me thinking. We have to continue to drive our security posture forward and be vigilant at all times within our company.

 

Freddy Feliz: 

Absolutely. And as we see in this slide, it's definitely top of mind with some of the recent events we have seen in our industry. This is a very good segue to discuss how we're thinking about cybersecurity in our organizations given these recent events. Bob, I'll start with you.

 

Strategies we use to safeguard our organizations

Bob Stone: 

My mind goes to what our industry is - it's a multiparty, high-dollar value transaction. We must be passing data and documents back and forth across multiple organizations throughout the process. You've got title companies working with multiple lenders, you have vendors either in the middle or as point technologies. And so much of it is coordinated through email, which, as we all know, is definitely not the most secure interaction out there.

With that as the stage, what I'm thinking about at Snapdocs is that we have our existing SOC 2 and the frameworks that we run. To me, it's a moment to inspect. We want to take a look at shoring up every process that we have. If we're doing third-party risk management reviews, are we sure that there hasn't been one that somehow missed our process? We're trying to make sure that we are shoring up the edge. It's effective and efficient to understand our risk profile and to act when different things are happening.

And so to me, it's a big moment of inspection. The other thing that I really think is it's a moment to elevate the conversation, making sure that my executive team understands the landscape, understands the risk profile, understands what kinds of things we need to do as a company, and elevating that conversation across the business as well. It's not just our senior leaders who are going to get phished, it's every employee who might get phished. So we're trying to make sure that we are elevating the conversation and ensuring there's education. Bruce, what about you? What do you think?

 

Bruce Phillips: 

One of the things that keeps coming to my mind is that I've been in this industry almost 25 years now, and I remember 24-25 years ago, having conversations with my colleagues that were in other industries and chuckling because they were having all the attacks, they were having all of the problems, and no one really understood the industry that we are in. And so we've been skating, frankly. We didn't have to deal with a lot of the things that were targeted at other industries. Well, that's all changed. Now criminals know what we do. They know that there's money in what we do. We are the one-stop shop for identity theft. They see the value in this.

 

So now we're the ones that everyone's chuckling at because we're extremely in the crosshairs, and the challenge that we have is how do we step up a little bit and get better at what we are doing, reviewing our processes and procedures, reviewing our technology. We're in a change in what we're seeing from the cybersecurity landscape. For several years, it was just social engineering to enable wire fraud, and that was pretty much it. It really wasn't even phishing.

 

Well, now you're seeing a lot of phishing. Why are they phishing? To steal your credentials. Why do they steal your credentials? So they can get into your network. Why do they want to get into your network? So they can drop ransomware, steal your data, and then extort you for more money. And that's really what we're seeing today. It's almost a shift that we haven't seen yet in our industry.

 

So it's no longer "this is something that might happen to us." This is going to happen to you. You will get attacked. You will have someone try to drop ransomware on your systems. You need to be prepared. If you don't have an incident response plan, if you don't have a disaster recovery plan, you're behind the power curve. That's the shift that I see we're in.

 

Freddy Feliz: 

Thank you, Bob and Bruce. Excellent points. The only things I would add, and I'll start with your last comment, Bruce: Definitely, it's no longer a question of if, it's a question of when. Ironically, we have spent all of these years training our staff on how to identify phishing, how to look for broken images and typos. And now we have AI helping the bad actors to make these emails look almost perfect. I've seen emails that look better than the original emails. So definitely a shift of mentality there.

 

It's also the worst time for our industry. We all have experienced contraction. Budgets are smaller, resources are less, and we continue to have to respond to increased regulation and increased requirements from a middle management standpoint. So all of this is creating this perfect scenario for the bad actors to take advantage of these situations that make it difficult for us to address.

 

Another interesting fact that I always like to mention is that as an industry - and this is not only in our industry, this happens in almost every industry - every company has a secret sauce and they have their secret method of protecting their resources and their network, and it happens to be very similar. But we don't share that information, we don't collaborate. Meanwhile, if you look at some of the online resources, the bad actors are sharing everything. Once they find a weakness, they make it public. Once they figure out how to exploit somebody, they share that information. So it's a difficult battle and as an industry, we probably need to collaborate more and participate more to make sure our peers are protected.



Recommendations on security best practices

Freddy Feliz:
We gave you some bad news. Now, we want to give you some good news. So how do you ensure we have a solid cybersecurity strategy? And the good news is we have some best practices for you. Now with best practice number one, which is talking about processes and infrastructure, I'll actually have Bob guide us through this.

 

Bob Stone: 

When I think about inspection, the first step is understanding your current world. So what is the journey that data or documents travel through? What systems exist in your organization? Do you have a good data governance understanding of what is the full picture of what data is sensitive and how is it protected? And you really can't get into how it's protected if you don't know where it is. Freddy or Bruce, do you have anything to add to mapping out data and documents?

 

Bruce Phillips: 

Yeah, that's the number one thing. If you don't know where your data is, you can't protect it. And especially where we are as an industry, it's harder to make money. So you're trying to find more ways to make money and somebody's going to come up with this idea that we have all this data. How can we make money off of all of this data? You need to know that that increases your risk if you're not talking to your security team to say, "Hey, I want to use the data like this."

 

I also hold the title of Chief Privacy Officer. So you need to talk to your privacy team also, because sometimes the data you want to use, you can't unless you notify the consumers. But you have to understand where your data is, where it moves, who has access, and what you're doing with it so that you can then have the processes to protect that data.

 

Freddy Feliz: 

And I would add to that, in addition to knowing where your data is - knowing what type of data it is. I think many times organizations don't classify the data. So in a crisis or emergency, knowing which is more critical or could get you more trouble from a privacy standpoint, it's a good thing to know. Also know what your vendors are doing with your data because you might think that you have data on points A, B, and C, but your vendor might have a backup on two or three other locations.

 

Bob Stone: 

For the next point, identify the least secure activities and scenarios. So if we have the full map's journey of where data and documents go, what is the most risky action that's taking place? Are people emailing documents that have extra sensitive information? Is printing happening? Are they downloading, and it's sitting on their hard drive in the downloads folder and nothing's clearing that out? As you're leveraging your data passing back and forth, how does each of those open up risks? So if email is a way that you're sending information back and forth, well, then you might be more susceptible to phishing because an email from the appropriate company and an email from an attacker might look the same and you're used to just sending the data out. That's the activity that might be least secured and might be a place to focus.

 

Bruce Phillips: 

The very first thing I said to all the employees at WFG when I came in over nine years ago is that email is evil. We rely on email, we can't run our businesses without email, but it is evil. There are a couple of features that even make it worse. Reply-all is the most dangerous thing in email. Email is easily spoofed, it's easily manipulated. You have to understand what you're looking at and anytime you put sensitive information in email, you're just really increasing your risk. But that's all about understanding how you do business, what are the things that you are doing that increase risk? How can you reduce that risk? It's tough to do, it's tough to go back to all of your employees and say, "Well, what are you using, what is your secret sauce to make your job easier?" so that you can understand how people are using your data.

 

Freddy Feliz: 

And speaking of evils in the email world, one that I really dislike is out-of-office. I know people forward to their personal emails when they go on vacation or try to bypass controls. And the second one I'll mention is using email as a storage system. We should not be keeping everything on emails or keeping it beyond a certain number of months or years. To your point earlier, Bob, we need to start deleting things, not just keeping things indefinitely in the download folder.

 

Bob Stone: 

Finally, applying solutions that can better protect those areas. Are there technologies or protocols that can decrease the risk of social engineering? How do you choose the right ones? How do you have confidence in their security? When I think about this, I think about medieval times and you're in a castle and the enemy is at your gates. Well, each thing in front of you serves a different purpose, right? You have a drawbridge, you pull it up, you have a moat that serves a purpose. They have a trebuchet or a catapult, and inferior siege weapons, and they're going to hit the walls. The walls serve a different purpose than the moat. But all together, as a whole, that's what will keep you safe. And you have to understand where the risk is. How would you walk the walls before they show up? Can they get in the sewer grate? I'm sorry, I'm off on a Game of Thrones tangent here, right? But they blew up the sewer grate, right? That was the weak spot in the entire security. Well, the enemy knows how to find it, so you have to walk it, think like the enemy, and make sure you can apply some solution to make that vulnerable area a little stronger.

 

Bruce Phillips: 

One of the things that I always like to take a look at, using that analogy of walking the parapets of the castle, is the easier it is for you to come into your castle, the less secure that castle is. And so if you really look at the idea of the moat, the drawbridge, the actual castle walls, the inner keep - it's harder to get into the inner keep. When only a few people within the castle had access to the inner keep, it was harder to get in there. So the easier it is for you to do something, the less secure it is. The more secure it is, the harder it is to accomplish. And that's how you have to look at it. I love the idea of thinking like a criminal. Unfortunately, I get paid to do that and it really has people looking at you strangely when you start thinking like that and talking like that. But that's really what you have to do if you're looking at your business with a critical eye on how do I keep my most sensitive information mine.

 

Freddy Feliz: 

I was really hoping that Bob was going to mention some dragons on that bridge. I'm glad you made the Game of Thrones reference there. The only thing I would add is it is okay for us, the IT team, to be the least popular people in the organization. It's okay to secure print, it's okay to block emails, and to block attachments that are not recognized. So I highly encourage that, and some of these items we discussed, it is okay to disable them and get buy-in from the staff. In the long run, I think users will also appreciate it because it reduces that attack surface area.

 

Okay, moving on here. We'll go to our first pre-submitted question. How can we put title companies and lenders at ease in knowing we are taking all the precautions available? I think Bruce, this would be a good question for you.

 

Bruce Phillips: 

I have to laugh when I see that. One of the challenges, and we mentioned it a little bit earlier, is we need to be able to communicate better. We're all doing the same thing when it comes to security. The secret sauce isn't how we secure our information. The secret sauce is how we differentiate from our competitors in doing our business. And we need to understand that we need to be open. What am I doing? What am I concerned about? What are you concerned about? 

 

Whenever I answer questions from lending institutions, real estate institutions, and others, they're asking the same questions that I'm going to ask somebody else. We need to be communicating openly in saying this is what I'm concerned about. Here's how I protect my data. We do our SOC 2 every year. We provide that. It shouldn't be a one-upmanship or I'm looking to break what you're doing, but understanding what you're doing and then making a risk-based decision. So really, how do you make me comfortable? Be open, and communicate. We're trying to do the same thing at the end of the day. I'm trying to protect the data that we have on consumers and I'm trying to make it as hard as I can for criminals to be successful so that they don't make money.

 

Bob Stone: 

I was really hoping you'd give me the answer so that next time we have our third-party risk review with you, I know exactly what to do here. But as a technology provider, I see SOC 2 as the starting point of the conversation. It's nice to get one. It's nice that it has good detail. It's nice that it's long. Tell me more, right? And so as we try to answer all the questions that we get in questionnaires, as we try to provide information to our customer base of why we think we are implementing the most secure practices that we can, we make sure that we put out there, this is what we're doing. And be open to continuing that conversation, going a layer deeper. I think that's a big one for me here.

 

Bruce Phillips:
Yeah, in full disclosure, I think that the first conversation that you and I had was about third-party risk management.

 

Freddy Feliz: 

I'll give my two cents here. The scariest thing for me is a SOC 2 that has no findings or no areas of improvement. So it is okay to have flaws as long as we see that there is remediation or there are actions to improve those controls over time.

 

Bruce Phillips: 

Yeah, that's the funniest thing that people think. There are different levels of findings within the SOC 2 and everyone is always going to have an observation or a finding around something. That doesn't mean it's bad. It means that you're actually being truthful, the way I look at it. And then what are your remediation plans? How are you going to fix that? Just because I say I have a SOC 2 doesn't mean I'm doing the right things.

 

Freddy Feliz: 

Well, let's move to the next question. What is the preference for using a platform for communication versus regular email? Bob, I think this is a good one for you.

 

Bob Stone: 

I think it's more of a case of right time, right place. When I think about regular email, it is fast to get information back and forth, but it's not the right place for sensitive information to travel back and forth, right? So leveraging a platform, interacting with that platform, and not relying only on emails. The platform might send - like an analogy I have on this one is I will sometimes get an email from my bank. And it says something like "Go check on something."

 

I've never clicked a link in that email, but I will log in the way I always log in and I will look for an error message. I will look for an alert, I'll look for whatever was in the email that they might have sent. And so to me, leveraging email as a mindset of like a notification and not a step where then I click this and do the next, it's more of a reminder. I think that's really where my mind goes with that one.

 

Bruce Phillips: 

Well, yes, that's actually perfect. Right. If you have to communicate something that's sensitive, email is not the medium to do that. And I'm sure someone's thinking, "Yeah, but I use email encryption." What email encryption really does is ensure that what you're sending is encapsulated so that no one else can see it.

 

However, email is insecure by nature. So if you have the wrong email address and you're sending that secure document to criminals, it's not stopping the criminal from reading that email. All you're doing is sending them encrypted data. You need to get away from using email for this sensitive type of stuff. Any financial information should never be in an email. What we do at WFG is we will never send you wire instructions via email.

 

We have a portal, you can log into the portal, and you can get our wire instructions. We would prefer you to get your wire instructions to us on our portal. Simply because we know who's accessing that, we know it's secure. We know the trail that it's gone through to get there. It's really the right technology for the communication that you need to do.

 

Freddy Feliz:
I couldn't agree more. And I see it every day, someone using an email to transmit something that should not be in an email. And I just think of all those emails that people are reading on their personal devices or on their personal computers or on their mobile devices.

 

So definitely, no, it's not the place for that information. So thanks for that. Let's continue here. Best practice number two. Bruce, can you walk us through these steps, on how to treat cybersecurity as a living, breathing document that continuously evolves?

 

Bruce Phillips: 

One of the things that you need to look at when you say, "Well, I have security. I'm good, I'm going to go do other things." The threat landscape that you operate in changes - it can change daily. At a minimum, it changes almost monthly. And so you need to understand that there are frameworks that exist, whether you use the NIST cybersecurity framework, ISO 27000 series, or whatever framework you're comfortable with, you build your cybersecurity program around that framework.

 

As soon as you build that framework, you need to take a look at it and you say, "Does this meet my business needs?" Then you need to practice and test that framework and then you need to refine it based on what you've learned and then you go back through and you redo it. And that's not just your cybersecurity program but your incident response plan and your disaster recovery plan. And if you have one, your pandemic response plan is a living, breathing document. 

 

Things change, the attacks change, and what your business is doing changes. As you change through all of these things, you need to periodically review your strategy, your programs, your policies, and your procedures, and test them. If you have a procedure for backing up your data, have you ever tested it? Have you ever tried to go get that backup and load it in and see that it's actually worked?

 

A lot of people get surprised when they try to use it because of a problem and it doesn't work anymore. And then identify the things that work well, identify the things that don't work well, and then update your plan. Review it at least annually - you need to review your policies and procedures. And in some cases, even more frequently than that.

 

Bob Stone: 

I completely agree. If I think of a specific example, for a number of years we were checking the box in our framework around phishing because we had one training course and we took it every December or at the start. Well, an onboarded employee takes, I don't know, 20 hours of training right away. What are the chances that sunk in?

 

We need to improve our cybersecurity training approach. Instead of annual sessions covering just the basics, we should offer more frequent, realistic, and relatable training. It's crucial to understand the employee's perspective when encountering phishing attempts. Our goal isn't simply to check a compliance box; we must prioritize actually preventing employees from falling for cyber attacks. Effectiveness matters more than mere compliance.

 

Bruce Phillips:

That goes back to the discussion around SOC 2. Yes, I phish. Well, how often, and what do you do with it? Are they realistic? How do you measure the effectiveness of it? Those are questions that aren't in questionnaires that we need to share and share best practices, so we can all get that.

 

Freddy Feliz:

Excellent points. I would add one thing to the practice and test. Most organizations just test the plan as it's written, but when you have an incident, it often doesn't happen during business hours. It doesn't happen during weekdays. It doesn't happen when everybody is in the office. It can happen when someone is sick or when it's raining outside or there's a snowstorm.

 

So try testing those plans under different conditions. I like to pull someone away from my team when we do these tests, because in a real scenario, they wouldn't be there, or someone could be missing. Making sure everybody understands how to apply that plan, and how to execute it in the event of an emergency. 

 

Okay. We have another pre-submitted question. This one is: How do you control things outside of your sphere of influence? I'll take the lead on this one. In my particular case at MBA, I play different roles. So one day I'm a vendor, one day I'm a customer, one day I'm governing certain things. We have a smaller sub-organization that is drafting standards for the industry in MISMO. So it varies from day to day, but the important thing is making sure that everybody is accountable, and that everybody understands what you're trying to do. So it's not just the IT department or the technology department that is responsible.

 

So make sure that we are all part of this process. I try to make sure that everyone knows what's going on, what the impact on the organization is, and what the impact on our customers is. In some cases, even things I have control of could vary when we have to deal with regulators or with other entities that reside outside or above our control, right? Or our members are subject to regulation also. The rules vary from regulator to regulator.

 

So I keep that communication channel open, making sure everybody understands what we're trying to do and in many cases over-communicate. So you can really make an impact in terms of influence. Bob, what do you think about this question?

 

Bob Stone: 

When I first read this question, I split it into two different responses. One was within my company. How do I consider other departments? How do I make sure they're doing what they need? And to me, the communication, making sure you can bring it to them in a way they can absorb. I'm a big fan of analogies as the castle analogy showed, trying to make sure that they understand at their comprehension level. Not everyone's going to be a cybersecurity expert. 

 

The second was around interacting with third parties where the best I can do is their security. Maybe they don't use SAML (Security Assertion Markup Language) or OIDC (OpenID Connect) for the machine-to-machine API integration. Okay, I wish you did. But what do you have? If there's at least some layer of authentication that makes me feel a little better. I'm going to cordon off that interaction very hard. So the surface area of an attack coming from that particular integration is super tiny and you deal with it because I don't necessarily have the communication skills to make another company change the way that their APIs work. I can try to, I can ask some questions, I can encourage some change but at the end of the day, I don't know their resourcing. So I'm just going to do what I can from my side to isolate that particular interaction as tightly as I can from anything downstream of it and make sure that the interaction is very functional but also isolated and secure.

 

Bruce Phillips: 

Yes, that stuff really is interesting. I look at third-party risk management from a slightly different perspective than a vendor like Snapdocs. I look at Snapdocs because we use them to do certain things, they have access to certain things, they have documents, and they have other things that we have to rely on. But at the end of the day, that's my responsibility to make sure that that data is protected.

 

Or I use third parties to build firewalls for me. I have third parties that build email gateways for me, right? And these are things that I need to understand what they do in their security around providing me with these tools. So I understand what risks I may be bringing into the organization by using that particular technology that they're using.

 

And then just like a lot of companies, we have vendors that we outsource different things to. As soon as I outsource something to somebody, I'm now at their level of security. So I need to understand what they're doing and maybe we say OK, you can do this but you can't do this because you don't have the controls to protect really sensitive data.

 

You have the controls, you can do closings or you can do just document processing. It depends on what you're going to do. You need to understand but understand when you let someone else do something for you, you are at the mercy of their understanding and security.

 

Bob Stone: 

I love that. I'll just add on that when I think about third parties, I'm saying limit it to only sending what you need right now and I'm only going to receive back what I need from you. Shrink that API as much as possible. Whenever anybody sends me a 10,000-line API response, I feel like I probably shouldn't see some of these things.

 

I'm just going to ignore it because that's my best practice. But it's one of those areas where trying to make sure the data that passes back and forth matches the use case is a great call out.

 

Freddy Feliz: 

Yes, and definitely question that. I get a lot of requests where the scope is narrow and even within that narrow scope, they probably only need one variable. They don't need everything in that record. So it's okay to challenge your vendors in terms of what they really need.

 

Bruce Phillips:

It's a mindset change. 25 years ago we didn't think like this. We would give you the whole package. You'd give me the whole package back. We didn't have the controls that we have today. But now we have a really rough cybersecurity landscape that we're trying to navigate. The way you can reduce risk is to reduce the amount of data you're transiting back and forth.

 

The less data you have, the less risk that you have. If you don't need to send social security numbers, don't. If you don't need to have them, don't collect them. I don't want you giving me everything and letting me pick out what I need. I would rather you give me only what I need and you keep the rest of that stuff because I don't want to have to accept responsibility for protecting that data.

 

Freddy Feliz: 

Absolutely. Well, let's keep moving as we're getting close on time here. What are your thoughts on zero trust and how pervasive or impactful will it get?

 

Bob Stone: 

I really like this question, but I think it's difficult because I think zero trust is a bit of a buzzword these days. There are architecture frameworks that call themselves zero trust; in the networking world, there's a lot of zero trust. But at the end of the day, the real question is whether there are enough hurdles in the way to get to the data to make sure that the attackers can't get there.

 

So, we have our internal systems, and they still authenticate to each other. Even though in theory they sit in the same bubble, I should be able to trust that they're in the same bubble, and nothing else would be in that bubble. I don't want to trust that the only thing calling it is the only thing that has access to call it. We add that layer in, even though it may seem like overkill.

 

It's just making sure that every layer is protected. For me, it's the architecture. It's making sure that systems and people, the systems are always checking that it's the right person, device, and system that's interacting. To me, that's the start of zero trust. But I'm curious what you guys think.

 

Bruce Phillips: 

So, one of the interesting things that is going on now is that, at the start of the pandemic, everybody left the office, and everybody is no longer in the same physical location. We're not connected physically to the same network that we were, we're all someplace else, which means we're not all behind the same firewall or network, and have the same controls that are protecting us.

 

And then we're coming into the network that has the data, the systems that we need to use. So it's changed the way we look at it, right? And so how do you ensure that people can get to the systems and the data they need from disparate locations while ensuring that the criminals can't? So it's all now about ensuring that the right data gets to the right people at the right time based on the risk of that data and using the appropriate amount of friction to ensure that someone who doesn't need that access can't get through.

 

So how pervasive will zero trust be? It's going to be the way we do business. How impactful will it get? Hopefully, the impact is dependent on the level of risk of information that you're trying to access and then the appropriate level of controls are put in place, right? So if you're just trying to get to your corporate website, you should be able to just get there.

 

But if you want to get into your business operating system and access consumer data, you should have more points of inspection of who you are before I give you access to that. So that may mean a username, a password, a token, a certificate, some way of getting it through there and the level of friction is going to increase while you go out.

 

But hopefully what that will do is, as we build out better models, it is more risk-based. So you don't have the same level of interaction to get to low-risk data as you need to high-risk data, which is a long way of saying, let's hope it makes our lives easier.

 

Freddy Feliz:

OK, let's move on to best practice number three. So it is clear from the last 45 minutes that the weakest link is always going to be our users. So how do we prioritize internal education and training to prevent these things from happening?

 

Bob Stone: 

I'll take the first pass at this. I think it's interesting. The segue from the last question to this is a little box on the slide calling out that the easiest workaround for staff is the easiest entry point for the attackers. So when we think about that friction, and I have to get a text code on my phone again, all of those little things that make us more secure, getting around them makes us less secure.

 

But I think the biggest thing is education, making sure people understand what they can do to help prevent this. Phish your own people, show them, and try to humanize it. Most employees don't realize that they're doing something that's risky, they're just getting their job done. And a day-to-day person might enter their password 10 times a day and they're annoyed because they're just trying to get their job done.

 

But if you can educate and reframe it to say the security measures aren't meant to make your job harder; they're making it more secure, they're making it so hackers can't get in. I think just trying to humanize it is a big deal. Do you guys have anything to add on the awareness and the training?

 

Bruce Phillips:

No, I mean, that's really the whole idea. I hate the thought. Everyone says our employees are our first line of defense. The challenge with that is we don't educate our employees. So it's like we're throwing them out into a battlefield and we're giving them rubber knives. They're going to lose, not because they're bad.

 

It's just because they don't know why we're doing it. And that's part of what we should be doing when we educate our employees. It's not trying to teach them to be security professionals. It's about giving them the information to understand why we do certain things and then why certain things may increase risk for the company even though it's easier for your job.

 

For example, all these wonderful online web applications that are there to help you do your job: they're really giving you bypasses to the controls that I have in place to protect you and the consumer, and I don't know what you're doing. I don't know how you configured them. I don't know what data you're putting up there. I don't know how that data is being secured. So we're increasing the risk.

 

So our training has to be not telling you you're doing a bad job (you're my first line of defense), but explaining to you why we want to do things the way we do, and what the risk is, so that you can become a part of the solution, not feel like you're part of the problem.

 

Freddy Feliz: 

Absolutely. And it's good to remind users that all the controls, all the nuances put in front of them to make it more secure, they also apply at home. So if they follow all these great practices at work, but they have no passwords at home or no antivirus, they have the same problem.

 

So I try to, as you said, humanize it, but I remind them that they should be following the same standards on their personal devices and personal systems. So teaching their kids about this stuff is important.

 

Bruce Phillips: 

I've actually turned that around just a little bit. I don't try to train you in cybersecurity to protect me at the company, I give cybersecurity training to protect you and your family. If I can get you into that mindset, I get the benefit. So do you and your family.

 

Freddy Feliz: 

That's a great way to reframe it. So, Bruce, since Bob started, let's talk about executive buy-in. Everybody's listening now with all these incidents. So how do we ensure that the executives are buying into all of these priorities?

 

Bruce Phillips: 

Well, that's the fun part, right? We need to be clear and communicate the risks to leadership, right? My job is not to accept risk. My job is simply to communicate risk to the executives and then have the discussion. What level of risk are you willing to take? And that changes over time. And in my experience, it almost changes every quarter.

 

Every time there's a board meeting, the risk appetite of the company will change. But my job is to make sure that they understand the risks that something presents whether that be ransomware, whether that be wire fraud. I don't build systems to accept or mitigate risk. I don't make that decision.

 

But we have to make sure everyone understands the risks that we're accepting or that we're taking inadvertently or on purpose. It's almost another level of training and awareness, but to the executive team, to make sure that they can make the appropriate decision when it comes to cybersecurity. That's what they do every quarter at board meetings.

 

When it comes to, what am I going to do from a marketing campaign? What am I going to do in a product development situation? What am I going to do for expansion? All of these things are things that the board already does. We just need to make sure they understand the risks in terms they understand - dollars and cents.

 

Freddy Feliz: 

Thank you. And the only thing I would add is, in addition to the buy-in, think about reputational risk. It's not just if something goes wrong; we always think of the dollar amount, but in some cases reputation may be impacted, and that's in most cases even more difficult to restore, along with regaining the trust of your customers or your vendors.

 

So definitely keep that in mind. We're getting close to the end here, so I'm going to keep us moving. Before we go into the Q&A segment, let's do a rapid-fire round of final thoughts. Bob, please kick us off.

 

Bob Stone: 

As it says on the slide, I think my biggest focus area right now is inspection, making sure that what we have runs well. We spent years setting up the foundation for our security programs and everything we're running and making sure that they meet the needs of today's business with the staff we have today, that's really where I'm focused. And I think that is a great starting point for a lot of people with their programs. Bruce?

 

Bruce Phillips: 

Sure. A lot of people have heard me say this: never let a breach go to waste. We need to learn from the experiences of others who have gone through this within our industry. There have been several within the last few months. And we need to understand what happened to them. What worked well in their recovery, and what didn't work well in their recovery? What worked well when they found out they had a breach, and what didn't work well? That's what we need to be able to do.

 

And that comes back to what we had a discussion about earlier: communications. How can we get better within the industry? We need to be more open and we need to communicate. So I don't look at the recent breaches as a failure of those in our industry. I look at these as: we are going against really, really, really good adversaries, and we need to share information. So as we get better, they get worse.

 

Freddy Feliz: 

The last thing I would add is: definitely broaden your scope. Security is no longer within our walls. I think Bruce touched on that earlier. It's more than that. It's our vendors, it's their vendors, it's our employees, it's their relatives, it's their mobile devices. So make sure that everything you're doing takes into account what is also happening outside of your firewalls and, in some cases, for distributed environments or people working remotely, in a more complex way.

But definitely keep an eye on that. 

 

Q&A

Freddy Feliz:

So let's move on to Q&A. We have been receiving a lot of questions, we will try to use the remaining time to answer as many as we can. And with that, let's start with the first one here. What is a SOC 2?

 

Bob Stone: 

I'll take that if you guys don't mind. SOC 2 is a framework for security. I think it was originally built by accounting as Service Organization Control type two. So it's a cybersecurity compliance framework, and it just is a guide for the policies and what controls should exist, and you try to meet those controls with what works for your business.

 

Get them audited every year so that you can prove you are meeting your controls. Does anybody have anything to add to what that is? I know we were tossing that around a lot.

 

Bruce Phillips: 

Back in the day, it was not very good when it was the SAS 70. It wasn't really a good document because you could just pick and choose what you wanted to have audited. Now, SOC 2 relies on trust service principles. There are five of them. And when you look at a SOC 2, you look at what trust service principles they are using: security, availability, processing integrity.

 

And I can't remember all the other ones. So it's a really good framework that is used to assess what people are doing. It's a great starting point to have the conversations. 

 

Freddy Feliz:

Excellent. Bruce, I think I saw something you wrote recently on this one. But where is the digital world moving in regards to MFA and 2FA?

 

Bruce Phillips: 

Yes, that is a great question. So actually, 2FA is a subset of MFA. 2FA is two-factor authentication, which means I have a username, I have a password and I have some other thing that I have control of that I use to authenticate myself. Multi-factor authentication is the same thing, but it actually inspects your computer if you have a certificate, if you're doing certain things, where it's coming from, when's the last time I saw you - a whole lot of other more rich data that I can make decisions on whether or not I'm going to allow you access.

 

If you are not using at a minimum 2FA for anything you're doing on the internet, stop what you're doing today and enable it. It's the only way that you can put the biggest, toughest roadblock to a criminal trying to gain access to your systems. Where is it going? I'm hoping it gets better and I'm hoping it gets to the point where it's no longer optional.

 

Bob Stone: 

I would agree. And just, again, different kinds of MFA: I love the one-time passcode. I have authenticator apps on my phone for various applications. I have "text me a code" because I've entered my phone number. Oftentimes I think it's also important to understand what makes it a second factor and not one factor twice. I feel there are some places where you end up with one factor twice more than two-factor.

 

One other area I know is prominent in RON transactions. They have the KBA. So it's a knowledge-based answer as a form of final authorization to be the signer. It'll use information that hopefully only you would know. Have you ever owned a car? Name one of these models. Have you lived on one of these streets?

 

Bruce Phillips: 

It's all those questions that people ask you on Facebook.

 

Bob Stone: 

Yes, they are a little social engineer-y. But yes, I'm just listing flavors. I'm not describing my preference for them, but that's okay.

 

Freddy Feliz: 

We only have a short time for one more question. Any recommendations on specific things we should target when running a phishing campaign to our users?

 

Bruce Phillips:

Well, I don't know if I could come up with one specific. I analyze the results of all of our phishing campaigns, and if I can find a pattern that this one is more successful, I'll run that again. I generally start off with two different things. One, getting you to click the link, download an app, or download a file.

 

And number two, trying to get you to give me your credentials. Those are two of the things that criminals are going to try and do. They want to get your username and password so they can break into your system, or they want you to download a file so that they can execute a piece of malware. So I start with those things, but then I analyze and tweak what my phishing campaigns look like based on how the user population deals with it.

 

I will tell you a secret: sex sells. If you use something risqué, like asking if you want to see inappropriate Halloween costumes, you will get a lot of people clicking to see them. And that's a good way to reinforce that you need to be more circumspect when you click on links.

 

Bob Stone: 

I'll add one, maybe in a different direction than the Halloween costumes. They're a little risqué. But I think, knowing the emails that you get, try to make it realistic. Going back to thinking like a hacker, the hacker might know what the emails that you receive look like. Try to make it look like that, try to make it so that it is tricky, and try to make sure that you can be realistic, so that it is likely that someone's not checking the things they should check.

 

I think in the past, there were a lot of misspellings and whatnot, but as we talked about earlier, all of that's getting better. English might not be their first language, but ChatGPT speaks in English, so they can form a really nice email. So I think trying to make it realistic is good.

 

Freddy Feliz: 

Thank you very much. Unfortunately, we're here at the top of the hour, so we'll have to hold off on any additional questions. We will follow up directly with users and answer any questions that we were not able to get to today. And with that, thanks everyone for joining us today.

 
