Understanding Cyber Attacks and Strengthening Defenses: A Series on Cyber Security
The ongoing sophistication, automation, and success of cyber criminals make a bad situation even worse. Organizations of all sizes are under persistent attack and surveillance at an increasing level. Understanding these attacks and strengthening our defenses must include a process of steady updates of our systems, processes, and team members.
In this episode, host Craig Jeffery sits down with Jo K Jagadish of TD Bank to kick off this new series of conversations. This series will cover topics such as MITM, ransomware, and spoofing attacks and will review specific defenses and the mindset required to maintain commercially reasonable controls and leading practices and to maintain the human firewall.
Craig Jeffery, Strategic Treasurer
Jo K Jagadish, TD Bank
Episode Transcription - Episode # 196: Understanding Cyber Attacks and Strengthening Defenses: A Series on Cyber Security
Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym or wherever you decide to tune in. The ongoing sophistication, automation, and success of cyber criminals make a bad situation even worse. Companies and organizations of all sizes are under persistent attack and surveillance at an increasing level. In this first episode of our new series, covering cybersecurity, Craig Jeffery of Strategic Treasurer and Jo Jagadish of TD Bank discuss subjects ranging from the types of fraud attacks companies are facing to maintaining your team’s human firewall.
Craig Jeffery 00:47
Jo, welcome to the Treasury Update Podcast.
Jo K Jagadish 00:50
Thank you, Craig. Thrilled to be here.
Craig Jeffery 00:52
Jo, so this cybersecurity series, I’d love to hear your thoughts on what the series is about and why it matters to TD Bank, particularly for the world of corporates and commercial clients that you have. But I did want to mention just a couple things to the audience that the idea of ransomware has been a big issue for some time. And we have communications from the federal government just recently aligned with the Russian invasion of Ukraine, about critical infrastructure industries having to strengthen their defenses. And there’s even reporting requirements on things like ransomware if you’re attacked, and how that follows up. So the threat level has increased generally, and certainly with mission critical organizations. And I know, yeah, we’re really focused here on corporate and commercial clients. So maybe we could talk about why this topic matters to TD and what this series is intended to do.
Jo K Jagadish 01:50
Thanks, Craig. And you’re right. You know, there’s just general heightened awareness across the industry. As we sort of saw this pivot to the remote work environment, in the pandemic, across all industries, there is definitely an uptick as we look at fraud attacks and cybersecurity threats. But at the same time, I think the most recent geopolitical crisis has further augmented the need for us to have continued conversation and discussion around best practices around these threats so that our clients and frankly, the rest of the industry can be well prepared in creating the appropriate defenses to counter such attacks. So the reason this is incredibly important for us, like every, you know, prudent financial services institution, we want to make sure that our customers are aware around what those best practices are, what are the types of attacks that are proliferating in the industry, and ensure that you know, the existing kind of training, investment and cybersecurity capabilities, investment in infrastructure, etc, all of those are in line with the level of sophistication that we’re continuing to see in this space from these bad actors. So companies and organizations of all sizes, you know, whether they’re gas pipelines, whether they’re hospitals, whether they’re farms, believe it or not, are all under persistent attacks, and surveillance at a very, very high level, understanding these attacks and strengthening our defenses, it needs to be sort of an ongoing process, and ongoing evaluation of existing systems, policies, procedures, trainings, you know, internally as well as you know, across the different technology providers that our organizations are working with. And so, in this series, we’re going to talk about tactics such as man in the middle, ransomware, spoofing attacks, we’ll review some specific defenses, as well as the mindset required to maintain commercially reasonable controls, leading practices, and maintaining that human firewall.
Craig Jeffery 03:55
Yeah, excellent. You know, on the attack front, you mentioned man in the middle, ransomware, these spoofing attacks, such as business email compromise, what do you want to accomplish with people’s understanding through this series?
Jo K Jagadish 04:10
I think it’s important to really understand the tactics because understanding the tactics helps organizations and frankly, you know, individuals within those organizations really identify a pattern. And if they’re seeing that, you know, you can raise the red flag and call out that something’s not appropriate. So part of the series and I think part of what’s really important here is understanding what are those tactics that fraudsters and bad actors tend to use? So let’s maybe dig into each one of them a little bit. And then you know, this is more around the types of attacks and then we’ll talk a little bit about what are the appropriate defense mechanisms that companies can put in place to prevent such attacks. So let’s start with man in the middle. It’s really a type of eavesdropping attack focused on intercepting communication between parties. One example could be, you know, a bank communicating with its customers, cyber attackers, they’ll interject themselves into an existing conversation or data transfer. Once they’re successfully in the middle of the communication, meaning they’ve also appropriately obtained access to data, or communication channels that exist between those two parties, the attackers will act as both legitimate participants, enabling them to intercept information and data from either party while sending malicious links or other information in a way that may go undetected until it’s too late. Whether that is providing or obtaining sensitive information, such as one time passwords, whether it’s obtaining, you know, pushing a link over to the corporate infrastructure environment and having a user click on the link, and then hence going to being exposed to infrastructure susceptibility.
Those are just examples of man in the middle attacks, where through social engineering or other mechanisms, these individuals will really try to present themselves as legitimate parties trying to obtain sort of that sensitive information from the customer.
Craig Jeffery 06:21
Yeah, thanks, Jo, that digital eavesdropping analogy was great. I know ransomware is something that will be covered on this series. This is the idea of using encryption to lock down things is a security feature, but it’s turning that on a company so that they can’t access their data. And they hold it ransom to get the key to unlock it. And that’s been an extremely significant issue. It used to only cost companies about $10,000 to pay the ransom, then it exceeded $100,000. And now by some measures, it costs companies for the ransom and for repairing their systems an average over a half a million. And so these are significant items. And then the third area of attacks that we’re looking at in this, like you said tactics or the criminal’s playbook was spoofing, and business email compromise. There’s been so many warnings about this for so many years. Why do we still keep talking about it? And I know part of it’s so many people keep getting caught up in it because the spoofing has gotten so much better than it was when it first began.
Jo K Jagadish 07:27
No, you’re absolutely right. I think ransomware is one that probably, you know, hits the press. And we all read about whether it was the Colonial Pipeline incident. And I know there have been several others that have really made the press and you kind of see one or the other at least every week. But you’re right, you know, ransomware is really, just to kind of explain what it is, a type of malicious software or malware that threatens to publish or block access to the computer system. And so companies aren’t able to access the information, the data, the infrastructure that they need to run their daily operations. And this becomes really pronounced when you think about the sensitivity of clients on the other side. So for example, if you’re a hospital, and you’re unable to now access medical records for your patients, because your entire IT infrastructure is under attack, that could have not just consequences materially to sort of the infrastructure in the organization, but to people’s lives. The same example goes for several other industries where ransomware poses a significant threat to human life, but as well as you know, economic capital and just going to day to day nature of these businesses. Over the last several years, we’ve also seen fraudsters or the cyber attackers leverage cryptocurrency as a method of settling that ransom, the US government has gotten much more sophisticated in being able to track these payments in cryptocurrency. But having said that, you know, we continue to see just a significant sophistication in the method of attacking organizations. And hence, you know, going back to your point on spoofing or business email compromise, these ransomware attacks tend to also start with somebody clicking a link in an email that was sent to them that appeared legitimate, or clicking a link that seemed urgent and required an immediate response.
So I think as we think about the various tactics that are being used, they’re just continuing to get more and more sophisticated because there is a, you know, abundant availability of information out on the dark web, as well as on the public web, around companies, organizations, employees, vendors, and I think that’s where just the need to be incredibly vigilant is increasingly important.
Craig Jeffery 09:54
So that’s the how, some of the methods that these criminals are attacking organizations. Then the other part of the series is about defense. Preparing for the known and the unknown types of attack as criminals advance their capabilities, they become more sophisticated. They combine some of these tactics together. There’s three elements that we have for this series. It’s commercially reasonable security, the human firewall, and the security mindset. And maybe you could say a few things about commercially reasonable security. And this idea of, because the attacks are increasingly sophisticated, and they’re more automated, you can’t sit still, you have to continue to improve what you do to stay at a commercially reasonable level. Maybe you could talk through some of your thoughts on this.
Jo K Jagadish 10:44
Yep, you’re absolutely right, Craig, you know, what commercially reasonable looks like today is probably the bar on that is a bit higher than what it used to look like several years ago. And I expect that that will only continue to go up. As technology becomes much more sophisticated, there’s more straight through capabilities, we’re all trying to get kind of to that next step a lot quicker. At the same time, like, you know, as customer expectations continue to evolve around, you know, security and convenience and user experience, we need to make sure that the commercially reasonable procedures of accessing data continue to be put in place. And I’ll give you a couple of examples of that. One is setting up multi factor authentication, I don’t think multi factor authentication should be limited to financial services. And I think over a large extent, that’s where we’ve seen some of these use cases really predominant. When we talk about MFA or multi factor authentication, we’re really referring to a process where you sort of have this dual level of control. So one is what you know, and then what you have, meaning what I know is my password, and what I have is the ability to authenticate myself over another channel or another device. And typically what happens is, when you have a multi factor authentication in place, the hacker is unable to access data without confirming the identity, which is sort of that next step in that security level, whether it’s, you know, biometrics eye scans, there’s a lot more what I’d call ease of convenience in using that second step of identity, you know, just given enhancements and technology, which I think are much more convenient to the end user, those should continue to be put in place as appropriate. The second one is using a virtual private network or a VPN, a VPN software really protects your information by masking your device’s IP address, it encrypts data, and it routes it through secure networks to the appropriate servers. 
This process hides your online identity, ensuring that you’re able to browse the internet much more securely and anonymously. So while you’re connected to your home Wi-Fi, your internet service provider can access all your internet data, companies are often susceptible to data breaches, which means your information may be at risk. The VPN layer just provides that next level of control, or next level of security on your existing home network. Setting up strong passwords. I mean, hopefully this one is fairly well understood, I think the standards of what a strong password continue to increase. There’s also a variety of software tools that are out there today, that, you know, provide the ability to generate much more complex sought passwords, every time you’re logging into some type of sensitive application. So these types of password vaults, as they’re called, are also another good option. But I’d say you know, sticking to the basics, making sure that you have a strong password, not using the same password across multiple channels. And that password is continuously updated is another best practice. And then finally, keeping software up to date, right. So it’s critical that whether it’s on our phones, whether it’s, you know, on the applications that we use, latest software versions continue to be installed, because many of these software versions have enhancements to security. They remediate any gaps or bugs. And that’s incredibly important, because if there’s a vulnerability in the applications, these hackers kind of tend to leverage them very quickly. And so keeping software up to date, making sure you have the appropriate version installed, that remediates bug fixes and any security vulnerabilities, is another very important step.
Craig Jeffery 14:34
Yeah, really good examples. I like your description of the VPN, blocking, creating that nobody can snoop on it or see what you’re doing type description. The human firewall and the security mindset are two other areas. Maybe I’ll just ask you a question about the human firewall. I always think about Adrienne Terpak, someone on your team who uses that phrase, maybe even coined it. Just like you have a physical firewall or digital firewall, there’s an aspect of humans need to be a firewall too. Maybe you could share a few thoughts like a little preview of what we might hear when we get to that section in the series.
Jo K Jagadish 15:11
It is a great term. Because while you could have the best systems in place, at the end of the day, a lot of attackers also tend to get past that human layer, because that’s really where that real time decision and you know, ability to flag something that looks odd or suspicious comes into play. And so how do we make sure that you know, the business processes that intersect technology are identified appropriately. However, the human vigilance, you know, as that next layer can really uncover any potential hazards that the software piece could miss. And that’s really what we mean by the human firewall. So given the right tools and information in place, it’s incredibly important to make sure that, A, there’s appropriate training, there’s appropriate methods to escalate and identify any potential hazards. So even if you know your employees have found something that looks suspicious, if it’s incrementally difficult for them to report it, or do something with that, in that information, the human firewall is only as effective as your people. And so making it easy to identify, providing the right training, and making sure that that’s just an ongoing best practice is what we really refer to as that human firewall. Because, like I said, there’s just a ton of information that’s available on social media on you know, on websites, such as LinkedIn, on the internet, social engineering is not very difficult to do. Very easy to find name, address, date of birth, your mother, you know, your mother’s maiden name, and all of these things are just aspects that come into play, when a fraudster is looking to find that human element or find that human vulnerability to attack a given business enterprise.
Craig Jeffery 17:00
On the defense side, there’s the security mindset, the next one that’s identified in this series. But I want to shift to another question. There’s a lot of talk about the return to office or return to permanent hybrid environment. This whole movement home, when COVID started, has a number of permanent changes to how we’re working. But the question I have here is how has the remote work environment had an impact on security? How has it impacted security and what’s changing?
Jo K Jagadish 17:32
Yep, it’s a great question. And it’s, again, just something that given the hybrid work environment we’re all in is incredibly important for organizations to understand. Employers need to continue to pay just that extra attention to making sure that the technology that the remote workforce is using is secure. The pandemic’s provided plenty of opportunities for criminals to exploit unsecured systems, overworked IT staff, and panicked employees who were now new to kind of working from home. These are new areas that organizations had been focusing on to shore up remote work cybersecurity during the pandemic. And this will likely continue as many people continue to work more flexible schedules.
Craig Jeffery 18:14
Thanks, Jo. Those are some really excellent points about the work from home environment. It’s a good taste. I’m looking forward to each of these discussion areas in the series with your team. Thanks so much for joining me on this podcast today.
Jo K Jagadish 18:31
Thanks, Craig. It was a pleasure. And I really look forward to the rest of the episodes in this series because I think it’s tremendously valuable. So thanks for having me on and good luck.
You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.