Episode 202
Security Standards Are Shifting: A Series on Cyber Security
Organizations of all sizes are under persistent attack and surveillance at an increasing level. Understanding these attacks and strengthening our defenses must include a process of steady updates to our systems, processes, and team members.
In this episode, Host Craig Jeffery sits down with Jonathan Doskocil of TD Bank and Christopher Gerda of Bottomline Technologies for the second conversation in this series concerning cyber security. This episode covers topics including changing security standards, growing risks, and the duty placed on companies to protect their people, data, and assets.
Host: Craig Jeffery, Strategic Treasurer
Speaker: Jonathan Doskocil, TD Bank
Speaker: Christopher Gerda, Bottomline
Episode Transcription - Episode #202: Security Standards Are Shifting: A Series on Cyber Security
Announcer 00:04
Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.
Craig Jeffery 00:19
Welcome to the Treasury Update Podcast. This is Craig Jeffery. Today’s session is part of a continuing series: Banks as Partners. It’s about security: treasury, banking, payment security. I’m here with Jon Doskocil from TD Bank and Chris Gerda from Bottomline. Jon, welcome to the podcast.
Jonathan Doskocil 00:39
Thank you, Craig. Thrilled to be here.
Craig Jeffery 00:41
And Chris, I know we’ve spoken before; we’re looking forward to the discussion again.
Chris Gerda 00:46
Yeah, good to be here, Craig. Nice to see ya.
Craig Jeffery 00:49
Yeah, and before we get started, I think it’d be great to just begin with a quick overview of what you do at your respective companies. I’ll go Jon, and then Chris, if you’d just tell everyone a little bit about your role at TD Bank or Bottomline.
Jonathan Doskocil 01:05
Sure. So thank you, Craig. Yeah, I work for TD Bank within commercial distribution, which means I partner with our clients to discuss issues like fraud and make sure that they are well educated on the industry trends and options to help protect their business. I actually came into banking through cybersecurity. I began my career in the Department of Defense, where I built and defended expeditionary technology networks. So I think that gives me a little bit of a more holistic perspective on what’s happening in the industry when it comes to bank fraud and cybersecurity.
Craig Jeffery 01:40
Excellent. We’ll look for some of those things to be brought to bear. I’ve heard you speak a number of times, so you know of what you speak. Chris, give us a quick intro from your perspective.
Chris Gerda 01:53
Sure. So my role at Bottomline PaymodeX is leading the risk and fraud prevention efforts across our business-to-business payment network, which means staying ahead of the fraud, using technology to proactively authenticate vendors prior to payment, and controlling our entire payments ecosystem to prevent, most particularly, business email compromise fraud and fraudulent vendors from becoming a problem for our clients.
Craig Jeffery 02:20
Let’s get started. We’re going to talk about standards, the reasons for the shift in standards, this idea of increasing standards: what was acceptable in the past may no longer be acceptable; we need a heightened level of awareness, a heightened level of defense. Then we’ll touch base on responsibilities, support, and the response. I’ll begin with you, Jon, and Chris, feel free to jump in on this first section about standards. But I’ll start with you, Jon. As we think about the duties of companies to protect and to be a steward of their corporate assets, liquidity, data, etc., what do you tell your clients about their duties and the shifting standards? What is the guidance that you find yourself and your team giving them?
Jonathan Doskocil 03:09
As treasury management professionals at a bank, we are most closely aligned with finance teams and financial practitioners within companies, right? These groups of people have been prime targets for cybercriminals, which really isn’t a surprise, given their role to move money and ensure that it gets to where it needs to go safely, and also the access that they have to financial accounts and financial data. In a recent study that I just read, it was something like 68% of companies had reported being targeted by criminals, and 58% of accounts payable teams had been targeted by something, you know, business email compromise alone. So when it comes to what we tell our clients, the very first message is that we want to make it very clear to them that they are under attack persistently. The data that we’ve seen throughout the industry makes it very clear that it’s not just a question of if, but rather of when, you or someone on your team will be attacked by a criminal. And we also add that entering into any sort of cash management agreement for services at any bank binds them to taking commercially reasonable security procedures to prevent these attacks from happening. This is important, I think, because it highlights that we all have kind of a unique role to play in protecting ourselves and each other when it comes to bank fraud and cyber attacks. And then we usually end with making sure that we add that companies are not alone. There’s a full ecosystem of partners and stakeholders that they can work with. That includes banks, to provide resources, education, and services to mitigate some of the fraud strategy and to help them keep that commercially reasonable procedures standard.
Craig Jeffery 05:02
Yeah, Jon, you know, there are some different terms. We sometimes use the term standards of good corporate conduct across the board. Others use the legal definition of commercially reasonable. And there are some elements about that which say this is the minimum standard you should have; it’s unreasonable not to do these types of things, not to put these defenses in place. It’s unreasonable not to have a door on your house, or not to have a door that locks, or a security system. So there are certain things that are like that: why would you be sending payment files that are unencrypted? So maybe we could talk just a minute about what is commercially reasonable security with regard to cyber security, and how this has changed over time. I think we realize that the criminals are far more sophisticated, they’re growing, they’re persistent, they’re automated. And this requires an adequate defense. And that defense has to be stronger today than it was two years ago, and a year and a half from now, it needs to be stronger than it is today. But maybe you could talk about what’s been changing over time, in terms of the mindset that we should have, and perhaps actions.
Jonathan Doskocil 06:11
So when we look at cybersecurity, and what’s commercially reasonable from a cybersecurity perspective, I think that’s when things start to blend into a more holistic strategy. There are really three layers of security that we’re talking about here: a structural layer of security, a network layer of security, and a human layer of security. So to touch quickly on the structural layer, there are definitely a lot of very good services that banks provide, and they’re very effective at creating a structural layer of security. And I think that there’s a strategy around making sure that the right services are on the right accounts for the function in which companies are using those accounts. But then there’s also what I’ll call the network layer. And within the network layer, that’s where companies are expected to ensure the safe storage of their data and the data of their customers and vendors. So the network layer includes things like firewalls, active and passive detection systems, and other security measures that keep themselves and their customers safe. And I think the expectation here, what is commercially reasonable, is that companies have these systems in place internally and that they’re staying up to date. On the human layer side of things, this is probably the most difficult to build and defend. But this is also where there’s probably the most vulnerability, and I think, you know, we have other episodes; I don’t want to steal Adrienne Terpak’s thunder here on the human firewall. But ultimately, this is all about getting employees trained, right? And then making sure that this training is conducted regularly.
And it’s so hard to build. That’s part of the reason why I’m so excited about our work, TD Bank’s work with you and Secure Treasury, to make sure that there’s training that’s curated for financial professionals specifically, because a well-trained employee is really one of the best defenses against cyber attacks.
Craig Jeffery 08:09
You talked about structural, network, and the human element. One thing we’ve heard here is there’s the hardware, software, and wetware. I won’t say where, because that annoys someone in the office; that’s the human part. But in terms of network and structure, are both of those things the hardware and software working together? Or is the network the hardware and software, and the structure the different elements you put together for your banking structure, how your group is organized? Is there a way you would define that?
Jonathan Doskocil 08:44
That’s really where the bank comes into play and helps the customer build that level of security, right? It’s about the bank accounts themselves, and the payments that are coming in and out of them. When we’re talking about the network layer, we’re talking more specifically about the perimeter and about securing the data within it. Now, where they all bleed together, and I would add the human layer into this, is that when the network layer or the human layer fall, or when they fail, it provides a way for a criminal to subvert or avoid the structural layer processes, right? So there may be positive pay, check positive pay, account blocks, filters, and that structure may be fully created and built. But if the criminal is able to create a synthetic identity by exposing weaknesses in the human layer and the network layer, then when that synthetic identity is applied, the structural layer defenses like ACH positive pay, check positive pay, that we touched on before, don’t work, right? They subvert them, and they get through them. And I think that that’s where it all kind of comes together.
Craig Jeffery 09:53
Chris, I wanted to give you an opportunity to weigh in on any of the standards that Jon talked about, if you’d like. I mean, there are elements of what has shifted. Anything to add on to what you’ve seen shifting over time?
Chris Gerda 10:05
I think Jon did a great breakdown. Think about the three layers: you have structural, network, and human. How do you figure out what those layers are? You look at the attacker, look at who the fraudster is, look at the strategies that they are employing. Now you can reverse engineer that to create your layers. It’s almost like you have to become a victim to figure out what you have to do to not become a victim. That is the power of partnering with the correct banks, fintechs, and technology providers, because they have the breadth and scope to bring that knowledge to bear. So you don’t actually have to become an independent victim to learn what to do; we’ve seen it, so we can implement it. When I think about structural, network, human, and how the TD Bank and PaymodeX partnership works, really, we’re helping that structural and human piece by bringing this fraud prevention to the forefront. That aids the human element, so that they’re not, you know, just wandering around without the aid of technology, and it strengthens the structural element, because we’re sending out payments that are secure, not just processing them. And the network layer, really, you just have to have this right: you are encrypted with all the standards that you need to be, and really transparent about your encryption and cybersecurity with your customers. It’s an interesting thing. When we talk to clients today, you shake hands, and you say hi, and you’re like, oh, I have all these things that I can do for your business. And they’re like, hold on, let’s talk about your security and make sure that you’re even there first, before I even hear what you can do for me. They’re leading that conversation to make sure that they’re partnering with the right providers. And that’s a big shift change that we’re seeing in the industry: security first.
Craig Jeffery
As we move to the reasons for the shift, the shift of standards, a shift towards more partnership, I’ll start with you again, Jon, and then bring you in, Chris, as well. So why has this changed so much? We talked a little bit about that. And why is it changing? Maybe we can get into some examples, whether it’s with social engineering, ransomware, or business email compromise, but with a little more granularity than that they’re more sophisticated criminals.
Jonathan Doskocil 12:22
I think it’s not really surprising that what’s commercially reasonable is shifting. We can think about it this way: when you consider the amount of awareness that we all now have around fraud, the technology that’s available, both in terms of the technology to attack networks but also to defend networks, and then what I would call the integrated digital economy that we all now operate in. So, as Chris was saying about security first, that’s all about how we all now, more than ever, need each other to be taking cybersecurity seriously, just as much as we need to be doing it ourselves. There is an element of responsibility for others that we have, just as much as we have an element of responsibility for ourselves, when it comes to cybersecurity. So in terms of awareness, I don’t think there’s a financial practitioner out there alive who isn’t worried about falling victim to a business email compromise scam, right? We all know how significantly and negatively that can impact your business, and even a career in some cases. And then in terms of technology, yes, hackers are becoming more sophisticated; there’s better technology than ever before. But companies have become more sophisticated in the technology that’s available to them, right? And this is not something that a company is alone in. I don’t want to really steal Chris’ thunder, but the PaymodeX network has been incredibly secure for many years. And that’s part of the reason why I’m really proud that we partner, TD Bank partners, with them, so we can provide our customers access to that technology. And part of that is, I think, Chris, you were alluding to it earlier, when you go to make the payment, validating that account. So that’s one way where, when I was discussing earlier about the failures in the network layer and the human layer providing access for a criminal to subvert these other structural layers, well, account validation can kind of protect you in a new way.
That security-first mindset is incredibly important, because it’s the account validation piece of the PaymodeX network that I think is very, very powerful. It adds another layer where it, I guess, strengthens the structural layer of security in that regard.
Chris Gerda 14:34
I’ve got a good add-on to that. Think about an old-fashioned bank robber who gets really good at picking one type of lock, and then all the banks just don’t change that lock type, and he continues to rob banks. That is email. What PaymodeX is doing is we’re really taking that out of the picture. All of your communication with a vendor can occur through us, through our network. In email, a fraudster can hide, hack into your email or impersonate you, and you’ll never know what their digital identity and their fingerprint is. The reason for the change, the shift in that awareness, is everyone’s seen a hacked email in their inbox last week or the week before, or they’ve had a phishing email sent to them, probably in the last week, personally or at business. It’s really important to stay ahead of the changes. To loop it back to commercially reasonable: commercially reasonable is definitely not doing business via email anymore, and doing authentication upfront, even past just the bank authentication. We see banks open accounts for fraudsters because they’ve actually created that synthetic identity to get that account open. And so it looks like they have that name. But there are other digital pieces of what we do in validation that look well beyond the account and take it a step further. So that’s a really big piece of it. And business email compromise fraud continues to be successful because email remains the lock on the vault.
Jonathan Doskocil 16:09
Sorry, yeah, Chris, if I could just jump in there real quick, ’cause you talk about commercially reasonable, like email is not commercially reasonable anymore, and I totally agree with you. But I also kind of have empathy for that Accounts Payable person who gets the email that a vendor’s changing their banking information, and then now has to, you know, go authenticate it, right? So if they don’t have access to some authentication technology, that can derail their day in certain aspects. So I think that there are certain levels of inertia, right? And in the end, it’s the inertia that causes us to kind of operate in a way that’s not commercially reasonable. Like you’re saying, this inertia: I don’t want to take this much time out of my day, and I don’t want to have to derail this. So I’m going to, you know, just take the vendor at their word with this email and go for it. So I think that’s really where this adoption of technology can really help. Especially, like you’re saying, the PaymodeX network employs this account validation technology. The amount of time that people can save, that Accounts Payable managers can see by using that when they get some sort of request to change bank information, is invaluable, because it saves them from having to, you know, make a mistake in a rush.
Chris Gerda 17:21
That’s a great point. I mean, one of the things that PaymodeX tries to do is, when you think of efficiency, you think of security going down when you increase efficiency. Actually, security is the new efficiency; people will see them walking in tandem. And so we empower corporates to actually process efficiently and securely at the same time; you don’t have to sacrifice one for the other. Whereas if you increase security, you create a ton of inertia, and they can’t get anything done, because there are too many roadblocks. So if you bring in digital authentication pieces, then you can actually keep your efficiency high and your security high at the same time, outside of that email.
Craig Jeffery 18:08
So part of this discussion was on business email compromise. A couple of others that we could touch on would be social engineering, which is perhaps a broader category that includes business email compromise, as well as ransomware. So Chris, maybe you could talk a little bit about what’s changing with ransomware. Ransomware is a situation where someone penetrates the system, encrypts data, and they have the key and they don’t let you use it. So they’ve rendered your computers, your networks, like a giant paperweight. How can we think about that, because you’re subject to the ransom to get access to your data?
Chris Gerda 18:49
From, I guess, a payables perspective specifically, PaymodeX is seeing this happen to customers, where they run their payables through us, and so we are securely housing their banking information in our network, outside of their infrastructure. So when they did have a compromise, they did not lose any banking information from any of their vendors, any of those pieces of critical information; we held them in trust. The fraudsters are completely separate from our network. We’re regulated just like a bank, and our encryption standards speak for themselves, very transparent, again, like I said about our cybersecurity. And so they didn’t have to deal with that fallout of reputational damage, because the banking information was held securely elsewhere, outside of their infrastructure. I mean, ransomware, as it compares to business email compromise, is a less monetarily damaging fraud from just a pure financial perspective, by far less. But reputationally, in the business damage that piles on after that, that’s a whole other quantification, and trust is also really a big piece of that puzzle as well. So how can you maintain consistent trust and protect your relationship with your vendors and the suppliers? When I talk about protecting payments, I actually talk more about protecting relationships, and a payment is just part of that. So we’re trying to protect the payment, but also the communication, the invoice, communication back and forth. So the more that we can take the communication, where the fraudster wants to prey on someone, out of the equation and into a secure area, the less damaging ransomware is if they have that incident, so that they can move away from it. Just like BEC fraud, ransomware is a numbers game. So it is perpetuated by mass blasts of emails trying to get a backdoor in, and exacerbated by extensive social engineering through multiple different omni channels.
Once they get one hook in, they’re trying to dive into, you know, more and more pieces. One of the tidbits of advice I give to any large corporate is really relying on an external email solution provider to monitor the inboxes of your organization to get the bad links before they get into your inbox. And if those bad links do get into your inbox, be able to overwrite those links, should threat intelligence come in later saying that they’re bad, so you can actually prevent a click on one of those things. And that’s going to mitigate that overall. So you’re working multiple different angles, and there’s no one provider that fits all of those pieces. But it’s definitely what the banks are doing; specifically, TD Bank is partnering with the right providers to be able to offer all of these things to their customers to get them to what is the new commercially reasonable standard.
Craig Jeffery 21:55
There are a lot of good things that both of you said. And when you’re talking about the emails, you know, we have a service and it blocks tons of stuff. If you’re looking to see how much it catches, it’s ridiculous to see the amount of traffic that’s nonsense. But every once in a while something gets by. And then you get this alert saying, hey, this one got by, we’ve isolated it, and it tells you what the threat level was, because somebody somewhere in some other organization clicked on something. And so that’s part of the power of the network, whether it’s email filtering for business email compromise or networks like you’re talking about on your end, Chris. Let’s shift from the reasons for the shift to responsibility, support, and response. Now I’ll begin with you, Chris. What do companies need to do in light of this increased threat, the concern about being good stewards of our data, of our payments? What are some of the actions that we need to be taking?
Chris Gerda 22:55
We’ll start with two categories to keep it sort of brief. One, the communication category. Actions: put multi-factor authentication on everything. And by everything, I mean your email, and your personal email, your phone, and that includes your internet phone that you log into online, because many of us are working from home. You could just log in with the username and password, and you’re on that phone; you have to actually toggle multi-factor for most of those so that they’ll go to your cell phone. Also put it on your cell phone. One of the most prevalent, damaging BEC fraud attacks over the last few years that we have seen attempted are the full takeovers of cell phones by having new SIM cards issued, and then they can pass all of your codes to send payments out or update your banking information. So that’s like number one: securing your communication, both your voice communication and your email communication. I couldn’t tell you the number of people I have in my personal life that come up and say, I got hacked, my email. And I’m like, well, what was in your email? That was my password list and everything else in my life. I’m like, oh my goodness, just toggle that multi-factor on; that’s going to be critical. When it comes to payments, for checks, positive pay. I mean, that’s just like waking up and brushing your teeth in payments today. But when you think of ACH transactions specifically, you have to do the validation upfront. As we move to more real-time settlement engines as well, if you’re not pre-validating, the faster the money leaves, the faster the money is taken out of that fraudulent account, the faster it settles, right? So you have to do authentication upfront and pay attention when you hear the word validation from any provider. Validation could be that the account is just open and eligible for payment. And that’s how a lot of people use it; it doesn’t actually mean that it’s in the name of that business.
So ask critical questions of anyone you partner with to make sure that they’re really getting into the nitty gritty of what they’re doing, and how they’re selling you something, and how they’re providing a solution to you, to make sure that you’re getting exactly what you need.
Craig Jeffery 25:01
So, Jon, from a banker’s perspective, how do you see that banks can help their clients develop a better defensive posture? What are the levels of security, or the ability to scale, that you talk about? Chris talked about a couple of services that hit on the bank side, as well as some outside traditional banking, like multi-factor authentication.
Jonathan Doskocil 25:24
It does kind of blend together, like I said earlier, Craig. So Chris did a great job in identifying a lot of the different areas where businesses can kind of help themselves. So from the structural layer perspective, I couldn’t agree more with what Chris said about positive pay, ACH positive pay, check positive pay, blocks, filters. But I think there is an element too of making sure that companies are engaging with their banking partner to ensure that that structural layer is where it needs to be, running a kind of strategic look across all of the different bank accounts and in what way they’re using those accounts. And then making sure that they’re leveraging whatever technology may be available that the bank may have; like we, you know, provide our clients access to the PaymodeX network, and there are other areas that help businesses reconcile on a daily basis. That is something that clients should be doing; that’s just, kind of like Chris said, from an accounting perspective, waking up and brushing your teeth. But also, I would say, to take it a little bit further, treat your business network with the respect it deserves, right? So making sure that any access onto the network is through a trusted Wi-Fi network, or a trusted, secure network. And, you know, not working at Starbucks or anything like that. And then from a human perspective, and this is something that, like I said before, banks can help educate clients about the risks that are out there. But also, in partnering with Strategic Treasurer, there’s a whole list of different courses that are curated for financial professionals, right, because what financial professionals are facing today is kind of like a heightened level of attack than somebody might be facing personally.
Craig Jeffery 27:11
That’s excellent. Thanks for the shout-out too. So, as we move towards the end of today’s discussion, anything else on responsibility and support? Or how companies should react or move forward? Are we ready to go into final thoughts?
Chris Gerda 27:28
I’ll have one more: make sure you engage with your banking partner early. Make sure they know about your business. Make sure you know what to do if there’s a fraud. How do I recall funds? How do I call, how do I get immediate action? What buttons do I press? And check in with them at least quarterly: what’s new, what’s coming? One of the things that we definitely see is continued focus on security. Just keep asking those questions, demand more. I think it’s important; I think that banks are delivering on a higher commercialization standard, and the corporates have the opportunity to be ahead of that and get in early. Something you saw, even, think about the United Kingdom: they rolled out Confirmation of Payee, which helps account validation. But a lot of the banks in the UK didn’t actually sign up for it, and a lot of corporates didn’t know it was available. And I think it’s great, with this piece of education that we’re doing today and the ongoing education, that that’s going to really lead to dividends and a lot less fraud.
Craig Jeffery 28:30
Excellent. Thank you, Chris, and Jon.
Jonathan Doskocil 28:32
Chris kind of opened the door for me here. But having a business response plan, a business continuity plan, and a plan to practice that is incredibly important. And Chris touched on it a little bit. But when a situation happens, when you’re faced with it, and like I said before, it’s not if but when, how do you respond? Having that plan in place can allow you to respond in a way that is, as they say in the military (I had to bring it up), slow is smooth, smooth is fast. When you have a plan in place, you can execute in a methodical way that will allow you to not make the mistakes that you would if you were just reacting and it was chaotic. So having that plan is incredibly important. And then also a business continuity plan, where you may be backing up data so that you can still operate your business. It buys you that amount of time where, if you’re hit with a ransomware situation, you can notify your bank, notify the FBI, make sure people are aware, and potentially resolve that without paying the ransom, because you’re able to operate your business on a separate piece or a separate service, separate data. So I think that that’s incredibly important. And then lastly, yes, practice, right? So if you have these plans in place, make sure that you’re practicing them.
Craig Jeffery 29:48
Well, excellent. Thanks, Jon. Thank you, Chris. Really appreciate the insight to end today’s discussion. I’m looking forward to the rest of this series on security. Thank you both.
Announcer 30:03
You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasure.com.