CFO Dialogue on Assessing and Securing the Environment: A Series on Cyber Security

Announcer  00:04

Welcome to the Treasury Update Podcast presented by Strategic Treasure, your source for interesting treasury news, analysis, and insights in your car, at the gym or wherever you decide to tune it.

Craig Jeffery  00:20

Welcome to the Treasury update podcast. This is Craig Jeffery, and today’s session is part of TD Bank security discussion series. It is a CFO dialogue on assessing and securing the environment. I’m here with Adrienne Terpak, from TD Bank and Robert Dennerlein for Mainetti.  Maybe we could begin with introductions about what each of you do. Let’s start with you, Adrienne, just your role at the bank. And then we’ll move to Bob so people can hear who they’re talking to.

Adrienne Terpak  00:49

Happy to Craig. My role at TD Bank is commercial segment manager in treasury management services, which is essentially part of corporate products, services and innovation. In my role, I typically assist with customer experience, working directly with our product managers, and our sales officers.

Craig Jeffery  01:15

Thanks, Adrian. I know you’ve been on this series before and some other podcasts. So welcome back again.  Bob, maybe give your overview.

Robert Dennerlein  01:24

So I’m the CFO of a manufacturer in the retail space called Mainetti. Prior to that, I’ve been a CFO when public and private companies for the better part of almost 20 years, mostly in the telecom and technology space. And now most recently, in the manufacturing sector.

Craig Jeffery  01:48

There’s a couple of sections I want to talk through and hear from both of you on one is issues experienced in your career. I think that’s helpful and insightful to the audience and just to hear where what you’ve experienced either directly or with other peers in the industry. And then I want to transition to securing the environment, and react and recover. Just to round that out. We’ll end up with some takeaways, but let’s begin with you, Bob, on some of the issues you’ve experienced in your career, and we talk about assessing insecurity in the environment. Security is a big issue. It’s, it’s grown in importance over time. I know we had some conversations beforehand. And that’s really part of the reason for talking on these topics. But maybe you could fill us in on some of your experiences.

Robert Dennerlein  02:33

As it relates to cybercrime, I think it’s no surprise that it’s rampant, whether you’re talking about national security agencies in the United States, or in the case of the major US pipeline cyber attack that occurred about I guess, about a year ago, and there’s been ransom attacks in, in the health care space as well. Surprise, surprise, it was always occurring somewhere else until it hit us in December of 2019. And quite frankly, we were caught by surprise.

Craig Jeffery  03:12

The vast majority of companies fit the model of what we’ve heard before, there are two types of companies, those that have been attacked, and those that will be attacked, and it’s probably becoming everyone’s attacked, and who’s going to be attacked again a second time. I know, we’d look in monitor and see what what kind of attacks are coming in. And the rate and speed is it’s unrelenting. And it’s massive, and we’re a we’re a much smaller company, is there anything, any kind of background or other information that you could share either, you know, in your role here and other roles, where you’ve seen different types of attacks, and how, you know, organizations are set to respond to them. There’s, there’s a myriad of examples.

03:54

When I was the CFO in the data center space, this was the model, there was more of a hosted environment, where you were hosting other clients’ assets, their servers, and the biggest threat in that environment was what we call the DDoS attack distributed denial of service attacks. When the bad actors can penetrate a system in a hosted environment, they can take you down to your knees just by pumping massive amounts of data into the system and rendering the bandwidth completely useless. Early on in my career, it was a highly competent IT organization within the data center group that put in some sophisticated monitoring devices to alert and to prevent bad actors from penetrating the firewalls. Here at my current company, we are a little bit less sophisticated. The company grew up regionally. So, we didn’t, and we don’t have a centralized IT function with a CIO in place. So what we’ve had to do is we’ve had to virtually create kind of a group, IT function, if you will, to roll out the proper defenses around the world in the company.

Craig Jeffery  05:23

Companies may start off small and they have no IT, they’re doing everything, virtual have no support, then they grow up to certain levels and have this CISO by team approach. And other organizations have 1000s of people in their IT groups, depending on the business and how that works. I think it’s useful to hear from companies at all stages, you know, kind of in the middle, to smaller organizations to massive organizations, that makes me think about the second part where we talk about both securing the environment, you know, as preparation, as well as react and recover. Bob, I’ll have you start with the discussion here. When we talked before, I know there was a aspect of assess and understanding you’ve, you’ve done this or worked on this in multiple organizations. So you can describe it as kind of this amalgamation or hybrid. How does that occur, I guess in the in the environment of protecting and then also so that that an organization is able to react and recover more quickly.

Robert Dennerlein  06:27

Sure, I can just give you you know, our story here and the learnings that came out of it. When this first occurred, it was really the perfect storm. We had no off site storage at this particular location. The bad actors had put shackles around the system, we were really caught by surprise, or a team had reached out. Fortunately, I had some really, really good contacts over at Aon, who had partnered up with a security firm called Stroz Friedberg. And the first reaction was, we have to deal with the situation at hand. And that was a ransom request. Thankfully, the ransom request was, you know, not what you read about in the newspapers today for public companies. But nonetheless, it was significant enough with the threat that if we didn’t pay within a certain period of time, that they would just go away and leave us with a shackled system. It was through these contacts that I was able to reach out to a New York firm, was able to arrange a Bitcoin ransom payment. And you know, the strange thing about all of this is here, we are dealing with bad actors. And they’re communicating in a very cryptic way through an email account. And suggesting to us that if we could pay within 24 hours, they would give us an early payment discount. They offer terms, which was unbelievable to me. And then their response was that this is just business, they have nothing personal, as a CFO. And as a management team, were here kind of swallowing all of this, and realizing that we had little or nothing else that we could do. So we arranged the payment, they honored their side of the bargain. And they allowed us to gain access back to the system. Again, we ended up spending significant amount of money, replacing hardware, replacing software, and putting in protection in this one location. But it sent a message to me that this was not the first and the only time that this was going to occur. So that was really the beginning of what I would call our cyber protection journey. While we were left with kind of holding our heads about what to do, I went back to my audit days. And for me, it was all about let’s assess the environment, let’s understand where we are, and then put in the proper capabilities. Not so that we’re best in class, but that we’re targeting a level of protection that is kind of right down the middle of the fairway. You don’t have to be the best of the best. So what we did was we brought in Stroz Friedberg, we decided to go through a I’ll call it a report card. It was a series of questions and interviews to look at where we stood against other manufacturers against the NIST framework. So that framework identifies whether the control is present or not present partial, or they use a category that they call risk informed. Where we’re aiming is to be kind of in that risk informed area, we did the assessment, we realized that we were weakest in the areas of detection and response and recover, we also realized that we, we didn’t need to be all the way over to the right side of the curve, which was, you know, in this kind of adaptive stage. But for a manufacturer, you know, kind of right down the middle of the fairway was where we needed to be. It was through that process, we realized we needed endpoint protection, we chose a company called Sign It, we deployed the endpoint protection to roughly about 1900 endpoints, or for the most part users. So that was step number one. Step number two, was we did a phishing campaign, we sent out emails with attachments, to see the level of employees that would open up attachments. We discovered that in any organization, your employee base is your weakest link.  With that we put in training and implemented a training program across the board. So with Sign It, we have a security operation center, we have prevention and detection coverage for all of the endpoint.  With security and awareness training, we have identified a baseline of proficiency, we are also targeting training for individuals that click on things that they shouldn’t, open up attachments that they shouldn’t. And through this process of repetitive training, we’ve seen the results improved significantly. The third leg that we’ve implemented, is multifactor authentication.  We actually went with a dual factor authentication so that when you sign on to your laptop, you will also get a code on your phone. It integrates nicely with existing technologies.  All of the company’s PCs and laptops will be protected with this. We’re about 90% of the way there.

Craig Jeffery  12:40

Yeah, that’s great. So the multifactor authentication, that’s gone from this is a nice to have to this is foundational, your comments about training people weakest link. They’re the ones who bypass security measures. So that’s, that was excellent. Now, I guess, I guess another question. I want to bring Adrienne into on this other devices or endpoints that are computers, did that also extend to phones with like mobile device management? Or is it really focused on people are working on their computers?

Robert Dennerlein  13:13

We’re also in the early stages of rolling out mobile device management.  I have an application on my phone called Lookout, many of the service providers are offering it for free. So that’s something that I would also highly recommend, because that’s another access point where bad actors can penetrate into your network. What I’ll say though, is is that all of these items that I’ve talked about so far, are what I would categorize as detective controls. The last piece of the puzzle that we’re also going to embark on soon, is penetration testing, you can do the best job of putting detective controls in place. But if you can get back to the root cause of how bad actors penetrate the system, and to the extent that you can limit access points, that will help improve the overall security environment.

Craig Jeffery  14:10

Excellent. So Adrienne, Bob talks about a number of items, every company and as a bank, as a leading bank on encouraging companies to follow good desktop hygiene, good payment security processes. What are some of the things that you would want to emphasize on securing the environment? And Bob, feel free to jump in as, as Adrienne steps through her thoughts on that?

Adrienne Terpak  14:36

Yeah, and we do hear this from our clients all the time, again, ranging from the small businesses all the way up to large corporates. They all have varying degrees of technical expertise or partners that they might work with. They probably also have different levels of vulnerabilities. And the idea there is really to assess those vulnerabilities and to fill those gaps and as quickly as possible, so no plan is not an option that’s negligence at the end of the day, and there are resources out there. So while it may seem as though this is just a job for IT, as Bob has pointed out, even as a CFO or other financial professional, it’s really important to understand sort of what’s could be impacting the financial the operations of the company, what could sort of paralyze you in that sense. And so we typically advise customers, again, from small business all the way to large corporate, and the industries run the gamut. It’s not just infrastructure type sectors, but it’s a whole host of businesses. And so we advise them that they really just take a look at what are those important assets? What do they need to get access to, to keep the business flowing? Obviously, payroll is a big thing, paying suppliers receiving payments, and whatever technology is in place today, assessing potential gaps, and then taking a measured approach, as Bob has done a multi pronged approach, if you will, really looking at each element:  hardware, software, training for employees, reinforcement of that training, fit phishing simulations. And I know that when right out of the gate, perhaps when Bob first experienced this, you’re not really sure of, you know, don’t necessarily have the holistic view, or know exactly where all the potential gaps could be. But it’s taking that audit approach or that risk based approach that we talked about, right, all of us whether or not we have risk manager in our titles, our risk managers, so really taking a look at what’s the inventory, for lack of a better term? And how do we go step by step to shore up our defenses for various, you know, various functions, whether it’s operations within finance, or across the board, within the company.  Call your banker lean on us, in terms of understanding some of that.  If you have a consultant that you can reach out to whether it’s for treasury management, or security is really important. You have insurance companies now with the cyber insurance. And I think Bob may talk a little bit about that next step, and making sure that the company has everything it needs to be able to qualify for insurance. And we did talk about that in our last podcast, whereby, you know, it’s no longer basically signing a quick application, and being able to get that insurance. But having to attest to all of these other controls that are in place before they will, in fact, insure you.

Craig Jeffery  18:02

Insurance companies do not want to pay out if you’re not being careful. That’s that is for sure.  Bob, any any other comments on the securing your environment front?

Robert Dennerlein  18:12

Yeah, I think in summary, it’s all about putting in multi factor authentication, endpoint protection, training, having a playbook in place for response and recovery is really, really important. When it happens. You want to know when I break the glass, what is my playbook, so that I know exactly what I need to do next. And then once you have all of that in place in a holistic way, then I would say the icing on the cake is the cyber insurance. Most of the carriers don’t even want to talk to you today unless you have the basic protections in place. And I look at insurance as really an Armageddon scenario where you’re sharing in the risk.  You need to be vigilant, you need to stay on top of it. And you need to train, train, train and repeat, repeat, repeat, because people get busy. And that’s when the vulnerabilities are at their highest is when I’ve got three things going on and I get an email that looks real. And I click on something or even go beyond that. And I answer the question, and I give away data where I give away sensitive employee information. It happens all the time. So it’s really remaining as vigilant as you possibly can.

Craig Jeffery  19:40

This idea of of teams or a team approach, if everyone’s responsible for security, nobody really is, but it seems like there has to be some type of of group and how do we assign those roles? How has how have you seen that to be successful as you stood up your defensive group in a much more robust manner. What are some things that others can learn from that?

Robert Dennerlein  20:06

Well, for us, it was the tone at the top, and giving it the highest level of importance in the organization. Otherwise, you know, sometimes these messages can fall on deaf ears. So it was myself and the CEO of the company that wrote a joint note to the organization, letting them know how important this is to the company. And that tone at the top is really, really important in order to get traction.

Adrienne Terpak  20:35

Without a doubt, I would say, again, in speaking with our customers, as well, whether it’s the CFO, controller, treasury manager, AP manager, if the message is certainly coming from the top, and there is a commitment to reviewing kind of what’s there, having the budget to be able to do it, and I know that budgets across the board have increased exponentially to protect companies, it’s, it’s not for the faint of heart, let’s put it that way.

Robert Dennerlein  21:10

There’s a cost of not doing it, which is really the scary part in all of this. And so when the board says to you, gee, this is really expensive to put all these protections in place, think about not having them in place. And in our case, it was an easier sell, because we were penetrated by a bad actor, and not only the ransom payment, but the downtime in the business and the cost to replace, what for exceeded the ransom payment,

Adrienne Terpak  21:42

And perhaps even getting a handle on what additional data may have been compromised in the process, whether it’s customers or vendors, if they can move laterally within the system, there’s sort of that question mark of to what extent have we been exposed?

Robert Dennerlein  22:02

That’s a really good point, Adrienne. And that’s where I think this penetration testing can be really revealing to companies because they can get to that level, to see the penetration that can occur across systems when you become lackadaisical, and you’ve got an individual with administrative rights and people that leave the company, and they’re not properly shut down in terms of password access, etc. Very important.

Adrienne Terpak  22:32

Yeah.  And that brings me back to a concept that I talked about in the last podcast as well as the zero trust model. And it may seem something you know, out of a sci fi movie. And people think it’s a bit daunting, but it’s least privileged access, it boils down to even access to your ERP system, your treasury management system, where you’re sending payments.  Based on a person’s role, they need a certain amount of access. But that’s your test model, really understanding to what extent they need that access, always verifying. And once they have a particular type of access, that they’re still doing the right thing.

Robert Dennerlein  23:13

This is a really, really important point that you touched on, because that’s also near and dear to our heart. Several years ago, a controller in one of our entities, one of our smaller entities was in the middle of it, he was very busy. And there was an actual transaction taking place. And again, a bad actor who had penetrated the system and had watched things for a period of time, became familiar with the transaction and sent a note an email to this individual and said, Oh, there’s a change of plans, please send the payment to this bank account, instead of that bank account. Again, the controller being busy, when went on approved a transaction and sent it out of the company, to the bad actor. So we’ve put a policy in place, that you will never accept an email, you will pick up the phone, you will call the person and verify that that change took place. Do not act on emails alone.

Craig Jeffery  24:12

Those are some really, really, really good principles. I also liked your comment earlier about the penetration testing where you have someone poking at your system to find that.  And same thing with data loss prevention. You know, we keep adding data loss prevention tool sets, and it blocks people’s emails.  They’re like, it says I sent a Japanese social security number out in this presentation I had.  It’s like, okay, it was a false positive. But everyone knows all those things are being reviewed. And it’s just a heightened, heightened awareness. And that’s a that’s a different type of footing. It’s like a war footing for data, for payments, and structures. Yeah, thank you both for your comments as we as we move to the the key takeaway section. Adrian, I wanted to Here, what are some of your recommendations for CFOs and treasures? Maybe give us a recap at the end, you’ve said some things or maybe some more that you want to leave with other, Bob’s and other CFOs and treasures throughout the world.

Adrienne Terpak  25:14

Sure. So we talk about being persistently under attack. The criminals, as Bob mentioned before, they talk about it being just business, not personal. And it is a multi billion, maybe trillion dollar business. The dark web is really home for for these criminals where they can purchase ransomware as a service, and a whole host of other products, including a great customer service support system.  We know that there’s no surprise there, we’re consistently under attack. And so what do we need? We need sort of that arsenal, and that arsenal includes people, process, tools and technology, people, meaning your employees, partners, that are experts in the industry, the process around what’s the right due diligence in our operations? What incident response plan, do we have? Do we practice it? Are we doing security sort of breach exercises as well. And then, of course, the tools and technology ranging anywhere from hardware software, but also the the human element. So we can’t, there’s sort of an overlap there. The tools that we talked about could also be the people. But certainly technology is a big piece of it. And other tools like insurance, and hopefully artificial intelligence will also come more into play in the future. So that’s really the arsenal absolutely should include those three main components. And not to simplify it because there are many layers underneath those various components. But it’s important to take that holistic view and do step by step in a disciplined sort of measured approach. It’s not going to be big bang, and it may seem very daunting at first, but you’ve got to take those steps. Because again, not having a plan or not taking those steps is really not an option.

Craig Jeffery  27:10

Adrian, thank you so much. Great insights. Bob, thank you so much for sharing. I think a lot of people will learn tremendously from this, your experience in the stronger posture.  Really appreciate both of you. taking your time to share this information.

Announcer  27:28

You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasure on LinkedIn. Just search for Strategic Treasure. This podcast is provided for informational purposes only, and statements made by Strategic Treasure LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasure.com.