How Can We Securely Connect with our World and Securely Connect the World to our Business?


MODERATOR:
Jennie Duong, Head of Marketing at VISO Trust

PANELISTS:
Anne Bisagno, CEO of Xantrion
Imogen Cortis-Jones, Senior Risk Specialist, covering IT and Cybersecurity, at Federal Reserve Bank of San Francisco
Erin Donham, Senior Technology Consultant for Charles Schwab & Co., Inc.
Patrick Hennessey, Director of Business Consulting & Education for Schwab Advisor Services

Cybersecurity Panelists

Jennie Duong introduced the panel discussion, noting that the number of enterprise-level cyber-attacks on a global basis has risen exponentially in the past year; recent estimates put these numbers at more than 500 million worldwide. The sophistication of the attacks is very high and the techniques used are quite varied across email, social media, text, and websites.

The panelists shared examples of attacks, including:

  • A fraudster hacks into a client's email account, impersonates the client's financial advisor and directs the client to transfer money. The client does not "stop, think and pay attention."
  • A terminated developer at a bank, on the last day of employment, emails the source code for an application to their personal account.
  • A busy employee falls prey to phishing and does not pay attention to a Multi-Factor Authentication (MFA) request.

An interactive, lively discussion followed with the panelists addressing questions from the Moderator and the audience.

What are the holes in our cybersecurity that have led to these types of incidents?

  • It's the people element. Businesses must update their cybersecurity training on a regular basis to keep pace with the growing sophistication of attacks.
  • In California (since the 2018 California Consumer Privacy Act) consumers have control over the personal information that businesses collect about them, but people are not restricting permissions; most simply click "accept all cookies." It is important to spend the time to scroll down the webpage and limit the cookies. In addition, it is good practice to set up your browser to clear your cache on a regular, automatic basis. Yes, having to re-enter personal information after clearing your cache may seem a hassle, but the benefits of protecting your data clearly outweigh this minor inconvenience.
  • The zero-trust principle is paramount. Within businesses, account access must be limited to what an individual needs for their role and nothing more. For example, a trader should not have access to the accounting system and an accountant should not have access to the trading system.
  • It is a question of when, not if, a company's data will be compromised. That is why it is important to have a trained person monitoring your systems around the clock to react quickly, and also important to have insurance coverage.

What can be done about these holes?

  • Make passwords long (18-20 characters at least) and unique to each site; do not use the same password across multiple sites.
  • Take advantage of biometric screening where possible – this adds an extra layer of protection.
  • Use a password manager and ensure that the password to access the manager is 30-60 characters (it can be multiple words strung together). Yes, it can take a lot of time and effort to enter all your new passwords, since you'll have to change all your passwords as part of the process, but the effort will be well worth it. One of the speakers described her weekend-long effort of two 6-8 hour days to complete the set-up of her password manager. Popular password managers include Dashlane and 1Password.
  • Multi-Factor Authentication (MFA) should always be used. MFA reduces risk substantially, with one speaker estimating 99% less risk with MFA. Yet fewer than 30% of individuals use MFA.
  • Pay attention to your gut! If you have doubts when clicking on a link or responding to an email or text, pay attention to those doubts. Sometimes your gut is the only barrier protecting you, so slow down and avoid reacting to an email or a text. When in doubt, just delete.
  • Don't delay software updates.

In addition, for businesses:

  • It is important to take a risk-based approach. There are thousands of known vulnerabilities that are used repeatedly by fraudsters because they are successful. A business can prioritize protection against the attack types in active use and allocate its budget accordingly.
  • Ensure there is adequate cyber insurance. And bear in mind that if there is a known vulnerability affecting your business and you wait too long to patch it, then insurance coverage is reduced.
  • Consider outsourcing IT services to obtain cost-effective expertise and keep current on rapidly changing technology and threats.

How can firms communicate better internally for better alignment?

All agreed that the messaging must come from the very top and that the communication should be in layman's terms.

Resources on Cybersecurity:

The Do’s and Don’ts of Preventing MFA Spamming Attacks
Bay Area IT Services, Support & Cybersecurity | Xantrion

Reduce Costs and Beat the IT Security Labor Shortage
Bay Area IT Services, Support & Cybersecurity | Xantrion

4 Critical Questions to ask Your IT Security Company
Bay Area IT Services, Support & Cybersecurity | Xantrion

Schwab Online Security Checklist

Government agency websites that provide useful information:
Cybersecurity & Infrastructure Security Agency (CISA):
• Multifactor Authentication
• Stop Ransomware
Federal Financial Institutions Examination Council (FFIEC):
• IT Handbooks
Board of Governors of the Federal Reserve System (FRS), Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC):
Federal Reserve Board: Agencies issue joint statement on crypto-asset risks to banking organizations