FM: In many
ways, we seem to be talking about the same cybersecurity problems that have
existed for decades, such as user IDs and passwords, failure to patch systems,
lack of reliable backups and more. But now in a much more sophisticated and
complicated technology environment, what needs to change to make our
cybersecurity more effective? What are some common denominators of successful,
innovative cybersecurity programs?
Payton: We do talk about the same cybersecurity problems, and it’s maddening, isn’t it? We keep focusing on the user being the weakest link and that’s the absolute wrong way to design an effective cybersecurity program. The threat landscape
evolves as we add new technologies that are incorporated into our transactions and how we interact with the internet but also as we find ways to stop the adversary.
A cybersecurity program should have the basics, such as benchmarking against the industry best practices provided by the National Institute of Standards and Technology [NIST], but it also needs a focus on these questions: 1) What are your top three
most critical assets that if they were destroyed, held for ransom or leaked would cause major disruption to your business? 2) Who touches or accesses those assets and what safeguards are in place to make sure the assets are safe? 3) What creative
solutions are in place that can outthink and outmaneuver the adversary? 4) Have we designed a multi-layered strategy that incorporates a wide variety of solutions that can stop or detect and recover from an issue.
The layers could be strict user-authorization controls for transactions outside the norm, user-access controls appropriate to data sensitivity, regular and emergency patching, conducting a red team — bringing in an independent team to challenge your
applications — and application whitelisting — telling your network the list of what’s “trusted” — and behavioral-based analytics that look at logins, access, and data ingress and egress points.
FM: Can you give
a brief list of mandatory responses when organizations find themselves in the
middle of breaches?
Payton: When you’re in the middle of a breach, what you do will define your reputation for years to come. The best approach is to practice a digital disaster before you have a breach. You need to develop a playbook so that everyone knows
their roles and will highlight any gaps that exist in your cybersecurity plans. Determine what role you want external helpers to play for incident response, forensics, legal advice and cybersecurity fixes. Hopefully, you’ll never need the playbook,
but if you do, it should include your communication plan.
A communication plan needs to focus on when you need to disclose publicly to your employees, board, third-party vendors, regulators and — most importantly — your customers. Make sure you know how you’ll communicate. For example, for employees, will
it be an internal web portal or a phone blast? For customers, will you do a notice on your website, social media or do direct mailers? Know who your friendly press outlets might be. Have the phone number handy for your local FBI cyber unit.
Here’s what your playbook should emphasize:
- Assemble: Now’s the time to pull together the trained incident response team. Incident response requires co-locating the team even if via video conferences. Discuss the disaster, review possible remedies, discuss how this group will get alerts
and how the escalation process and approval process for ongoing internal and external communications will work.
- Transparency: Both internally and externally, communicate what you know, what you don’t know and when future updates will occur.
- Dig deep into details: Provide details when and where possible. The where and when might depend upon forensics and ongoing case work. Explain how you plan to avoid similar issues in the future.
- Feedback loop: Design and implement an incident response [IR] feedback loop. Tell customers how best to reach you — possibly via a toll-free number or social media. Walk them through the best way to be heard.
FM: Employees,
of course, aren’t automatons. They can be thoughtful, emotional, studious,
lazy, loyal, cunning, brilliant and dumb — sometimes all in one day. How do
fraud examiners and cybersecurity personnel treat employees as multi-faceted
humans when protecting organizations? You’ve said that many organizations’
cybersecurity briefings sound similar: 1) The sky is falling 2) Our data is at
risk 3) Attacks are worsening and 4) users are still the problem. How do
organizations get beyond these suppositions?
Payton: Have some fun with education. To most employees, cybersecurity training is so boring. They snooze and you lose! Focus on the digital assets and operations that matter most to the organization. Talk to your employees about what it would
mean if those digital assets were under attack and stolen. Then talk about tips to safeguard those assets.
Consider instituting contests, such as “The person who forwards the most spam messages to our organization spam alert account wins a free lunch this month.” Awareness and education shouldn’t be one time a year and solely focused on compliance. Consider
a curriculum that leverages many mediums throughout the year. Keep most of the messaging short and focused on one topic for easier retention.
Mediums you can use include delivering in person, video conferences, posters and internal memos. You can train them on: 1) your most important assets and how to safeguard them 2) how to protect yourself and your loved ones from online fraud (transferrable
skills that will help protect the organization) 3) local and federal obligations if you have a breach 4) reminding everyone that the security team is a small and mighty team so security is everyone’s job 5) train, explain, test and repeat!
FM: What else can organizations do to train their employees?
Payton: Cybercriminals can hack your employees’ devices — whether they belong to the individuals or the organizations. All of them have open platforms so they can upload operating system updates and security patches. However, their devices
are eminently hackable. Their latest apps can spell trouble for your organizations.
What are we doing wrong with these devices? We provide very arcane rules for employees to follow, such as having them devise 12-character passwords of non-repeating numbers or letters, etc. The complicated passwords actually feel designed to keep
the owner of the account out because they can’t remember them, and only the bad guy with a password cracking tool can get in. We must work harder to design security systems that act more as enablers and safety nets, rather than by rules that become
restrictive for people to gain access to do their jobs.
According to a recent Experian report, “Managing Insider Risk Through Training and Culture Report,” security and privacy training
professionals stated that just over 65% of their organizations’ employees are still the “weakest link” in cybersecurity. I realized that wasn’t really true when I worked at the White House.
The pivotal moment for me was when I shifted the design of a security strategy. We knew we had to address the hearts and minds of the staff at 1600 Pennsylvania if we wanted to protect their privacy and security. After all, if solving cybersecurity
and privacy issues were as simple as following security best practices, we’d all be safe. It's not that simple.
Two key questions came to me the first 90 days at the White House and I had to answer them or we would have had a major calamity: 1) Why, in spite of talented security teams and investments on security, do breaches still happen? 2) Why is it, that
despite hours and hours of boring computer-based training and security campaigns, we still make mistakes and click on links?
We need a new line of thinking. It’s the one that kills boring computer-based training courses. It’s the path that bans buying the latest fancy security tool if you haven’t used innovation to combat the human element. The new path is driven by a core
principle: “design for the human.”
I compare this line of thinking to installing childproof or safety items in your house for toddlers or pets. You still tell them “don’t touch this,” but just in case they do, you designed safety into your house for them in mind.
Design for your employees and for yourself. Just know they’ll use free Wi-Fi, they’ll recycle passwords, they’ll respond to emails that are tricking them into giving up information. They’ll break all the security rules because they aren’t security
employees. By the way, I am going to let you in on a little secret: Security employees break the rules, too!
"When you're in the middle of a breach, what you do will define your reputation for years to come."
FM: Can you
explain what you mean about conducting a “cyber walkabout”?
Payton: I often walk around a client’s building and ask employees simple questions such as, “How are we doing supporting you? Is there anything we ask you to do, in the name of security, that gets in the way of you doing your job?” Don’t try
to fix things right away. Just listen to their answers. You’ll learn so much about what you issues the organization has.
FM: How do
organizations bring in ethical hackers to test systems?
Payton: Before you bring in an ethical hacker, ask yourself, “If I were to ask someone to act like a cybercriminal, what’s my biggest fear of what would happen?” Pick a reputable firm that will ask you what you’re trying to accomplish. Discuss
with them about your top three most-critical assets and develop an incident response playbook. Make sure you have very crisp rules of engagement and expected outcomes. It should also be a coaching and mentoring exercise for your team. If it’s
going to be a “Wizard of Oz” exercise where you’re not allowed to peak behind the curtain, it’s not going to be the best use of your time.
FM: Our members
— fraud examiners — work hard to prevent and deter fraud in all sectors. What’s
the best advice you can give them as they fight daily in the trenches?
Payton: First off, remember that you picked a very noble profession! You’re helping fight fraud and reduce crime. Be a student of your job and keep up on the latest advancements that you can deploy to help improve your organization’s anti-fraud
posture.
Your job is fascinating and interesting. Don’t forget to use storytelling to help your customers and clients know why you implement certain rules or controls and how these rules and controls protect them.
FM: Dr. Joseph
T. Wells, CFE, CPA, began the ACFE in 1988 to preach the message of detection,
deterrence and prevention of fraud. How do you see the association doing in its
cybersecurity deterrence and prevention efforts? What can the ACFE do to
further help its members in cybersecurity?
Payton: I love the work that the ACFE has done for decades now in the detection, deterrence and prevention of fraud. I also love seeing the ACFE focus on the intersection of fraud-fighting discussions with cybercrime-fighting discussions. It
would be great to see the ACFE push the industry to look for just-in-time methods to push fraud indicators to the cybercrime-fighting side and vice versa. Additionally, how can we create new models for fighting fraud when interactions are now
machine-to-machine and how can we more quickly detect a rogue machine committing fraudulent transactions? Actionable threat intelligence in real time is key to winning the cybercrime war.
FM: Should
senior management of government agencies and private organizations be held
accountable and suffer consequences when they don’t adequately secure PII?
Payton: Whether it’s the OPM breach or another department or agency, the database of information stolen to date from government organizations is staggering. As fraud fighters, ACFE members should be concerned about the stolen data elements
that don’t really change and can be used within fraud schemes for several years to come. I can’t get a new Social Security number easily nor can I suddenly have a new residential history, mother’s maiden name, new date of birth or new handprints.
Following the OPM data breach, the government began a renewed flurry of activity to raise the bar on cybersecurity postures. As with anything of a massive undertaking, there are both progress improvements and areas not moving fast enough. The
U.S. Government Accountability Office conducts a review regularly and you can see the scorecards of departments and agencies.
Obviously, more needs to be done. Bad things do happen, and although we want someone to be held accountable, I know that U.S. federal departments and agencies work hard to protect the data they collect. However, they’re outstaffed by cybercriminals
and cyber operatives from nation states. When a governmental breach occurs, the affected department or agency should immediately release an after-action report and hold weekly oversight meetings to ensure they implement mitigating controls.
FM: Do you think
governments should impose criminal penalties associated with data breaches when
organizations are negligent in protecting sensitive or personal data? Should the
U.S. Congress enact harsher penalties for data breaches involving personally
identifiable information?
Payton: I’d like to see the U.S. enact a research and development tax credit for any company that spends money on cybersecurity. Of course, spending $1 on cybersecurity is $1 you can’t spend on PR, marketing, hiring, etc. to grow your business.
But we’d make significant progress in our private sector cybersecurity posture if we incented businesses to invest. Most businesses still don’t think they’ll be targets, so disincentives are going to be less successful.
FM: The Center
for Cyber Safety and Education predicts that by 2022, 1.8 million security
positions could exist. How will we be able to satisfy the demand for all of
these professionals that currently don’t seem to exist? How can government
agencies afford to compete for cybersecurity and digital forensics talent with
the private sector?
Payton: Recruiting at the White House was tantamount to our success. Finding colleagues who share your passion, your drive and your skills is tricky but not impossible. Chief information officers play a huge role in shaping the makeup of their
team. I often tell other CIOs and c-suite execs that they need to stop chasing the same résumés and the same degrees from the same colleges, and stop looking for the same certificates. Many of the best tech employees don’t have traditional backgrounds.
Consider re-training and re-tooling insatiable problem solvers. Hiring outside the mold is crucial to innovation and success.
We can also leverage artificial intelligence and machine learning to automate some of the entry level tasks to help supplement the teams that are stretched thin. I can’t wire a human to have that compass and to have that desire to passionately protect
and defend. If you see that in somebody, you can train them in cybersecurity.
Whether you hire for the government or the private sector, consider tapping into our U.S. military service members who might be leaving the service and need a job. They often still want to fight the good fight. Go to the bases where they’re detaching
from the U.S. military to discover how you can retrain them. Same thing with law enforcement. Whether they’ve spent a whole career or a couple of years, they might have the correct wiring.
FM: For years,
cybercriminals had targeted financial institutions. Now they seemed to have
moved on to health care. Why is that? How are health care organizations ramping
up their prevention faculties?
Payton: Criminals go where the action is, where victims are easy to find and where there’s value. They focused heavily on the financial services industry for decades. As the financial service industry hardened their defenses, cybercriminals
looked for new targets and hit pay dirt by targeting food, retail and health care.
When WannaCry hit, people heading into U.K. hospitals who were scheduled for surgery were told, “We can’t operate today because we’re in the middle of a ransomware attack.” This is where cybercrime gets real. A ransomware attack could endanger lives.
Yet security protocols can’t stand in the way of patient care. Health care institutions once used old-school rules; you could develop your firewall and hide the data behind it. The devices that are part of the “internet of everything” [IoE] or
the “internet of things” [IoT] have broken that rule. [See sidebar: “Three tips for fighting fraud and cybercrime at health care organizations,”.]
FM: What kinds of questions should our members be
asking their organizations about “kill switches”?
Payton: Do you want to be aggressive or not? In emergencies you might need to flip the kill switch and turn off the data. It will disrupt operations, but the consequences are better than finding out that leaving it on creates a much bigger
problem. You have to devise within your incident playbook how much you should turn off, what kind of functionality you want, under what circumstances would you flip the switch, who will flip it.
FM: What are
some practical ways that employees can protect organizational security when
they’re traveling for business or pleasure?
Payton: Ask for employees’ travel briefing when they go overseas so you understand the physical and digital threats. Update your devices, including operating systems, applications and browsers. Install your company VPN on all devices. Make
sure they travel with a hot spot on their devices for connecting to the network so they don’t have to use free Wi-Fi. Tell them they can’t have any business documents, email systems and apps on their personal devices. Instruct them not to leave
computers in locked cars, hotel room, etc. Nothing is truly locked. Instruct them to have the mindset that they’ll be targets.
Teresa Payton blazes trails in cybersecurity
Theresa Payton was the first female to serve as White House chief information officer where she oversaw IT operations for President George W. Bush during a period of unprecedented technological change and escalating threats.
IFSEC Global ranked her fourth among the top 50 of the world’s cybersecurity professionals. Security
Magazine has placed her in the top 25 Most Influential People in Security.
Payton co-authored two books: “Protecting Your Internet Identity: Are You Naked Online?” and “Privacy in the Age of Big Data: Recognizing Threats, Defending Your Rights, and Protecting Your Family.” She’s been a repeat guest on the Today Show,
Good Morning America, Fox business shows, Fox news shows, CBS Morning and Evening News, BBC TV news and radio, CBSN, CNN, NBC News, MSNBC and NPR.
Payton is the founder, president and CEO of the cybersecurity consulting company, Fortalice Solutions, LLC, and co-founder of Dark3, a cybersecurity product company.
FM: What are
your thoughts about the “right to be forgotten” clause in the European Union’s
General Data Protection Regulation?
Payton: The EU’s “right to be forgotten” sounds nice in theory, but it’s nearly impossible to implement because of the internet's ability to spread and otherwise disseminate information globally and instantly, and to store it indefinitely.
The clause sets an interesting precedent, not just for its member countries but for citizens around the world. It’s too early to know what the long-term impacts of the EU's decision to enforce "right to be forgotten" with where technology companies
will be. However, it's a safe bet the law will evolve and not disappear. There are concerns that giving you or organizations more control of their internet identity could lead to countries and firms censoring the internet. Free-speech advocates
around the globe are concerned that the lack of court precedent and the gray areas of the EU law could lead to pressure for all tech companies to remove results across the globe plus delinking news stories and other information upon an individual's
request.
A quick history lesson of how this law came about. According to a European Commission fact sheet, a Spanish citizen filed a complaint with Spain's Data
Protection Agency and indicated that Google Spain and Google Inc. had violated his privacy rights by posting an auction notice that his home was repossessed. The matter was resolved years earlier but since "delete is never really delete" and "the
internet never forgets," the personal data about his financial matters haunted his reputation online.
He requested that Google Spain and Google Inc. be required to remove the old news so it wouldn’t show up in search engine results. The Spanish court system reviewed the case and referred it to the European Union's Court of Justice.
According to the European Commission fact sheet, the EU court said in May 2014, that "individuals have the right - under certain conditions - to ask search engines to remove links with personal information about them. This applies where the information
is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing. … A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual's private life and the interest
of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant."
In the U.S., implementing a federal law might be tempting, and I often get asked on the Hill if we should implement one. The challenge is that the ability to comply with the law will be complex and expensive. This could mean that the next startup
will be crushed under compliance and therefore innovation and startups will die before they can get launched.
However, we do need a central place of advocacy and a form of a consumer privacy bill of rights. We have remedies to address issues, but it's a complex web of laws that apply to the internet. Technology changes society faster than the law can react,
so U.S. laws relating to the internet will always lag behind.
The Better Business Bureau helps us with bad business experiences. We have the U.S. Federal Trade Commission and the U.S. Federal Communications Commission to assist us. Individuals need an advocacy group to appeal to, and for assistance in navigating
online defamation, reputational risk, and an opportunity to scrub their online persona.
I feel that it’s impossible to put the EU law into practice as it’s written, but I’d love a way for anyone to truly hit that permanent erase button to wipe out all records of a user's internet-based activity. This could clear up lots of social, emotional,
criminal and business concerns that affect many of us today.
FM: What are
some of the best ways for organizations and organization to protect their IoT
devices?
Payton: The IoT and the IoE are upon us. Businesses and the security industry were struggling to beat cybercriminals
before these technologies were introduced, and this just adds more new points of presence to worry about. We love the convenience, but the data the new technology creates and the complexity it adds to the workplace is creating a domino
effect of security and privacy issues.
This new technology doesn’t follow old-school rules. Now is the time to break all the security rules and try a different approach. The biggest risks aren’t so obvious. They hide in the least obvious places. Like in “smart” light bulbs installed for
energy efficiency or sensors installed under the chairs at the workplace!
While the chatty IoT devices talk to each other while creating treasure troves of data every millisecond to save money, improve safety, service and well-being, that’s all new data that needs protection. And those chatty little sensors seem innocent
enough. What harm could a seat or light sensor do? But, if you’re not careful in design, the IoT could be the new unlocked door spilling the keys to your secret stash of what you believe to be secured digital assets.
FM: After
graduate school, what attracted you to the cybersecurity field?
Payton: I was fortunate to begin my career at Barnett Bank — now part of Bank of America — on the cutting edge of technology and customer delivery, which allowed us to also be on the cutting edge of the methods of fraudsters, money launderers
and more. I then became a senior vice president at Wachovia Bank in Charlotte, North Carolina. After 9/11, U.S. agencies came knocking on the bank’s door asking for help finding terrorist financing that could be hiding among legitimate transactions.
That was a life-changing moment for me. Having been raised in a military family, married to a Naval Academy graduate and being asked to help law enforcement with something so monumental was humbling. The on-the-job investigative experience helped
formulate my desire to focus the rest of my career to protect nations, citizens and businesses, and to combat fraud, cyberterrorism and cybercrime. I realized that cybercriminals will use whatever means necessary to achieve their goals. And I
learned how much help companies large and small need to defend against these criminals.
FM: In one of
your presentations you tell the tale about how your White House security team
used “Blackberry happy meals” — plastic baggies containing the devices and
instructions on how to protect them plus candy and other goodies. Can you
explain how this inexpensive method helped improve security and taught you
about innovation and creativity?
Payton: What does a happy meal have in common with the White House? Turns out a lot. We realized that staff weren’t reporting missing BlackBerrys fast enough. We conducted an informal study and found they were afraid to first tell our department,
the Office of the Chief Information Officer, which floored us. We realized the policy language didn’t spell out how we could help, and our briefings weren’t designed for busy White House humans but for government compliance. So, I asked the security
team what we could do to design a brand-new process, training and communications. My team came up with a brilliant idea! They created a Blackberry happy meal — a clear bag that contained lots of fun things, such as White House pens and pencils,
White House lanyards, presidential M&Ms, plus a wallet card with brief, memorable, key security points and a number to call at any time day or night. We gave the kits to a small pilot group at first. The approach was successful. The average time
to report a missing BlackBerry went down over time. And those outside of the pilot group called us to get their own Happy Meals!
FM: What other
cyber anecdotes can you tell about your time at The White House?
Payton: Those stories need to go to the grave with me! However, once we changed our mindset to design our security at the White House for the staff, we were more effective. We knew we had to address the complexity of our systems and technology.
We also had to win over the hearts and minds of the staff if we wanted to protect their privacy and security. Our security protocols were meaningless if we made them too difficult for people to do their jobs. Of course, everything at the White
House was considered critical and sensitive data, but we knew we couldn't protect every asset the same way. Just as the U.S. Secret Service has a clear focus — to physically protect the president and vice president — we followed that same principle
in the CIO’s office. Our office’s responsibility was to protect and keep all assets safe. However, with limited time frames and resources, we always had a laser-beam focus on our closely guarded top two most critical assets, which I can’t name
here!
FM: How did you
become part of the CBS program “Hunted” team? What did you learn from that
experience that you use in your firm’s work (or vice versa)?
Payton: Some of my amazing milestones in life are God moments. Something happened that led me down a path I didn’t know existed. “Hunted” was no different.
The show’s premise was that a bunch of everyday people play fugitives on the run. Our Command Center investigators worked with the boots on the ground, the “Hunters.” Team members had backgrounds from the U.S. Marshals, U.S. military, the White House,
CIA, FBI and the National Security Agency. Even though it was a contest, we took the man-hunting seriously as if we were tracking child traffickers or deadly criminals. Each fugitive would have their lives compiled into a “target package” and
we would mine the profiles of their families, friends, coworkers and their online presences for clues. Everyone, including organizations, leaves cyber footprints. How you interact with the internet determines how public and how large that footprint
is.
FM: What’s your
motivation in continuing in the cybersecurity field?
"This is my gift — to defend, protect and help victims seek justice."
Payton: Righting the wrongs of the digital age with our skills and creativity. Protecting our nation and our allies. Protecting companies and helping them recover when bad things happen. Helping individuals get their lives back. Doing pro bono
work to end child trafficking and exploitation. I am my brother’s keeper. This is my gift — to defend, protect and help victims seek justice. If not me, then who?
Thanks to ACFE
Faculty member, Walter Manning, CFE, president of Techno-Crime Institute, for
his input. – ed.
Dick Carozza,
CFE, is editor-in-chief of Fraud Magazine. Contact him at dcarozza@ACFE.com.
1 Office of Personnel Management, Cybersecurity Resource Center
2 “The Daily 202: How the nature of cyberwar is changing,” by James Hohmann, The Washington Post, April 15
3 RSA Cybersecurity Poverty Index 2016