Martin then passed the podium to Ahold's Group Treasurer, Andy Nash. Nash commented on the challenge of fully leveraging the power of technology for productivity while controlling the corresponding risk in the process. Highlighting the week's latest headline breach as an example, Nash pointed to the IRS's well-intentioned "opening up" (online tax returns and record retrievals), which gave way to the theft of personal information for over 100,000 individuals from the agency's website. Besides being the perfect segue for introducing the keynote speaker, Aneesh Chopra, and his presentation "Opening Up While Locking Down; Maximizing the Value of Your Data", the example was ideal because of the multi-faceted implications of this breach and their application to the concerns and issues we were to discuss over the course of the day.
Punctuating the theme, The Washington Post covered the theft at the IRS the next day with "How the Breach of IRS Tax Returns is Part of a Much Bigger Problem Facing Taxpayers." We think the Post got it right, except that, consistent with our operating experience at Total Digital Security and our takeaways from the roundtable later in the day, the "bigger problem" applies well beyond tax returns and the ID theft and financial fraud taxpayers now face as a result of the IRS's breach. It was these problems, which apply broadly and deeply across the enterprise, that we would find common to the discussions and concerns at the roundtable we were soon to host.
Aneesh Chopra was the country's first CTO and wrote "Innovative State: How New Technologies Can Transform Government". He had found success at the state level tapping the internet for ideas, innovation, and advanced levels of productivity using proven private-sector methods, and brought that thinking to Washington with support from the Obama administration in 2009. The contrast, from a quality and productivity standpoint, between crowd-sourcing, force-multipliers, cloud-hosted information, and new, innovative thinking on the one hand and the traditional approaches taken by big government on the other is beyond striking. On one extreme you have the glacial pace and nose-bleed-high costs of traditional governmental process; on the other are multiple examples of history's greatest personal fortunes being made over staggeringly short periods of time. So extreme is the contrast that the notion of an "open" government, for the sake of unleashing some of these resources, has full bipartisan support, says Chopra.
With "opening up", of course, come increased challenges to remain "locked down", that is, in control of your data and protected from cyber threats. Chopra used examples across the private and public sectors to make his points and stressed the challenges within our legal framework, the options we have for risk mitigation, including industry internet channels within the public internet, and what individuals and organizations can do today to increase the security and reliability of their networks.
The Forum's agenda included a variety of topics pertinent to the gathering, but for the purposes of this report we will focus on the cyber security elements of the subject matter. We were asked to host a round-table discussion Thursday morning, "Cybersecurity, How to Reduce Your Risk," which I had the pleasure of hosting along with Laura Harkins, a treasury professional from the corporate sector. Our 75 minutes was spent with a large group of individuals from industries including publishing, agriculture, airlines, hedge funds, private equity and financial services, and biopharma, among many others. It was a dynamic conversation with lots of engagement and real-world experiences that, even in light of the diverse audience, seemed to resonate with a common tone across the group. After our introduction to the group, we launched in by framing the session with the following points:
With these points in mind and for this roundtable's conversation, we were going to discuss cyber security not so much in terms of the technology, but in terms of a social science. The technology will take care of itself riding the same cost/performance curve the hackers do. It's true that technologically, cyber warfare has always been asymmetrical with the advantage to the bad guys, especially at the battlefield's perimeters. But for most multi-national companies, the IT department is on it, and new regulations coupled with heightened consumer awareness are driving investment capital toward innovation in the space.
With the tone set and an engaged group on point, the conversation opened and many individuals coming from disparate industrial and geographical viewpoints joined in. Clearly the group knew firsthand of the threats at the perimeter, where people and technology engage, and how the human element was fast becoming the predominant challenge at hand. They had faced phishing emails, financial fraud, and product and IP theft, and the losses ranged from staggering amounts to small sums of money. In some cases, small amounts of funds and product are regularly drained, akin to shrinkage in a traditional environment.
There were examples of social-engineered email attacks that showed tremendous preparation, research, detail, and patience. The emails have successfully led to fraudulent wires of large sums of money, perfectly timed and executed to leave no chance of funds recovery. Product has been delivered or diverted fraudulently, and employees inside the organization remain a culprit for information and IP theft.
The implications from the IRS attack, as reported in the Washington Post and referred to earlier here, apply across the board: the hackers are sophisticated and motivated by profit, personal information is collected and curated over time for multiple future uses, some attacks are orchestrated using multiple parties who are in on the scam, and the problems are escalating at a fever pitch.
Additional takeaways from the roundtable discussion include:
For us, it became evident that corporate treasury is playing an increasingly important role in setting cyber security strategy and in the ongoing risk management and mitigation functions across the enterprise. The treasurer's office knows where the corporate assets are, who is around them, and how the assets are accessed and managed. It is at these key junctures within an organization that cyber criminals, hackers, and malicious employees will use sophisticated measures for information theft, financial fraud, and social-engineered phishing attacks.
Treasury professionals are trained risk managers, and they are fully prepared to play their part in the fight against cyber crime. While we were mostly there to facilitate the discussion, we left the group with some thoughts of our own:
For more on protecting your organization, people, and assets from the escalating risks and consequences of cyber crime, please contact Total Digital Security at 1-877-643-6391, or contact me directly at brad@totaldigitalsecurity.com