Tom Rainey

Information Security with Jeremy Clough

We all see the headlines about the hacks, breaches, and other security concerns that come with living in the digital age, and we have all probably wondered, “Am I doing enough to protect myself and my business from becoming the next headline?” Lucky for us, Jeremy Clough, Information Security Officer at Machias Savings Bank, shares what he knows about keeping you and your most valuable assets protected. From the warning signs of an impending cyber-attack to the types of information most commonly stolen, this is one not to miss.

What’s the difference between cybersecurity and information security?

Wow, a tough one right off the bat! The line between the two has certainly diminished or even converged over the years, but I would currently break it down into these buckets:

Cybersecurity is the technical controls and expertise put in place to thwart automated processes from breaking into your network or device and causing data loss or corruption. Examples would include updated firewalls, up-to-date patching, anti-virus, and log monitoring (aka threat hunting) searching for indicators of compromise.

On the information security side, I see it more as a mixture of formally documenting procedures and providing training to staff, customers, family members and any other members of the general public so they are less vulnerable to identity theft. These protections include use of multi-factor authentication for all your important accounts, general phishing awareness and training, limiting password reuse, and practicing good social media hygiene so you don’t provide breadcrumbs to the identity thieves and scammers. It seems simple, but reminders to never send funds solely based on an email or text message request would thwart much of the successful fraud our customers encounter.

How do businesses know if they are in danger of a cyber-attack or information corruption?

First and foremost, if you are a business, you are a target of a cyber-attack. Even in the unlikely scenario that your business does not have a web page or use the internet at all, information about you and your business is likely out there on the “dark web” for use by scammers. The basic blocking and tackling is a mixture of tried and true cyber and information security practices.

Step one is to fortify your network or PCs. If you are solely using something like the Google Suite or Microsoft 365, are you using multi-factor authentication like a text message or app to log in to your network or devices? If you have a firewall, is it properly configured, and do you have staff or vendors with the expertise to do that? Do you regularly check for up-to-date patching on all your devices, including firewalls, servers, desktops, phones, tablets and Internet of Things (IoT) devices? Do you have any services in place that monitor network traffic to stop or detect external compromises? On the human side, is your staff aware of phishing? Do they really know how dangerous it is to provide passwords to others? Start with those basic building blocks, and the hackers and scammers are likely to move on to the next target.

What types of information and data are cyber attackers after?

The answer to this question still hasn’t changed much in the past ten-plus years. The organized crime syndicates, largely based out of Russia, South Africa and Nigeria, with huge operations set up in India, are after money. They utilize phishing techniques, including business email compromise, to trick companies into sending huge sums of money via wire transfer or Automated Clearing House (ACH) payments. Direct deposit fraud is a popular trick where an HR department is targeted via email and instructed to change where paychecks get deposited. The smaller syndicates focus on text messages asking for the purchase of gift cards, pretending to be a manager or law enforcement officer. Ransomware is also a popular tool to hijack a company’s network or devices until a substantial ransom payment is made.

From the largest to the smallest schemes the advice is the same: A telephone callback is still your best defense. Never, ever send funds based solely on an email or text message. Always call to confirm the request is legitimate. Always.

On the other side of the coin are the intellectual property thieves looking to steal technology or process secrets. If your business has crown jewels to protect, including military or patent secrets, take extra care that your network is properly protected. It starts with multi-factor authentication. If you don’t have that in place yet, you are way behind.

Hacktivism is another type of data that can be a target, but that is usually limited to government entities and companies involved in technology related to voting.
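As an added example that is not part of the interview: a small triage script for the kind of direct deposit and wire diversion email described in this answer. It flags the usual business email compromise tells (an executive’s display name on an outside address, a Reply-To pointing somewhere else, a lookalike sender domain, and payment-change wording paired with urgency or secrecy). The company domain, the executive directory and both sample messages are constructed for illustration and do not come from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (hypothetical data, not from the interview): the organisation's
# own mail domain and the directory addresses of people attackers like to
# impersonate in payment-change requests.
COMPANY_DOMAIN = "example-bank.com"
EXECUTIVES = {"jane doe": "jane.doe@example-bank.com"}

# Vocabulary of payment-diversion requests and of the pressure that usually
# accompanies them. Word boundaries keep "ach" from matching "reach".
PAYMENT_PATTERN = re.compile(
    r"\b(direct deposit|wire transfer|wire|ach|gift cards?|routing number|account number)\b"
)
URGENCY_PATTERN = re.compile(
    r"\b(urgent|urgently|asap|right away|immediately|before end of day|confidential)\b"
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short domain names, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str, max_edits: int = 2) -> bool:
    """True for a near-miss of the company domain (examp1e-bank.com), False for an exact match."""
    return domain != target and edit_distance(domain, target) <= max_edits


def bec_red_flags(raw_message: str) -> list[str]:
    """Return the reasons an inbound payment-related email should be held for a
    telephone callback. An empty list means none of the heuristics fired; it
    does not mean the message is safe."""
    msg = message_from_string(raw_message)
    flags: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else ""

    # 1. An executive's display name on an address that is not their directory address.
    known = EXECUTIVES.get(display_name.strip().lower())
    if known and from_addr.lower() != known:
        flags.append(f"display name '{display_name}' but sender is {from_addr}")

    # 2. Reply-To quietly routes the conversation to another domain.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Sender domain is a typo-squat of the company's own domain.
    if is_lookalike(from_domain, COMPANY_DOMAIN):
        flags.append(f"lookalike sender domain {from_domain}")

    # 4. Payment-change language, worse when paired with urgency or secrecy.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if PAYMENT_PATTERN.search(text):
        if URGENCY_PATTERN.search(text):
            flags.append("payment-change request with urgency or secrecy language")
        else:
            flags.append("payment-change request")
    return flags


# Constructed sample messages (not real traffic).
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@examp1e-bank.com>
Reply-To: jane.doe.ceo@mail-relay.example
To: payroll@example-bank.com
Subject: Urgent: update my direct deposit

Hi, I changed banks. Please update my direct deposit to the account number
and routing number below before end of day. Keep this confidential.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-bank.com>
To: payroll@example-bank.com
Subject: Team lunch

Can we move the team lunch to Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, bec_red_flags(sample) or ["no flags; still call back before moving money"])
```

Treat the output as a reason to pick up the phone, not as a verdict: the empty list for the second sample only means none of the heuristics fired, and the callback rule from the answer still applies before any account details are changed. An edit-distance threshold of 2 is generous for short domains, so tune it against the length of your own domain.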

How is information security connected to client/customer experience?

This is a question I hope more and more companies are starting to grapple with. While, of course, no company should provide exact details on what sort of defenses they have in place, I strongly believe that companies should be aware that customers do want to know that their data is being properly protected. Don’t be afraid to ask the companies you share your most important information with how they protect that information. If they brush off the question or fumble with it, it might be time to look for a new company to work with!

What are the benefits of employing an information security officer or analyst?

Needless to say, I am a tad biased, but I think it is very important to have qualified internal staff, even if they aren’t tech wizards. So much of information security requires simple and regular reminders and governance that the basics are in place. It is understandable that a business line or even a technology manager might take her eye off the security ball when pressures to get a product out the door are in play. Having that security evangelist on staff who has support from senior management or a Board of Directors is crucial for the long-term success of any organization.

Why are data breaches a particularly big concern for businesses in the financial sector?

At the end of the day interactions with your financial sector company of choice are based on good relationships and trust. The mortgage or deposit rate across the street is likely to be quite close to what you are getting at your current bank. A big differentiator can be trust. If a customer doesn’t trust that their bank is properly protecting their data and operating ethically, it makes it much easier to walk across the street to see if the grass is greener.

As a community banker, it is tough to get lumped in with the big banks. We really are different from a trust and service perspective. Time and time again, we investigate situations where we see our customers have been scammed and their money has been deposited into one of the mega-banks. The mega-banks seem to have baked a very high loss threshold into their models, where they seem to have lost the perspective that, at the end of the day, financial losses and breaches have real people involved in the transaction. Always keeping a customer focus on why we do what we do is, in my mind, crucial to keeping our jobs challenging and worthwhile.

Why is it important for businesses to train their employees in security principles?

As we’ve already discussed, trust is crucial for any business to help build lasting relationships with customers. If a company’s employees don’t know the basics of how to protect customer information AND why it is important, the chances of success are very low.

What are some security basics that businesses of all sizes should be following?

Keep aware of the threat landscape. There are some great writers and websites out there that, in plain and often entertaining English, help me to keep up on the most current issues. KrebsOnSecurity.com is a fantastic resource.

It is usually a good idea to find an independent technology or service provider to provide an overview of your infrastructure if you are just starting out. Maine is lucky to have several fantastic firms that provide this service. They are likely to suggest many of the items already discussed earlier.

Are there any information security resources you suggest for business owners who want to learn more or begin implementing a more robust security plan?

BleepingComputer.com and Wired magazine (print and online) are great resources. Most trade groups now have at least part of their outreach dedicated to information security. Check what sort of resources they have available. Also check with your bank; they might just have an Information Security Officer who would be happy to come to your company to provide a presentation.