Security expert says social media info can lead to havoc

Theresa Payton

With news last week of another data blunder by Facebook, it doesn’t take a reasonable person long to conclude the benefits of online social connectivity are hardly worth the risks. Reports of people deleting Facebook from their phones, their computers, their lives, are ubiquitous. Not good enough, said Theresa Payton, cybersecurity expert who was chief information officer in the George W. Bush White House. For like a spurned lover, the internet never forgets.

Social sites are mined by cyber criminals in their quest to socially engineer (or dupe) the individuals who stand between them and the money or data they seek. Who are common targets? People working at your bank.

“There are all kinds of ‘patterns of life information’ available” by examining a person’s social media pages that can be used to socially engineer them, said Payton, speaking March 20 in Nashville to the Independent Community Bankers of America. Answers to common security questions, such as “What’s your favorite sports team?” or “Where did you go to high school?” — all of this information is readily available by seasoned cyber trolls visiting social sites. Even if people have recently deleted their accounts, their sites can be targeted. “Deleting is not really deleting,” Payton said.

People need to be thinking differently about how they answer these types of questions, Payton suggested. Not just employees but customers too. So it can be incumbent on banks to educate people. When someone signs up for auto bill-pay, that might be a good time to introduce some education, she suggested.

Technology, and the security protocols that protect it, need to be designed for the humans who use it, Payton said. “Most people overestimate their ability to not be socially engineered.” This is important because scammers will send emails to bank employees under the guise of the CEO, asking them to move money or send data. And when the boss asks for something… well.

Many email programs already have built-in functionality to flag emails that come from outside the organization with a warning that reads: “please use caution when opening or responding.” This functionality often isn’t turned on, she said.
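The CEO-impersonation emails and the external-sender warning described above are straightforward to check for mechanically. The following Python is an added illustration, not code from the article or from Payton's firm: it parses constructed sample messages, tags anything whose sender domain is outside the organisation with the kind of caution banner quoted above, and additionally flags external messages whose display name matches an internal executive (the "boss asks for something" case). The domain names, executive directory and sample messages are all invented placeholders.

```python
"""Inbound-mail banner and executive-lookalike check (added example).

INTERNAL_DOMAINS and EXECUTIVES are assumed placeholders standing in for an
organisation's real domains and directory; SAMPLES are constructed messages.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"examplebank.test"}                 # assumed org domains
EXECUTIVES = {"jane doe": "jane.doe@examplebank.test"}  # assumed directory
BANNER = "[EXTERNAL] Please use caution when opening or responding."


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def classify(raw: str) -> dict:
    """Decide whether a message is external and whether its display name
    impersonates a known executive from an outside address."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    external = domain not in INTERNAL_DOMAINS
    # Display name matches an executive, but the address is not theirs.
    exec_lookalike = external and name.strip().lower() in EXECUTIVES
    # External domain that embeds an internal brand name (e.g. examplebank-secure.test).
    lookalike_domain = external and any(
        d.split(".")[0] in domain for d in INTERNAL_DOMAINS
    )
    return {
        "from": addr,
        "external": external,
        "exec_lookalike": exec_lookalike,
        "lookalike_domain": lookalike_domain,
    }


def annotate(raw: str) -> str:
    """Return the message text with headers and a body banner added for
    external mail; internal mail is returned unchanged."""
    verdict = classify(raw)
    if not verdict["external"]:
        return raw
    msg = message_from_string(raw)
    msg["X-External-Sender"] = "yes"
    if verdict["exec_lookalike"]:
        msg["X-Exec-Lookalike"] = verdict["from"]
    if verdict["lookalike_domain"]:
        msg["X-Lookalike-Domain"] = sender_domain(verdict["from"])
    msg.set_payload(BANNER + "\n\n" + msg.get_payload())
    return msg.as_string()


# Constructed sample messages: one internal, one executive lookalike from a
# free-mail address, one ordinary vendor, one brand-lookalike domain.
SAMPLES = [
    "From: Jane Doe <jane.doe@examplebank.test>\nTo: ops@examplebank.test\n"
    "Subject: Q2 numbers\n\nSee attached.\n",
    "From: Jane Doe <ceo.janedoe@freemail.example>\nTo: ops@examplebank.test\n"
    "Subject: Urgent request\n\nPlease handle this today.\n",
    "From: Vendor Support <support@vendor.example>\nTo: ops@examplebank.test\n"
    "Subject: Invoice\n\nInvoice attached.\n",
    "From: IT Helpdesk <help@examplebank-secure.test>\nTo: ops@examplebank.test\n"
    "Subject: Password reset\n\nPlease confirm your login.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

In a real deployment the same decision is normally made by the mail gateway (a transport rule or header check) rather than by a script, but the logic is the same: the sender domain, not the display name, decides whether the banner appears, and the banner is only useful if the feature is actually switched on.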

Payton, who is CEO of her own Charlotte, N.C.-based security firm, once worked at a community bank. She also hosts a reality show on CBS called Hunted. Payton used clips from Hunted to demonstrate how easy it is for scammers to glean data on a person. “The challenge with making tech secure is that tech also has to be designed for human beings,” she said. “Nobody appreciates it when passwords are automatically changed every 30 days.”

Payton suggested every bank have an incident response plan in place that focuses on technology, and she offered the following advice for bankers seeking to integrate new technologies with existing systems:

Segment it to save it. On average, it will take 211 days before a security breach is detected. That means a breach occurring on New Year’s Day will not be noticed until August 1. Think about how much mayhem can occur in that time span.

With open connectivity (the internet of things) becoming ubiquitous, it will be critical to separate functions at the bank. “Ask your technology services provider how you can have a physically different network, and a logically different network, as well as user access and user authorizations to separate the two,” Payton said.

Think about which assets are most important. Put critical protections around your most important systems, Payton said. “It can be daunting to think about protecting everything you have. Be laser-beamed focused on the top two.”

Develop a backup plan for when the technology fails. “We’ve lost sight of thinking through a ‘kill switch,’” Payton said. “Before suffering a security glitch, determine your ‘kill switch.’”

The incident response plan should include who at the bank gets to flip the “kill switch,” who gets called when the switch is flipped, and a thorough explanation of what functionality at the bank remains once the switch is flipped.

Payton suggested bankers test their technology incident response plan, or playbook, once per quarter. “Think about how the systems are designed,” Payton said, adding “multi-factor authorization has never been easier to use.”

Today’s systems are designed to be open and interoperable. This type of design opens the door to risk, Payton said. When designs are built to maximize user experience, meaning designed for a human, they will need a safety net.

Probably more than one.