Veterans in cybersecurity share strategies and insights
That innocent-looking email might actually be the start of a phishing trip that leads to a cyberattack. Financial services companies that face the risk of multimillion losses, and perhaps even going out of business, are on the front line these days.
SFBW sought insight on how to fight back at its first Cybersecurity After Hours Event for specialty fund managers and senior executives at the Polo Club of Boca Raton. Panelists:
Erik Kellogg, founder & CEO of inCyber Security, a Chicago-based company that provides cybersecurity services for the financial industry.
Sal Orofino, principal of Orofino Law Group, a Miami Beach firm that advises clients on content, technology and commerce, including cyber and data privacy.
Mark Renz, chief investment officer of Socius Family Office of Fort Lauderdale, which helps advisers implement long-term wealth strategies for clients.
Alan M. Porten, senior territory manager southeast of eSentire, a multinational company that helps mid-cap companies protect against cyberthreats.
The following transcript has been edited for clarity and brevity.
Many executives say the threat of cyberattacks keeps them up at night. How do you help clients sleep better?
Renz: There’s a movement among independent financial advisers to use a lot of third-party platforms with data moving between platforms. There are a lot of passwords. We look at how we organize that and what information we access. Most smaller firms, sub $1 billion, don’t have a cybersecurity policy.
At a prior firm, we had an email from a client that said to move $50 million from that client. It never came from the client. Fortunately, part of our procedure was to confirm with clients orally.
Porten: I think one of the things I’ve seen most consistently is people become the root cause of most of the cybersecurity issues going on. Ninety-plus percent of the breaches that occur start principally with a phishing email. Companies should be identifying information flowing across networks, monitoring technology and areas of policy procedure.
Kellogg: What’s keeping me up at night is the unknown feature. You need to start with getting a full understanding of what you have, how you run your business and getting some policies in place. From there, understand what’s at risk.
Renz: If we don’t go back to that cyber audit and assessment and act on it, we have a smoking gun where are we going to be held responsible. There has to be a crisp message at the end of the day.
Can security requirements be a “set it once and forget it” policy?
Kellogg: No. At some point your business, processes and technology change. There is no set and forget.
Porten: When I started in cybersecurity 15 years ago, the vision of hackers was a pimply teenager. Today, cybersecurity is 100-percent organized crime. It’s profit-oriented.
Technology is changing on a day-by-day basis. Security issues evolve along with the technology. Security has to become part of the culture of each and every one of your organizations. Every employee is equally responsible for maintaining security.
Orofino: Technology is changing radically and markets are changing radically. It’s a difficult place for us every day.
What percentage of these cyber crimes get resolved? Are people being caught and prosecuted?
Porten: Cyber criminals win every time that they cause a reaction. Every time they steal the money, it vaporizes immediately. There are prosecutions, but much of the cyber crime activity takes place off U.S. soil. The ability to prosecute across international boundaries is difficult.
Orofino: There are thresholds where the FBI and state authorities get involved and cyber thieves realize that and make that part of their strategy. The question is: Do customers indict the business that was broken into?
Renz: I was a victim of identify theft five years ago. It wasn’t a lot of money, but the amount of time to deal with it was a lot. The Palm Beach County Sheriff’s office says 10 percent of people get caught.
What happens if I, as a business, refuse to get in line?
Orofino: Chapter 7, Chapter 11 and Chapter 13 bankruptcy court filings. Those are about as clear as I can make it. They may be company prosecutions, and there could be criminal liability.
What’s the intersection between good business and regulatory requirements?
Orofino: Take security and make it a business advantage. Customers should understand your efforts are to protect them. Are you really getting in front of the issue and is that reflected by how your customers are trusting you?
Porten: Regulations in the alternative financial field are relatively new. Security is not new, but the requirements of compliance are new. There is a complex set of controls government is trying to forcefeed that’s been in place in health care, banking and utilities for a long time. It’s just catching up with the alternative investment world.
Are data breaches one of the drivers for regulations?
Orofino: Financial security is an important part of economic security. The government is looking for ways to shore up that risk.
Porten: I think the ultimate goal is to prevent panic. We have seen tens of millions of identities captured through a wide variety of retail breaches. The financial industry has kept much of it quiet. I think part of the regulation is to ensure that nominal levels of control are in place to prevent any domino effects of breaches of financial systems.
Kellogg: It’s more about giving investors and customers a choice if they feel their identity has been stolen. They can feel the government is doing something about it.
Where do you see cybersecurity advancing in the next decade?
Porten: If any of us had an answer, we wouldn’t be sitting here!
Orofino: Look at the space of what Amazon is doing—taking over unrelated businesses that aren’t tech businesses, but then creating tech business that are related and influencing legislation.
Porten: When I was at Citibank, we spent $250 million on cybersecurity. They had 1,000 cybersecurity experts, but it wasn’t enough. Their plan for this year was to double that and double the staff.
Bad guys are going to be outsmarting and outthinking a lot of the defensive postures, because that’s how they are putting food on the table.
Kellogg: You don’t want to be getting your start five years from now. You better know what’s going on in five years, if you want to be around in 10.
How do you manage risk with third-party vendors?
Renz: You are probably safer with a cloud-based system or Amazon. The landscape is dominated by these tremendous corporations that have a lot of money to spend.
The size of cybertheft was more than $250 billion a year ago and continues to grow. Have a plan and use some of the largest players in market. Utilize guys like these to get protocols and procedures in place.
Porten: The most important thing is you have to talk about it. Part of what governance is about is being required to at least analyze the risk and make business decisions based on risk and cost. Nobody can hold a board of directors responsible if the risk has been analyzed and assumed. It’s not having everything addressed is where the problems begin. Stimulate conversation and make sure to ask right questions. ↵
About the Sponsors
With managed detection and response services, eSentire keeps midsize organizations safe from constantly evolving cyberattacks that traditional security defenses simply can’t detect.
ESentire combines people, processes and technology to detect, remediate and communicate sophisticated cyberthreats in real time. Protecting more than $3.2 trillion in assets under management, eSentire has received multiple accolades, including Hedge Fund Manager Service Provider awards (2013, 2014, 2015, 2016).
In 2015, eSentire was named to Deloitte’s Technology Fast 50 and Fast 500 and was included in “Cool Vendors in Cloud Security Services,” a report by the research company Gartner Inc.
For information, visit esentire.com.
Orofino Law Group is dedicated to helping businesses match or exceed the pace of an ever-increasing regulatory environment. Its practice connects business leaders with solutions for the integrated legal areas of cybersecurity, data privacy, advertising and marketing and labor law.
OLG is a first-mover on ambassador and influencer marketing for enthusiast products and service companies. Past engagements include providing in-house counsel to youth marketing icon RVCA, as well as Connexions Sports and Entertainment, an Omnicomm company.
Representative clients include ReadyPulse, Experticity, Racer X, RVCA, Equisolve and BTOSports.com.
For information, visit orofinogroup.com