Anish: Welcome to Tech Trends. Tech Trends is a podcast series that provides perspective on the latest trends in technology, fintech and digital. October is Cybersecurity Awareness Month, and as we do every year, on today's episode we're going to provide insight into the important role that cybersecurity plays in today's business and technology agendas. I'm Anish Bhimani, Chief Information Officer for Commercial Banking, and joining me today is Annie Davis, Head of Cybersecurity and Technology Controls for Commercial Banking here at JPMorgan Chase. Annie, welcome to Tech Trends.

Annie: Thanks, Anish. Very excited to be here today.

Anish: So Annie, about a year ago we had your colleague JF Legault on, talking about the impact that the pandemic had on the cybersecurity landscape. A year later, can you talk a little bit about how we're thinking about the cybersecurity threat and COVID's impact on it?

Annie: Yeah, absolutely. It's been quite a year. Obviously a year ago we were talking a lot about the cyber threats that were targeting very COVID-specific activities, whether it was the Paycheck Protection Program or small business debt relief, that type of thing. We're not seeing as much of that now, so that's really slowed down; it's the more traditional attack vectors and themes that we're seeing. But I will say the volume of attacks, especially when you look at business email compromise, phishing, smishing, the volumes are still really high and increasing, and part of that's due to the ongoing amount of change in our environment, as well as the anxiety with the changing situation. So it's still a really good attack vector for those cyber criminals to take advantage of that anxiety and hope that people aren't looking as closely at their emails and are still clicking on links, which we continue to see a rising amount of.

Anish: So it's clear that the environment caused by COVID really did create very fertile ground for attackers, and while we're still dealing with that, I think people are starting to get adjusted a little bit to a new normal. What are some of the cybersecurity risks that we are seeing today in the current environment?

Annie: Yeah, absolutely. I would say the two largest areas where we're seeing an increase are ransomware and supply chain attacks. Ransomware alone: the number of attacks in the first half of the year is as much as we saw in 2020, so we've seen over 300 million attempted attacks in the ransomware space. And to step back, ransomware, simply put, is basically a bad actor being able to gain access to your network and take your network over to the point where you're essentially locked out of your network or locked out of your data, and in order to regain access to your network you typically have to pay a ransom to unencrypt the network. We are seeing more and more of this. You saw with Colonial Pipeline earlier this year or late last year, where Colonial had to take their systems offline to address a ransomware attack, which essentially impacted many of us in our ability to get gas as they had to slow down the pipeline. So you're seeing how it impacts broadly. Even more broadly are the supply chain attacks. Put simply, a cyber criminal will attack one target, but that target is typically one that then supplies services to multiple companies. So I can attack that one target, insert malicious code, and then as other companies update that software they inherit that malicious code. So we've essentially pushed out a significant impact much more broadly than attacking one company or one firm. We've seen that quite a few times this year. SolarWinds is the one that we saw that ultimately impacted the US government and other companies who were using that provider of software. Probably most recently you've seen the Kaseya attack, which was interesting because it was a combination of both the service provider attack and the ransomware attack. So they were able to take advantage of that supply chain and also lock multiple people out of their systems as a result of being both supply chain and ransomware.

Anish: So ransomware's been around for a long time, and supply chain attacks even longer, right? Why now? What's causing this uptick in the number of attacks?

Annie: Yeah, so Anish, I think because we've seen a lot of success in those attacks and those vectors, it's just really added fuel to the fire. We're seeing a lot of ransomware paid, we're seeing them really being successful, so they're taking more advantage of it, and you're seeing it almost as ransomware as a service at this point. The more they see the success, the more they'll continue to do it, which is why it's so critical for us to work across industries, public and private, to implement controls and processes to help slow that down and stop it moving forward.

Anish: One of the other points that always gets made as well is that when an attack first comes out it's really sophisticated, it's very difficult to do, but over time you get to, you mentioned ransomware as a service, you get to a point where there are almost toolkits that can make it much easier for other people to conduct these kinds of attacks. Is that part of it as well?

Annie: Yeah, absolutely. Like I said, it's getting easier and more successful. Though if you saw recently, there's actually some unrest in the underground, as unhappy employees of some of these ransomware companies have started to divulge recent secrets and so on, which is really opening us up to see what's going on, the inside scoop on how they're performing these attacks, the vectors that they're focusing on, and it's going to help us and other companies protect. So we are starting to see things unfold a bit as far as our ability to protect everyone against ransomware going forward.

Anish: Yeah, the moral of the story is even criminals need to worry about employee satisfaction, I guess, right? Got it. Now one of the other questions that always comes up with ransomware is whether companies should pay or not, and there is a school of thought that says, look, even if you do pay, is it going to have the results you want? What are your thoughts on that?

Annie: Yeah, absolutely. So we talk to clients about this a lot, to start to think about whether you would pay or not. Even JPMorgan does simulations where we discuss that as well and consider situations where you may or may not pay. So part of it will depend on your ability to recover: can you even recover? And then the other piece is really what's the value of the data that they've encrypted, because even if you pay the ransom there's no guarantee you're going to get that data back, or that even if you get access to your systems they won't leak data. So there are a number of things to consider: your ability to recover, as well as the value of that data, and whether you should pay the ransom.

Anish: Yeah, that's a good point, because I think a lot of people think about ransomware as this very sophisticated kind of attack that's very difficult to recover from. At the end of the day, I always like to think of it as really just a specialized case of resiliency, right? It's how would you recover if you lost your entire data center, or an application went down, or there was a flood or any sort of natural disaster. And if you're that dependent on that one copy of data, you have that challenge whether it's ransomware or anything else, right?

Annie: Absolutely. And we've looked more and more at the concept of immutable backups that are offline, that absolutely are not at risk of a ransomware attack, because as you mentioned, one of the biggest things is your ability to recover. So what you have from a backup, and your ability to recover, will really help determine whether you're going to need to pay that ransom or not.

Anish: Right. So a lot of activity. We mentioned ransomware, we mentioned supply chain attacks. What are the kinds of steps that companies can take to better protect themselves or prevent these kinds of attacks, especially in the current environment?

Annie: Yeah, absolutely. Well, obviously the first thing you want to do is prevent, so prevent and protect. A lot of what we've seen is just keeping up with normal hygiene: patching, keeping your systems up to date, implementing that layered security model, and the importance of multi-factor authentication is absolutely key in many of the examples we talked about. Your strong data backup and your ability to recover. And then, especially when it comes to supply chain, looking at that third-party risk, so ensuring you understand what third parties you're leveraging, that you've assessed them to make sure they have the appropriate controls in place, because it doesn't matter if you have all the hygiene in place if your third parties don't; that will come back to potentially impact you if there's a supply chain risk. In addition to protecting, detecting is just as important, because I think many of us have learned that no matter what you do, it's highly likely they're going to get in at some point. So the key is, if they do get in, to detect that as quickly as possible so you can contain it and reduce the impact. So those two key pieces. And then finally, being prepared, as we've talked about: if you do have an attack, how do you respond to that attack? How quickly are you able to enact a playbook or runbook? Who do you engage? Who do you communicate with? Like we talked about, will you pay the ransom? How would you pay the ransom? Really thinking through that ahead of time is very important, to make sure that you're prepared for any worst-case scenario like we talked about, to be able to react quickly and put the right controls in place to address the situation.

Anish: Yeah, I think having a plan is always important. I think it was Mike Tyson who said everybody's got a plan until they get punched in the face, right? So it's one of those things where things never actually go according to the playbook. You mentioned things like simulations and other sorts of exercises like that that can get you more familiar with the process. Can you say a little bit more about how those work?

Annie: Yeah, absolutely. So we call them tabletop exercises or simulations. You're basically going through the exercise; it's that muscle memory, so you don't want to go through something for the first time in the middle of a very chaotic event. So the more you've practiced and thought through those scenarios the better, and a lot of times when we do those we go worst case and try to think through how you would respond. We do that internally as a bank, but we also do it with clients to make sure they've thought about the scenarios that could potentially impact them, how they would respond, who they need to engage with. Again, practice will help you in the event of an actual scenario. We're not going to be able to practice everything, and we know there are going to be different nuances you can never anticipate, but if you've thought through some of those more stressful situations, you'll be better prepared when it does happen.

Anish: So as we said, supply chain attacks have been around for a long time, and third-party oversight programs or third-party reviews have always been a part of any sort of corporate security risk program. Can you talk a little bit more about what companies can do about third parties?

Annie: Yeah, that third-party risk is very complex. So you have your standard third-party control reviews that everyone should already be doing, but those are typically point-in-time assessments. Beyond that, I think it's critical to really understand that relationship with a third party: which third parties have your data, which third parties are supporting critical processes for your company, as well as which third parties are, now from a supply chain perspective, actually providing you software that you're ingesting, and making sure you understand that process. We're seeing more and more third parties subject to supply chain attacks or ransomware attacks, and immediately we look at what version of software we are running, what the potentially compromised version of software is with a third party, and making sure you really understand it to that level of detail. And you do have to understand that third party in the context of your business risk, because there are conversations now to really understand your risk and whether it's worth outsourcing that much risk to a third party. It's something you really have to take into consideration in your business model, because there is a higher risk as soon as you've handed something over to a third party.

Anish: It is an interesting conundrum, right? Because part of what powers innovation and makes people able to move so fast is being able to leverage the work that other companies have done, building on top of their success and not doing it all yourself. And I think it's important to distinguish between third-party software providers, which you just so eloquently talked about in terms of making sure that you understand their vulnerabilities and what versions of software they're running, etc., but also to treat differently third parties that host your data or have other information there about your clients, and making sure that data is appropriately protected and encrypted, and that the keys for that encrypted data actually reside with you and not with a third party, and things like that. Because you don't want to be subject to a rogue employee at a third party, or them getting compromised, or things like that, right?

Annie: Yeah, absolutely. And it's important within your contracts to make sure you have disclosure information, so that the third party is required to disclose to you if there is any sort of compromise or attack, that you're rapidly notified, especially for those who are holding your data, so that you can ensure that the right controls are in place and your data has not been compromised, or if it has, you're now enacting your playbook for potential data compromise of your client information.

Anish: So back to COVID. Obviously a lot of change over the last year and a half, and maybe we've seen a reduction in the number of COVID-themed attacks, whether it be fake PPE equipment fraud or attacks against things like the PPP program. But as much as it's been great for people to build these flexible work arrangements, remote working and hybrid working, something like that causes risk as well, right? So can you talk a little bit about any risk created by the number of people working remotely?

Annie: Yeah, well, I think the good news is that we've all significantly uplifted our remote working environments, and a lot of those capabilities that we might not have had before, or the level of security, has significantly increased for those work-from-home environments. I think when we talk about going back to the office, we need to be prepared: if you have systems that no one's logged into for 12 or 18 months, you have to be ready to make sure those are patched and secured and up to date. As well as, we talked early on about that toil and that real kind of chaos that happens when we change our schedules again, and people are trying to figure out those hybrid schedules or the return to the office. That's when we become much more vulnerable to those attacks, because our guard's down a little bit as we're switching environments, and we need to make sure that we continue to educate our employees and make sure they're aware of those phishing attacks, or whatever it might be, during that period of change.

Anish: Yeah, I think another thing to think about is, just as you worry about making sure that devices in the office are taken care of, how do you make sure that those systems that are remote, people's laptops at home, are appropriately patched, aren't subject to malware, don't have bad passwords? On the one hand you're giving everybody the ultimate flexibility; on the other hand you're putting a lot more of your company's security in the hands of all of your employees remotely, right?

Annie: Yeah, absolutely. And I think making sure you have the right tools to monitor for that, and obviously the bank is in a virtual environment, so it helps us secure that much more. But even for myself, when we first started to work from home we were sharing devices, and the chances of my fifth grader clicking on something malicious on the device I'm sharing with him were much higher. Especially, you remember, at any given point in time we were getting a text that said either click here or your package won't be delivered, or you haven't paid your bill for your streaming service, click here or it'll be disabled. Both of those had the potential to be crises in my household at that time, so it's actually surprising that we didn't fall victim to one of those. But all those types of risks in that mixed environment between home and work are real, and a lot of it's around education of your employees, basic hygiene, and protection of your home network, your home PCs, that type of thing. It doesn't cost a lot to do that awareness, but you have to just keep doing it and really make sure you've built it into your programs and your employees are very aware of the controls that they need to have at home as well.

Anish: Yeah, I think that's a really important point, because as much as people like to think about cybersecurity as this big, highly technical issue that you need some sort of big fancy piece of software to solve for, at the end of the day it really does come down to basic blocking and tackling, right? It's user awareness, it's making sure you have good hygiene around things like authentication and passwords, it's making sure that systems are appropriately patched and things like that as well. Because at the end of the day, it's phishing, it's malware, it's all the same sorts of attacks that have been at us for years, right?

Annie: You got it. And we do a lot with our clients, because we do feel like that general awareness is so important, and we have so many examples, being as large as we are. Those real-life use cases are very impactful: when you understand how there's been a business email compromise situation and you've incorrectly rerouted money to someone else, that's happening every day, and to be able to share those use cases and how you prevent that. Really, the general awareness and training is key, as well as, like we talked about, the simulations, putting them through some of those examples: how would they react, what would they do, and so on. It just doesn't cost a lot to make sure to educate your employees.

Anish: Finally, Annie, you've been in the space for a long time, right? How have you seen the role of the cybersecurity professional change over the last five or ten years?

Annie: Yeah, absolutely. Well, funny enough, Anish, I worked for you many years ago and you were in a similar role, so I'm actually going to turn the table on you. How have you seen it change, working across cybersecurity, technology and so on?

Anish: You know, I think that historically cyber was thought of as this thing that the security team dealt with, and then over time I think it became more something the technology organization more broadly dealt with, and I think now it's generally viewed as a broad-based issue for everybody, right? I mean, we talked a lot about awareness, we talked a lot about end users being the first line of defense around this. So I think that's probably the biggest change I'd see. One other thing is I think the level of visibility that the issue has gotten is much greater now; it's become much more of an issue in almost every boardroom. Ten years ago, when I was a CSO, we used to go to the board once a year, and now our current CISO is there almost every other month, if not more. So I think it's something that gets a lot more attention; people realize it's kind of an existential threat to a lot of firms and one they have to take very seriously.

Annie: So Anish, I absolutely agree, and there's no doubt that we're going to continue to see an increase in the number of attacks or an increase in the sophistication of the attacks. But we've also increased our ability to identify those vulnerabilities, monitor and detect, so your cyber book of work just continues to increase. I think that's why it's even more important for the CSO to be at the table, because they need to be able to understand that risk in the context of the business and make sure we're prioritizing the right things, and that we are addressing the highest-risk areas based on the business processes, the threats in the environment and so on. So to your point, it's no longer understanding cyber in the context of just technology; it's understanding that broader cyber risk to your entire company and your business, so you make sure you focus on the right things. Because it's going to continue to evolve, it's going to continue to change, and there's always going to be more than you can do, so you've got to focus on the right things.

Anish: Yeah, that's a great point. Well, Annie, thanks very much for joining us today and for sharing your insights on this incredibly important topic.

Annie: Absolutely. Thanks, Anish.

Anish: And to all of our listeners, remember, if you enjoyed this episode you can rate us on Spotify, Apple Podcasts or wherever you listen. Tune in next time.
2021-10-18