<ul class="font_8"> <li> <div class="font_8">Identifying the security threat landscape</div></li> <li> <div class="font_8">Implementing the “right” infosec program</div></li> <li> <div class="font_8">Best practices for securing consumer data</div></li> </ul> [toggle title="TRANSCRIPT"] <div class="transcript-scroll-box"> 00:00 This next presentation is where our speaker will dive into the top cybersecurity concerns for lenders. Our presenter, Eddie Yonker, is Hyundai Capital America's Vice President, Information Protection, and Chief Information Security Officer. Eddie has 30 years of cross-industry experience spanning the military, federal consulting, manufacturing, financial, and distribution sectors. He has served in a variety of roles, ranging from military munitions support, to progressive IT roles, to managing cutting-edge security operations for the largest Department of Defense at the time, to program management, to information security consulting with a premier Fortune 500 company, to executive leadership roles. Eddie's experience spans small, medium, and very large environments. In his current role with Hyundai Capital America, Eddie launched the Information Protection department, where he continues to mature the information security, privacy, and records management programs. He also led the launch of an enterprise data management capability. Eddie recently spoke on our Auto Finance Excellence podcast, its latest episode, on this same topic. Be sure to tune in to that podcast at autofinanceexcellence.org. And please remember, if you have any questions for Eddie, please do find him after the session. He will be around to answer any questions that you may have in case we do not get to them today. There's a ton of information to cover on this topic, and he wants to give you the best education possible. But he will be around to answer any questions you have.
And if you would also be interested in receiving Eddie's contact info, you can reach out to us or our events team, and we'd be happy to share that with you as well. With that, please join me in welcoming Eddie to the stage. 02:02 Thank you, Nicole. It's a privilege to be here with you to talk about one of the top priorities, as we'll discuss, in the lending industry today. My goal, at the end of all of this, is for you to walk away from here with more information than you had coming in, and ultimately take some of these data points back to your workplace and generate some constructive discussions. I plan on being pretty provocative as we go through this. Okay, the storyline. We're going to establish cybersecurity as the top concern for lenders. Then we'll understand what that security threat landscape looks like. We'll explore that a little bit. After we understand that, we'll respond to that threat landscape with the right infosec program for your organization, and I'll explain a little bit of what I mean by that. Then, once we have an infosec program in place, we'll talk a little more specifically about protecting the consumer data. The attorneys that were in front of us here a little while ago actually hit on that a little bit. I'll expound on it as I go. The audience: I want to establish that I know I'm not talking to a bunch of cyber geeks here. Okay, I know that. So the materials I've put together, I hope, resonate with all of you. I've lifted this up a little bit, hopefully, to where it's meaningful for you. We have a lot of diversity in attendance here. I want to start off by talking about what information security is and what cybersecurity is. There is a nuance there. Those terms are used interchangeably a lot, and I would suggest inappropriately so. So the nuance is: from an information security perspective, we're generally talking about a broad program approach to protecting the confidentiality, integrity, or availability of company information of all forms. The cybersecurity piece is sort of what it implies. You'll also hear it called IT security. It's more on the electronic side, talking about network systems, applications, and associated platforms. So I just wanted us all to have a common understanding as we go through this presentation and as we use these terms. So cybersecurity is a top concern. Let me start with Eddie Yonker saying it's a top concern; then we're going to talk about others saying it's a top concern. So I'll go back five years ago, which is a really long time in this cyberspace, okay, but not so long ago when you're talking about national intelligence, okay? Because they can really see further into the future than typically you and I can. So, in a discussion with the former Director of National Intelligence, the DNI at the time, he told me, "Eddie, my top two concerns around cybersecurity: the financial system, the US financial system, which then has global implications, and the other one is the power grid." And no, we're not talking about the power grid today. So we'll stay with the financial system. So that's Eddie Yonker telling you it was a concern five years ago, on a national security level and on a homeland security level. Next data point: CEOs of the largest US banks just met with the House Financial Services Committee last month, and they said we have two major concerns. One is cybersecurity. The second one is a slowing global economy. Next data point: January of this year, a Fortune report on a new survey from the Conference Board stated that cybersecurity has become the top external risk concern for CEOs in the US. Obviously within the US, obviously within the lending community. Also in January, a Bloomberg headline: "Climate and cyber risks top concerns facing the world in 2019." That's the World Economic Forum. Mr. Jamie Dimon from JPMorgan Chase,
in his annual letter to shareholders, just out last month, stated that the threat of cybersecurity may very well be the biggest threat to the US financial system. Those are some different perspectives establishing that we've got a business concern in the lending community, and it happens to be a top concern. 06:44 Let me just state a fact here, and I'll get into it a little further. In that kind of a climate, cybersecurity threats can disable computing resources and cripple governments and multinational organizations within minutes. Many are across borders; borders don't exist. Within minutes, and then hours and days. NotPetya, we'll talk a little more about that later, the most devastating cyberattack in history, just a couple of years ago. So that's the environment today. I think when we get into the threat landscape, I just thought of this, maybe I'll reveal a little bit about why that's still a top concern and why it continues to escalate. So, the rhetorical question: is your company ready for that kind of an environment? Many are not. And I think we'll explore some of that as we go. So it's in that context I want to talk to CEOs, future CEOs, senior execs, board members, if we have any of those, any of you in here, and also abroad. I'm talking to you on these next couple of slides. What are you doing about that concern? We've established it's a top concern in this industry sector. What are you doing? Is it part of your annual goals this year for your company? Is that a priority for your organization? Or are you just hoping for the best and that you can stay under the radar? I would suggest you can get sucked in as a non-targeted victim if you put your head in the sand. Are the boards and senior executives committed to a destination state, an A-to-B state? Right? What I'm really talking about there is a commitment from the most senior leadership in the organization to recognize this top concern. It's a business problem. It's not an IT problem. So, business problem. Are you taking a look at what that concern is? Are you talking to your CISO, your chief information security officer, your chief security officer, your VP of information something, right? Whatever you call them in your organization, are you bringing them in, saying, "I've got concerns, help me understand my concerns, help me validate them, help me understand my organization and how our posture measures up against that risk, that threat vector out there"? Are you doing that? These are the rhetorical questions. I'm hoping some of you, maybe there are CEOs here, some of you take these back to your organization and start asking these questions. 09:37 The CISO 09:39 needs regular transparency with the board of directors, if there is a board; otherwise it's the senior executives, the CEO and his or her team, to ensure that they maintain transparent risk awareness and can provide appropriate direction and oversight. I can't overstate that one. 09:58 And I'll get into that here on the next slide, I believe. 10:05 There's a button under here I keep touching, moving these forward. So, more thoughts for the CEO, right? A CEO needs an experienced CISO, not just somebody, right? They need to understand security operations. I would suggest they need to be able to speak to the geeks and translate in a meaningful way to a board or to a senior leadership team. 10:34 Do you have the right reporting structure 10:37 for the CISO? 10:38 Right. I think this is the starting point, critical point number one. It's got to be in the right place in the organization. You heard me say on the last slide the transparency piece on the risk management side. You need the appropriate alignment to get the transparency that the board level needs. So, my opinion: for mid-size, large-size, especially those organizations, get your security leader out of IT.
An IT organization focuses primarily on uptime, on delivering services, on delivering projects, on budgets, timelines. Your security guys don't really care about that. Their primary focus is on the risk management piece. And if you take a risk management group and put them under an operations group, if you take your CRM and have them report to the sales guy, there's got to be a natural conflict of interest. The board and your most senior people in your organization, I'm telling you through experience, and through many conversations with people like me, they're going to get filtered. Okay? The top risks won't always make it up to where they need to be. Therefore, I'll jump to a conclusion, at least partially: so maybe that's why we continue as an industry to talk about this being a top concern. Especially when I get into the threat landscape here, I'll tell you some ridiculous stuff that we're talking about that we shouldn't be, and I would suggest it would go away if you had the right level of attention on it. So various surveys support what I just said. I'll use the PwC one here, because it's one of the prominent ones. I've been watching it for years: the Global State of Information Security Survey. In 2018 they had, I believe it was, 9,500 respondents to the survey from around the globe, across industry sectors, and it ran the full spectrum of the C-suite. Okay. So 9,500 of them said, "Hey, the CISO role, whatever you call it, reports into the CEO": 40% CEOs, 27% the board. That is very refreshing, I'll tell you, because companies are finally getting it. And the fact that I'm here talking today about cybersecurity being a top concern in our community tells you, and you see, that the right people are saying, "Hey, it's a top concern." Companies are getting it. I think it's a very good thing, and it's starting to go down a path to where security concerns are coming out of IT. They're being raised up to somebody who can give them the appropriate oversight and power or authority to effect change. One final point here on this one: CISO, CFO, CIO, all three are stakeholders in the cybersecurity problem, this business problem. They all play some different roles on the cyber thing, and they really need to be in a collaborative relationship, all three. A board or a CEO needs to make sure that happens; it won't happen naturally. 13:54 Trivia. 13:56 How much does Jamie Dimon say that his company spends annually to protect against cyber threats? 14:03 That's the money piece. 14:08 Here is the how-many-people piece. How many people? 14:14 You have your answers? 14:17 Jamie Dimon says, "We spend nearly $600 million a year on these efforts and have more than 3,000 people deployed to the mission in some way." That's a tremendous investment. And I would suggest that is just one CEO, as we saw on the earlier slide, who's putting his money where his mouth is: "Hey, I have concerns, and we're doing something about it." Only time will tell if that's adequate. 14:43 Okay, so we understand it's a concern. 14:48 Let me help paint a picture of what the threat landscape looks like. I'm trying to watch my time here. I've got a lot of slides to get through, and I'm going to stay on a steady pace here and try to hit my time. Let's jump to: since 2013, only 4% of breaches were considered "secure breaches," where the encryption of the stolen data rendered it useless to the attacker. That's alarming to me, guys. That's a six-year period. Now, that's alarming in today's age, that you and I are not taking it seriously enough to appropriately protect consumer data. And it starts with what the attorneys, they're still here, said, and that is: you better find it, you better figure out how it flows and where it goes, so that you can make sure the right controls are in place. That's ridiculous. A few years ago, and I can never stop talking about this one:
almost 100% of vulnerabilities exploited by attackers were compromised more than a year after the controls for the vulnerability were made publicly available. In other words, the vulnerability that was exploited by an attacker had a patch that was available for more than a year, and the vulnerability was not patched. That's unacceptable, and I hope boards and CEOs feel the same way. Equifax is a good example that I can think of off the top of my head: a vulnerability that was exploited, and the patch was available for over a year. I'll point out a couple of these web threats. This is a very prominent web threat that you may not have heard of, but it's trending in 2018, right? Formjacking. So formjacking is where you and I go out to a payment site, and we enter our payment information. And you and I don't know it, but that site has been compromised with some malicious code, and as we enter it and hit Submit, you just submitted your payment information to the bad guys. And then they do whatever they do with it. That's what formjacking is. Targeted attacks: I think we're all familiar, probably very familiar, with phishing. So spear phishing continues to be the most popular avenue for targeted attacks. That's no surprise. So, in the security community over the past decades, actually, if you heard them talking about how you secure your environment, it was always focused on creating a Fort Knox out there on the perimeter, right? Perimeter defenses and then layered defenses. So, a router, a hardened firewall, a DMZ to protect some things, an intrusion prevention system, an intrusion detection system, content filtering, right? You have layers to protect against the bad guys. They can't get through all that. Well, they sure can today. All they have to do is send you an email, right? Phishing, and then just hope one of you and I is naive enough to click on that link or open up that attachment, of which 48% of those attachments are Office files, by the way. That's no surprise, because it's so popular. So anyway, it's an easy way to get on the inside of your environment these days. 18:26 So who are these people? And why do they visit you and me? Right? They have very, very defined agendas. The first three are really more common to you and me. Hacktivists: so you might remember, a few years ago, a group called Anonymous. Boy, they were hitting a lot of companies, defacing their websites, making their political or social statements on websites. That was very common then. So that's what hacktivism is. Criminals: individuals, or especially organized crime organizations, they get pretty advanced, and they're trying to generally extort money out of you and me in some way. Okay. One of the ways, current day, that they do that is through ransomware. Right? Ransomware comes in because you and I just clicked on that link in phishing. What did I do? You and I just clicked on that link in phishing, and we just downloaded code, and that code just encrypted our hard drive and any shared drives it's aware of, any USB drives. And then it says, "Hey, if you want to decrypt that, you need to send me some Bitcoin," right? Which is not traceable back to them. "So you need to send me some, and then I'll send you a code where you can decrypt this and you can get to your data again." So they were making money. Right? That was a big deal a couple of years ago. Insider threat: we all understand that. Somebody is amongst us, and they are motivated and incentivized to steal something for gain. Espionage, terrorism, warfare: it is what it says. You and I typically don't get exposure to that in our community here. So those are sort of the bucketed bad guys and what they're after. So that's who they are. Now, how do they get to us? How do they do what they do? This is a good anatomy of a targeted attack.
So when they're targeting you, they're doing a whole lot of homework. They're not just shooting stuff out at you. They're doing a whole lot of homework about who you are, what products or services you sell, who your business partners are, who your supply chain is, because they're planning an attack: "How much is in it for me if I can get to that company? Is it really worth my effort?" By the way, again, what does their supply chain look like? What do the business partners look like? Because they might be a weak link to get in the back door to this organization. That's what recon is, reconnaissance. Then they'll, for example, send you and me that phishing email. We'll click on it, we'll download that code, and they've just established a foothold on one machine on the inside of your environment. Now that they have that inside presence, they're looking to escalate privileges to a root, administrative kind of account where they can move anywhere with full authority on the inside of your environment. Firewalls, all that perimeter defense, not even aware of any of this. Then they'll do internal recon, right? Figure out what all is in this environment. They have some crown jewels in here somewhere; where is it? They can easily find out what ports and protocols are running on all machines on the inside of the environment, which will tell them, "Ooh, that's a web server. Ooh, that one is a database server. Let's go see if it has some crown jewels in it." Okay. So they'll go over, move laterally, expand their presence as they need to, to find whatever it is they're looking for. And now they're at your data, and they're ready to exfiltrate it. If they're bold, they might grab the data and exfiltrate it all right now, right? If they're wise, they might be aware that that could set off some security alarms and bells, and might not want to do that. So they'll trickle data out over hours, days, years, and maintain a presence in your environment. That's called an advanced persistent threat. And they'll stay in there and exfiltrate your data for as long as they have an interest. 22:52 So that's basically how that works. 22:58 They just got your data. What do they do with it? This is an actual screenshot from the black market. This is the dark web. 23:08 So it's a shopping cart. 23:10 You can see there they've got a bunch of Amex cards on this page, with some expiration dates, the bank they're from, and who knows what other information is available if you click on some of those. And then you take the ones you want, you add them to your cart over here, it gives you the price, 30 Bitcoin, right? And you pay, and you've got the data. Now you do with it what you want. That's what the dark web looks like. Now, when they're selling it out there, how much is it worth? Here's some examples. So a credit card, first and last name with credit card number: $1 to $8. Add a PIN and an expiration date: $17 to $35. Driver's license, passport: $25 to $5,000. Social Security card: $250 to $400. Bank info, there's an asterisk down there if you can't see it from where you're sitting, based on account balance, right? $300 to $4,200. A full identity profile: $1,200 to $1,300. Okay, so that just gives you an idea of what they do when they get to your data and how much they get out of it. Another trivia question. Released in the wild in 2017, this malware attack combined two hacker exploits, EternalBlue and Mimikatz, into one single malicious package. The US intelligence agencies and the White House confirmed that Russia's military initiated this attack against Ukraine, which quickly spread globally and really brought down the Maersk shipping company, Merck, FedEx, and actually many others. You may remember this in the news. Which malware is that? Somebody said NotPetya? Yeah, the answer is NotPetya. Some amazing power used for malicious activity. EternalBlue, that was part of what was compromised from the NSA 25:10 a few years ago. 25:14 Okay, we understand that cybersecurity is a problem.
We understand a little bit about what that threat landscape is. And there's a lot more to understand about that, but it can't fit in 45 minutes. So now we're going to respond to that with the right infosec program for your organization. This is where I want to be thought-provoking again, especially if we have some senior leaders in here: key thought-provoking messages for boards and the senior leaders. Okay. I think on the next two slides I'm really focusing on that group. Generally, I hear it from time to time in various organizations: "Hey, what are our competitors doing? What's the company next door doing as it relates to that security thing," whatever it is. My general response always is, it doesn't matter. You might have some reference point out of that, but it doesn't matter what the other organizations are doing with their security programs, as long as you have faith in your security leader, right? You might not; maybe that's why you're asking the question in the first place, or maybe that's why you're here. Each company has its own internal and external risk profile, risk appetite, tolerances, business culture, and all of that is really what should inform what you do with your infosec program and to what degree. Okay, one size does not fit all. We've all seen the leader coming in from the other company. They're new to this company, and they were masterful at that last company, and they just want to copy and paste into this organization whatever was masterful there. I hope that raises caution flags for you. If you ever see any kind of a security guy coming in with that attitude, wrong attitude. So, CISOs. Boards, appoint a CISO. I've got to believe in this community probably everybody has a CISO, whether it's called that or not; there's somebody heading up the security program. And if you do business in New York and you're collecting consumer information, you're subject to the cybersecurity reg there, and it says you've got to have a CISO, somebody on this program. So just something to consider there. Again, make sure that, and by the way, it doesn't matter if you're just starting up this kind of a program, or if you already have a CISO who's been there for 15 years and it's a really mature program and they're humming along great. Stop, reevaluate, always. Why? Because our leadership in the industry sector just said so. So, real concern: a lot of vulnerabilities still unmanaged. So get the organizational alignment right. That's the first thing I would say, right? And then make sure again, in short, make sure they can speak geek and then go to the executive table and resonate with those folks with solutions for their concerns. Make sure that they can build relationships with the executive levels, so that they can then influence, right? Knock down obstacles, so when their teams go out and do whatever, it's a smooth ride. Leaders, work with your CISO; commit to that destination state. It might start with something like, as I mentioned earlier, I think: understand that concern, understand the threat landscape, work with your CISO to figure out how we measure up against that concern. What's our risk exposure? Therefore, I would suggest, what are some directional strategic goals? And then, Eddie-kind-of-a-guy, come back to me with a roadmap, come back to me with a plan to get there. Okay. "And I, board, CEO, I want to oversee what you're doing; get on our calendar monthly, quarterly, whatever it is, not once a year." Right? Not once a year. CISO, what should they focus on? Again, I would say, I don't care if your CISO has been around 30 years: get to know the business, its processes that go into producing whatever it is the company sells, products, services, whatever it is. Why is that so critical? You need to integrate into those processes,
so that at some point, security and privacy concerns are not just concerns; they're integrated into your processes, and people are running their processes, doing what they need to do to account for the risks. 29:54 Learn what data, services, information are important to those leaders, right? Then ascertain who your business partners are and what you're sharing with them. And by the way, CFO, you just told me that you run that report every Monday morning, and whatever that report says sets your team in motion for the next week or some period of time. What if you can't get to that report? What if malware hits, corrupts some data, affects the integrity of the data, or you just can't get to it? What does that mean to you, leaders? Right? The CISO needs to understand that so that you put the right controls and restoration processes in place for contingencies. Directional strategic goals, so in the interest of time, at the bottom: I harp on this with IT guys all the time when they come in with little secret recipes. I don't want to hear secret recipes. Recipes are already written for you in IT, and certainly in the security world too. There are best practices, there are standards out there that are globally recognized. Use them to guide your thinking. Use them to guide your thinking and develop that recipe for your organization. I'll do a call-out on one here that I especially like, especially if you're in the earlier days of your journey here, and it's the Center for Internet Security Controls. You may have heard them called the Top 20, or the Top 20 Critical Security Controls, or the SANS Top 20. It's all the same thing. I'm going to read the third bullet under there to you: "They reflect the combined knowledge of actual attacks and effective defenses of experts in the many organizations that have exclusive and deep knowledge about the current threats." Those experts, that's your intel community in the US. That's Department of Defense. That's Department of Energy. That's Department of Homeland Security, and a whole lot of others, including some out in the industry sector too. And similar components over in the UK, over in Australia. This is a global effort that assesses what the threats coming in are, what the best way to defend against them is, and then they publish these Top 20 controls in a prioritized order of implementation, because they build on one another as you go. Continued focus. The obvious is policies and standards. Include risk thresholds, risk tolerance thresholds, so that when you have a critical vulnerability, say, and you define what critical means, when you have a critical vulnerability in your environment, you have a threshold on how long you have to address that vulnerability, right? That's a common oversight, by the way, in a lot of organizations that I've seen over the years. Jump down to the processes down below. This is where I was talking about integrating into the processes, right, around the business. These are change processes, in probably most of our environments, right? IT change management process, a procurement process, master service agreements, contracts with the legal team. So you need to integrate into every one of those processes, so that you, as the security component, privacy component, have the opportunity to do your privacy impact assessments on that change, your security risk assessments on that change. 33:53 Okay, so if you haven't done anything with security and you're wanting to know where to start, start with the CIS controls that I just mentioned. Start with the first five of the 20.
You start with the first five, you knock out over 50% of your vulnerabilities in your environment. Highly impactful with laser effort, maybe with limited resources. Then perform a third-party risk assessment. It will be eye-opening, because you're on the inside as a security guy, drinking your own Kool-Aid and rationalizing right along with the local politics that affect all that, right? Get a third party, a credible one, that comes in and says, "You don't look as good as you thought you did. And by the way, here is a prioritized set of risks." That is a risk-based approach from here on out, again, especially if you have limited resources to work with. 34:46 A risk-based approach from here on out. 34:49 Breach plan, and so on. That's a problem. And I'm sure you've seen it in the media, where some companies, for whatever reason, just haven't prepared. So when the data breach day hits, it's all "Oh my God, the sky is falling," and just good people trying to figure out where to go from here, and who can help us, and what should we tell law enforcement? Should we even contact law enforcement? 35:11 What kind of 35:11 forensics? What do we... It's too late to figure that out. And by the way, to get to these resources, you're going to have to get your legal team to get some service agreements in place. Good luck negotiating them from a position of weakness, right? Relationships with law enforcement too; that's a really important one. I work a lot with the local law enforcement and with the FBI. The FBI is a wonderful resource. They have outreach programs for you and me, to come out and do some awareness training. Because obviously, just from their perspective, they get to see a wide range of national and international issues. So they're a good resource for all of us. Continued focus: training and awareness. It's a great way to change the way people think and the way people behave. I have an award-winning program here, 36:02 where I work, 36:04 in training and awareness. And I would suggest just thoughts for you to consider as you might do a training and awareness program. What themes? Start with themes. What do you want to communicate to the user community? Start with executives, right? What do you want to communicate to them, and change the way they think, change the way they behave? Then what are the specific deliverables to do that? Right? Weave them in and out throughout the year. I've got to tell you, I spent so many years in a highly classified environment. Now, that's a different culture, though. It's a security culture. But still, I can't tell you how many years I would get this annual security refresher training, right? Annual? Man, if you don't use it, you'll lose it. Right. My whole point here is get to people throughout the year. There are different ways to do that delivery format, whether it's in person, going to a department meeting and, you know, presenting whatever you need to present, a podcast, whatever, but get to people multiple times throughout the year. This isn't just security. This is for anybody who's done training and awareness. Last, keep an eye on the horizon. This industry sector moves fast. The whole IT arena moves fast, as you guys understand very well; the whole security piece of that, my goodness, it's changing so rapidly. You have to stay relevant. If you don't, you're going to be irrelevant. Your boss is going to see that at some point, and that's probably not a good discussion. 37:39 More trivia for you. Bad actors, so they make money when their ransomware encrypts data on a victim's storage device, which results in the victim paying to decrypt the data. 37:52 Attackers 37:53 also use a newer money-making malware that uses the victim's processor on their computer to mine for cryptocurrencies like Bitcoin. What is this type of malware? It's a newer malware in 2018, yellowed out. Cryptojacking, somebody said that. It's exactly cryptojacking.
Okay, so we're to the point of... I have nine minutes left... to the point of what should you be thinking about as you're securing the consumer data, right? Again, the attorneys hit on this a little bit, and I'm going to hit on it for sure. I'm going to start with this first bullet. What data do you have in your company? Right? Again, from a security perspective here. And again, all of this, I'm just reminding you, is in the context of the very first slide that we discussed: leaders in this industry sector say that's a top concern, that's the cyber thing, right? So you'd better find the data. You'd better find out what kind of data your company even has. What does it collect? What does it use, store, transmit? And again, to their point, what does it share externally? You need to understand that. And one of them might have said this: you need a visual of this. You've got to create a diagram of this so that you can visually facilitate some discussions with many stakeholders, and then do a risk assessment. Once you understand what all that data is and where it is, make sure that there are the appropriate controls around that data.

39:48 Where is the sensitive data? In our community, they define PII for you. I won't do that again, but PII is definitely one of those components that you and I care about. It's regulated data. That's not why we should protect it, by the way. We should protect it because we have fiduciary responsibilities to do so, moral responsibilities to do so. Document and inventory, and make that an actual diagram. You need to have a lot of discussions on this. The inventory should include the location of the data: systems, applications, data flows, external partners and vendors. You need to understand that. And boy, that can be a feat.
So I started with this company about five years ago, and holy cow, nobody knew where the data were. They couldn't even give me an architectural diagram of their environment. It's fairly complex for a midsize organization. They couldn't even tell me more. So good luck on finding where that data is. You've got to start with a whole lot of interviews with all kinds of stakeholders just to get information so you then know where to go from there. Okay, so it can be a very tedious process, but critically important.

41:13 Okay, so now that you understand what data you have, where the data is, and what the protection requirements are, you need to develop a protection policy and strategy. How are you going to protect that? There are various ways, but I'm just mentioning a few here. That policy, or that standard, should talk about the use of encryption, masking, tokenisation, when you use that, etc. After you do that, again, perform the risk assessment, because now you know where the data is located, how it's used, what the data flows are. You need to then determine: are the right controls in place to adequately protect that data? Organize the data in a way that makes sense in your organization. You've probably heard terms like EDW, enterprise data warehouse, right, data lakes, data whatever, right, there's a bunch of them. Does it make sense to put all the data in one place and then build Fort Knox around it? Maybe. Or do you maybe have a lot of legacy systems in your environment, and you need to spread the data out a little bit for performance reasons, maybe, or maybe even for security reasons? Network controls are really important to maybe segregate your legacy data, for example. But after you figure that out, you need to figure out an identity and access management strategy. Right? You and I, in our workplaces, we have identities, right? It's typically our email address or some username, whatever it is.
And then we have access to various systems and data, right. The ideal world, and a lot of companies are really getting with this these days too, is to create some kind of a role-based system, where you have an analyst, right, and an analyst gets that set of permissions; then you have a manager, and they get that set of permissions, which is different than the analyst's; then you have the next role, with a different set of permissions. Now, you and I, depending on what role we're in, we just get added to that role and assume the access that that role has. That prevents... so now, five years from now, you and I get a promotion or something, or we move into another role: they pull you out of that role, move you into that role, done with the access. Access management. Typically, what we're still seeing in our environments is the accumulated access effect, where you and I either get promoted or we move through various roles over 15, 20 years, and we accumulate all that access that we've had, a lot of which is unnecessary at that point, right? And then remember, Joe can always get disgruntled after 20 years, and he's got a whole lot of access that he doesn't need.

44:36 Sharing of data. So maybe our organizations do this differently. I've seen it done differently, but I'll tell you where I am. We established... so there's always the data request to share data externally, to whoever it is. If those are really infrequent sharing requests, we have a form that we have people fill out. The privacy guys, the security guys, they review that. The privacy guys might say, "Hey, you can't share data. You can't use the data like that. Our privacy notices don't cover that," right? So you can't do that. The security guys, they just want to make sure that they can securely get it from point A to point B. Okay. So that's what we do for the really infrequent requests. We use Box.com; it has had a good solution over the years.
But you don't necessarily need that kind of... you can just use secure email these days.

45:13 Frequent sharing. I can't remember if the attorneys hit on this one, but this is where you've got to get your legal department involved and set up a service agreement, some kind of a service agreement. You know, in our world, a lot of times we outsource some things, right, whether it's collections activities, customer service activities. In fact, I've got my director of infosec over in the Philippines right now with the compliance team, doing just what these guys said, and that is, go do a vendor assessment. We're getting ready to maybe give them more work, but we want to do an assessment to ensure that we can convey our security requirements and privacy requirements to them, and that they're going to live up to them. We do that through an information sharing agreement, through a master services agreement or some kind of a formal agreement with our legal team.

If I've put you to sleep the whole time, for the last 44 minutes, take these three things with you. The business of cybersecurity: it's incredibly complex, guys, and it's because it's a constantly changing environment. It's hard to always understand where the threat vectors are coming from, what the actual vulnerabilities will be, and then what your risk is. It takes time to understand that, right? And we'll never... I don't want to say never. I don't know that we'll ever get in front of that to where we just have secured, hardened systems. It's difficult. Second, boards and CEOs, get engaged, man. This is a business problem. It's not an IT problem. Leadership in the industry sector says it's a concern. And if it may not be a concern for you, because maybe you don't understand it well enough, you can get sucked right into that concern. What are you going to do in the lending community if the financial system goes down, right?
Or if one of the banks that you rely on, or somebody over on Wall Street that you rely on, gets taken down for 72 hours, what does that do to your business? Understand the threats associated with that. Get involved. Again, it's not an IT problem, it's a business problem. I hope I've shared some good insights with you. Take them back and have some constructive conversations in your workplace. Thank you. </div> [/toggle]