James O’Kane: Good afternoon, and a big thank you to our audience and panelists for attending today’s webinar. Get tech, get human: Evolve your cyber defenses. My name is James O’Kane, and I’m a member of the Wells Fargo operational risk group, and the technology and information security risk management oversight team. I’m excited to moderate today’s event with our knowledgeable and highly experienced panelists. So, let’s get started.
Today’s cyber threats are dynamic and constantly evolving. Even threats you think your organization may have under control, are changing as criminals find new ways to apply and execute criminal tactics. Criminals are using technology as the gateway and means to exploit the vulnerabilities of an organization; technology vulnerabilities, process vulnerabilities, and vulnerabilities associated with people. Organizations increasingly must focus on technology, processes, and people, to understand and address these vulnerabilities. Today, we will speak with Tami Hudson, Wells Fargo’s Cybersecurity Client Officer, and Rob Kosicki who manages the fraud prevention office team here at Wells Fargo.
Emerging technologies not only enable the digital business world, they also enable new techniques associated with criminal activity. As business practices and technology evolve, so do the tactics of criminals, tactics that can be increasingly stealthy and evasive. Proactive organizations are striving to better understand how this evolving cyber threat environment may impact their business. To gain more insight into this dynamic cyber risk environment, I would like to introduce Tami Hudson, Wells Fargo Cybersecurity Client Officer. Tami is a recognized cybersecurity business leader, as well as previous chief information security officer and for a global HR and a big-four consulting executive. Currently, she leads Wells Fargo’s client and industry cyber agenda, which encompasses driving to cyber go-to market strategy, voice of the client, cultivating trust with clients using cyber as a differentiator, and partnering with industry and government policy makers to enhance resiliency efforts across the global cyber ecosystem.
Welcome Tami. Let’s kick off with a question we hear frequently. We’ve all heard a lot about various attacks, especially since COVID. Can you describe the threat landscape and how it has actually evolved?
Tami Hudson: Thank you, James. And thank you for having me. We really have seen the threat landscape evolve, and I think evolve dramatically. At the beginning of the pandemic, there was a lot of threat crime. And I think towards the middle, as people were sent into this quarantine and working from home, we saw an evolution of cybercrime increasing in both frequency and sophistication. So, if you go years back, cybercrime was really this vertically integrated, individualistic activity. Now, we’ve seen it become extremely sophisticated operations, where threat actors are working together to cause significant damage to organizations, both from a reputational and a financial impact standpoint. And the pandemic really increased that. So, as the adage goes, necessity is the mother of invention; we saw threat actors take advantage of that, and take advantage of that to a very significant level against organizations.
James O’Kane: Well, it’s an interesting level of transition there. So, when I think about increased frequency, size, sophistication of organized cybercrime at this point, can you please comment a little bit on how these trends are impacting organizations’ risk exposure overall, and what can be done to actually mitigate some of that exposure?
Tami Hudson: That’s a great question. I do want to say, when we talk about cybersecurity risk exposure, just for definition, we’re talking about the probability, the impact, the level of damage that could occur both in the short and long term to an organization, and how confident they are in the controls, both from a preventive and detective nature in containing that. Most enterprises have a cyber team that recognize the impact of the threat landscape, the risk exposure, and how the changes to that risk and threat landscape affects them. And we’ve seen that a lot.
So, when you speak about cybercrime progression, it really is a combination of technology, people, and process, in order to combat those threats and in order to do so in a timely manner. Of course, we can implement additional technological controls, but thinking about it and understanding the need to look at the threats and the vulnerabilities holistically, looking at the end-to-end processes, as well as the people, the impact on the people, the short and long term, and the technology and how mature the program is from each of those standpoints, really is something that we need to do in order to combat cybersecurity and cybercrime progression.
James O’Kane: Thank you. As the organization of criminal operations gets larger in scale, what is actually involved in maturing a company’s cybersecurity program?
Tami Hudson: Thank you. I think the first step really is to understand what the cyber maturity of the organization is. So, really understanding as we had talked about the risk exposure, understanding the risk appetite, understanding the level of exposure that that particular sector or industry is in, and what kind of controls and defenses that they have for that. And then really implementing a very holistic approach to cyber security. So, depending of course, on the industry and the sector, it’s looking at, how are we protecting the customer? How are we protecting their data, and how are we implementing controls to make their user experience better and more secure? How are we protecting the product and implementing security by design from the very beginning and not as a bolt on, on the end? And then the business. So how are we looking at the business holistically, and looking at the various points for cybersecurity and how cyber threat actors can impact that business holistically throughout the entire environment.
And then of course, production. Depending again, on the sector or industry that the company is in, how can that company be affected by cybersecurity and cybercrime in the production process, and what can we be doing proactively to stop that?
James O’Kane: So, if I heard you correctly, we hear about protect the customer, protect the product, protect the business, protect production. This holistic approach seems a little bit challenging. As a company starts to mature its cybersecurity program, are there any external resources or considerations that they can turn to for some type of assistance?
Tami Hudson: Yeah, there actually are. And I think it’s important before any company goes and looks at various resources, to really understand where they are, so what their cybersecurity program consists of, if they have or don’t have a cybersecurity program, really understand the need there. And then of course, combine that with these various resources that are available to everyone. One of course, is NIST, so, it’s the National Institute of Standards and Technology. NIST develops cybersecurity standards, guidelines, best practices, and resources, really to help in our common fight against cybercrimes and these cyber threat actors. Federal agencies use this, the general public uses this. It’s available, like I said, across industries and across sectors.
Another one is the Cybersecurity and Infrastructure Security Agency, so CISA is the acronym there. They again provide up-to-date information on threat actors, the techniques, the indicators of compromise the threat actors are using, and really a solid understanding for various companies so that they can defend themselves, and that they can move towards security and a vigilant standpoint. Another resource that many companies use is the CMMC, which is the Cybersecurity Maturity Model Certification. Even if a company does not choose to be certified, the cybersecurity model is really a very unifying, I think, baseline standard for implementing cybersecurity. And what this does, James, is provide a framework that includes verifying the implementation of processes and practices. So, really walking companies through the processes that should be implemented and should be stood up for cybersecurity in order to become more secure, more vigilant, more resistant, and then the practices that accompany that. And those are all associated with achieving that certain level of cybersecurity maturity.
James O’Kane: These sound like three very good resources at a programmatic level to help companies mature their cybersecurity programs. I’m going to go straight to a next level, the cybersecurity teams. How can those teams actually go ahead and position themselves as business enablers?
Tami Hudson: That’s a fantastic question, and something that I think is so paramount to many companies. It’s very important to align internally within the organization. And by that, I mean, speaking with treasury, risk, security, broader IT, HR, operations, have those very transparent upfront communications so that everyone understands the amount of risk the organization can and should accept, and what that organization can be doing to mitigate and remediate cyber risk. I consistently challenge organizations not to rely completely on any sort of resources, models, or frameworks, without first having an understanding of what their risk appetite is, what their level of exposure is, what their level of risk and threats are. So, you can use these models and frameworks, of course, to help understand what you want to move towards in your organization, and help you understand the organization’s gaps, but really combine that with your organization and the resources that you have internally in order to make your organization more resilient.
I also say it’s important to have partnerships. So, when you think about the various sectors and industries, many industries have partnerships or groups within those industries to help promote communication, to help bridge the gap between the threat actors and the indicators of compromise and the techniques they use to what we can be doing, what kind of defenses we can be building, what kind of defenses we have. And the more information is shared, the less the threat actors can use that element of surprise to attack our organizations and our various companies.
I also want to say, keep in mind that there is no final destination when it comes to cyber maturity or cybersecurity. It’s fluid, it’s ongoing. And it’s important that we not only stay up to date with regard to the threat actors, but that we share that information, and that we are constantly challenging ourselves to understand where we need to be in that cybersecurity maturity level.
James O’Kane: Well, Tami, thank you. That is great information. The impacts of technology on how a company needs to consider its approach to its cybersecurity risk strategy are obviously critical. Thank you very much for sharing your insights and helping us land on some key considerations for technology in companies’ fight against cybercrime and fraud. Thank you, Tami.
Technology alone cannot address today’s emerging cyber threat landscape. While new technologies help make businesses more efficient and effective, they also have the potential to disrupt the employee work environment. For example, consider the additional end user steps involved in encrypting a file, or the shift from in-person meetings to online meetings. If we couple technology changes such as these with our tendency as humans to be trusting and prone to error, we begin to recognize the importance of accounting for human behavior when seeking to mitigate the impacts of emerging cyber threats. To learn more about human behavior and the human factor in the countermeasures that are involved, I would like to welcome Rob Kosicki, who manages the fraud prevention office team here at Wells Fargo.
Rob, could you please tell us a little bit about your background and experience here at Wells?
Rob Kosicki: Yeah, sure. Thank you, James. And I’m happy to be here. As far as my background, I have been at Wells Fargo for over 17 years in various roles within the fraud prevention and digital payment space. And I’m currently the head of the fraud prevention office, which provides our business customers with value added services and the support that they need to help identify and triage fraud events within the digital payment space; payments such as wires, ACH, and real-time payments.
James O’Kane: Well, thank you, Rob. Thanks for joining us again today. So, what factors make employees susceptible to cyber-attack and fraud specifically?
Rob Kosicki: That’s a great question. There are two key factors in my opinion, that contribute to organizations being more susceptible to fraud. The first is human vulnerability or human nature. And the second would be the constantly changing and evolving fraud environment. From a human nature perspective, it’s natural for many reasons for the team member in a business environment to want to be helpful in a business transaction, and to likely be trusting of what they’re seeing and reading in an email. And there often can be some hesitancy by the team member to directly question their management or even their business and trading partners. And it’s that trust or hesitancy to raise questions that fraudsters just prey upon when it comes to Business Email Compromise schemes.
James O’Kane: Well, that sounds like an interesting exploit, Business Email Compromise. For those of the folks in the audience who may not be familiar with that concept, could you please describe that a little bit?
Rob Kosicki: Absolutely. Business Email Compromise, or, as Wells Fargo often refers to it, imposter fraud, is when a bad actor compromises the communication channels, often email, between two trading partners and provides fraudulent payment instructions to redirect the payments to accounts that they control. And BEC fraud is one of, if not the biggest challenge that businesses face today from a fraud perspective. And according to the IC3’s annual report, $1.8 billion was lost to BEC last year, which was almost half of all of the total losses that businesses reported across all cybercrime activity together. So, it’s quite significant. And the losses for this year are projected to be even higher.
James O’Kane: Obviously a very large problem space here. So let’s go back to human vulnerability for a moment. How does human vulnerability actually expose someone to a fraud exploit such as Business Email Compromise?
Rob Kosicki: Sure. Well, unfortunately we see many examples of Business Email Compromise fraud, where had the team member listened to their instinct or verified that request with an executive in the company or even with the company that they’re paying, they could have avoided large losses. That hesitancy to verify can cost the organization. However, if they properly verify before the payment’s submitted, it can prevent the fraud loss altogether. And even in cases when there were clear red flags, we see that human vulnerability and that natural tendency for a team member to trust the payment instructions. In fact, in one recent example, the fraudster provided a customer with the account information via email. The payment was initiated, but then it was returned because the account provided was frozen by the beneficiary bank. The company simply replied to the fraudster’s email and obtained a new set of instructions without even questioning why the original payment instructions that were provided were not valid.
So, a best practice in this situation, would’ve been for them to directly contact their trading partner, using a known phone number on file, to question the payment details and obtain the correct account information.
James O’Kane: Well, thank you for going into that example, and providing a good taste of what we mean by human nature as that first factor. Could just take a little time and spend a little time explaining a little bit about the second key factor, a changing and evolving fraud environment.
Rob Kosicki: Sure. The other key factor that I mentioned is that while BEC and social engineering schemes are not new, cyber criminals keep changing their approaches to target their victims. Their tactics continue to evolve as they focus on attacking vulnerabilities in an organization’s processes; they may be targeting new business segments or other industry sectors that aren’t prepared to deal with these threats. They also focus on evolving their techniques to new communication channels or emerging technologies. For example, threat actors are now leveraging Skype and Microsoft Teams instant messaging to initiate fraudulent requests for payments. The threat has evolved to any type of business communication being a potential channel for cyber-attacks.
The main goal for the fraudster is really just to insert their payment instructions through any means available, which is why it’s really important for companies to always validate the instructions through an alternative communication channel.
James O’Kane: Thank you. As we talk more about this evolving fraud environment going from external to internal, how does an organization’s operating environment itself add to human vulnerability?
Rob Kosicki: In terms of operating environments, criminals are always looking to exploit change. They thrive, especially on large scale changes, which is why we’ve seen so much increase in fraud over the past few years. For example, the shift to that hybrid model of working from home and office that happened during the recent pandemic, that adjustment caused vulnerabilities for organizations. There was a lot of change during a short period of time as companies rolled out new processes and procedures to enable employees to work from home. In addition, there were disruptions in the routines, employees lost their ability to interact in-person with their colleagues and their managers. And add to this, the potential for additional distractions when working from home, all of this created that disruption that fraudsters really needed and took full advantage of.
James O’Kane: These are some interesting points. If we go beyond or outside the pandemic, can you describe some other ways that operating environments also add to human vulnerability?
Rob Kosicki: Well, for years, we’ve seen seasonal spikes from the end of November through the end of the year. Fraudsters really understand that organizations are closing out their books, employees are sometimes out of the office, and the company may be relying on backup or temporary workers. And all these factors can add just a little bit more vulnerability to an organization, which may lead to a mistake or a process not being followed. And ultimately at the end of the year, there’s just a larger volume of payments. So, it’s a numbers game. More payments create more opportunity for the fraudsters. So, companies should really consider what times of the year they tend to have peak volumes. It could be month-end or quarter-end, or maybe if their industry has a particular time where they’re processing a lot of payments or where staffing levels might be tighter. Consider what you can do to amplify your oversight and focus in those times. And look for vulnerabilities within your organization, which can lead to fraud.
James O’Kane: Well, thank you for all that. The operating environments, human nature. I’d like to shift gears a little bit now and focus on what can actually be done about the problem space here. Specifically, what can organizations do to effectively support their employee base, and what can the employees do themselves to help the organization?
Rob Kosicki: Yeah, James. One noticeable change we’re seeing is that there’s more demand from our customers for fraud education and information. They’re starting to realize the importance of regular fraud education for their employees, and looking for ways to provide that. So, it’s been a really positive trend to see organizations taking more interest and accountability, to stay informed. As part of that trend, there are a few best practices organizations can apply. First and foremost, every organization should have a fraud education program in place that consistently and continually keeps fraud top of mind. And the key to that education program is going to be frequency. So, in addition to formal training, use team meetings as a learning opportunity to keep employees up to date on how to recognize a fraud email, or even share details of a recent fraud incident.
Another best practice is to create an environment that encourages employees to listen to their instincts. In the examples I gave earlier, the employee may have had some hesitation, and not felt empowered or comfortable in questioning the transaction. So, it’s important to encourage employees to listen to their instincts, and to take action, especially if they perform high risk functions like payment authorization or payment initiation. And then lastly, I would say, take full advantage of the information available to stay informed and educated. There are sites out there, such as IC3 or the NCFTA. There’s also plenty of online material out there that you can provide your team members to discuss in internal meetings.
James O’Kane: Thank you, Rob, for showing some of those external resources to take advantage of. As a follow up, I want to go back to that, you mentioned human instinct as a potential line of defense against fraud. Can you describe a little bit about that, and how that works in the working environment?
Rob Kosicki: Sure. I feel it’s important to really empower and encourage your employees to trust their instincts and to act on them, as part of practicing good risk mitigation. If something doesn’t seem right or throws up a red flag, you should follow your instincts and question it. For this to be possible and effective though, employers and management need to create that culture where it’s acceptable to question certain requests, including those from senior managers. Oftentimes there’s a feeling that questioning a request might bring about negative repercussions. But that shouldn’t be the case. If a team member questions a transaction or payment instructions, and the request is ultimately valid, they’re doing the right thing in confirming it. And it’s better to check to be sure, rather than miss a potentially fraudulent transaction.
James O’Kane: So, how can organizations train their employees to apply their human instincts in ways that remain consistent and well-integrated with their job responsibilities and the organization as a whole?
Rob Kosicki: Well, instinct and process really need to work together in this case. Allowing employees to act on their instincts and raise concerns is certainly an important first step. But there also needs to be strong process and controls as a foundation for the overall fraud risk program. For high risk activities, especially where there’s money movement involved, organizations should have a well vetted and documented process and procedure which employees must follow. In addition to those processes and procedures, there should also be monitoring and controls in place to ensure that they’re being followed. We’ve seen many examples in the past of fraud, where we talk to the victim, and they inform us that they have a process. But for some reason, that process wasn’t followed in that instance. And it only takes one time not performing the procedure right for there to be a fraud incident.
Also, make sure there is a clear chain of escalation. The process should account for not only how do you identify or prevent fraud, but what you should do when a fraud event does occur. Time is of the essence when dealing with fraud recovery. So, having a playbook at the ready can be the difference in losing funds or recovering them. Team members should be armed with this information, how to report it and who to report it to, to initiate those recovery activities.
James O’Kane: Well, Rob, thank you for joining us today. It’s clear that human vulnerabilities need to be taken into account, as well as the processes and procedures that help strengthen an organization’s line of defense against fraud.
Cyber criminals are exploiting technical and human vulnerabilities and the links between them. Criminals are increasingly sophisticated. The emerging cyber threat landscape is evolving. In light of this, organizations are combining people, processes, and technology, to bolster defenses. There are external resources available to support organizations. Today we mentioned two of these: cyber threat intelligence and the Cybersecurity Maturity Model Certification framework. Understanding your organization’s strengths and weaknesses and addressing gaps is key to evaluating and evolving your organization’s cyber maturity. Thank you for joining us today.
For more information, contact your Wells Fargo representative or fill out the Contact Us form on this site.
©2021 Wells Fargo Bank, N.A. All rights reserved. Member FDIC.