When money was nothing but tangible, at least you could keep an eye on it. Today, when most financial transactions take place in the virtual ether, maintaining a high level of security requires a near-blinding array of resources and skills. INSIGHT VAULT sat down with Greg Schaffer, Chief Information Security Officer at FIS, to find out how one of the industry leaders in financial technology is combatting cybercrime – and how credit unions and their members fit into the formula.
INSIGHT VAULT: Your background includes work at the U.S. Departments of Justice and Homeland Security, prosecuting and fighting against cybercrime. But you haven’t just emerged as an expert in this field: You’ve witnessed its evolution.
SCHAFFER: That’s true. I began working in this area in the 1990s as a federal prosecutor for computer crimes. What we were seeing then was, as more people were beginning to enter the online space, bad guys were following them. It’s like the old joke, “Why rob a bank? Because that’s where the money is.” Today a great deal of money is being transacted online, so that’s where the bad guys will go.
INSIGHT VAULT: Obviously guarding virtual money is very different from guarding actual cash.
SCHAFFER: Right. If you think about money moving around in the physical world, it’s easy to visualize. You have armored cars taking money from a vendor’s location to a bank branch. You have ways of protecting that cash and monitoring its whereabouts. We understand what that looks like.
In the virtual world, it’s more difficult to “see.” And in fact, this space is not as secure. There are a lot of different ways to hack into a system – and without the kind of risk one might associate with physical theft. People have connectivity from many points of contact, anywhere on the planet. It’s a lot more difficult to catch them in the act.
INSIGHT VAULT: In fact, isn’t connectivity one of the big challenges facing the security field right now? We’re all very “networked” – and on some level, that means vulnerability.
SCHAFFER: That’s why we’re hearing more about shared responsibility lately. No one entity can provide comprehensive protection all by themselves. Systems are connected to one another. So in addition to maintaining your own perimeters, you have to be aware of what your contractors and consultants, employees and vendors are doing. Anyone who is going to be on your network or communicating with your organization is a potential point of compromise.
Another thing that’s having an impact is the “bring your own device” movement. If you’re using your own iPad, iPhone, laptop – or whatever – and you’re using it to log into your work network, you’re exposing your organization to risk. We all know that we’re not supposed to download unauthorized programs and apps onto our work devices. But what about our own devices? When you have the commingling of work and personal activity, the number and types of connections increase, along with the risk.
INSIGHT VAULT: So, we’re creating a bigger target. Are we also facing tougher opponents?
SCHAFFER: We are. The sophistication of the hacker community has increased dramatically, particularly over the past five or six years. Now, one person doesn’t have to be an expert at everything because experts exist across many areas. It’s a little bit like ants trying to get into your home. Every ant doesn’t have to be an expert at finding a way in. If one ant cracks the barrier, the rest can follow. In the same way, modern hackers are organized to take advantage of each other’s skill sets – and that’s new.
INSIGHT VAULT: What is FIS doing to combat the problem?
SCHAFFER: Several things: We’re bringing the kind of resources to the table that will enable us to offer best-in-class solutions. We’re also working with our customers to keep them better informed about what the risks are and what they might do to address those risks.
We’re investing very heavily in security. We have $40 million worth of community technology in place – and the work in this area is constant. For instance, we have further segmented our data, so that you can’t traverse from one area to another easily. We have state-of-the-art intrusion detection. That prevents hackers from doing much damage if they do get in.
We’ve brought in some of the best talent available, and we’re taking this challenge seriously.
INSIGHT VAULT: Is it a question of beating the hackers at their own game?
SCHAFFER: Certainly, we need folks who are very vigilant about security working in this field. But there is also a need for good communicators. We need people who can talk about these issues in ways that resonate with many different people, because so many people share responsibility for maintaining security. Security experts need what almost amounts to a translation capability across all areas and levels within a company.
Information security has gone from being an IT concept to something that is its own holistic enterprise with many pieces to it. Now you’ve got very senior executives whose job it is to look at these risks and find ways to manage them.
INSIGHT VAULT: We haven’t addressed a huge piece of the puzzle, and that’s credit union members. In this new era of shared responsibility, what can credit unions do to encourage members to be more security-minded?
SCHAFFER: I think some of the basics are still an issue. For instance, when I got into this space, the most common password was “password.” After 15 years of security guys standing on their desks and screaming about using complex passwords with upper and lower case letters, numbers and special characters, the most popular password is still “password.” Or people use “1234.”
No amount of security is fail-proof. But if you use some common sense, you decrease your chances of being hit. It’s like being chased by a bear. You don’t have to run faster than the bear – as long as you can run faster than the other guy being chased by the bear. If you do all of the basic things right, you make it more likely that you won’t be the one getting caught by the bear.