PERSPECTIVES ON CREATING AN ADAPTIVE CYBERSECURITY AND FRAUD PROGRAM
In October, OG100 members had the opportunity to invite their finance and IT leads to a virtual session focused on cybersecurity. The hour featured a discussion on the cyber threat landscape, key phases and challenges attached to phishing attacks, and how supply chain risk manifests within cyber.
The panel featured:
- Sophia Leung, SVP, Protect Platform, TD Bank
- Dennis Parker, VP Business Deposits & Cash Management Services, TD Bank
- Jeff Foley, Chief Technology Evangelist for Cybersecurity, Siemens Digital Industries
- Ali Varshovi, Partner, EY Technology Consulting (Moderator)
Full bios of our expert panel are available at the bottom of this post.
CREATING HEALTHY FRICTION
Phishing attacks target the weakest link, but humans can also be the most intelligent layer of defense if they are properly trained and continuously tested with phishing simulations. On top of that, it is important to remind employees frequently about the features in their inbox that reduce the risk of a phishing attempt succeeding. Security and technology need to create a “healthy friction” within the workplace that makes employees question the pace of things: threat actors do not want time and people added to the process. To keep fraudsters at bay, Dennis recommends dual authentication: 2 participants on all processes, and elongating processes in ways that cause fraudsters to show their true colours and panic.
“Common principle in the industry: it’s not a matter of if, it’s a matter of when.” – Ali
INTERCONNECTED – IT & OT
Five years ago, an oil company in the Middle East was hacked on the IT side. People thought it wasn’t critical: an IT hack wouldn’t affect the company operationally. The problem was that the IT side controlled the loading of the oil into the tankers. The trucks were backed up for kilometres, unable to be loaded with fuel. Phishing does have an impact on operations. Once ransomware gets on the network, it doesn’t immediately show itself. It spends time, weeks or months, seeing what’s on the network and finding ways to get into critical features of your operation, and then it will lock up your operation.
Ransomware as a service is now a self-sustaining industry – and the services are inexpensive to hire.
“Two types of networks: those who have been hacked and those who don’t know they have been hacked” – Jeff Foley
SUPPLY CHAIN RISK
Sophia highlighted a cyber attack case study from 2020: SolarWinds, a software company that makes IT tools. It was big not because it impacted a single company, but because it triggered a much larger supply chain incident that impacted thousands of organizations, including the US government.
Malicious code was inserted into SolarWinds’ software, enabling delivery of backdoor malware to its customers. The incident started in September 2019 but was not detected until December 2020, so the damage was done by the time a cyber security company detected it.
Threats can target any industry in a persistent and sophisticated way: before you see any indication of critical activity, your system has likely been compromised for months. It’s important to understand your ecosystem, rank the greatest risks, and then plan for response and recovery when events happen.
“I think a lot about our understanding of the risk that is being posed by using third party software” – Sophia Leung
ADDITIONAL RESOURCES
If you’re a subscriber to the Financial Times, try your hand at this simulation: Can you negotiate your way out of a ransomware attack? (ft.com)
This article reflects on our shift to work-from-home models and opening ourselves up to video platforms, as well as the move to the cloud: Far too low-hanging fruit | Cyber Security | Siemens Global
BIOS OF PANELISTS
ALI VARSHOVI
PARTNER – FINANCIAL SERVICES, EY Toronto
Ali Varshovi is a partner at EY and leads the Financial Services Cybersecurity and Privacy practice. Ali has more than 18 years of technology and cybersecurity research and consulting experience and currently leads the incubation of advanced tech and cyber capabilities for modernized banking operations. His Financial Services and Banking Experience includes helping global banks digitally transform their operations while maintaining and improving security. Ali is experienced in enterprise security architecture, large-scale security technology implementation, and cultural/organizational transformations in support of reconfiguring banking operations.
SOPHIA LEUNG
SVP, Protect Platform,
TD Bank
Sophia Leung, SVP, Protect Platform, joined TD in 2021 to lead the Protect Platform within the Platform and Technology organization. Within this role, she is responsible for protecting TD from cybersecurity and fraud threats, bringing together leading-edge data science and analytical capabilities with operational security expertise. This integrated approach to protection gives the bank better insights, an ability to be nimbler in the face of threats and better positioning to continually learn such that protections are relentlessly strengthened across the institution.
As part of her role, Sophia owns a “follow-the-sun” integrated cyber and fraud fusion center program with world class operational centers. This program continuously improves the bank’s ability to generate meaningful insights on the threat environment, and delivers return on investment through reduced losses due to fraud and improved information security.
Prior to joining TD, Sophia was the Head of Governance, Risk and Controls at JP Morgan Chase, where she had firm-wide responsibilities to ensure a strong control environment for the Global Technology division. Prior to that, she held various technology, IT risk and security management roles at Morgan Stanley and JP Morgan Chase in Asia and New York, including as the Chief Information Officer (CIO) of Asia at JP Morgan Chase. Sophia also has a Bachelor’s degree in Biochemistry from Barnard College, Columbia University, and an MBA from Kellogg-HKUST.
JEFF FOLEY
Chief Technology Evangelist for Cybersecurity
Senior Business Development Manager
Siemens Digital Industries (PA DCP)
Joining Siemens in 1998, Jeff Foley is the Chief Technology Evangelist of Cybersecurity for the Siemens Digital Connectivity and Power group. Within this role, Jeff is responsible for the Global Business Development of Cybersecurity for ICS (Industrial Control System) networks, utilizing the best practices of IT (Informational Technology) for Cybersecurity in the OT (Operational Technology) environment for manufacturing, factory automation and Critical Infrastructures such as Utilities, Oil & Gas, Transportation and Rail.
Jeff is also responsible for the enablement and support of Siemens regions and their customers, in the planning and development of OT Cybersecurity solutions utilizing Siemens communication platforms, along with the best in class Cybersecurity partners to develop secure, and reliable Industrial Control Systems networks. This is realized by implementing Defense in Depth and Cybersecurity by Design for OT systems, while utilizing international standards and requirements such as the National Institute of Technology (NIST) Framework, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), the Ontario Energy Board (OEB) framework, the European Network & Information Systems (NIS) Directive, along with other risk based cybersecurity models for OT networks.
DENNIS PARKER
VP Business Deposits & Cash Management Services
TD Bank Financial Group – Business Banking
100 Wellington Street West, 25th Floor, Toronto
Dennis Parker is the Vice President, Business Banking Deposits and Cash Management Services, for TD’s Business Banking group. Dennis and his team deliver a wide range of ‘value add services’ to TD’s Small Business, Commercial and TD Securities customers through various customer facing channels.
During his 35 years with TD Bank Group, Dennis has held a number of progressive roles starting in commercial lending and has spent 25 years focusing on Deposits, Payments and electronic banking services. He has participated in industry and Bank led initiatives to make it easier for businesses across Canada to manage their money. In his current capacity he is responsible for managing a team of product leaders and regional sales leaders, and for supporting the on-going development of industry-leading services.