Demystifying Cybersecurity 2024

Katrina Faessel:
The human element and corporate culture are critical factors in a successful cybersecurity program. In this discussion, Timothy Torres, TriNet's Chief Security Officer, and Ishawna Wint, Lead Product Manager at TriNet, will show you how HR professionals can help make a positive impact in protecting their people and organization in the digital age.

Timothy Torres:
Good afternoon, everyone. So happy to be here today and thank you for taking the time to join our session. We want to make sure that we cover topics relative to this discussion at the very end. If you have questions, please feel free to submit those. We would love to be engaged. We've got a full agenda.

We're going to talk today about demystifying the cybersecurity problem and going a little bit deeper and talking about the role of small to medium-size business leaders in how to manage the cybersecurity problem. We're going to give you critical success factors, things that you can take away, practical elements beyond just sort of philosophy, things that you can actually go back and check to make sure that you have in place or prioritize to implement.

Then we're going to actually end with some thoughts about what problems you should be thinking about that are on the horizon. At the very end, we're going to put it all together and make sure that you understand how to navigate this new dynamic world where we're relying on digital platforms, and we've got a lot of risks that we have to deal with.

With that, I'm going to go ahead and get started. First of all, when we talk about the cybersecurity problem, we're talking about demystifying that, if you could go back one second, the thing that you must understand is before you can actually come up with a solution to the problem, you must understand the actual fundamentals of the problem. There must be a really solid problem statement. When we talk about cybersecurity, people think that the problem is we don't have enough encryption, or we don't have enough anti-malware, or we don't have a robust cybersecurity team that can perform incident response and forensics and defend against the bad guys.

In many cases, it's an issue of not enough budget, not enough momentum to be able to shift the tide and be able to win the battle in the digital world, but the reality is the problem is actually different. It's not really a technical problem, and we're going to talk about that, but it's really a risk management problem, and I'm going to define it for you.

Risk is the likelihood and impact of a future loss event. That's the simplest way to actually define risk. It's not necessarily vulnerability, it's not necessarily criticality. It's what is the likelihood and what is the impact of a future loss event, and how can we manage and mitigate that or live with that, knowing what those risks are.

That's the sort of backdrop that I want to talk about today and I'll tell you why. Small to medium-size businesses make up over 90% of U.S. companies. In fact, it's closer to 95%, which means SMBs are a prime target for cybersecurity adversaries. SMBs are a soft target, as I mentioned. They don't have enough budget, not enough security team to help protect, not enough technology.

What do we do? Do we go home, do we give up, or do we actually update our thinking and approach to effectuate safe outcomes for our business and for society? The next slide, that's actually going to set the stage for what we're going to talk about today. As I mentioned, it's all about minimizing the impact of a future loss event.

What you see on the screen are some really catastrophic events. Fukushima, which was a nuclear power plant that had a meltdown and complete disaster impacting millions of lives. You can see on the screen, an aircraft carrier coming into land and having a massive fire that has severe impact. If you're near and dear to the healthcare space, you understand that malpractice is a significant risk.

In fact, you're likely to be safer flying in an airplane than being admitted to a hospital because aviation has minimized their errors and reduced the risk for safe outcomes. Whereas healthcare continues to struggle with that and obviously the role of healthcare providers is to do no harm.

As you know, there's risks in that as well. Think about payroll, the risk of being unable to provide payroll services to your employees. Think of the Challenger. All of these that you see, even landing a plane on the Hudson, these are all critical loss events that people have been involved in trying to manage and trying to avoid. When we think about risk and we think about cybersecurity, I want you to think about your own business. What are some of the most important risks to your organization? As you read in the news every day, small, medium-size businesses, large businesses, we just read several months ago about Change Healthcare, which is a part of UnitedHealth, had a significant ransomware incident that brought down their platform and brought down their business, that had a catastrophic impact for healthcare providers and millions of individuals whose data was compromised and in many cases, unable to access their benefits.

Such a major inflection point in the industry. These are the things that we think about as sort of the highest impact event that we least like to see materialize. What we don't realize is, in the digital space as SMBs, almost all companies are reliant on digital platforms, on the internet, on email, on technology, on data, and on availability of their business.

The likely risk that would hit the company the hardest would be their inability to serve their customers, would be their inability to sort of be able to process data and being able to sort of protect that. What I want you to think about today is: what's the worst thing that could go wrong from a digital standpoint in your world and what are the things that you've been doing about that? Really, at the end of the day, what we want to have is a risk mindset and what are the things that we can do to reduce it. Ransomware, you're going to learn in a minute, is on the rise. That's the most likely cyber-attack on an SMB, as we've seen a significant increase in that space.

We really want to put the frame of mind. What are we trying to talk about today? Here's another dimension of the problem. Cybercrime is a trillion-dollar industry. If all the criminals of the world formed their own country, they would have the third largest gross domestic product (GDP), after the United States and China. This is a massive problem and the reason it's the case is, it pays to be in that industry as a cyber-criminal, it's highly lucrative. Unfortunately, going after companies, holding their data hostage, extorting them for money is a big deal for them. Being able to also compromise individual accounts and redirect payroll or redirect their bank wires is a lucrative industry. We continue to see the growth rate trajectory going upward.

We continue to see a skills gap, from a cybersecurity talent standpoint. When we all think about what are we doing to solve this trillion-dollar problem, we don't have enough people in the industry to help provide solutions from a technical administrative standpoint. Then we continue to see an increase even in SMBs. Two-thirds of cyber-attacks last year were against SMBs.

Two-thirds, which means you're more likely to be hit by a cyber-attack than a large major company and the reason is it's the low hanging fruit that these cyber criminals are going after. They're not intimidated by small to medium-size businesses because most of the time companies haven't done a risk assessment, they haven't established what their most critical assets are, they haven't established sort of a basic plan to be able to detect and mitigate those incidents, and they don't really have a strong recovery plan if those incidents do materialize.

What we're going to talk about today is really the next level down. Really the question is, "Okay, Timothy, we know it's a trillion-dollar problem. We know we're trying to prevent catastrophic loss. We know that it's continued to rise, and we know that we're a big target. We're a soft and rich data target. So what do we do?"

And so that's really the next, I think, step. I think the highlight here is cybersecurity is not a technology problem, it's actually a human problem. It really boils down to the human element. We all think about security as anti-malware and encryption and passwords and multi-factor authentication and incident response.

It's actually all about the human. In fact, cyber criminals are going after the identity. That's how they actually get into your companies and get into your email system and get into your platforms. They go directly after the human. They target humans by phishing attacks. They target humans by compromising your sort of credentials.

Then, in many cases a cyber-attack is not necessarily going after data in the company or ransomware. They're going after the password vault of a major company so that they can then replay all those passwords across thousands of platforms and see which of those actually work. That's called a credential stuffing attack.

Basically, then you're left, you know, without the ability to protect yourself. This comes back down to the human element and what we're going to do today is talk about what should we be doing from a human element standpoint? And how does that translate into a security strategy that helps you manage your risks and helps you reduce those loss events that we're talking about?

Ultimately, what does winning look like? What is success? Success in cybersecurity is zero harm, quality outcomes, and a high trustworthiness quotient. If we win, there's zero harm. There's absolute high quality that you're able to serve your mission and fulfill your business objectives, and you have a trustworthiness level in the marketplace and with your customers.

We're going to talk about some practical things on the next slide. Number one, instead of going after, again, the most robust security solution in your company, I think that really starts at the top. The tone has to be set from the leadership of the company and from a culture standpoint. What we've seen many times in organizations is they haven't really identified cybersecurity as one of their top risks.

As I have already mentioned, two-thirds of cyber-attacks are going after SMBs. In fact, another large, I think close to 50% of them, after suffering a major cyber-attack, struggle to be even able to remain in business within six months of that attack. The question is, if you haven't identified cybersecurity as one of your top three risks for the company, if not top one, I think it's time to refresh your risk assessment.

If you haven't conducted a risk assessment, I think it's time that you start conducting an enterprise risk assessment to understand what are the most critical things that you cannot afford to go wrong. Then, establish a mitigation plan so that you can understand what you're able to do, what's in your control and what things that you should plan for to help address that residual risk.

It starts at building the right oversight at the top and then begin advocating and participating in that governance aspect. Set policies, procedures, hold your workforce accountable. Many times, you'll see organizations conduct phishing assessments where they can simulate a phishing attack just to understand what the culture temperature is and preparedness and awareness.

Those are tactics that help you understand if it's working. Then really understand who has access to your network, who has access to your data, how do you onboard them, how do you offboard them, is it consistent, are you managing access, and as I mentioned earlier, also one of the main themes is reinforcing accountability.

At the end of the day, every workforce employee, every contractor, every colleague, everyone from the boardroom to the break room has to understand that this is a team sport and that it's not security's job, it's not the CEO's job, it's not technology's job, it's everyone's job to protect the organization and to fulfill their role with high standards of excellence and to have mindfulness that one minute error could lead to catastrophic outcomes. One click of a link, one sort of poor hygiene moment could lead to catastrophic outcomes for the organization and even their employment. With that, I'm actually going to hand the baton over to Ishawna and let her talk a little bit about what's going on.

Ishawna Wint:
Perfect segue, Timothy. Thank you so much. I'd like to go into further depth regarding cybersecurity from the perspective of product management and how TriNet is committed to ensuring the safety and security of each and every user who uses our platform. We've seen the data, right, indicating that the cybersecurity landscape will only continue to grow and impact organizations more and more over time.

What does it actually mean for each individual user? What's the impact it has on the user awareness of the risks associated with cybersecurity and in turn how they respond to them? Over 343 million people fell victim to cyber-attacks in 2023. That's a significant spike from previous years. Let that number sink in for a moment: 343 million people. We witnessed an increase of 72% that surpassed the previous record held between 2021 and just last year. In addition, it's already expected that 2024 may break records once more. That indicates, based on current statistics, an attack occurs on average every 39 seconds, and with more than 2,000 attacks each day worldwide, adding up to over 800,000 attacks annually.

The frequency of these attacks is an important metric to consider as it provides insight into the magnitude and prevalence of cyber threats that companies need to be aware of. Awareness of threats and the human behavior remain crucial. Timothy just mentioned it's a human element. As technology continues to develop, so do the methods used to take advantage of the weaknesses. As we continue the conversation, I believe it's important to highlight the common mistakes that users make and the consequences that it has for individuals as well as organizations.

Starting with poor password hygiene, this is the most common way that credentials are stolen. One of the most routine mistakes people make is using weak or simple passwords. If a password is compromised, this may result in unwanted access to accounts and private data. Furthermore, sharing passwords across several accounts raises the possibility of an extensive data breach in the event that a single account is compromised.

Not using multi-factor authentication. Multi-factor authentication is a second layer of verification that typically either sends or generates a code on a mobile device to confirm the identity of a user. We know that passwords alone are no longer adequate to protect online accounts, because so many users use the same password, as mentioned, across many different sites and services. It's a good idea to add an extra layer of protection going above and beyond just passwords. For example, introducing two-factor authentication by either SMS text messages or other means would be a step in the right direction.

Misuse of personal email. Targeting of personal email accounts is very common because when you stop and think about it, private and confidential information is shared and stored in your personal email. So if personal email credentials are compromised, they can be used across other accounts, social media, banking, e-commerce platforms, of course, leading to identity and account takeovers and financial fraud.

Oversharing information on social media. Now we are all aware of this one. We're seeing it in today's society. Maybe we're, you know, we've done it ourselves in the past, but identity theft is more likely by disclosing too much personal information on social media, so that's your full name, that's your birthday, that's your address, your phone number, and even information about family members or pets. This information can be harvested to impersonate individuals and commit a variety of identity fraud. Last but not least, the risk is increased even more with careless or inappropriate use of smartphones.

Being careless with smartphones, leaving them, you know, unattended in public, or not securing them with strong passcodes or biometric authentication, exposes them to unwanted access. Bad actors may be able to bypass measures and access private messages, login credentials and sensitive data kept on a smartphone, including your personal information and financial information as well.

The question is, how is TriNet addressing the challenges that both Timothy and I have identified? In what ways are we putting into practice a tailored approach that considers specific needs and ensures growth and scalability so that you can adapt to your changing business goals?

We know that data is the currency of the modern economy and the protection of your data has become paramount. At the core of our vision lies a steadfast commitment to empower and safeguard our most valuable asset, which is your trust. At TriNet, protecting customer data and users of our platform is not just a priority. It is our fundamental commitment. We understand that our customers entrust us with their most sensitive information and we take that responsibility very seriously. I want to take a moment just to share the high-level blueprint for securing success from the perspective of platform security.

Customer-centric design. Our approach to product development is based on an in-depth knowledge of the needs and challenges faced by our customers. A solid understanding of the customer journey is always the first step in the process. We're able to map out important insights and guide the creation of security products by interacting directly with customers and hearing what they have to say. Our design philosophy is customer-centric, meaning that not only are the security solutions effective, but also user friendly, intuitive and seamlessly fit into existing processes.

Continuous innovation. Innovation is the lifeblood of cybersecurity and we are committed to sharing, to staying above the curve, which is why we invest in research and development to identify threats and develop preventative responses because ultimately, cybersecurity is not just about protecting networks and systems and data. It's also about coming up with solutions that actually benefit real people. We're continuously expanding the scope of possibilities and using technology to safeguard transactions from our platforms, security processes, including leveraging our artificial intelligence and machine learning to recognize and respond to threats in real time.

Comprehensive protection. The TriNet platform provides security protection across the entire data lifecycle and user journey. From a new hire onboarding to the first time a user logs in, a returning user, even terminated users, we have a multi-layered defense strategy to prevent unauthorized access and mitigate risk.

Scalability and flexibility. We recognize that businesses come in all shapes and sizes, each with its unique security needs and challenges. However, our goal is to empower growth and that's why our security platform is designed to be capable of adapting to the evolving needs of our customers as they grow and expand. Our security platform can scale with you, providing the same level of protection regardless of your size or industry.

Partnership and collaboration. We all know that success requires teamwork and we're able to provide more secure solutions by utilizing the combined strengths of our partners. We can better secure your data and fight cyberattacks by promoting a culture of cooperation and knowledge sharing.

Lastly, empowering users with education and support. As Timothy and I both mentioned, the human factor continues to be both our greatest strength and our biggest weakness in the field of cybersecurity, the success or the failure of our security measures ultimately depends on the choices and actions of users. For this reason, customer centric design includes tools, materials, readily available documentation to equip our customers with the information and skills that they need and require to maintain their online safety because in order for us to make sure that our cybersecurity efforts are successful, I urge you to become involved.

All right, handing it back to you, Timothy.

Timothy Torres:
I love it. Thank you, Ishawna. So kind of bringing it home. Some of the things that are on the horizon, and I'll be brief because I think we've seen some questions come in and we want to touch those. As you know, I don't have to say this, the AI, ML sort of new world that we live in, generative AI and AI becoming a commodity poses significant risks to individuals and businesses and really society because we have an issue around sort of trust and models that we haven't really vetted to have a high level of confidence that there's accuracy in the outputs of that model. In fact, not only that, but threat actors are now able to leverage artificial intelligence to go after individuals and companies, they're able to write better phishing emails. They're able to use AI to sort of amplify their work. This is a new reality that we're living in. I don't think that problem's going to go anywhere, but continue to increase.

Adversaries on the inside. This is also going back to the lucrative aspect we've seen a lot of. It really ties with the remote worker motif. We've seen a lot in the last couple of years where adversaries are posing as new employees, they'll interview for a job, they'll get in and they'll use that opportunity to be able to go after the company and extort them. What I really strongly advise you is to really vet employees and contractors in the interview and background check and on the onboarding and off boarding process so that you know whoever you are providing access to, you validate on camera with their licensure, their driver's license or their passport and it matches everything and that you provide them access rather than doing it all off camera and remote.

Global supply chain talent shortage. Those are things I've already talked about. Obviously, there's the need for everyone to have security as a core competency across the board. No longer do we rely on just security as the subject matter experts, we need business leaders to become security experts and advocates.

All right, so let's bring it home and then let's go to the questions. We've learned at the end here why cybersecurity is a problem. It's because it's lucrative and organizations are continuing to be a soft target. The role that SMB leaders play in governance and oversight and policymaking and engagement and holding their organization and individuals accountable.

We've learned some practical things about password hygiene, using MFA, ensuring that you've got the right access in place, relying on cloud providers that have high standards of excellence and security. Then lastly, understanding that your people are your greatest asset or your weakest link. Your culture and your people are your vanguard, your tip of the spear. It's either your greatest solution to this problem or it's your weakest link in that space. It's not a technology problem, it is a human problem and an awareness problem.

I'm going to read off a couple questions as we go into the Q&A. We've got just a few minutes. One is, what are some of the red flags or warning signs that indicate a potential security issue? That's a great question. An issue could be anything. An issue could be a compromised identity, an issue could be a vulnerability that's been exploited. It could be a third party that's been compromised. It could be a lot of things, but I'll tell you what some of the most sort of significant signs that help you be aware and that is your own sort of daily habits and practices around email and accessing corporate networks.

For instance, here's the biggest thing that we see. Adversaries are sending people emails that appear to be someone that they know and are luring them by sort of stating things that seem somewhat relevant to their job or their personal life, because that information is out there on the internet usually.

The warning sign should be: A) Do I trust the individual that I'm talking to? If I have sort of a skepticism, I reach out to the individual that I know out of band and say, "Hey, is this email from you?" And if you feel like you've been compromised, that you actually take necessary steps to reduce that immediately, you change your password, you contact your IT administrator.

You could even contact law enforcement if you feel that your network has been breached and your data has been accessed. Law enforcement will actually help you if you're a small to medium-size business and you can't address that problem. Lastly, I do recommend that you get a contract with an incident response firm and that you also get cybersecurity insurance so that in case you get compromised, you have professionals that can help you and that you have insurance coverage.

Last one, how do you recommend we approach vendor management to ensure cybersecurity compliance? Great question. At the end of the day, you really don't have control over those vendors, but you do have the ability to set the contract language to give you provision and sort of coverage if there's a breach of contract.

I would always ask them and seek to understand what level of security they have. Do they have cybersecurity insurance? How would they notify if there's an incident? Then lastly, who are they? If you're talking about a large player in the market space, AWS, Oracle, Amazon, Microsoft, all of the big players, they've invested heavily in security.

If you're talking about sort of a small mom and pop kind of shop as a third party, the likelihood that they've invested in security is no different than the likelihood that you have. When their business model is reliant on a high availability, usually they're going to highly invest in security and that should help you understand that a little further, but I would always seek to understand what their posture is.

And there are solutions out there that will provide vendor assessments. I'm not going to name any companies just because I don't endorse them, but you can actually have third-party assessments conducted against your vendors to understand better how you can protect yourself. I hope that answers all the questions.

It looks like we're coming down to the end of time. As we're wrapping this up, I want to say thank you for participating. You can always reach out to us afterwards if you have questions. You can email us directly or you can reach out to our communications department at TriNet. Thank you for the time.

I hope that this helps you, that you leave empowered to manage your risks and make good decisions to protect your company, your employees and your customers. Thank you so much.