"The Insider by DFIN" is a series of video interviews featuring the latest trends, topics and key perspectives on the global capital markets.
In this Insider, Dannie Combs, Senior Vice President and Chief Information Security Officer at Donnelley Financial Solutions, discusses the state of security in 2023 and what companies should know about protecting their data.
Host Dana Barrett and Dannie talk about the challenges companies face in securing their data from outside threats and insights into how to keep their data safe.
In this episode, we’ll examine:
- The complexity of cyberattacks including phishing and ransomware
- Key strategies to secure your company’s data
- DFIN’s advanced security protocols that protect our clients’ data
- Dannie Combs, Senior Vice President and Chief Information Security Officer at Donnelley Financial Solutions
- Dana Barrett, Host
Watch the second part of this Security Insider Series, Strategies to Protect Your Company’s Data:
Dana Barrett: - Welcome to the Insider by DFIN, I'm Dana Barrett. We have long accepted that there is a critical need for information security, especially around financial data. And along with that, of course, an ever-evolving list of bad players and threats. Joining me today to talk about those kinds of security threats and the challenges we can expect in 2023 is DFIN’s CISO, Dannie Combs. Dannie, welcome.
Dannie Combs: - Appreciate it very much, Dana.
Dana Barrett: - Glad to have you here and I do want to dig into both kind of what has happened in the last year, where we're going in 2023, but also before we get started, can you just share a little bit about your background and your current role at DFIN?
Dannie Combs: - I've been in the industry for approximately 28 years, which is quite a long time to be focused on cybersecurity. I began my career in United States Air Force, where I served as a Threat Analyst in the Intelligence Community and spent just over 10 years in a variety of roles focusing on identifying bad actors and trying to always stay one step ahead of them. And in the corporate arena for just over about 20 years now a variety of industries, including Fintech, pharmaceutical, and transportation.
Dana Barrett: - So you've obviously seen a lot of change over the years, as it relates to sophistication of the attacks and the solutions of course as well. So, before we get into looking forward into 2023, can you talk a little bit about the trends and challenges from the past year? I know you were on the Insider last year around this time, so what's coming forward from last year?
Dannie Combs: - Sure, I think there's a number of items, probably most notably would be that of phishing. It remains a highly effective, unfortunately very common attack technique that so many millions of people around the world, both in the consumer markets as well as, of course, in the corporate arenas, are falling victim to. And one of the reasons that it's so effective is that it is one of the tried and proven means to gain elevated privileges across a system. Why hack a system when you can hack the individual, and they'll just give you their credentials? It's a low-cost, again, highly effective means that we expect to continue for the foreseeable future.
Dana Barrett: - Do things like two factor authentication, or multi-factor authentication and some of the other methods that people are using now help eliminate some of the dangers there?
Dannie Combs: - I'll say it certainly, significantly, reduces the risk. It won't eliminate it; where there's technology there's always a means to potentially defeat it. However, yes, it dramatically reduces the risk, and so my recommendation, and how I conduct both my professional security efforts as well as protecting my family's digital online experiences and assets, is ensuring just that. Multi-factor authentication is so crucial, especially in today's age.
Dana Barrett: - Yeah, definitely. All right. So we've got phishing that's been going on for a long time and still going to be happening in 2023. What else?
Dannie Combs: - I believe that you're also going to see, unfortunately, there's going to be a continued evolution relative to ransomware. If we go back a few years, probably like the last 8 years or so, ransomware has been around, it's been a threat for some time. It's been devastating for many organizations, but what's interesting from my perspective, is that it's still continuing to grow both in frequency and in revenue. The average size of the ransom demands is also increasing almost in line with a profiling of companies. So they look at a billion-dollar company: we're going to charge you 20 million dollars to provide you the decryption keys. I think you're going to find the techniques will continue to evolve, the frequency to which they elect to use that attack technique will continue, and there are certain industries where there's a lot more successes. I think about the government sector, particularly municipalities, they're still greatly struggling, part due to budget, part due to legacy technologies and other drivers, limited staff, and they may not have all the luxuries that a larger organization may have. But probably most notably, the complexity of the attacks is going to increase, even with all the legislation that's been put in place to try to mitigate this, prevent payments and the like, it's just going to continue to be a burden for organizations around the world. I read a study recently that is a bit surprising, that in two years the ransomware revenue more than doubled, and the projected impact will be 40 billion dollars by 2028, unless something changes. And how are we going to change it? It's through conversations like this, through awareness, through just remaining focused on being cognizant of phishing risk, being cognizant of architectural considerations around security, making the entire company have a good understanding of baseline knowledge of how to identify threats, what actions to take, who do you call?
It's just a of activity, that we're making the right decisions relative to educational technology that we're going to continue to be one step ahead.
Dana Barrett: - Yeah, I don't want to get too into the weeds on this, but I feel like we could just do a whole interview just about phishing and ransomware, right? Because they do sort of work hand in hand. Yeah, someone gets into the system through, maybe a phishing scam. They're able to get the ransomware installed on the system, and then they go from there. Correct?
Dannie Combs: - Correct, absolutely. Once you're in, it's unfortunately all too common that you can pivot from system to system, from account to account. Imagine what you could do if you were able to compromise, say, an IT professional, or even a security analyst? They're human as well, and they likely have broader access. And again, if I was to recommend just a couple of things that would be just such table stakes to being prepared to do all one can to prevent and to limit the impact in the event that an incident occurs: it really truly begins with training that organization, building that culture that's security conscious, providing those real-world simulations, for example, that we do here at Donnelley Financial Solutions. We test ourselves regularly. I'd rather have someone fall victim to my phishing attempts than that of a bad actor.
Dana Barrett: - Is there anything else that’s been around for a while came through 2022 that we're expecting to really still have to focus on in 2023?
Dannie Combs: - I think that over the last 18 months in particular, we continue to see a pretty sharp increase in the number of attacks that are not necessarily originating from an individual, but are automated, and they're leveraging machine learning, and they're leveraging artificial intelligence. And so I think you're going to see not only that continue, but unfortunately increase in complexity.
Dana Barrett: - All right. Well, let's move on to kind of new things. What's coming down the pike in 2023 that we really need to be thinking about?
Dannie Combs: - Sure. There are several, and I'll start with perhaps the trends relative to bad actors. There's one that I'm actually watching very closely, and it's quite concerning, and that is, if we go back to artificial intelligence, that it is helping to protect organizations much better than just 2-3 years ago. But the bad actors are leveraging the same technologies as well, in their efforts to compromise organizations and individuals. And so, for example, imagine a scenario where you receive a phone call, and it's very interactive, it feels live. You recognize that voice. You recognize that face on a video. In reality it's a deep fake. It's artificial intelligence responding to questions that you're asking live, leveraging machine learning to get more realistic in those efforts. And so, I think you'll continue to see social engineering getting much more complex as a result of these deep fakes. I believe that you're going to see artificial intelligence being leveraged, so that in the moment of an attack, where the system or the bad actor recognizes that you have a security control in place that's going to defeat their technique, it will systematically or automatically, in real time, adjust its techniques to try to counter, to find that vulnerability that you didn't think of, or whatever may be in place. The battlefield is getting a lot more complicated, in short. I also believe that companies are going to struggle with the reality that we have a cyber-security talent crisis. There are currently over 4 and a half million jobs open. And we have 3 and a half million people globally in the industry. So, there's a tremendous gap here. And probably most notably with that in the United States, Britain, Australia, Canada. Those countries are targeted far more frequently, and thus we have the largest air gap. Another trend that we need to be mindful of is, the pursuit towards the cloud is not slowing down. And those are very different technologies.
And so you again go back to the security talent shortage that organizations are facing. But it requires different technologies to protect those in the cloud environment as compared to data center environments. And so, organizations need to be mindful that change is necessary if you're going to stay one step ahead of the bad actors.
Dana Barrett: - Yeah, and I know you've talked about this in the past. You’re talking about not just protecting your own company and having a great staff on board, which I know you have at DFIN. You're also talking about vendors, partners. So nobody's in a sort of a closed environment with just their own company anymore. That’s just not how we do business. So it's that even though you may feel like as a particular CEO or a CISO of a company that you've got it locked down. If your partners don't, or your vendors don't and or somebody you're interacting with doesn't, you can be in just as much trouble, correct?
Dannie Combs: - Absolutely. In fact, one of the tenets of an effective security program is, just as you make reference to, a supply chain security program must be in place. You look at the events over the last 2 years with very notable technology suppliers, ranging from some of the cloud providers, to network infrastructure providers, to application SaaS providers. They've all been impacted, and some of them, just a few of them, were extraordinarily impactful on a global scale, and so, obviously we all partner with third-party organizations and rely on those partners to build our solutions, to help us operate our business every day, and so we need to think about the suppliers as potentially our weakest link, because in some instances, unfortunately, they will be. And we have the least amount of visibility. It's a third-party company, right? And so, for example, here at DFIN, we set out several years back to ensure that we can increase that visibility, that we set expectations relative to having a matured security capability that we could have confidence in, and that they could demonstrate that by way of some certifications such as ISO 27001 or SOC 2, SOC 1. There are many appropriate certifications out there, depending on who the partner is, but we want that independent third-party perspective as to value the certifications, and we expect them to demonstrate their commitment to security, and if they don't, well, unfortunately they may not be the partner for us. And so the good news is that most organizations are recognizing that need, and are well on their way. One of the challenges, though, is that it can at times increase cost both for the partner and, of course, internally. It takes resources to perform those reviews and assurances. But again, we come back to change. Both entities will need to change how they're thinking about managing their supply chain.
Dana Barrett: - So when you talked earlier about artificial intelligence and machine learning, and how that's being used in cyber, you kind of got me thinking about the fact that we have tech-enabled cars. We have tech all over our homes and all throughout, I mean we're all walking around with tech devices in our hands. We're talking in our homes, too. You have to whisper the names of the various machines like Alexa or they'll talk back to you, right? And so are those things becoming a threat too as people work from home in these environments and ride in these cars?
Dannie Combs: - The short answer is yes, and from a security professional's perspective, it's a little bit disappointing, because a number of my friends in the security research arena have been conducting research and discovering and sharing vulnerability detail on those platforms. The automobile industry: can you imagine one day if a teenager somewhere around the world thought it's funny if the passenger airbag deployed on you while you're on the interstate? Those are real capabilities in an insecure setting. Or can you imagine if 10,000 smart TVs were compromised due to a lack of patch availability, or the fact that we often don't even think about patching our refrigerators, our home surveillance systems, our televisions, etc., and that botnet is formed to create an army that can perform a very large-scale attack against government agencies, against cloud providers, etc. Or imagine a bad actor that has a targeted organization that they want to gain inappropriate insights into, they want to steal intellectual property, if they're going to pull that trigger on some merger or some divestment, etc., and they compromise a conference room smart television, and they're recording not only sound, but also video, and you don't know it. The use cases are endless. And so, it's quite concerning. I hope more and more consumers, and of course, businesses around the world recognize that risk because it's quite substantial.
Dana Barrett: - That kind of gave me chills in a bad way. You know what I mean? It's kind of scary to think about. But I think it's a good lead-in to talk about the geopolitical environment as well. Because, you know, things are changing all over the place, and we hear stories that seem like they don't relate to us. We hear about Russian hackers or Chinese hackers, and we think, oh, that's not going to happen to me, or that's not relevant. Or we don't think about maybe something happening like the war in Ukraine, and how it might impact cyber. So can you sort of talk at a high level about how geopolitics does sort of factor into your thinking when you're developing your cybersecurity plans and trying to keep all this on lockdown?
Dannie Combs: - Absolutely, and just to say it directly, it is top of mind, unfortunately. It's the world we live in at the moment, and it's a complicated environment out there. From a Western country perspective, the majority of the more sophisticated, more successful attacks are originating from outside the United States, Australia, Canada and Britain. Particularly originating from China and from Russia. If we take a step back longer than, say, 3 years ago, go back 5, 7, 8, 9 years ago, that list would have expanded to Iran, North Korea, fairly common countries to be named because of geopolitical considerations there. But there's been a number of attacks that have been very impactful: the Colonial Pipeline. There's been a number of attacks that are attributed to the Eastern bloc in Europe that were targeting critical infrastructure, such as utilities in Texas, utilities in Arizona, and so it's very concerning, and it does hit home, but there's a bit of a lack of appreciation at times. At least, I would suggest, that the average, say, American consumer even just may not really appreciate that they are, in fact, being impacted. Pricing is going up because we have to secure our supply chains, we have to secure our banking systems, we have to secure the markets, and so there's always that indirect impact as well. And then there are considerations for many average citizens, if you would, who may have less of a militaristic background or something, but cyber is an element in the war chest that is used, and most countries will acknowledge that now. You think about the concerns with Taiwan, and the implications that could occur if there was an armed conflict. My opinion, and the opinion of many other people, is one of the first indications of the battle picking up would be cyber. There'll be massive disruptions, potentially at a regional level, and perhaps on a global scale.
But not to be doomsday, but it is reasons that, justifications I just described, that really folks in roles such as mine need to be mindful of and preparing for from an architectural perspective, and from a policy perspective, and from a planning, incident response planning perspective. But also educating the broader community at the company of what to be on the lookout for; you know, grammatical errors, again, on phishing are a great indicator of an internationally sourced phishing message that likely is originating from a bad actor. And so, we just want to make sure that the organization is aware. And once again, which is why so many companies, to include Donnelley Financial, are so committed to that educational awareness training program, why we conduct those internal phishing simulations. Why my organization in particular, we hack ourselves before a bad actor can do so. We want to know where those vulnerabilities lie. Why we employ a team of cyber-threat analysts that have a very impressive background from organizations within the Intelligence community and law enforcement, with over 20 years in a couple of instances of experiencing that cyber warfare each day. So it's just one of the many reasons why we've got to ensure that cybersecurity is top of mind.
Dana Barrett: - Yeah, I mean, I can tell just from the conversation we're having, Dannie, that you and your team, certainly, and DFIN on the whole, have made this a priority, and I know that entails sort of being involved in the process of software development and all that from the ground up. And does that apply product by product? If we're talking about ActiveDisclosure, you guys are involved, your team is heavily involved. Is that accurate to say?
Dannie Combs: - Oh, very involved, in fact, and I recommend that others do the same. But from ideation through the launch of the product, continuing on to the patches and the latest releases of the product, the security organizations must be working shoulder-to-shoulder with product management, with IT, the software development efforts, with the supply chain vendor, the partners that are in place. And we do. In fact, we're quite proud of that. And so, as an idea on how to introduce the next feature and functionality of our software offerings: if I look at ActiveDisclosure, for example, we have application security engineers working shoulder-to-shoulder, developing the solution with our software development team. As we go through the testing phases, for example, we have an application security engineer that's defining and introducing abuse cases, in addition to the functional cases, to ensure the applications are working properly and doing so in a secure manner. As we deploy, my team takes the lead on deciding a lot of those details about how the product is deployed into the cloud, for example, with ActiveDisclosure: web application firewalls, traditional next-generation filtering devices, intrusion detection systems, and integration into our cyber threat intelligence that I'll come back to here in a moment; the list is very long. The requirements that we expect to be in place, and that we have an obligation to the organization, and to our clients, and to our regulators, not only to expect, but to ensure that they are in place, and that they are operating effectively. Again, we're very committed to staying ahead at all times, at least one step ahead, of the bad actors.
Dana Barrett: - Yeah, and it seems to me, that one of the advantages of the structure you're describing with your team being so heavily involved, is that you guys are focusing on that knowledge, for example, about the geopolitical situation, and I’m sure you're also having to look at governmental regulations across the board, and you bring that knowledge to the table as well when this development is going on, so that the software developers aren't having to worry about that because you're bringing it to the table and they’re bringing it to their to their team. So, talk to me a little bit about how much of that there is in terms of governmental regulations. What do people need to be aware of on that front?
Dannie Combs: - There are a lot, and perhaps before I get into that, if I may, I just want to comment, because this is a suggestion that I strongly encourage other organizations to follow. We've been focused on it for many years here at DFIN, and that is a cyber-threat intelligence consideration. So what does that mean? We have a group of analysts whose role is to understand what are the current techniques, tactics, and tools being used by the bad actors? How effective are those tactics, techniques, and tools in yesterday's attacks, and they're very much working in real time, and then, of course, they're assessing our own systems and applications to see if we need to make adjustments to, again, keep one step ahead of our adversaries. And so to that end, to answer your question, there's been a lot of development, both domestically and from a global perspective. Several years, 5 years ago, I believe, roughly, GDPR, Global Data Protection Regulation, came into effect and caught the world's attention because of its global reach. While defined as EU-centric and impactful to EU residents, well, their definition of residents: you're a citizen of Germany, and you're physically residing in Austin, Texas, you're protected, and the penalties extend. To the Department of Finance in New York State: we took a look at their expectations and found them to be very prescriptive, but very necessary. Also, you don't need to be limited in your operations to within the confines of New York. Their definition, their reachability, I should say, is quite broad. And so the challenge we've been facing as an industry of cybersecurity, and those that are trying to interpret and apply the expectations that are outlined in these regulations and laws around the world, has been a lack of harmonization.
We have an organization in the EU expecting us to report a cybersecurity threat within 48 hours, and we have an organization in the United States expecting us to report a real event, not a suspected event, and do so in 72 hours, for example. We're seeing a lot more harmonization that's coming, that's being attempted, and frankly speaking, being achieved. More specifically in the United States, we're seeing a lot of activity, a lot of prioritization, really, on trying to solve this cybersecurity challenge in Arizona and Indiana, where there are now defined expectations on reporting an incident. Now, there's some deviation on specificity depending on the state that you're operating in, but broadly speaking, there's a lot more of that harmonization occurring. In California, in January, just a few weeks ago, they further refined that Consumer Protection Act relative to data privacy, the expectations, and they extended that to not just protect the employees, but also contractors of organizations that are impacted or governed by that regulation. So, a flurry of activity. Virtually every State and Territory in the United States has something on the books relative to cyber reporting. We've seen updates from the SEC, really, clarification, on what their expectations are for reporting purposes, both from a programmatic commitment to cyber point of view, but also on incident reporting. And of course, President Biden signed last March expectations in the law relative to critical infrastructure, as it relates to cyber incident reporting. We expect there to be more specificity and clarification this year, as it relates to that act that the President put into effect last year.
Dana Barrett: - Yeah, there's a lot there, so clearly that goes to having a strong security organization within the company, which you do, and of course you want all of your vendors and partners to have as well, and clients, right? So this is why we're talking about this. Because it is a lot, and we do want to point people in the right direction, because, to your point, none of this gets solved, because it's always going to be ever-evolving, but the better we can do it, keeping up with all of the regulations, all of the potential new threats, this all works together into how we do the best we can to protect ourselves, our data, our companies, all of it.
Dannie Combs: - When I have this conversation with my colleagues around the world and they ask me for my perspective about how to interpret this very complex landscape of regulations, of laws, and from a global point of view, it's a bit challenging to try to distill it all down for my good friends in the health care industry, or a very good friend of mine over at American Airlines, etc. They're industry-specific oftentimes. But as I look forward, again I go back, and the good news is, we're seeing a lot of harmonization that is more broad than a specific industry. And secondly, be aware that there are many regulations. My opinion is, it's extraordinarily unlikely, regardless of the size of your organization, that you're not obligated to report certain events should they occur, and you're certainly going to be expected by your client community to demonstrate your adherence to the regulations that they're accountable to.