Information security teams are facing a new challenge that isn’t impacted by secure passwords, detection networks and tokenized data.
Maintaining “Business as usual” has been a challenge for cybersecurity professionals as the COVID-19 pandemic has forced many companies to distribute their workforce while still being tasked with providing data protection to clients and employees. Benjamin Blakely, Dwolla’s Director of Information Security, said his team continues to adapt to both challenges and that progress is being made as teams adjust to the new normal.
Just because Dwolla’s team members weren’t in sight didn’t mean they were out of mind.
“While there were and continue to be challenges, we were able to make this change nearly overnight with little day-to-day friction,” Blakely said. “Our company adapted without a blip from a customer perspective and we’ve been able to stay just as connected and functioning as a team as ever before.”
In June, Blakely participated in a virtual question and answer session with the Greater Des Moines Partnership to discuss how COVID-19 is impacting cybersecurity. We’ve transcribed his responses to share how Dwolla is responding and what other businesses can do to mitigate their risk.
His answers have been edited for conciseness:
How has COVID-19 impacted your daily activities?
BB: We’ve found that most of our tooling adapted well, but our ability to provide the level of support we usually do to business partners has been a challenge. We have minimized any need for an employee to go into the office, but this means that we can’t just roll up next to someone and help out with a quick fix or pin someone down with an urgent issue.
From a people and process perspective, this has been nearly seamless, but from a tooling perspective, we’re still adapting. We had an advantage in that we were already very cloud-based, but the work continues.
Do you think it will be harder to respond to cybersecurity incidents in our current environment and why?
BB: No. Dwolla has taken a continuous monitoring, proactive alerting stance rooted in data collection and automated analysis wherever possible. We like to let humans do human things and robots do robot things.
Because of this, we are able to leverage our available tooling the same as before and have not seen any degradation in our ability to detect and respond to incidents. It can be somewhat challenging to assemble all necessary parties in an incident, but our utilization of cloud-based collaboration tools has mostly kept this from being an issue.
How will COVID-19 impact digital transformation and/or your customer experience?
BB: We expect to see shifts in the clients interested in our platform or the ways they intend to use it.
The shift to digital-first and/or cashless payments, combined with things like touchless payments, means many more companies may be looking to make digital transformations, and we expect to see many more startups with cool new ideas to solve the challenges the fallout from a global pandemic has created. Dwolla has already shifted over the past few months to a focus on how we can get our clients moving money as quickly as possible, with minimal friction. We expect this to be a natural parlay into COVID-related expectations.
What is one thing you’ve learned and will do differently should we have another pandemic or crisis of this scale?
BB: Planning for pandemics is easy to put on the back burner. While every business I’ve ever worked for has had some sort of plan on a shelf somewhere, typically it is dusty and not well-exercised.
Case in point, the most common scenario I’ve heard through professional contacts is a “zombie apocalypse.” It just didn’t seem like a realistic risk in the spectrum of “scary things” prior to COVID-19. While things like H1N1 have increased the priority for pandemic planning before, I don’t think anyone will ever let this drift toward the back burner again.
Just like being prepared to respond to a security incident can be the difference between a Target Breach and a Home Depot Breach, being prepared for a fully distributed and potentially degraded workforce at all times will be critically important.
How do you see this pandemic impacting your program or company in the mid to long term?
BB: I am working under the assumption that “remote-first” employees will increasingly be a primary consideration, if not the norm, in many companies.
We are taking a hard look at risks related to physical presences we control and asking “does this need to be something we manage?” As cloud-first as we already were, the strategy for corporate infrastructure going forward will need to be one where we think of the office as just another coffee shop—not a primary work location (even if it is a primary work location).
Where did you go to get help making the transition (internally or externally)?
BB: Our internal partners in HR and Legal were the foundation upon which all other decisions were built.
With the level of uncertainty in the weeks leading up to a full WFH mandate, these partners bent over backwards to provide clarity where they could and support the many edge cases of individual employee situations. Outside the organization, we were able to leverage connections with some of our local partners (nameless in the interest of Chatham House Rules protocol) as well as memberships in organizations such as InfraGard (and its CFWG) and FS-ISAC.
Since the onset of the pandemic, has there been an increase in cyber-related financial crime impacting central Iowa? I would anticipate this leading to a discussion about BEC.
BB: Our client base is nationally distributed, so this is a bit hard to answer specific to Central Iowa. However, I personally have not seen a material change in reports of fraudulent activity by our clients. While we’ve seen some pickup in phishing built around the current situation, very little of it has made it past our protection systems and our employee base has done a fantastic job of being vigilant and reporting when it does.
In addition to the threat of business email compromise, are businesses continuing to experience account takeover?
BB: Yes, this is an ongoing threat that we work to mitigate according to current threat and attack trends. It’s worth mentioning that it was the number one issue in the 2020 Verizon DBIR. If you’re not using MFA for sensitive accounts, or at least providing the option, you’re falling behind.
We will be making an exciting announcement about that ourselves within the next few weeks. While I want to avoid specifics of our strategy, we are continually critiquing our approach to ensure we’re delivering a level of security on par with being part of the financial industry with a level of customer “delight” on par with being part of the technology industry.