It’s spooky season on Banking on Community, and nothing’s scarier than cyber threats. Saxon and Brett are joined by CSI’s own CISO and CRO, Steve Sanders, to talk deepfakes, voice cloning, and why you should probably think twice before scanning that random QR code. From AI-driven fraud to Steve’s secret “SAUCE” for staying secure, this episode will keep you informed… and paranoid enough to change all your passwords.
Transcript
Saxon Prater (SP): Welcome to Banking on Community, a podcast for community bankers. I’m Saxon Prater.
Brett Glover (BG): And I’m Brett Glover.
SP: And this month, it’s spooky season and nothing is scarier than cyber threats.
You know, actually, here on Banking on Community, we thought we would do something that nobody’s ever thought to do in the month of October. We thought we’d talk about cybersecurity. To do that, we’ve got our own resident cybersecurity expert, Steve Sanders, our Chief Information Security Officer and Risk Officer.
Steve, welcome to the show.
Steve Sanders (SS): Welcome. Thanks, happy to be here, ready to talk cybersecurity.
BG: Appreciate it. And, um, you may notice that our usual companion, Tara Schultz, is not with us. We hate that. Tara’s doing really strategic things considering she’s SVP strategy, I’m sure.
Um, but we also need to give her a shout out, Saxon. Tara recently was accepted and appointed as a board member for the AFT—Association of Financial Technology. So, congratulations, Tara.
SP: Yep. Congratulations. Much, much deserved.
BG: Well deserved, well deserved.
You know, before we dig in—and I do like to give the people what they want—and some of my folks have been asking if Steve can let us into some insight: Steve, has Saxon ever personally failed a phishing email, you know, education? You know, the people wanna know.
SS: Brett, I would love to tell you that, but when I expose our weak links, we make targets of them. So, I can’t share that data. And by the way, you and I need to talk after this call as well.
BG: Oh, well, I mean, yeah, I’m pretty sure everybody’s just assuming I have.
SP: Well, Steve, you know, on this podcast, we like to obviously talk about community banks, community financial institutions, and so I figured we would start with just as an initial foray into cybersecurity: you talk to banks a lot, I mean, what advice or perspective would you like to provide them as the kind of opener to this conversation?
SS: Uh, you know, I think the one thing that banks are missing right now is the, I think what’s a golden opportunity. I believe that banks are always looking as a way to give their services to the community in some way, to benefit the community. And I believe positioning yourself as the cyber experts in the community is a great place to position your bank.
It’s a win-win. You are, uh, finding that people turn to you when they wanna know more. Maybe you have a website that has cyber tips on it. Maybe you do trainings periodically, and you’re also protecting your interest at the same time. So, I mean, if I were running the strategy and the marketing of a bank, this is something that I would be strongly positioning in the community. I think it’s a great opportunity that’s missed in most cases.
BG: Yeah. Steve, I completely agree with you, and I mean, on a serious note, it is Cybersecurity Awareness Month. Um, for those of you who are not following, if you’re on LinkedIn, follow Steve. He’s been dropping knowledge all month this month, and will continue to do so, uh, even on a regular basis.
But, you know, Steve, what are some of the things with obviously AI accelerating, um, and, and this is an ever-changing landscape, you know, that better than anybody. What are some of the things in the headlines that are kind of dominating the space right now?
SS: There, there’s always “new news” and there’s always “old news that’s new news” again, in the cybersecurity space.
But the things that I think are really important to pay attention to right now: the Cybersecurity Information Sharing Act expired on October 1st, and that’s not budget related. That was being cut no matter what. And so the, the impact that has to community banks directly is probably not large, but the impact it has indirectly is really a big deal because it affects the willingness of companies to share information with DHS, which benefits us all. It removes the protection that they have when they do that.
I think the other one that is really an ongoing battle that everyone is familiar with, but they may not think of it regularly, and that is the third-party vulnerabilities. So when we’re bringing or connecting applications into our systems, and in many cases these are applications with a lot of rights on our, on our systems or on our networks. When those applications have vulnerabilities, we have a big problem. And the most recent one is Oracle E-Business Suite. So the Clop ransomware crew is taking advantage of this, they’re rolling out ransomware. So this is a big deal. And, and the question’s always, how do we protect from all the vulnerabilities in this third-party software?
And then of course, you mentioned AI: AI and fraud is a really big deal. In fact, AI within the fraud space, AI and deepfakes now comprise 50% of all fraudulent attempts. So, it’s really a big deal. And the problem with AI is not that AI is inherently bad. It’s not. In fact, it’s a great tool and many of us are using it, but the bad guys are doing this without principles. So they are taking advantage of it, moving at a pace at which those of us fighting the good fight cannot move. So there’s a real surge there right now.
Then the last two are things that I really think people need to pay attention to, and that’s voice cloning. So, we’re experiencing a lot of voice cloning. In fact, in a matter of two minutes, I can take your voice and I can, uh, for example, put your voice on Saxon, if I want to, Brett, or I can make your voice match what I’m saying. So I can say something and make your voice match that through a program that I have on my computer. It’s actually a good use program, but you can do some pretty wicked things with it if you want to. And so this is targeting bankers, it’s targeting executives, and it’s targeting customers of banks.
And then the final one, and this one is one that everybody needs to pay attention to, and that’s QR code phishing. And so you receive an email, your security system isn’t strong enough to detect the bad links within the QR code, or the bad guys are making the QR codes less detectable through color schemes, or in some cases splitting the QR code into two to four smaller images that are side-by-side so they still make the QR code. When you take a picture of the QR code on your phone that is not as protected as your computer is, you go to a bad link and you end up running malware or participating in an attack of some sort. And you know, that one’s particularly scary because if I’m a bad guy, I can take stickers with QR codes and put them on the restaurant’s menu that’s at your table. And so you think you’re scanning the menu and you’re infecting your phone.
SP: Yeah, I think about that all the time with like Super Bowl commercials and stuff like that. Obviously, those are a little bit more vetted, but we’re just conditioned to just, like, QR code? Scan it. And it’s like, somebody could put something on a shirt and you’re like, “I wonder what that actually goes to.” And you never, never really know.
SS: Yeah, that’s exactly right. I think our, our natural tendency to be curious—and maybe even nosy—gets us into trouble sometimes.
SP: Well, a new fear for me is the voice cloning thing. We have already said far too much on this podcast.
SS: Yeah. It’s actually very scary when you can, again, with frankly as little as 10 seconds of good audio, I can impersonate your voice if I have the right application.
BG: And I think you, you brought, you touched on an important aspect of that, Steve, with—you know, I like how you often term it bad guys. And in large part how I think about this, it’s really no different, right, than the dawn of the internet, right? Like, a really good tool, and there’s gonna be people out there that use it for not good purposes. I think that’s what we’re experiencing right now. But with the targeting from C-level executives, whether that’s, you know, a larger company such as CSI or a financial institution itself in a local community, right? Um, which is definitely something folks probably aren’t used to seeing and are trusting and assuming.
I know you talk to customers regularly, um, and I so appreciate that about you. As you’re having conversations with banks, with credit unions, like what are you hearing right now that they’re dealing with on the day-to-day and any practical tips or wisdom that you’re sharing out?
SS: Well, I think obviously fraud is a really big deal for all of the banks that I talk with. And of course, with that it’s not just simple, um, historical fraud, like we’ve dealt with. It’s more advanced, more, uh, scary fraud, if you will. So we’re dealing with—we’re hearing a lot of that. We’re hearing a lot of, uh, customers that are falling for very sophisticated attacks that are allowing account takeover and disbursement of a lot of money very quickly.
From a cybersecurity, uh, from a more specific cyber security perspective, I think the thing that’s standing out to me is I’m still finding the cybersecurity executives aren’t having a seat at the table at the banks. And the reason they’re not, if I’m just being candid, is because they are still wearing their IT hat. And as long as cybersecurity is viewed as an IT issue, it is not taken seriously by the people who don’t speak IT. And so for the cybersecurity executives, the CISOs at the banks, they have to put on their business hat and learn to talk business about these issues. So that continues to be a really big problem.
Uh, I have spoken to CISOs that don’t understand how their mission fits into the corporate mission or the bank’s mission. All they know is they’re there protecting the bank, and that sounds noble and great, but if you don’t really understand, um, how, how you mesh in with with what’s going on at the bank, you’re possibly going down the wrong path.
Uh, I, I think maybe the other thing that I’m hearing is some frustration around the CAT, which was a cybersecurity framework that has gone away. In fact, I think Tyler Leet has had a podcast on that, or maybe it’s even a video session, but I’ve seen that out there on LinkedIn. And so it’s good, but I think that what we need to realize is no matter what tool we’re using, if all we’re doing is completing the activity with that tool, we’re not doing the right thing. That tool is there to help make the case of the maturity level we’re at. And we need to be sure that we’re conveying that message properly.
So for example, on a scale to one to five, where do you really expect your cybersecurity maturity to be? And you know, you might have a bank that says, “well, I wanna be at a five, I wanna be at the top.” Well, maybe? Are you prepared to spend the money it takes to be at the top? Because that’s expensive. There’s a cost benefit correlation there. So I continue to see that sort of problem.
Uh, there’s also, just to reiterate what I said a minute ago, there’s frustration with third-party apps. There’s a belief, I think, historically, that you weren’t vulnerable because of third-party apps, and now they’re the way the bad guys are getting in.
BG: Quick follow up to that: I mean, just in your conversations as well, I mean, you hit on what I commonly hear too is like, “it’s expensive to do that.”
SS: Mm-hmm.
BG: From my standpoint, please correct me if I’m wrong, but like, is your perspective like: “um, I get it, and there’s a lot of other budgetary items that financial institutions would probably like to focus on instead of cybersecurity budget dollars, but can you really afford not to?”
SS: I think that’s a good question, but let’s put on our business hats as we think about that for just a minute. To be totally secure, if you really wanna be secure: there was a man named Gene Spafford that once said, “the only secure computer in the world is one that’s buried in a hole, six feet underground, surrounded by six feet of concrete with no electrical or data connections.” Well, you can’t do business, so you can’t be secure, right? I mean, that’s just impossible.
So, what level of security are you willing to take on? And I think the question we have to ask is if the risk that I believe that I’m taking on as a bank—maybe I’ve quantified that as I have a $3 million worth of risk, worth of cyber risk, and I can eliminate a million of that by spending a million and a half dollars—is that worth that investment? And so you do have to ask those questions. For example, what’s the reputation risk? How big of a deal is it if we end up with all our systems encrypted?
So, you’ve gotta go through those scenarios, and it’s a lot like business continuity. You have to understand what’s the business impact of a cyber event, what’s the risk of us having that cyber event, and could we maybe spend money on some controls to lower that risk quite a bit without a lot of expense and maybe not spend the absolute maximum budget we can get, because we’re all wearing lowering the risk enough without that.
So, really it’s not a one-size-fits-all decision to get to the point, Brett. It’s this question of how risky are you? Because if you’re willing to take on more risk, you can move faster. You can do things that make your customers happier because you don’t have controls, but in doing that, you are exposing yourself to some risk, and you just need to be aware of what the risk is you’re exposing yourself to and be prepared for it when the bad activity happens. Does that help?
BG: Absolutely. I mean, it’s so incredibly well said. Thanks for kind of breaking down some of the nuance of that.
SP: Yeah, Steve, you have a great way of capturing in a very succinct and eloquent way some of these fairly complex topics that are like—there are obviously so many, I mean, there are all these like, I guess, gray areas of “it depends,” right? Like what you wanna prioritize, what is your risk tolerance? But you had a really good way of phrasing something. It was an acronym. Uh, can you remind us or share with the podcast listeners what that acronym was?
SS: Yeah. I call it my “secret sauce,” if you will. And SAUCE is the acronym.
And so the S stands for security. And by that I mean, how are you securing yourself? How are you securing your data? And with that, like, don’t go to the bad part of town. You know, if you’re traveling around and you go to the bad part of town, you’re asking for trouble. So don’t do that on the internet either. Stay in the known, good spaces. Have proper backups, for example, use good offline backups. There’s a simple rule around that—and this fits right into security: if you lose your data today, how upset are you going to be? Well, if you haven’t had a backup in three months, you’re probably gonna be pretty upset. So that is a rule of thumb to follow to help you determine a schedule for backing your data up.
A is authentication. We’ve said for a long time to use strong passwords, and I still recommend using strong passwords. If you were to watch me type my password on my computer, you would probably just shake your head because it’s like 30 characters long or something. But I still think strong passwords are good, but most people don’t know how to use passwords well, and they get compromised because of that.
For example, uh, your password may be “ILikeChickenWings,” and you know, if everybody knows you like chicken wings, they know to try that password or some variation of it. So that’s why we have multifactor authentication, which is table stakes, frankly, but most people are still using SMS text messages for multifactor authentication, which is easily hacked. You need to be using a third-party application for that.
Stepping it up a little bit more is moving to passkeys, where they’re supported. That is a fantastic alternative. It keeps you out of the chain of having to type a password in. You’re authenticating using Face ID on your phone, or you’re authenticating using a third-party application, like 1Password, to do these passkeys, which are strongly recommended. They are a little bit complex, but they’re not too scary.
And then finally, for the most risky people, I think something like YubiKey, which are—let’s see if you can see this. We’ve got their little USB tokens that you put into your computer, and if that token is not plugged into my computer, I can’t log in. So, you actually have to physically have that token if you want to get to the machine. So that covers authentication.
U is for updates. And that means not just your operating system. And by the way: hello, all you Windows 10 users out there. If you have not updated Windows 10, shame on you, because as of tomorrow it is no longer supported. And so, you’re opening yourself up to whatever the latest risk is.
But it also is your applications. How are you updating every application on your computer? How do you know they’re updating? And you should be turning on automatic updates every chance you get, because you’re probably not good enough to be sure they’re updated appropriately. Everything you install is a potential vulnerability.
C is for being “cyber smart.” And that’s one of my favorite phrases. In fact, people internal will notice I use that a lot when I’m posting out to our Viva Engage posts. I use “cyber smart” because I want to remind us that we need to be that way. We need to be aware, we need to be cautious. We need to follow the motto: “When in doubt, throw it out.”
You know, somebody texts you—this morning, I got a text message and it said, “how’s the weather in Kentucky?” I don’t know who this person is, but they know that my area code’s a Kentucky area code. And so I hit the report junk button. Do not reply ever. Don’t play games with these people because they’re not playing games with you.
The same with emails, the same with phone calls. If you don’t know who it is, you don’t have to talk to ’em. And then, you know, I think along with that: don’t be scared to, for example, at work, tell your IT administrator, if you think you’ve made a mistake, do that fast so you can get that fixed.
And then E stands for encryption. And so, you know, within our businesses, we should be using encryption, protect everything that’s valuable, but we should be using it at home too. You should be using a router, a wireless router with WPA3 encryption, because that’s the standard now that is, uh, the most secure. You don’t wanna use the older versions. Use VPN when you travel.
If you are traveling on business, use your bank’s VPN. If you’re traveling personally, have a VPN. Never use a hotel VPN, because it’s so easy for me to see everything you’re doing on that hotel network if you’re not using your VPN. So, products like PIA or Nord are good alternatives for personal business.
So there’s quite a bit that people need to do and a lot contained within that, that sauce acronym.
BG: Yeah, I feel like we’re definitely gonna need—we’re gonna need a graphic, Saxon, to follow up with this. We just gotta get the sauce out there. It is the secret sauce.
Steve, well, I think, first of all, I’m really glad you’re on our side. And I’m glad you’re the resource that we can utilize to help as someone who works with our customer base and financial institutions every single day. You do an amazing job. As we’re kind of closing out here—’cause I have a feeling you could talk about this for days on days on days, but we have a limited amount of time—with some of the emerging technologies that are being used for not good and not great purposes, what are some of the emerging technologies coming out that are being utilized to help combat that?
SS: Well, in many cases, the emerging technologies that you can use to combat the bad guys are the same as the ones the bad guys are using. So, I encourage any business to be looking at utilizing AI in their security infrastructure. I think that that’s, again—it’s much like MFA—it’s table stakes anymore, because the bad guys are using that.
I think the other thing that we need to be looking at, like I said a minute ago with authentication, you need to be looking at more advanced authentication mechanisms. You need to be looking at ways to reduce your identity and access management risks. So not having local admins throughout your network, using a tool that helps you do that.
So, those are things that lower your risk. I guess you need to think, “if a bad guy gets into my network and they take over my account, what can they get to?” If they can get to the whole network from my account, then I’m a very big risk. If they can only get to a little bitty small area that every time I try to do something, I have to get permission, then that’s much better.
And by the way, that’s how it is at CSI. I can’t do a lot of things because I don’t want my account to be the risky account in the organization, so I have to ask permission for those things. So I think we need to be looking at adopting those things, and I think we need to be open to how much AI is changing the landscape. It is drastically changing it every day, both for good and bad, and we need to be aware of both sides of that.
SP: Absolutely. Well, Steve, it’s, you know, it, we joked before this that it’s fitting that cybersecurity month is also October, uh, spooky season. And, you know, for those of you who are watching video, you may be wondering, what’s the deal with all the hood stuff?
I’ve got this, for those of you who are just listening, I’m wearing a black hood sitting in a dark room. For some reason, the media is intent on portraying hackers as such. And I thought, “hey, what’s something scary?” A hacker, right?
Saxon’s hacker Halloween costume: the scariest monster financial institutions face today.
But Steve could also tell you, we joked about it before this, that they don’t necessarily look like that. They’re more likely to be sitting next to you at the coffee shop than they are sitting in a dark room staring at their computer in a hood.
But speaking of scary things—I mean, we’ve talked about a lot and you’ve given us plenty to at least be aware of. What keeps you up at night, Steve? Like, what are some of the things that either people are overlooking or just that they should be concerned about?
SS: There’s actually a lot that keeps me up at night in regards to this topic. I’ll just give a couple that I think people are overlooking. I think within many organizations, cloud integration risk is not being evaluated properly. So, the cloud’s actually more secure most of the time than your network is, but the way you connect to the cloud may not be secure. And so be sure you’re doing that right. That I think allows opportunity for really large compromises.
Also, I’m constantly amazed at the number of organizations that have in place the right defenses, but they don’t monitor those defenses. And so that is something that bothers me quite a bit too.
I do think the speed at which technology is changing, whatever we’re talking about today is not gonna be the big risks tomorrow. That’s why I have almost an evergreen topic, because it’s always changing. There’s something new coming. And I do think that boards need to be aware of what is coming. So they need their CISOs or somebody in the organization to be letting them know what’s on the horizon, what’s coming down the path, if you will.
SP: Do you find that banks are doing that? Keeping their boards informed, engaged?
SS: Uh, no, not really. Um, I frankly find this to be a pretty big hot button for me. I think number one: the boards don’t care. And I don’t mean that they just don’t even wanna hear about the topic. They don’t understand what’s being said because the people presenting it are unfortunately presenting it very technically. And the board doesn’t speak tech, they speak business.
So, I think the CISOs need to be, as I said earlier, learning to speak a different language and approaching this as a business issue. The CISOs need to be spending time with the boards, helping them to understand the business risk of what’s going on, what happens if we have a cyber attack? What happens to our bank? What happens if we come in tomorrow and every computer in the whole bank is encrypted? What happens if we can’t get online? What happens if someone, uh, goes on a campaign against us and destroys our reputation using the tools that are out there on the internet? How are we gonna handle those things? The real business risks?
And the boards need to understand where we are, where we should be, and what is reasonable. What, again, as we talked earlier: how much are you willing to spend to avoid the risk? Because the answer is not, “I accept no risk.” The answer is, “I accept a calculated risk and I know where I’m at.” So, I do think it’s a humongous void.
BG: Great. Saxon, I think we are about at the time for the closing word. I don’t know how you wrap it up any more succinctly than the points you’ve already made, Steve.
But before you do: just on behalf, you know, again, Steve Sanders, I say it all the time, we’ve got one of the best in the business. Thank you for what you do here, day in, day out, and thank you for how you care and seek to educate us internally and take care of our safety and security, but also our customers as well. I really appreciate what you do.
And maybe a segue, Saxon, I know registration for CX26 is open now.
Denver, Steve, I’m assuming you’re gonna be there and educating the masses, as always.
SS: That’s the plan.
SP: Awesome. Yeah. Yep. That’s exactly where my brain went. Yeah, April 12th through 15th in Denver. You guys could register today. You can find out about that and a bunch of other things. It’s on CSIweb.com.
You can also find Steve posting useful information and perspective on LinkedIn.
Until then, keep banking on community.