Former White House CIO Theresa Payton. Photo: Cybercrime Magazine.

Former White House CIO: How To Thwart Business Email Compromise Attacks

Theresa Payton provides tips to businesses and consumers for National Cyber Security Awareness Month (NCSAM) 2018.

– Georgia Reid

Northport, N.Y. – Sept. 17, 2018

In honor of the 15th annual National Cybersecurity Awareness Month (NCSAM) 2018, Cybercrime Magazine asked former White House CIO Theresa Payton of Fortalice Solutions to share some advice for businesses and individuals. 

According to the official website,  NCSAM — observed every October — was “created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.” Since 2008, NCASM has grown significantly. With more attention on cybersecurity than ever before, we can all pay more attention.

Payton is a cybersecurity leader both in the public and private sectors with years of experience and insightful advice. Her three main points are:

Watch the interview below to hear more about what Theresa has to say about cybersecurity.

CM: So we are here today with Theresa Payton of Fortalice Solutions and we are talking about the 15th annual National and International Cybersecurity Awareness Month.  And Theresa has some tips for us for both businesses and individuals about cybersecurity.

TP: Yeah, absolutely!

So for businesses, one of the things that we see that really works against business email compromise — typically that business email compromise (B.E.C.) is the CEO telling the CFO to wire money outside the company and it looks completely legit so CFOs actually do it — and this happens to large companies and small alike. And one of the things that can help you fight against that as well as equipment purchase fraud and leasing purchase fraud is to actually create a domain name that is not your company’s forward-facing, public-facing domain name. So, for example, if you’re ABC company, come up with “we are not the company you are looking for” dot com — and then have your credentials all set up around that for your wire transfers, for your large equipment purchases, and your large equipment leases. 

And that has actually helped large hospitals, large retailers, large government organizations that move money around, it’s helped law firms, and lots of different clients of ours have reported that that spear-phishing campaign no longer works because they’ve created this domain name they use no place else except for that single purpose. That can really make a huge difference.  Doesn’t cost a lot of money, is not that super complicated to implement.

For individuals, and it’s not the only thing you can do, but I can’t stress enough that two-factor authentication is sometimes the difference between complete account takeover and someone leaving you alone and going on to the next victim. I can’t tell you how many times, because of a recycled password, or a password that was in a data breach, and you didn’t realize it had been dumped on the internet and you don’t change your passwords often and you don’t use two-factor authentication, I will have clients come to me and say, “They are in my email, or they are in my iPod account, or they are in my Google account, they are in all my social media accounts, I can’t get them out.” And that to me, that two-factor authentication, the not recycling passwords, and using multiple email accounts is a great way to segment your life.

The last thing I want people to be thinking about both at their business and at their home is how do you create a logical and physical separation of information, so you have zones of trust and zones of zero trust?  So if you are implementing Internet of Things devices, those smart thermostats, smart doorbells, smart lights, smart rooms, whatever it is you’re implementing, those are known to be highly insecure.

What you want to do is create a segmentation of your home network or your office network. Where you can still modernize and have these amazing technologies, but make sure they have their own email address, where it’s not your work or your personal domain name, and make sure they have a logically and physically separated access to the internet, so in the event there is an issue, like the Mirai botnet that happened two years ago that took over these Internet of Things devices, you don’t have to worry about cross-contamination because you have that logical and physical separation.

CM: Very good. Thank you so much.

TP: Thanks for having me.

Official National Cyber Security Awareness Month (NCSAM) 2018 Statistics from Cybersecurity Ventures:

  • Cybercrime damages will cost the world $6 trillion annually by 2021
  • Global spending on cybersecurity will exceed $1 trillion annually by 2021
  • There will be 3.5 million unfilled cybersecurity jobs by 2021
  • Ransomware damages will cost the world $11.5 billion in 2019
  • Ransomware will attack a business every 14 seconds in 2019

Georgia Reid

Theresa Payton Archives