When it comes to data security, offence is the best form of defence
At Donnelley Financial Solutions (‘DFIN’), a leading risk and compliance solutions provider, security is embedded in its DNA. Over the years, the firm has built out an array of financial technologies to support its clients as they operate in increasingly complex markets, where risks come in a variety of forms; not least of which is the constant threat to data security.
“It’s top of mind for us and all of our clients as we build out and deploy solutions that they use every day,” says Dannie Combs, SVP and Chief Information Security Officer. “Communicating the importance of security and adhering to data protection laws across the globe is of critical import to us. Our clients have to trust us to protect their data at the end of the day. We are humble to earn that trust, and we work diligently to make sure we exceed our clients’ expectations.”
Combs is well accustomed to the challenges DFIN’s clients face. During his military career in the United States Air Force, he held a number of security and operational risk roles, witnessing first-hand the consequential impact of cybersecurity shortcomings, whether nation state-sponsored attacks or terrorism efforts using cyber techniques to cover up or fund nefarious activities.
“I’ve seen first-hand the negative impacts cybersecurity attacks can have, beyond the business landscape where it tends to be intellectual property theft and financial-related drivers. There’s a phrase one of our great generals once said, ‘We train to fight and we fight to train’.
“From an operational perspective, DFIN does just that. We conduct regular phishing exercises with clients, we’re consistently hunting down adversaries and we use a lot of the same basic techniques that go back 25 years.”
In that respect, offence is the best form of defence as PE firms begin to embrace digitalisation more fully, primarily through the use of cloud-enabled technologies. Part of this shift in mindset is a response to the seriousness of the data security breaches that follow when proper cyber processes and controls are not in place.
“We want to provide our clients with features and functionality to make their lives easier, and automate processes where possible, yet at the same time we have to ensure they remain protected from unauthorised access, data leakage, etc.,” explains Combs. “The diversity of our products and services does lend itself to some technical complexities but whether it be multi-factor authentication or encryption of data in transit and at rest, we have a 24/7 SOC that is laser-focused on ensuring we understand our adversaries.”
Another complexity relates to the sheer diversity of data protection laws globally, especially in the UK and Europe with the introduction of GDPR. This regulation has set the benchmark for data privacy and led the way for data protection laws to subsequently be introduced not just in the US but across the globe; there are now more than 120 countries with national data protection laws.
As PE firms ingest and share increasing amounts of data, not just internally but externally with investors and key service providers, they are becoming more exposed to cyber threats. This is requiring GPs to put great emphasis on ensuring their technology partners demonstrate their commitment to cybersecurity.
Combs refers to one trend he has started to observe called ‘crimeware-as-a-service’, which is illustrative of how far we’ve come as it relates to cybercrime.
“You now have hackers buying or selling hacking tools that enable less talented individuals to initiate a ransomware attack,” he says.
“Once a hacker targets a PE firm and infects their system with ransomware, the victim might try to pay the ransom with Bitcoin but if they run into technical issues these crimeware-as-a-service providers also help the bad actors with payment collection. We certainly see an increase in this type of activity in Europe. It’s been quite remarkable.”
Ransomware continues to be a very problematic attack that large organisations struggle to mitigate; the higher profile the name of the firm, the bigger the target.
Combs observes that in 2019 there was actually a 37 per cent drop in overall ransomware attacks. However, there was a 53 per cent increase in targeted ransomware attacks, with a particular focus on enterprises. Bad actors have moved away from ‘retail’ consumers, he says, and moved more towards targeting corporations, stating that “three quarters of the recorded ransomware attacks last year targeted US-based corporations, including PE groups”.
As best practice, PE managers are being urged to put processes in place to regularly back up their systems. Unfortunately, the reality today is that it is a question of not if but when a ransomware attack happens.
Moreover, failing to regularly practise restoring data from those backups becomes a real problem in the moments that matter. Regular restoration drills can make a huge difference and help mitigate data security risk.
“Another area that is very successful, if not the most successful means of delivery for ransomware and other attacks, is through phishing,” says Combs, who notes that phishing attacks are now becoming so sophisticated that bad actors are able to initiate what appear to be legitimate phone calls, such that it is increasingly difficult to tell whether the voice on the other end of a telephone call is real or automated.
“That is causing a lot of disruption as people continue to be the victims of these phishing attacks.”
Cloud security is not a panacea
Part of the data security conundrum for PE firms is that oftentimes they like to run ‘lean and mean’ businesses, organisationally. The cloud has been a particular driver for this, allowing managers to reduce technology spending by benefiting from economies of scale. Most cloud breaches, however, have typically been exploited through ill-configured remote access services or weak password practices.
While the cloud has really enabled PE firms, the assumption that AWS, Google and Microsoft have fully addressed cloud security would be naïve.
As the CISO for a major financial institution, charged with keeping clients’ data secure at all times, one of the biggest challenges for Combs and his team is staying on top of, and understanding, all of the attack trends and the mitigation trends.
“Another would be ensuring that we are educating our users, as well as our employees and supply chain partners on those risks and best practices. And that we remain focused on measuring ourselves against our policies and procedures to ensure we ourselves are adhering to those best practices.
“In the era of Big Data, we need to build and deploy technology that can provide what I refer to as near real-time enterprise-wide security monitoring. We want to know who did what, where, when and why.
“At DFIN our aim is to systematically reduce cyber risks, in as close to real time as possible,” explains Combs.
The technical complexity, the sheer breadth of data being used by clients and the fact that bad actors are becoming ever more sophisticated: all of those elements combined create challenges for any CISO today.
Automation of cyber defences
It is also worth stressing that while the media gets excited by advances in machine learning, natural language processing and so on, the fact is that bad actors are themselves using these latest technologies to help them automate cyber attacks. That trend is only likely to move on an upward trajectory.
“There are, however, a number of exciting technologies coming out of Israel and the US, to address the problem of Big Data, which takes up a lot of computing processing power to build insights and perform correlation analysis to identify irregular activity which then allow our security analysts to investigate and respond accordingly.
“I think you’ll continue to see significant advances in automation of cyber defences over the coming years,” concludes Combs.
Chief Information Security Officer, DFIN
As SVP, Chief Information Security Officer, Dannie Combs has overall responsibility for cybersecurity at Donnelley Financial Solutions, a publicly-traded, full-service solutions provider for regulatory compliance, capital markets transactions, and shareholder communications. Dannie brings 24 years of cybersecurity and information assurance experience to Donnelley Financial Solutions.
Prior to joining Donnelley Financial Solutions, Dannie was the senior leader responsible for overall network security for the fifth-largest US-based wireless operator, supporting more than 20 million mobile subscribers. From 2001 to 2009, he consulted with a number of organisations to build and mature technology security programmes and organisations as interim CISO, security architect, and more.
Dannie is also a ten-year veteran of the United States Air Force, where he served as a cyber threat specialist supporting a variety of military and national security organisations.