Now when you combine that human factor with the risk of ransomware, you've got a double whammy.

Welcome to Focus, a podcast dedicated to the business of Higher Education. I'm your host, Heather Richmond. And we will be exploring the challenges and opportunities facing today's higher learning institutions. Today, I'm joined by Sean Davidson, a Senior Manager of Security Solutions at Verizon, to talk about the latest trends in data breaches and payment security. Hi, Sean, it's so great to have you with us today.

Thanks, Heather. I'm really excited to be a part of your podcast.

I know sometimes payments and data security is not that exciting. But it's a really important topic. And I know you have a lot of expertise in this that you want to share with us. But let's start with a little bit about you and your background.

Sure. My name is Sean Davidson. I'm a cybersecurity services Senior Manager for Verizon. I have been with Verizon for 26 years. And I've come up through the technology ranks and have been working with/around security for most of that timeframe. During my experience, I've had a lot of exposure in retail and other areas that leverage PCI (Payment Card Industry) Security Services, and have been exposed to a lot of different environments that deal with PFI and PCI related data.

Yeah, it's interesting with you saying you have a background in retail, because a lot of times, we talk about a higher ed campus being almost like retail, because you have your anchor tenants and you have all the different departments or kind of, quote unquote, storefronts within the campus. So just the sheer number of transactions and different types that are flowing in it really is a lot of times a small city or retail environment. So I think that translation is really cool.

Yeah, it's kind of funny, I've got four daughters, three of them through college, one in college, I went to college myself, and I actually participate on one of the IT boards for one of the local universities.
When you think about a college campus, you've got your bookstores, you've got the library, you've got now potentially IT connected vending machines, where a student can use their ID to purchase things, you've got events, you've got all different types of areas where you've got credit card transactions taking place, not to mention you have all their financial information in the database that is being used for tuition, book purchases, and all kinds of other related expenses.

Yeah, there's definitely a lot and a lot of places to make sure that you're keeping all that data secure.

Yeah, it's a lot. It's a lot to cover. Some of the challenges that the universities and other educational establishments face are the same challenges that their enterprise brothers and sisters face, whether it be a retailer or whether it be an event stadium or something like that, where you have changing needs, changing attack surfaces, and also an ever growing number of threats approaching them trying to make money and run away with valuable information.

Absolutely. And you know, I'm sure when you think about Verizon, a lot of our listeners are probably like, aren't those phones? Why are we talking to this guy from Verizon on security? So why don't you give us a little bit of background of the role Verizon plays specifically when it comes to data and potential breaches and data security and payment security?

Absolutely. Well, it's funny, all my years at Verizon, it never fails, when you meet somebody and you start talking about your work for Verizon, the first thing they say is I've got this problem with my phone. Well, that's not what I do. Although I do have several phones myself. Alright, so Verizon is a cybersecurity services company. We've been in the business for over 23 years, we've been dealing with IP VPN remote access and firewalls from a managed services implementation integration perspective even further back than that.
But, as a services provider, we provide managed security services, assessment services, consulting services globally. In fact, we manage nine global security operation centers. One of our most well-known contributions to the cybersecurity industry or community is the data breach investigations report, the DBIR. In 2022 it was its 15th publication. So 15 years of publication, and it is seen as the foremost authority on data breach investigations and reporting.

Yeah. Sounds like that's probably a good opportunity to even do some benchmarks since it's been going on that long.

Yeah, absolutely. And there's something I also forgot to mention. When you think about PCI payment card information, we actually helped to write the PCI DSS, so the original PCI compliance requirements, we were part of the contributing members to that publication. We also provide PFI, primary forensic investigation services, and QSA, qualified security assessor services, so we can help companies validate that their environment is secure and compliant.

Yeah, sometimes we talk to our customers, or even ourselves, all those acronyms get a little confusing. And so having somebody there to help and translate is absolutely good. So when we think about the reports, and even just think about the data breach investigations report, obviously, there's information in there about how the bad guys are getting in and what you need to do to be more secure. Can you just maybe expand a little bit on that?

Yeah, absolutely. So I'll give you just kind of a high level, what it is and what we do, and why it's important. So the data breach investigations report basically is a combination of our own data and 87 contributors. So 86 are partners, competitors, and other security industry leading experts all working together to gather data. And we use the VERIS framework, which is a vocabulary for event reporting and incident services.
I forget the exact acronyms, but it's a vocabulary we use to categorize threat actors, their attacks, techniques, the attributes that are impacted and the techniques, and then also their motives. So what the data breach investigation report is, is it's a culmination of all this data. We looked at, in 2022, we looked at 23,896 incidents, which equated to 5,212 data breaches. We analyze that data, and we boil it down and come up with a view of the cybersecurity threat landscape that companies can use to better understand their threats, their attackers, their motives, and the defensive areas that they should bolster to help prevent impact from these attackers. So we publish this annually, we break it down also into industries. And lo and behold, education is one of the industries that we cover within the DBIR.

You know, it's interesting, I want to delve into that. But it kind of goes back a little bit to nomenclature. And so I know you talked about that there were so many incidents versus breaches. So can you expand on what the difference is between an incident and a breach?

Yeah, sure. So an incident is a cybersecurity event that has been categorized and identified as an actual threat action. Now, in the DBIR, an incident is defined as anytime that sensitive information is exposed. So I've been able to compromise your environment, I'd have seen sensitive information. Where an incident turns into a data breach is when we've actually confirmed that that data has been exfiltrated and exposed to outside environments. So it's not just that it's been seen or exposed internally, but it's now been exfiltrated. And their data has not only been compromised, but actually shared outside of their environment.

That helps to clarify the difference. You need to be concerned with both, but there's when something's an incident versus when it transitions over into a breach. And obviously, there's different requirements around which one it is.
Yeah, in fact, I mean, depending on what governing body the organization has to be compliant to, say, HIPAA or PCI, as an example, certain factors determine whether or not that data breach needs to be announced to the public.

Yeah, that makes a lot of sense. And I know that the bad guys always are thinking about new ways to scheme. What are you seeing in terms of some of those trends with data breaches and some of the security risks?

So this is going to be shocking to anybody in the industry, but ransomware is on the up rise. Okay, so I think it's like the past four or five years ransomware has been number one, and it's skyrocketing into the right. So, when you think about what ransomware means, it really kind of gets to the heart of the motive behind threat actors. Most threat actors are looking to make money, so they're financially motivated. So the easiest way for them to make that money is to compromise the environment, get ransomware in place, and then demand a ransom. Now, when we talk about that, a lot of times they may demand a ransom and a company has to make that hard decision, do I pay? Do I not pay? And we might be advising them in the background saying, you might pay, but you may not even get your data back. So that's a really sticky position for a company to be in or educational establishment to be in. But ransomware on trend has a 13% increase in 2022 alone. So it's not going anywhere. Another thing that is specifically interesting is that 82% of all breaches are driven by the human element. Now, when we think about the human element, what is that? Human element is the exposure of credentials, your username, your password, your identity, if you will, also leveraging our weaknesses as humans to get in.
So you know, spear phishing, meaning sending an email specifically to somebody that looks to be a valid email from trustworthy folks that then asks you to go click on a particular link and input your password or share certain information that can then be used to infiltrate and compromise your security environment. Once they're in, obviously, their next goal would be to elevate their privilege and then ultimately get to the sensitive data that they're after. Now, when you combine that human factor with the risk of ransomware, you've got a double whammy. So now we're using humans to get in. And now we're going to implant some malicious software that's going to expand in your network, and then ultimately take over that network and then give the threat actor the opportunity to blackmail you into giving them money.

Right, which is why it's so important, I think, to continue doing the education and making sure people understand what these things look like. And they're getting smarter and smarter. I know, we have tests go through and we look at the email, it's kind of like, okay, really getting sharp here, we analyze what all could be wrong, do I open this or not?

Yeah, they absolutely are becoming more sophisticated in their approach. If you think back to the early 2000s, you'd receive an email from a prince in some foreign country who had been estranged from his family and needed your help to access $12 million, and he was willing to give you a share. Those were a little bit easier to sniff out. But, nonetheless, those tactics have evolved over time. Now, they're far more sophisticated. As an example, they know it's tax season, they know you're filing your taxes online. You receive a text that says, "Hey, your tax return has been accepted by the IRS, click here to go collect your refund." Obviously, we're all excited to get the refund.
So we click there, we go to a web page, it looks like the company that we submitted our taxes through, it asks us for our username and our password. And next thing you know, you've divulged some very sensitive information. Now one of the defenses we're seeing, and you've probably experienced elsewhere, is we're starting to add multi factor authentication into that. So now we might ask you a sensitive question, what was the first name of your dog? What kind of car did you first drive? Or maybe even send you a text to confirm a passcode to validate that you really are who you say you are. I would argue that we could probably mimic that action too. But nonetheless, they're getting more and more sophisticated every day.

Yeah, they really are. And I know the report kind of goes across all industries, but are you seeing anything specifically within higher education? Are the same trends reflecting in that space?

Yeah, absolutely. So one of the things that we've seen over the past couple of years is an increase in system intrusion. Now I'm thinking in general now, system intrusion is good old hacking. So that could be through your HVAC system or your IoT systems, it can be through the LAN in that computer lab, or even actually just hacking into a bank of modems to allow you access to the system. That is on an increase. And what's interesting is system intrusion for education specifically matches that. Another thing that stands out a little bit about educational services is miscellaneous errors are on a decrease for most industries, but for education, it's on an increase. Now, miscellaneous errors are misconfigurations, potentially sending some valuable details to a third party, leaving ports open on a web application firewall that allows a threat actor to do cross scripting or some other type of traditional attack. But that's while the rest of the industries are on a decrease in 2021-2022 data in the DBIR; investigating 2021 data, it was actually on an increase.
So another thing that stands out about the education space specifically is that while the rest of the industries between 2017 and 2019 have seen an increase, a significant increase, in basic web application attacks, we've seen a significant decrease in web application attacks for the educational industry. Now, I don't have any data that I can specifically say this is why, but one might argue that corporate enterprise is more quickly adopting cloud services and migrating to the cloud to reduce their costs, complexity and consolidation of their environments, which opens up that attack surface we mentioned a little bit earlier. But that's purely conjecture on my part.

Yeah, it may make sense, though, you kind of have to analyze and look to see, when you look at all the industries, you do have some of that insight to say, how is it different on a college campus, for instance, than it is in a retail environment? And how can we make some changes? So speaking of that, is there some advice that you would give to help prevent data breaches within higher education?

Yeah, I'm going to dig a little bit deeper into some of the findings that were specific to education. And then I'll give you a little bit of the idea of how we might be able to defend against that. So extortion is three times more likely in education than in the rest of the industries. So we've got your data, we're going to extort money from you, because we're going to release that data. How do we prevent that? How do we protect against compromise? Well, having a solid security program with a good security posture can help prevent being compromised, can help prevent against ransomware, can help against system intrusion. So those are ways that we can help control it. Also having good cybersecurity insurance in place.
And hiring a good adviser potentially, like Verizon, as a forensic investigator and incident response provider to help you determine whether or not it makes sense to pay that ransom or to take the risks associated with it could also help. Another factor is ransomware was five times more likely this year in education breaches than last year. Ransomware was five times more likely. So one might assume that the threat actors weren't going after educational industries? Or is it more that they identified that they were weaker and had weaker defenses? So some of the ways you can defend against that are, you know, strong perimeters, great educational programs, and you mentioned that earlier, it's critical to protect ourselves against ourselves. And we do that by training and through reeducation. And I say reeducation, but little reiterative education, and then also putting technology and process in place to quickly identify, protect and respond to threat actors.

Yeah, I think it's probably equally as important that when software providers, for instance, you know, implement things like MFA and some other security measures, to ensure that the schools are adopting that as quickly as they possibly can, because while it's annoying sometimes, it's there for a reason.

Yeah, absolutely. So one of the industry trends that we're seeing all along, and it's nothing new, but is the drive towards a zero trust environment. So, zero trust architectures, eta zero trust architecture, really is the nirvana of security. What a zero trust architecture means is that no entity identity, whether it be a human identity or digital identity, should access any asset that they do not have specific permission to access. As an example, I want to access the database of all of the students' social security numbers, well, the Google administrator doesn't need access to that. The bursar's office probably doesn't need access to that.
Maybe the health office needs access to that, how do we lock that specific information down so that the only people that can access it are the people who have the identity that has authorization, and we can account for that. So we can basically determine who we can allow, when we can allow them and what they should be able to access specifically. Obviously, we need to account for that so that we can determine, you know, that our defenses are in place, and that the data has not been compromised. So moving towards a zero trust architecture is a great path. But it's a many step journey. It's not a product that can be purchased, or a rubber stamp that can be slapped onto an environment.

Yeah, that makes sense, I think kind of going back to, as our schools are looking at software vendors, or, you know, from a technology standpoint, to make sure that there is functionality that is permission based, that you're able to have some of those parameters locked down. And I'd say coupled with that, also having the tracking and reporting ability. So it's one thing to say we have the permissions, but we also want to prove when did somebody access that data? And at what point, so that if we needed to track down where there was a potential human error or risk, we have that kind of data?

Yeah, absolutely. So I'll kind of embellish on that. So it's critical that companies have the proper detection and defense capabilities in place to detect when a threat actor has compromised their environment, or is attacking their environment. But it's also very helpful for companies to de-scope their PCI data, specifically. De-scoping meaning moving that data into an environment where it's not able to be compromised. So a lot of corporations are moving towards taking data and going directly to the payment processing company, so they can avoid being liable for that. Not only that, but they're putting that data into the hands of experts, right.
So you're giving your data directly to the credit processor. So it doesn't have the same risk. It also helps them because they don't necessarily have to staff aggressively to have ongoing, evolving development around their network infrastructure and their security in the same way that they do to assure that they have PCI compliance. And not only that they're compliant, but they actually are secure. Because remember, compliance does not mean security. Compliance is merely that you've been validated that you're meeting the defined tenets of that particular compliance requirement.

Yeah, that's a really good point. Because I know a lot of times we hear security and compliance almost used interchangeably, but they're really two different focuses. It's one thing to check a box saying you did some paperwork, but it's another thing to ensure that you really have your systems locked down and secure. Right?

Yeah, when you drive into the mechanic, and you say, hey, take a look at my car. How does it look? He says, that looks pretty good. Well, that's saying the car looks nice, right? But when you keep going under the hood, that's where you start to see things are a little bit maybe in disarray, maybe your starter's bad. Maybe there's something else going on. And that might be a bad correlation. But compliance is kind of like a health check. Are you meeting the requirements? Are you eating healthy? Are you exercising? Are you drinking plenty of water? Yes, we should be good. Security is about actually making sure that you're healthy, making sure you have the controls in place, making sure that you're taking the proper steps to actually secure that data, and it's an ever-evolving and changing effort to stay secure.
So what we recommend is that you look at your security not only from PCI as a compliance requirement, but actually as a lifecycle continuum where you're continually evaluating your controls, you're continually looking at the environment to validate that you have the proper security in place, and that you're also adapting to meet new requirements. Now, the requirements try to adapt over time to meet the ever changing threat landscape, but there's no way that compliance can guarantee security.

Yeah, that makes a lot of sense and probably also why the PCI DSS has their cycle of when they update requirements and new information, again, coming out this year with PCI 4.0 and really ensuring that there's new ways of doing things.

Yeah, absolutely. So while we're talking about PCI DSS, Verizon does publish another publication called the PSR, Security Report. It's very similar to the DBIR. But it's focused specifically on PCI data and related security. As you mentioned, PCI DSS 4.0 is coming out, there's a lot of new changes, one of which is that now we have to have a named individual responsible for certain aspects of compliance, which means that we're no longer just holding companies liable, we're actually putting somebody's name on that specific requirement. It's really important that companies are properly planning to meet those requirements, but also understand why they're being put in place. So it's no longer just a check in the box for them. There's some real teeth to it. One thing to keep in mind also around compliance, it's important to look at your environment from different angles. I've had conversations with customers, when they say, I love my QSA, qualified security assessor, because he knows my environment, he makes it easy for me to get the compliance, the ROC, record of compliance, and confirm that I am compliant.
You know, you've got to ask yourself, do I want to be confirmed that I'm compliant, or do I want somebody really making sure that not only am I compliant, but I really am not leaving the backdoor open for somebody to walk in and steal my data. That's really where companies need to get. And if you tie that back to like the continual education of us as individuals. When you receive that email that says, hey, I need you to transfer $2 million to an offshore account, because we have a bill that's due, we have to be thinking along those terms, too, right. So we've got to be continually trained, just like our security experts are continually grooming our environment to make sure we're not opening any new backdoors.

Yeah, that makes a lot of sense. I know, a lot of times when we're talking to schools, there's that fear factor, and especially now of naming individuals, it's like, I don't want to go to PCI jail. While there's not really, as you know, a PCI jail, there definitely is risk, and you want to make sure that both from a security standpoint for your campus and all of your students and faculty and everyone, you want to make sure you're doing the right things to protect from all of these bad actors that I think a lot of times really target higher education, because they know it's a learning environment, maybe a little bit more open environment. So it really is essential to make sure you understand all the pieces and parts.

And that's a really good point you touched on, you touched on risk. So there's the risk of non-compliance, I'm going to have to pay X number of dollars a day that I'm not compliant, until I become compliant. So that's one thing. But then there's the actual risk that could impact either the individuals, who could have their identity stolen, could have their payment card information exposed and compromised and used for fraudulent activities. But then you also have the risk to the organization.
And when you think about these organizations, my alma mater is an example of how a university is a couple hundred years old, and we trust our children to go to school there, we trust them with our information. And we trust that they're going to take care of that. Much like a corporation, if they were compromised, their name brand can be impacted. There's a number of examples we could point out to say billions of dollars impacted these corporations. So there's not only impact to the data being stolen and exposed to the end users, compliance and litigation costs, but there's also long lasting impacts to the brands. And when you look at some of these schools, they educate thousands of people and people really take pride in those schools. And these both take pride in their name brands. So it's really critical that they spend the right time and focus and invest proper resources to protect themselves against this potential impact.

Yeah, makes a lot of sense. And it sounds like they need an expert. And so I know that Verizon happens to help with both data and payments security. So can you just give a little bit more details about the different services that you provide?

Yeah, I thought you'd never ask. So I'll selfishly say that we are one of the largest telecommunication service providers in the world, we provide managed security services, we manage the infrastructure, firewalls, IPS, IDS, we provide managed SOC services. A security operation center does the traditional threat analysis and response of the actual events that are gathered from the security infrastructure and IT infrastructure. We also provide services in the form of people, process and technology. We provide consulting services, implementation, integration services, advisory services, governance, risk and compliance, GRC, services, as well as we also provide technology. So you name it, the name brand manufacturers of technology, we also provide their services.
So I would say there's no security provider that can say, hey, we provide everything from A to Z. But at Verizon, we really do have a comprehensive security services portfolio. And we're always available to help our clients.

That's wonderful. And even just the reports you talked about, those are generally available to anybody to go out to your website and get, right?

Yeah, absolutely. They're free. And you can find them at Verizon.com. So the data breach investigations report, the DBIR, is actually scheduled to be released this upcoming June. So it may or may not be available before this podcast is published. And then the PSR is also available there. I don't recall specifically our publication date there. Also, we are available on BrightTALK, if you look up our channel, we do all kinds of free educational services to help the security community evolve and address their environments the best they can.

Wow, that is great. Well, Sean, thank you so much for sharing all your expertise with us today. Maintaining data and payment security is so important for higher education. And I know a lot of things you said people are writing down and trying to figure out how to make sure they're doing everything the right way.

Hey, I'm pretty sharp as a general practitioner, but I have access to lots of super-duper smart people that can help. If you're interested in getting more information from us, feel free to reach out to me at sean.davidson@verizon.com.

I love that. Thanks so much, Sean. Thanks for tuning in to this episode of Focus. Don't forget to subscribe so you can stay up to date on the business of higher education. For more information, check us out at TouchNet.com.