Hopefully not a hacked-up hairball of a “no can do” message when customers rush to change their PINs. In this episode: Corporate resilience vs. the opposite.
What’s the opposite of a resilient operation?
It’s when your wireless carrier gets breached for the sixth time in a few years, you try to change your PIN online, and the site tells you “No can do.”
As of Wednesday, T-Mobile had confirmed its sixth breach over the last three years. The purported thief/thieves posted a list of 30 million customer records for sale on the underground over the weekend and claimed they were keeping another ~70 million to sell privately, for a total of 100 million purportedly stolen records. (T-Mobile, for its part, has only discovered ~40 million leaked records, but its investigation is ongoing, so take that number with a few tens of millions of salt grains.)
I’m a T-Mobile customer. I went online to change my T-Mobile PIN when the news broke. I got some kind of 404-like message, telling me the operation couldn’t be performed at the time (sorry, I didn’t think to screengrab it).
Jennifer Bisceglie is the founder and CEO of Interos – a company that offers a SaaS platform that uses artificial intelligence to model business ecosystems into a living, global map, down to any single supplier. She defines the opposite of corporate resilience as when things fall apart following a security incident or, for that matter, any type of disaster, be it the choking of the Suez Canal that led to a supply-chain crisis and Apple subsequently missing its earnings. It’s COVID. It’s business paralysis that could potentially be avoided with proper insight into operations and bounce-back capabilities.
“Really, it’s just making sure that operations can continue,” she said when she visited Threatpost podcast this week. “And we talk about prioritizing. Too late it’s things like this, right. It’s things like what we saw at the pandemic where Apple came out, very public and missed their earnings. It’s when the Suez Canal, the ship got stuck and people didn’t know if they had alternative sources for the demand, it’s the semiconductor industry that doesn’t have enough to go around or it’s, you know, potentially, the experience that you had, where you went to change your password and you couldn’t access your account, right? That’s not a resilient operation.“
[It’s] prioritizing resilience and doing more “What if” or tabletop exercises as they’re sometimes called, so that you don’t have a negative impact on brand and reputation, customer loyalty or revenue streams, is really a big focus for the folks that we work with. —Interos CEO Jennifer Bisceglie
To hear her thoughts on how to build corporate resilience, along with what’s next for T-Mobile and its customers, you can download the podcast here, listen to the episode below, or scroll down to read a lightly edited transcript.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the SACUT community.
Lightly Edited Transcript
(Editor’s note: Here’s a link to the cost of phishing report mentioned in the podcast.)
Lisa Vaas: My guest today is Jennifer Bisceglie, founder and CEO of Interos, a company that offers a SaaS platform that uses artificial intelligence to model business ecosystems into a living global map down to any single supplier, thus, hopefully helping them to avoid situations like the one T-Mobile found itself in this weekend.
Jennifer, welcome to the Threatpost podcast.
Jennifer Bisceglie: Thanks for having me, Lisa.
Lisa Vaas: Absolutely. So Jennifer, let me just jump right into the T-Mobile situation. I mean, as TechCrunch has pointed out, they enumerated how many cybersecurity blunders that T-Mobile has gotten: into: blunders or unfortunate incidents.
What does it say about T-Mobile’s security profile and incidents response that this would be the fifth breach over the last three years?
Jennifer Bisceglie: I can’t speak specifically on T-Mobile’s security profile.
I think that a couple things one, if you read the paper, as I’m sure your listeners do, this is, you know, cyber attacks are simply on the rise and that major telecommunication providers are definitely one of the areas that the bad guys focus on as are other areas of the critical infrastructure. And so I think there’s an opportunity for improvement, but it’s definitely an area that I think that the world’s getting used to. We are so hyper-connected digitally that we really have to understand who we’re connected to at any point in time. And that’s really understanding your business partners and their business partners, which is a different cultural shift than most people have thought about in the past.
Lisa Vaas: Well, when you talk about business suppliers I assume we’re talking about things like insider risks or even just an inadvertent misconfiguration, somewhere along the supply chain, when it comes to suppliers, do you want to expound on that?
Jennifer Bisceglie: Sure. So we look at business partners through three lenses. If you will. We look at, you know, kind of the physical supply chains. So those business partners or suppliers or customers that you’re trading physical widgets with, you look at digital. So those that you have electronic connections to, and then you look at services or the people.
And so, you know, if you think about insider threats, that would kind of be the third around services or the people. So who has access to my stuff. And is that a good or a bad thing from a hands-on? Versus just folks that have digital connections, like cloud providers for point of sale systems or any sort of electronic connection.
To the point of what I said a minute ago in your question, because we are also digitally connected or electronically connected this world of cybersecurity. The conversation has expanded from simply the companies that, you know, you’re doing business with to all of the companies that those companies are doing business with.
And so on. So the, the unknown risk and the unknown connections are often where the problems and the vulnerabilities are.
Lisa Vaas: Right. Well I know you guys provide as I said, a global map to kind of suss out, down to the individual supplier, who those are. But what do you think about T-Mobile? What is next for the company and its customers?
Jennifer Bisceglie: Well, I think the first thing is just locking down exactly what was stolen and, and and if there’s a continued vulnerability that’s exposed right now or where the potential next one is. And so I think you’re going to see what we normally see in this situation is a heightened sense of security.
And you know, another fresh look at patching to make sure that there isn’t, you know, as little porous of a situation as there can be. This isn’t just T-Mobile. I think you’re going to see it across the telecom industry because, you know, it’s a very, very small world that we live in.
Nobody wants to be the next one. So I think you’re going to see a heightened sense of security across the industry.
Lisa Vaas: Well, that would be good, but the breaches keep coming. So I don’t know what exactly that’s going to mean. I mean, people are gonna suddenly start paying attention to patching, like they weren’t before, or something?.
Jennifer Bisceglie: I don’t know that they weren’t paying attention to it. I think they’re going to, it’s more of an expanse approach to it. I also think that unfortunately, we live in a world and as I mentioned that we are digitally connected to each other, and it’s hard for anyone to be at 100 percent constantly.
Trying to figure out how to preempt or be proactive with some of these things so that it’s not if you get breached, but when you get breached, there are protections and fences that you can put in place is going to be really important. Segmentation of data that’s housed in-house is also going to be important.
So making sure that the crown jewels are just not in one single location. So if that location is breached, you can suck it all out is, is another way. So like containerizing data would be another way to kind of patch something. So I think there’s going to be, my expectation, having not spoken with any of them, is there’s going to be a hard look at how we’re housing, you know PII or personal data.
That’s valuable to make sure that if the next third, when the next breach happens, that they can’t be hit all of once.
Lisa Vaas: Even T-Mobile, multiple servers were involved in this breach according to the seller who’s trying to offload the 30 million customer subset of the 100 million uber set.
They’ve got the Oracle customer relationship database. I know that there were multiple other servers, but that seemed like the crown jewels right there, the customer relationship management database. And how do you segment a database like that?
Jennifer Bisceglie: To me, I think to your point, is it different servers, different containers? There’s lots of different technologies that, you know, can separate these things. I know we do the same thing here at Interos, making sure that, you know, it’s very difficult.
And again, it’s, it’s we always look at this as, when, not if, we all get there. And it’s very difficult to take everything all at once. You know, we did a survey, Lisa, that talked about, you know, the physical disruption of these types of reaches could be anywhere from $184 million a year. If you actually look at it from a loss, from a profitability, as well as just the brand and reputational harm.
And so, you know, as far as the technology solutions, there, there are several out there. But you know, if you look at should the money and the time be spent to protect yourselves, I think that the dollars speak for themselves.
Lisa Vaas: Yeah. Proofpoint just came out with a report about the true costs of phishing, which will often lead to business email compromise and ransomware, of course.
And it was interesting to hear them say that, when you think about ransomware, for example, the actual extortion payment itself only accounts for in, in general, on average, 20% of the entire costs, and productivity loss was just a huge part of the pie. So yeah, I definitely hear you on that, never mind the whole mopping up, fixing issues, investigations, all that jazz. Well, let’s talk about how this breach I mean, we don’t even know yet. I guess as of yesterday, we didn’t know, they hadn’t verified. T-Mobile had not verified these are actual customer records that were involved.
I would not be surprised if they were, but probably nobody would be. But if, if this breach, does turned out to be the worst possible case, which is the loss of all of that personally identifiable information along with even the security PINs and Social Security numbers and on and on and on, how is that going to affect T-Mobile? How is it going to affect their customer base and their reputation?
Jennifer Bisceglie: Yeah, I think it really, it really depends on what they choose to do from here. And so I think it’s been proven over the years that a breach isn’t always the end of the world, especially if the company can demonstrate a good-faith effort to protect and potentially, you know, monitor the affected consumers as best they can and take measures to increase the operational resilience and cybersecurity.
I think that over the last year and a half to two years, based on world events, Lisa, that this, this world of interconnectivity became very, very personal. And so I always tell people like for the first time ever, my mother understands what we do for a living because they couldn’t read, they couldn’t get access to paper towels or cleaning supplies with the pandemic.
And most recently, I couldn’t drive for two days because of the breach of the gas line on the east coast. So I think that whether the breach turns out to be significant or not, so much of this is happening at the brand and reputational level, and it’s being played out in the court of public opinion.
And at the same time, these breaches are happening so rapidly that there is some level of desensitization that’s happening with the general public as well. And so, you know, I think again, I think a lot of it’s what T-Mobile, or the whole industry, does from here, you know, as they go forward. But I, I do think that, you know, Joe public really understands that this is part of life and it really just depends on how they operate and you know, how their leadership comes out from, from what next steps are.
Lisa Vaas: As a T-Mobile customer myself, I would like to hear what you think a good-faith effort would be. I know it’s premature for them to reach out, to affected customers if they don’t even know that customers have been affected. But yeah, I was really scurrying when I heard this news, to change my password. And fortunately, I already had multifactor authentication enabled, et cetera, et cetera. But at one point I was trying to change my password online and I wasn’t able to. I don’t remember what the error message was. Something like a 404, can’t complete your request at this time.
Maybe it was just my connection, but I don’t know, boy, I wasn’t reassured.
Jennifer Bisceglie: The great news with what you just said, though, Lisa, to look at the bright side is, you know, there’s been statistics, something around 60 to 70 percent of cybersecurity is around what they call hygiene, which is exactly what you just talked about.
It’s updating your password. It’s multiple factor authentication. It’s these things that five years ago, I don’t know that we would have used in a sentence. So how powerful was what you just said versus saying I wanted to change and go to Verizon. Right. And I think that that’s really, when I talk about the desensitizing of kind of the Joe public it’s that we realized that we all have a role in cybersecurity and understanding that there are certain things that are within our power.
Changing our passwords, like multifactor identification sign-up that actually helped to protect us on our own data that actually helps the companies that we put our trust into. And I think that’s really a great news story.
Lisa Vaas: Yeah, that is a very good point. But you know, as somebody who gets completely ignored by loved ones when I try to preach the benefits of multifactor authentication, I don’t know what to do with that insight. The onus is on individuals, but they don’t seem particularly eager to adopt these practices.
Well, anyway, you said earlier, In our discussions over email, that T-Mobile should prioritize corporate resilience before it’s too late. Cybersecurity writers love the phrase “too late.” I was like, oh, what does that look like? What would too late look like? And while you’re at it, maybe we can define corporate resilience.
Jennifer Bisceglie: Yeah, so corporate or what we call operational resilience is, literally, we consider that the ability for the organization to continue operations or service in the face of a variety of shocks, which includes everything from cyber attacks like we’re talking to, or, you know, we work with customers dealing with natural disasters to pandemics.
And so really it’s just making sure that operations can continue. And we talk about prioritizing. Too late it’s things like this, right. It’s things like what we saw at the pandemic where Apple came out, very public and missed their earnings. It’s when the Suez Canal, the ship got stuck and people didn’t know if they had alternative sources for the demand, it’s the semiconductor industry that doesn’t have enough to go around or it’s, you know, potentially, the experience that you had, where you went to change your password and you couldn’t access your account, right? That’s not a resilient operation. [It’s] prioritizing resilience and doing more “What if” or tabletop exercises as they’re sometimes called, so that you don’t have a negative impact on brand and reputation, customer loyalty or revenue streams, is really a big focus for the folks that we work with.
Lisa Vaas: Okay, fair enough. We’re coming up against our time limit here. So Jen, can I ask you for any parting thoughts for T-Mobile or for other companies that might be, wisely, fearing a similar situation?
Jennifer Bisceglie: The first thing is, as I shared in the very beginning, it’s not an if, it’s a when. And so really focusing on the future of having solid corporate or operational resilience and having that visibility into your internal and external ecosystem before the disruption begins is really a powerful place to be so that when you do get hit, because most of us will in some level, you actually have an answer.
You didn’t go out to the public and say, you can continue to partner with us to trust in us because we’re investing in ourselves and investing in your safety and your education. And I think that’s, you know, if we were to wish anybody that, you know, leading today, it’s really having proactive, operational resilience, we believe wins the day.
Lisa Vaas: Yeah, totally. I I love it. That’s a great final thought. And you know, it certainly expands the whole, “We take seriously your security” cliché that we often hear. There’s got to be some more nuance to it than that. Well, Jen, thank you so much. It’s been a real pleasure to have you. Thank you.