Cyberwire Podcast: With Special Guest Paige Schaffer

We are excited to share the October 4, 2019 episode of the CyberWire Daily podcast. At the 16-minute mark, you’ll hear from our CEO, Paige Schaffer, on the topic of the University of Texas’ Identity Threat and Assessment Prediction (ITAP) report. Simply click the link below to start the podcast. Enjoy!

Transcript

Dave Bittner: [00:15:55]  My guest today is Paige Schaffer. She’s CEO of Generali Global Assistance’s Identity and Digital Protection Services global unit. Our topic today is the recently published University of Texas at Austin identity threat and assessment prediction, or ITAP, report.

Paige Schaffer: [00:16:11]  We’ve been involved with the University of Texas for the past several years. And I really don’t think there’s anyone like them that does, really from a research standpoint, looks at those relays for identity compromise and abuse in as many different ways as they can. So they just capture thousands of details. And they’re really looking at the aggregation of the information to kind of trend risks and head them off at the pass, if you will.

Dave Bittner: [00:16:46]  Well, let’s go through some of the key findings together. What were some of the things that caught your eye?

Paige Schaffer: [00:16:51]  One of the first things that kind of leapt out, which really shouldn’t be a surprise, but that really 45% of identity compromise is from an inside threat. Now that could mean a lot of things where companies are concerned. But, you know, it makes sense that employees have intimate knowledge of organization networks, their infrastructure, their practices. And so it’s almost like it’s too easy. And I – you know, unfortunately, there can be employee ignorance, which gives way to cyber threats. So really just unwittingly giving access with unauthenticated users, folks clicking on attachments or opening up links that are malicious, some are phishing emails. Some of it is not malicious intending to be by the employee.

Dave Bittner: [00:17:48]  Right.

Paige Schaffer: [00:17:48]  It’s just kind of dumb luck and not being savvy to it. And much of that has to do with the type of culture that an organization establishes where cyber protection is concerned. And so if you’ve got a culture that puts cybersecurity at the forefront, then that company is going to be harder to penetrate and less vulnerable to all of the threats, including the ones inside. But if you don’t have the mentality to kind of drive that culture, that cultural shift to kind of empowering a cyber-secure organization, it’s going to be tougher to do.

Dave Bittner: [00:18:30]  And it does strike me that it has been a bit of a shift, that in years past, you know, the IT department, the security folks, it was up to them to handle these sorts of things. And it was their responsibility. And it seems to me like this has shifted to being a company-wide responsibility these days.

Paige Schaffer: [00:18:50]  You know, it really is. It could be anything from – well, first of all, everything that we trade in is information – and so whether it’s employees coming on board with human resource information on employees, whether it is client information that’s out there, selling to particular audiences. It’s not only about kind of the technical cyber threat, it is about information security. So now, you know, you’ve started to see over the past couple of years, you have clear delineation between kind of IT infrastructure and info security. And so you see more and more roles in larger companies that have huge divisions that are really looking after the information that they are responsible for.

Paige Schaffer: [00:19:38]  The other thing I thought that was interesting is – and also not surprising – is that almost 75% of the cases that have happened where identity theft is concerned, they are cyber vulnerabilities. So it is – folks are getting information online through computers, through software. And I think that there is a little bit of delusion around folks that say, oh, well, I’ve got antivirus software. Well, antivirus software doesn’t necessarily protect you from an identity theft.

Dave Bittner: [00:20:11]  There were a few things in the report that were really surprising to me. One of them was that the victims were most often college graduates. That’s counterintuitive to me.

Paige Schaffer: [00:20:24]  It’s true. Most are college graduates. And I would say that we have a large percentage of seniors that are victims as well. Identity theft thieves are going to make it easier for themselves. And I would say college graduates and as well as seniors, if you look at the age range now, those college graduates today are very dialed into social media. And all sorts of things on social media – whether it’s Facebook, whether it’s Snapchat – all of these things, they’re engaging in sharing lots of information. And so putting that information out there makes it easier for identity thieves to kind of piece together a profile that – whether you have your birth date or graduation or where you’re from, your address that you’re sharing on a particular social media site, and then they go after credit card information or tie that with birth date – it just makes it easier.

Paige Schaffer: [00:21:26]  I think there’s some different tactics that folks take with seniors in that they’re maybe not as technically savvy, but they are a little – you know, if I think about my mother, who’s very active on email and the web, quick to say, hey, this looks serious. Should I share this information? Now she’s got a daughter that works in this business. So she’s gotten better about saying, hey, I probably shouldn’t do this. And – but there are a lot of folks that, quite frankly, thieves are savvy about and kind of scare them into, well, if you don’t do this, you’re – you know, the latest was the IRS scam, where we’ve got a warrant out for your arrest kind of thing.

Dave Bittner: [00:22:10]  Right.

Paige Schaffer: [00:22:10]  I think the other thing that was really kind of glaringly interesting in this study is when you think about all of the types of losses experienced by victims – financial loss, property loss, reputational damage – by far it is emotional distress that’s most frequently reported by victims. So over 80% ranging from medium to high levels of really truly emotional trauma. So where almost 50% felt like they had a medium level of emotional distress, another 32% experienced really high level of emotional stress. And this is in sync with – we also, Generali, we conducted a survey, a global cyber barometer survey, early this year in February. And over 82% of global respondents consider a cyberattack extremely stressful. And almost 50% of respondents wouldn’t know how to fix their situation if they were compromised.

Paige Schaffer: [00:23:18]  So again, really another reason why full-service resolution services are important and really knowing what next steps to take so you can alleviate some of that stress. Again, I would kind of hammer home how important it is that organizations are really working towards a culture that embodies cyber safety. And those that don’t will just increasingly fall further behind as those criminals get more and more sophisticated. So I would say for these market sectors, we see an opportunity to leverage today’s age of data breaches and the need for information security by really providing their members, customers, employees with identity protection services. They can really differentiate themselves while also creating a culture of information security from within. And we see that to be a win-win.

Dave Bittner: [00:24:16]  That’s Paige Schaffer. She’s CEO of Generali Global Assistance’s Identity and Digital Protection Services global unit. And we were discussing the University of Texas ITAP report.