White House alum Theresa Payton talks cybersecurity defense


Theresa Payton, CEO of Fortalice Solutions and keynote speaker at this year’s ICBA Community Banking LIVE, knows more than most about what can go wrong in cyberspace. Here, she shares her tips on staying ahead of major threats.

By Roshan McArthur

Theresa Payton was recently at a meeting where someone was writing on a whiteboard. The information wasn’t classified, but it was the kind of proprietary material the company would rather not share publicly. When a staff member started taking pictures of the board with his phone, Payton stopped him and asked what he was doing. He explained that the whiteboard printer wasn’t working. He was taking pictures so that he could transcribe the information later.

Payton asked him, “Do you back up your phone to the cloud automatically?”

Yes, he replied—to his personal cloud.

“Do you know cloud accounts are a huge target of nation-state and cybercriminal syndicates?” she asked. “You’re one bad password away, or you click on a link and they’re going to own your cloud account.”

To Payton, it was a clear misstep. The employee, however, had no idea that such a simple action could make the company vulnerable. It is perhaps a product of the age we live in, one where handheld devices are sophisticated tools that we take for granted and data has become an extremely valuable commodity.

Payton knows all about that technological shift and the dangers it has brought. As a high school student, she was drawn to computer programming and its ability to solve complex problems. After graduating from the University of Virginia with a master’s degree in management information systems, she spent 16 years in the banking sector before joining the White House in 2006 as chief information officer under President George W. Bush.

“It was everything from inspiring and awesome and an honor, to absolutely frightening if something were to happen under your watch,” she recalls, “and thankfully, nothing did.”

Payton says that after working in the banking industry, she thought she had seen it all. “We were on the frontlines of emerging technology,” she says. “I was seeing terrorist financing, money laundering. Then I started working at the Executive Office of the President, and I realized I had been looking through a peephole into the closet of a mansion, because I had no idea what the adversary was capable of and at what level.

“We talk about it more openly now, but we didn’t then. We didn’t talk openly with the public about China, Russia, Iran, Iraq and North Korea, and what their capabilities were. And even the capabilities of cybercriminal syndicates. That was all not in the public domain. Up until recently.”

Moving into the private sector

Upon leaving the White House in 2008, Payton set up security and intelligence operations consulting company Fortalice Solutions to focus on emerging threats from nation-state actors, anarchists and cybercriminal syndicates. In 2014, she founded Dark Cubed, a cybersecurity SaaS (software as a service) platform. Then, having traveled from the server room to the boardroom, where she was shielded from the media, Payton took the unusual step of joining a reality TV show. Between 2016 and 2017, she was the deputy commander of intelligence on CBS’ Hunted, a role she relished.

“It was an incredible opportunity to engage and hopefully entertain while enraging them about today’s modern cybersecurity issues—‘Are you serious, people can really do that?’—inform and educate,” she says. “But I also hoped that it would inspire more men and women—especially women—to consider cybersecurity and intelligence operations as a career.”

Threats to community banks

Payton is keen to recruit because there’s a lot of work to be done. In the banking sector, current threats include attacks from activists, such as the 2010 episode in which Mastercard, Visa and PayPal suspended payments to Wikileaks and the group Anonymous retaliated with distributed denial of service (DDoS) attacks against websites in the financial world.

Other risks include business emails being compromised, wire transfers going astray and banks being sued by customers. “If you get sued by your own customer because a wire transfer went out the door,” Payton explains, “even if the bank wins because the bank’s not wrong, it’s still a losing proposition when your own customer sues you. That’s a huge potential risk.”

But there is another hidden risk Payton says isn’t being talked about nearly enough. “What cybercriminal syndicates have figured out is this: If I break in and don’t take anything, and I don’t lock any files up; if I break in and I only do one thing, which is to deposit cryptocurrency mining software and steal your CPUs from you, and you don’t even know it, then I can fatten up my digital wallet and nobody else is the wiser.

“So, we’re starting to see, where these silent break-ins have occurred, they’ve figured out how to hide in plain sight within your processing. It’s like your neighbor stealing your electricity by plugging into the outlet behind your house with a long extension cord.”


Practical security steps

What can community banks do to combat these threats? First, Payton suggests a walkabout. “Go to each of your functions that takes care of your customers,” she explains. “Don’t try and fix, and don’t try to criticize, but ask them: Are there any system processes or manual processes that you have to create a workaround for in order to take care of the customer? You could very well learn at that moment that people are writing customer data on Post-it notes or taking pictures of screens with their phones. Don’t chastise them for doing it. Just listen. And then look for design opportunities to remove those obstacles.”

Second, plan for the worst and pray for the best. Payton suggests quarterly top-down digital disaster exercises, changing the scenario each time. “I would highly recommend the first thing being a ransomware attack,” she says, “and make it for real. Time yourself. Ask somebody how long [before they can] start restoring backup. And see how long it actually takes to validate the data. I have people say to me ‘eight hours,’ and they come back and it’s 18, 24, 72, 96 hours. That’s really important.”

Another exercise could be a DDoS attack against your website, like the Mirai botnet of 2016, when almost the entire East Coast screeched to a halt. “So, the question is: With your website down and social media not available, how do you let your customers know you’re still open for business? What do you want to do? [An email] blast? An old-school phone tree? Do you want to text message all of the cell phones you have on file? What’s the backup plan?”

Third, Payton recommends doing some social engineering campaigns against third-party vendors and your own employees to look for potential weaknesses. “Who clicks on which links and why? Who opens up attachments and why?” she says. “Ask yourself: Is there a way to prevent that from happening by using additional tools and techniques? Or is there a way to almost create a sandbox for link opening and attachment opening so that we don’t have damages when people make bad choices?”
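The ransomware drill in the second step above comes down to two measurable things: how long a restore takes and whether the restored data actually validates. The following Python script is an added illustration of that check, not code from the article or from Fortalice; it builds a manifest of SHA-256 digests at backup time, then compares a restored tree against it, timing the validation and reporting files that came back missing, truncated or unexpected. The file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
import time
from pathlib import Path

def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root at backup time (relative path -> digest)."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def validate_restore(restored: Path, manifest: dict) -> dict:
    """Check a restored tree against the manifest and time the check.
    Reports missing files, files whose digest no longer matches, and unexpected extras."""
    start = time.perf_counter()
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        f = restored / rel
        if not f.is_file():
            missing.append(rel)
        elif hashlib.sha256(f.read_bytes()).hexdigest() != expected:
            corrupt.append(rel)
    extra = sorted(p.relative_to(restored).as_posix() for p in restored.rglob("*")
                   if p.is_file() and p.relative_to(restored).as_posix() not in manifest)
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt,
            "extra": extra, "seconds": time.perf_counter() - start}

def drill() -> dict:
    """Constructed drill: three files are backed up, then the 'restore' comes back
    with one file truncated and one file absent; validation must catch both."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        live.mkdir()
        restored.mkdir()
        for name, data in [("accounts.csv", b"id,balance\n1,100\n"),
                           ("wires.log", b"wire 42 sent\n"),
                           ("notes.txt", b"ok\n")]:
            (live / name).write_bytes(data)
        manifest = build_manifest(live)
        (restored / "accounts.csv").write_bytes(b"id,balance\n1,100\n")  # intact copy
        (restored / "wires.log").write_bytes(b"wire 42 sen\n")  # truncated copy
        return validate_restore(restored, manifest)  # notes.txt was never restored
```

In a real exercise the manifest is written when the backup is taken and kept apart from it, so that the "eight hours" estimate can be checked against the clock and against the data rather than taken on trust.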

Payton admits these are difficult concepts and advises community banks to learn about the issues. If that fails, seek outside help to find out what your peers are doing about, for example, ransomware and cyber liability insurance. “You can see why I say sleep and rest are completely overrated!” she laughs. “There’s so much to do.”

8 cybersecurity basics for banks

According to Theresa Payton, there are eight cybersecurity basics that every community bank should have in place:

  • Ability to conduct risk-analysis benchmarking and tracking
  • A system that helps identify and store classification of data and assets
  • Ongoing user security-awareness training and testing
  • Testing tools that focus on application security
  • Internal (for employees) and external (for customers) multi-factor authentication methods
  • Tools that support a multi-layered authorization process across data elements, systems and platforms
  • Network device, application code, credentials and customer data discovery
  • Ability to sandbox attachments and links on a virtual workspace to avoid contamination in case antivirus and anti-malware software fail to detect an issue

How to stay up to date

To keep up with emerging threats, Theresa Payton recommends the following steps for banks.

Appoint a board member who is responsible for a sub-working group on security and governance. Then decide whether your bank has the capacity to recruit in-house staff. If you add two staff members, for example, will they have the capacity you need?

Look at bringing in an outside team as an alternative. Look for a trusted partner that understands the needs of community banks—mission, tight margins, operations, vendors, internally developed programs, customer care and recovery-time objectives.

Keep up with information from security conferences. These three sites all upload short videos explaining key issues and fixes: rsa.com, blackhat.com, defcon.org

Roshan McArthur is a writer in California.