Love and Cybersecurity: Q&A with eHarmony’s Ronald Sarian

Now through Feb. 14 is the busy season for the online dating and matchmaking industry. Heavier traffic can present risks to these sites, demanding added precautions. Ronald Sarian, vice president and general counsel (and default risk manager) at eHarmony spoke to Risk Management Monitor about the types of risks he faces—particularly regarding data and cybersecurity—and how he protects the “#1 trusted dating site for like-minded singles,” where “Every day, an average of 438 singles marry a match they found on eHarmony.” (For those familiar with its commercials, the song now stuck in your head can be played in a new tab here—don’t fight it.)

Risk Management Monitor: You joined eHarmony following a data breach in 2012 in which 1.5 million users’ passwords were compromised. What steps did you take to prevent a recurrence?

Ronald Sarian: Following that breach, we put everything we did under a microscope and brought in Stroz Friedberg to aid our investigation and help improve our processes. We ultimately decided to migrate all credit card data off-site to CyberSource, a third-party vendor. When we need to charge a credit card we get the key from the vendor and then return it when we’re done. We wrote transmission gateways out of all of our internal apps so things aren’t communicating with each other so easily. This way, if there is an attack, it will be “quarantined.” We also employed extensive layering for the same purpose. We put a much more sophisticated logging system in place, hired a full-time security engineer, and started performing more firewall audits and regular white hat hacks to try to detect vulnerabilities. And we improved our on-boarding and off-boarding for employees.

RMM: What are the prevalent risks you face leading up to Valentine’s Day and how do you mitigate them?

RS: We face risks all year long, but this time of year there are just more of them. There are always fraud issues we deal with and people try to launch bot attacks to take down our systems and cause us grief. We believe we utilize industry best practices for all these issues. For example, to try to prevent fraudsters from getting into the system we have sophisticated business rules that look at keywords or phrases used when filling out the intake questionnaire—certain words or phrases indicate the probability of a fraudster. Misuse of the English language can sometimes signal a problem. These raise red flags in our system.

Our questionnaire is quite elaborate and evaluates psychological factors in order to determine personality traits. We have essentially 29 different dimensions of compatibility we look at and try to glean all these dimensions so we can match you with someone who is typically 80% or higher in each. If you answer the questions in a certain manner for most of the questionnaire and we see a major inconsistency toward the end, for example, that can indicate something is fishy.

We also look at suspicious IP addresses. We utilize these practices all year round but scrutiny is heightened at this time of year and especially when we have free communication weekends. We’re pretty good at sorting these people out before they can communicate. Our system has been developed over 17 years and is constantly being improved as threats change and fraudsters become more sophisticated.

RMM: How else is risk management used in eHarmony’s strategies and operations?

RS: A goal of mine is to adapt the ISO 27001 ERM framework for eHarmony. I believe we have the best practices in place to achieve that when the time and finances are right. It’s quite a bit of work to get the certification and I don’t know if that would happen this year but it’s something I want to do because I think it would be great for us. It basically requires a holistic, top-down look at your entire operation. This is not only from a tech standpoint but from a personnel standpoint as well.

Many breaches start internally, most of the time unintentionally, so people should, for example, know not to click on a link in an email from an unknown source. You also need to assure your vendors are utilizing the appropriate safeguards and you must have a security incident management plan in place. There are many other requirements, of course. I believe we essentially have the information security management system (ISMS) envisioned by ISO 27001 in operation right now. We just need to make it official.

Using ERM to Protect Your Business from The Equifax Fallout

As with many data breaches, the general conclusion of the Equifax attack is that personnel were not aware of the issue beforehand. This conclusion, however, is false.

In early September, I anticipated that a vulnerability in Equifax’s software was known ahead of time, and that this scandal was, therefore, entirely preventable. A month later, the NY Times reported that the Department of Homeland Security sent Equifax an alert about a critical vulnerability in their software. Equifax then sent out an internal email requesting its IT department to fix the software, but “an individual did not ensure communication got to the right person to manually patch the application.”

The Equifax data breach was a failure in risk management. As a credit bureau that deals with the personally identifiable information (PII) of 200 million U.S. customers, Equifax has a legal and moral responsibility to safeguard their customers’ security, and to adopt the proper systems to do so.

For instance, if Equifax had an enterprise risk management (ERM) system in place, the warning from Homeland Security would have been properly recorded and assigned out to the appropriate personnel. This system would have provided transparency over the status of the task in progress, and would have triggered reminders until the vulnerability was patched and verified by the right subject matter expert.

A Point of No Return

It’s my opinion that this scandal is a point of no return for risk management. While data breaches have abounded in recent years, there has never been one of this magnitude or one that provides every piece of information hackers need to steal our identities. Of course, lawsuits and penalties are piling up around the company’s negligence, but these financial losses are nothing compared to the reputational damages Equifax will suffer—shares fell by 18% following the breach and have yet to fully recover.

What makes this scandal so unique, and therefore a point of no return, is that these reputational damages reach far beyond Equifax. Consumers can’t always choose whether they’re a customer of Equifax, but they can choose whether to do business with the institutions that gave away their information to Equifax in the first place.

I also believe that consumers’ outrage with this scandal will cause them to shift their money, loyalty, and trust to institutions that can demonstrate effective risk management. CEOs and boards of every company will have to prove their organizations have adequate enterprise risk management systems in place. They’ll find that more effective risk management and governance programs are necessary to keep their market shares up and their reputation clean.

Where to Go from Here

While this breach may appear to be an event of the distant past, we are in the eye of the storm. Stolen information can lie dormant for months or years as criminals wait to make their move, and when they do, you’ll have either taken this period of calm as a chance to forget the scandal, finding yourself ill-prepared, or a chance to get to higher ground, finding yourself fully protected.

To protect themselves, businesses must:

  • First, to determine where to focus your security resources, recognize that people, processes, and procedures are now the biggest risks. Businesses need to perform risk assessments across all departments to determine who has access to sensitive information and authentication processes, and what the business impact would be if these employees were to be impersonated.
  • Next, to address these risks, businesses must rewrite their procedures for authenticating the people involved in sensitive requests and actions both verbally and electronically. With so much PII now in the public domain, it is no longer safe to rely on traditional authentication based on these pieces of information. For example, the security question “What was your first car?” is not effective because the answer is now easily accessible. A more effective question would be “Who was your best friend in elementary school?”
  • Finally, it is important to keep your third-party vendors in mind. Vendors often have access to sensitive information and processes, which could have an enormous impact on your company. It is crucial, therefore, to extend your internal authentication procedures out to your third parties so that they are authorizing sensitive requests and actions as securely as your own organization.

Our world, including the business world, is becoming increasingly transparent, meaning it’s up to you to act with integrity and protect your stakeholders. Keeping the Equifax data breach in mind, along with enacting these tactical steps, will help you stay ahead of the competition and out of glaring social media headlines.

Risk and Crisis Management Explored at Cyber Event

NEW YORK—Cyberattacks and data security need to be high priorities for all businesses, experts stressed at ALM’s cyberSecure 2017 event here, Dec. 4 and 5. In fact, not only is failing to prepare for an attack or breach risky, it’s foolish, Kathleen McGee, internet & technology bureau chief for the Office of the Attorney General of the State of New York said in Monday’s opening address. She added that not reporting a breach in a timely fashion has its own set of legal and reputational risks, referring to the SHIELD Act (the Stop Hacks and Improve Electronic Data Security Act), introduced to New York State legislature by Attorney General Eric Schneiderman in November.

“Under the SHIELD Act, companies would have a legal responsibility to adopt reasonable, administrative, physical and technical safeguards for sensitive data,” she said Monday, adding that the standards would apply to any business holding data of New Yorkers, whether or not they do business in the state.

McGee noted that even though a company may not have all the details in the first 72 hours following a breach, reporting it to the New York Department of Financial Services (NYDFS) or another regulator is crucial. It is a legal requirement as part of the NYDFS Cybersecurity Requirements for Financial Services Companies, and even if all the pertinent information about an attack is not yet available, divulging what is known will prevent further enforcement action from the state.

“For some companies, data is the only commodity,” she said. “But in the past 10 years, risk assessments have not evolved as quickly as data collection.”

That observation lent itself to a segue for the next session, “Integrating Periodic Risk Assessment to Avoid Becoming the Next Target of a High-Profile Cyberattack.” Panelists covered the importance of formal risk assessments, which will be legally required by regulators like the NYDFS and the General Data Protection Regulation (GDPR) in Europe and goes into effect in 2018.

Moderator Eric Hodge, director of consulting at CyberScout, said education charts the path to a positive assessment and suggested using non-traditional training methods to onboard clients and employees over the course of a year.

“There are a lot of ways to educate other than the traditional annual training session set in a typical conference room,” Hodge said. “You can try white hat phishing to trap people in a safe way. Share your stories every month and be honest about your own failures. There are ways beyond just checking a box.”

eHarmony Vice President and General Counsel Ronald Sarian said his company has learned from its past incidents to better prepare and to update its ERM framework. The dating and compatibility company’s site was breached in 2012, before he joined the group.

“You need to do a data impact assessment and ask: What are your family jewels?” noted Sarian, who said he aims to implement ISO27001 as the ERM framework to secure eHarmony’s international and cyber presence. “We had so much in place already that I thought we should take a shot at it. It takes at least a year but so far it’s working for us.”

When considering ransomware, experts from healthcare, insurance and electronic payments companies spoke passionately during a dedicated session about how they mitigate risks. Christopher Frenz, director of infrastructure at the Interfaith Medical Center strongly advocated for network segmentation, which he uses at the center, in an effort to keep intrusions contained.

As previously reported, Advisen’s recent Information Security and Cyber Risk Management Survey indicated that, for the first time in the seven years of the survey, there has been a decline in how seriously C-Suite executives view cyberrisk. With that trend in mind, panelist Christopher Pierson, Ph.D., chief security officer & general counsel of ViewPost, a provider of electronic invoice and payment services to businesses, outlined his approach to eliciting a response from board members.

“You can’t tell the board that [paying] is not an option unless it’s illegal,” Pierson said. “Educate the board and explain that it is an option to pay terrorists and criminal syndicates. You’ll see the looks on their faces and then you’ll get them [to want to take action].”

For more information about GDPR, read Risk Management magazine’s coverage.

Coverage, Breaches Highlighted at Advisen Cyber Conference

NEW YORK—Advisen’s Cyber Risk Insights Conference, held during Cyber Week, featured risk management professionals and more than 20 panels and sessions on Oct. 26. The keynote was delivered by former New York City Mayor Rudolph W. Giuliani, currently the chair of Greenberg Traurig LLP’s Cybersecurity, Privacy and Crisis Management practice. Giuliani used sports analogies to describe the cybersecurity industry, noting that, “the defense trails the offense by about five years.” Comparing the newest waves of protection software to a strong rookie pitcher, he said, “A new pitcher may come along and strike everybody out as he goes through the league a few times. But eventually he gets figured out and [hackers] figure it out,” he said. “It needs at least a year of being attacked for real,” to find the gaps in efficiency, and leads to the “the kind of experimentation that will yield better results.”

In the session, “SME: In A League of Their Own,” moderator John Mullen, CEO and founding partner of Mullen Coughlin, a cybersecurity and data privacy firm, discussed the growing importance of cyber insurance among small- and medium-sized companies. He asked panelists where they have seen productivity. Panelists agreed that growth among small law firms and accounting firms were strong contributors. Michael Bruemmer, vice president of Experian’s Data Breach Resolution Group, noted he is already seeing breaches of W2 tax forms, which he said is worrisome with tax season approaching. “With some of the recent, large incidents and all the information that was compromised, I think W2s are going to come roaring back again,” Bruemmer said.

As for a look into the future, Bruemmer noted that while startups show great potential for growth, they need to make cyber policy purchases while in their infancies. “Any startup needs cyber protection,” he said, adding that this is particularly crucial during the initial financing and hiring stages, as “You see too many of them go out [of business]. They’re great companies with great ideas but they don’t consider cyber.”

Andy Lea, CNA’s vice president of underwriting for E&O, cyber and media, echoed those sentiments, saying that with the thousands of businesses created each year, “there will always be new buyers and there will be opportunity for this industry to provide value.”

During an afternoon panel, Erica Davis, Zurich North America’s senior vice president, specialty products and E&O, highlighted results from the newly-released annual  Advisen Information Security and Cyber Risk Management Survey, which found that risk professionals view cyber-related business continuity risk less seriously than data integrity risk. This was surprising, she said, as business interruption costs have risen and high-profile business interruption attacks have taken center stage.

The survey also found that just 10% of respondents identified business interruption as the primary reason for purchasing cyber insurance and that purchase growth has gone stagnant after a steady six-year increase from 35% to 65%. Davis noted that the survey ended before the Equifax breach announcement in September.

“These findings may indicate that businesses are not up to speed on the magnitude of the impact that business interruption losses are beginning to have,” she said. “Annually, the survey results are critical for understanding how businesses are thinking about cyber risk and what we need to do to help them protect themselves as we watch this issue continue to evolve.”

The study found that corporate concerns about cyber may be waning, even as the nature of cyberattacks has evolved to include ransomware and malware

According to the study:

  • For the first time in the seven years of the survey, there has been a decline in how seriously C-Suite executives view cyber risk.

  • 60% of the risk professionals surveyed said executive management view cyber risk as a significant threat to their organization—down significantly from 85% in 2016.

  • Only 53% of respondents knew of any changes to their companies’ cyber security systems in response to the high-profile attacks that took place in early 2017.