While there aren’t many good things one can say about cybercriminals and the chaos they’ve created, in at least one sense you kind of have to hand it to them — they’re pretty clever.
“You work hard to lock up your front door against them,” Karen Webster noted in a recent Topic TBD conversation with MoneyGram’s CIO Wayne McGurk, “next thing you know, they are digging a tunnel up through your basement.”
McGurk agreed, noting why the first lesson of information security — the first consideration before one gets to technology or process — is humility. No matter how much you already know — no matter how many locks are on the doors — there is always more work to be done.
“You have to have the fortitude to admit you have gaps, so you can find those gaps and fix them. You can’t get overconfident in information security,” he said.
It’s that “humility” that’s driven MoneyGram to focus their efforts acutely on “defense and depth,” a series of concentric rings with MoneyGram at the center, McGurk said. He explained that the way MoneyGram looks at information security is to consider what is happening outside its perimeter, at the borders of its perimeter, inside its perimeter as well as what’s happening at the host level, application level and data level.
And, he noted, it’s important to stay on top of all those levels constantly, since MoneyGram’s brand is under constant assault from a variety of malicious actors.
Proactive vs. Reactive
McGurk said the biggest challenge MoneyGram faces, given the constantly evolving nature of the threats to data, is staying proactive rather than reactive. He told Webster that being on the proactive side is the goal: being able to spot and derail the bad actors before they can execute.
Making that happen is, again, not one activity but a series of them, including advanced alerting technology for spotting threats and a security operations center dedicated to finding, tagging and triaging threats, 24 hours a day, seven days a week.
“We have third parties and internal audits that are performed against various security processes each year. We have our PCI certification that we go through every year — and those requirements are constantly changing. We have state exams for compliance and info security,” McGurk explained.
He said that he and his team also spend a fair amount of time probing their internal systems for vulnerabilities. That includes looking at things from a technological level by attempting to break into their own systems, so that weaknesses are found and fixed before an outside attacker finds them. It also means working at an employee level to make sure that their workers aren’t the unwitting gateways to hackers.
“Interestingly enough,” McGurk said, “80 percent of all breaches occur because of email threats like phishing and social engineering. So we regularly test our employees and contractors with phishing campaigns” — the timing of which is known only to the CEO, chairman and head of security.
And, McGurk said, they work.
“We are running below a 3 percent click rate — which is much lower than most companies,” he explained. “When people do click, we have them undertake more training. We are also constantly reminding folks through various forms of communication that we have company-wide.”
And company-wide — given MoneyGram’s scope — is a big place.
The Clicks-And-Mortar Environment
McGurk said that the world of information security is always evolving — so it’s never a one-and-done approach to securing their data. For MoneyGram, that’s taken to another level, given the digital transformation of financial services, something McGurk calls the “click-and-mortar approach.”
“We do have a lot of digital innovation directed to the consumer side of our business, and then we have 350 thousand agents around the world that have some kind of platform that we have to help them to secure so that malicious [actors] can’t act upon them.”
McGurk noted that all of MoneyGram’s data is encrypted both in transit and at rest. Alongside the technical side of information security is the focus on data governance: who has access to which data at any given time.
“The only people within MoneyGram who have access to data are those whose jobs require them to have access to particular data points. It’s not easy to gain access to a full data file on a consumer,” McGurk said.
And these standards are unwavering — even as new digital products roll out, like their new SendBot that will be live on Messenger and was announced at Facebook’s F8 conference last week.
“We still follow the same process. We still do the penetration testing, we still do vulnerability scanning, we still encrypt data in transit,” McGurk said. “The information security team is actively involved from the very beginning, from ideation all the way through implementation and production and constantly doing their due diligence for any product that we have.”
And this seriousness about data security and all that goes with it, he noted, will likely be a feature of the firm forever — no matter who its eventual owner becomes.
As of today, that owner appears to be Ant Financial, which raised its bid and whose offer the MoneyGram board has approved. (The deal still requires CFIUS and DOJ approval.)
Given the likelihood of an Ant acquisition, and the Ant Financial International president’s commitment to increasing investment in MoneyGram’s security and compliance programs, Webster asked McGurk how he thought the acquisition might change what he and his team do. Aside from handling an increase in volume, everything else will remain the same, he said.
“It may impact the number of transactions we do, but it doesn’t change our strategy of defense and depth,” McGurk said. “I think we will move at a faster pace, and I think to compensate for that growth, we will see even more money being invested into our information security practice.”
McGurk said that the protection of data is something that the firm takes seriously and is “sacrosanct” for the firm, since their consumers have to trust that they will secure their data correctly and be able to handle a money transfer from Point A to Point B.
“If we lose that trust, it has an extremely negative impact on MoneyGram.”
And McGurk said that it is his job, and his team’s, to make sure that never happens.