As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Fotis Konstantinidis.
Fotis is a Managing Director and leads the Artificial Intelligence and Digital Transformation practice at Stout. He has over 15 years of experience in data mining and advanced analytics, digital strategy, and integration of digital technologies in enterprises.
His experience includes data transformation and visualization, the application of a broad range of machine learning algorithms to maximize real business value, and data-driven assessments of digital initiatives and priorities. Fotis has also led large digital transformation programs in both private and public companies, and launched agile-driven digital solutions that were presented at international conferences and workshops.
Fotis started applying data mining techniques as a brain researcher at the Laboratory of NeuroImaging at UCLA, focusing on identifying data patterns for patients with Alzheimer’s disease. He was also one of the leads in applying machine learning techniques in the field of genome evolution. Fotis has implemented artificial intelligence (AI) in a number of industries, including mobile gaming, social media, banking, retail, automotive, and energy among others.
Prior to joining Stout, Fotis held leadership positions leading AI-driven products and services at CO-OP Financial Services, McKinsey & Company, Visa, and Accenture.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born and raised in a lower middle-class family in Greece. I showed interest in math and computers from a young age and managed to become the first person in my extended family to go to college. I came to the U.S. for graduate studies after studying physics in Greece. Due to my insatiable desire to learn, I studied several scientific fields including space physics, chemical engineering, and computer science.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
A few years back, when I was relocating for a new job, I was in the process of submitting several rental applications. However, I kept getting rejected due to a low credit score, something I could not explain, since I had always had a good credit score. I finally found out that my personal information had been stolen as part of a major data breach. As a result, fraudsters opened several revolving accounts under my name. Feeling first-hand the impact of having my personal data stolen motivated me to take action and focus my professional career toward cybersecurity, tools, and methods that protect sensitive data.
Can you share the most interesting story that happened to you since you began this fascinating career?
I had a past client that, due to a shift in office culture, decided to allow some of their workforce to be remote. The IT team was under the impression that their existing policies and software were more than enough to protect them. I was hired to assess their systems, but they basically expected me to give them a pat on the back and confirm that their cybersecurity systems were exceptional and would only need minor tweaks to make them impenetrable. Lo and behold, we found several issues during our assessment, such as open holes in their infrastructure and network security as well as several employee device vulnerabilities. The moral of the story is that you should never feel invulnerable, regardless of how capable your IT team is.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I did have a mentor in my professional career for whom I am very grateful. He spent a considerable amount of time understanding my professional goals and helped me immensely in improving myself in areas where I lacked the skills. Additionally, he believed in my professional abilities and chose me to lead very challenging projects. But the most important quality of my mentor (who was always extremely busy) was his commitment to developing a close personal relationship with me. One example that comes to mind was when he surprised me by sending a personalized baby gift basket for my newborn son while I was on parental leave.
Are you working on any exciting new projects now? How do you think that will help people?
We always have exciting projects at Stout. And the great thing is that we tie our projects to measurable metrics that have a financial and cultural impact on the companies we serve. We are currently working on a few IT cybersecurity assessments, where we identify security gaps and help companies mitigate them. We also have projects where we analyze large amounts of data to generate actionable insights that help organizations make informed decisions. Data insights, whether to improve IT cybersecurity systems or increase efficiency and productivity, always help people and improve their quality of work.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
It is very important for someone to first recognize that they are burnt out and, second, to identify the root cause in order to properly address the underlying issue. My advice to my colleagues would be to make a self-care routine one of their main priorities; regular exercise, proper nutrition, and good sleep habits are essential in keeping us emotionally stable and energetic. Social interaction with family and friends, even if it is over video calls, is very important. Additionally, each one of us has a different “recipe” for reducing stress, whether it involves exercise, reading a good book, or playing with our kids.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The first thing that excites me in cybersecurity is continuous learning; a concept that defines me as a person. There are always new methods to secure systems from bad actors, most recently leveraging machine learning and AI to detect and prevent fraudulent activity.
Second, cybersecurity has a significant impact on people’s lives: by assessing and mitigating security gaps, your objective is to protect sensitive data and information that would otherwise fall into the wrong hands.
And third, you never get bored! You always try to think faster and better than the fraudsters. It is like a chess game where you always need to be several moves ahead of your opponent.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Digital transformation became a priority due to the pandemic. Having employees work remotely accelerated the need to develop an agile workforce, move IT systems to the cloud, deploy virtual desktops, Desktop-as-a-Service (DaaS) tools, etc. However, the deployment of new digital transformation initiatives increases cybersecurity risks. Some critical threats on the horizon are ransomware attacks, cloud security, device/network edge security, and generally more sophisticated attacks based on machine learning and AI. Bad actors can now leverage AI methods to quickly identify vulnerabilities.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
In many instances, cybercriminals are focused on finding ingenious ways (such as phishing and social engineering) to steal employee access credentials in order to gain access to an organization’s systems. Many stories come to mind where I used machine learning methods to analyze user activity data to extract behavioral patterns and insights associated with all employees. Although companies always have proper cybersecurity training, it takes a single employee to fall into the trap for fraudsters to gain access to sensitive data. My team was able to detect anomalies in employee behavior after the attack sneaked past the spam filter. Our custom AI-based programming code flagged the potential attack and stopped it by alerting the system administrators before the attackers had time to do significant damage.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Depending on the engagement and sometimes the company’s industry, we use different tools, which can be open-source or enterprise software. For example, for penetration testing we use software to simulate real-world attacks on networks, web and mobile applications, and IoT devices. We also simulate malicious phishing and social engineering attacks. My team provides cybersecurity and vulnerability assessments that follow control sets and frameworks that depend on the industry, such as NIST-based frameworks or industry-specific regulations (e.g., NYDFS 23 NYCRR 500 for financial services, HIPAA for healthcare, etc.).
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Many of the organizations we serve are in the middle market, so they don’t have large cybersecurity resources and expertise. Therefore, they engage with our team to assess their cyber risks and define a cybersecurity strategy customized for their specific needs and industry. We help our clients choose the right cybersecurity software tools and build an internal security team under a Chief Information Security Officer (CISO). The key for companies that fall under this category is to engage with an expert in the field to provide them with the right cybersecurity plan. Choosing software for their cybersecurity needs is the first step, but this cannot run on autopilot to fully protect them. The software would need to be customized, policies have to be in place, and eventually organizations may have to hire a CISO, depending on their industry, in order to be compliant with regulatory frameworks.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
This is the 8-million-dollar question, since this is on average how much a data breach costs companies in the U.S. Normally, it does take a significant amount of time to identify a breach for a reasonably sized organization; on average between 9 and 10 months. Four basic signs for a layperson to look for would be an unusually slow device or internet connection, a high volume of outbound traffic, having your account locked when entering valid credentials, or finding out that critical and sensitive files (like operating system or database files) have been recently modified or replaced.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
First, the company has to understand what data was exposed in the data breach and follow all relevant state and federal regulations. Second, the company must be transparent and notify its customers and everyone affected by the breach. To protect its customer relationships and brand, the company should offer identity protection services to the individuals whose data were stolen. Additionally, the company should secure all systems and enforce stricter security policies and procedures internally.
Data protection regulations such as CCPA and GDPR have affected several of the organizations we serve. Companies now must identify and secure all sensitive data and also offer certain opt-out options to the consumers in all their publicly available digital applications. At Stout, we offer CCPA and GDPR compliance services, where we assess all IT systems, provide data classification, and evaluate data protection policies and procedures. In some engagements, data privacy regulations limit our ability to use and analyze personal data for our machine learning algorithms to provide personalized insights and recommendations. Instead, we use anonymized and masked data, where sensitive information is not used in our statistical analysis.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Some of the most common mistakes are:
- Overconfidence and heavy reliance on software and IT teams instead of focusing on changing the overall security culture and awareness of the organization.
- Ignoring continuous security training and internal attacks from disgruntled employees.
- Not having a comprehensive data-focused security strategy where all datasets are classified, their locations are known, and they are treated differently from a security and encryption standpoint based on data sensitivity.
- Underestimating cybercriminals, thinking that they are not sophisticated enough or that they will not bother attacking their company due to its size, industry, location, etc.
Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
We have certainly seen an uptick in cybersecurity errors. This is because employees work remotely, and large amounts of data are now transmitted to the core IT systems of the organization. Companies did not have sufficient time to adjust to this work-from-anywhere environment and proper cybersecurity measures have not been taken in many cases. Additionally, data privacy errors exist, due to the volume of data exchanged between employees working from home and IT systems and applications. Companies are still catching up in deploying a data-focused security strategy, patching existing IT software and corporate devices, configuring and securing VPNs, and enabling strong multi-factor authentication.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Every company needs to know the following:
- Establish a custom data-focused cybersecurity strategy: You need to know and understand all IT systems and applications running in order to assess security gaps. Based on the system and data assessment, a detailed strategy has to be defined that incorporates optimal tools and internal processes and procedures that detect, prevent, and isolate cybersecurity threats, and ensure data privacy.
- Develop a corporate culture focused on security and data privacy: Specialized intrusion prevention software, firewall rules or IT support teams are not the only responsible parties in securing data and systems. The whole organization has to be well-trained and aware of cyber threats.
- Frequent re-evaluation of security policies, IT systems, and vendors: Cybercriminals keep changing their methods of attacking organizations. A few times a year, a company needs to evaluate all existing policies, employee training, IT systems, and generally all components that comprise the cybersecurity infrastructure of the organization.
- Focus on social engineering: Fraudsters prefer the path of least resistance and instead of trying to find highly sophisticated ways to attack an organization’s infrastructure, they usually favor social engineering methods, where they easily steal an employee’s credentials. Companies need to properly train employees, ban access to suspicious websites, and use reliable filters to classify threats.
- Secure the cloud: Due to the pandemic, most companies have several IT services on the cloud, such as virtual desktop services or certain core applications. Specific security measures must be taken on the cloud instances as well as at the network edges to ensure a secure environment.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I would inspire the healthy diet movement, where everyone would choose to eat more vegetables and fruits and reduce fats and sugars. This movement would reduce the risk of heart disease, obesity, high-blood pressure, diabetes, and generally a lot of diseases that are linked to our modern lifestyle.
How can our readers further follow your work online?
You can follow our work at stout.com, and follow me on LinkedIn at https://www.linkedin.com/in/fotios-konstantinidis/ and Twitter at @fotios09.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!