It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Jojo Seva who comes with over 25 years of experience and is a recognized industry leader in core banking system technology, artificial intelligence, enterprise digital transformation and information security. He has been the Chief Information Officer at NEFCU on Long Island, New York and Coast Hills Credit Union in Central California. He also held executive roles at Unify Financial Credit Union and Santa Ana Federal Credit Union.
Jojo is considered to be an industry change agent with a laser-focus on operational efficiency and realization of customer value through innovation. One of his most recent accomplishments was the successful application of digital technologies at Mission Fed to effectively respond to the COVID-19 crisis.
Jojo is also active at giving back to the community. He volunteers his time to conduct community seminars on cybersecurity, social engineering awareness and ID-Theft prevention. For the last 5 years, he also served as a judge at University of California Irvine’s student software and hardware design competitions.
Jojo holds a BS in Computer Science from Cal State Fullerton and an MBA from Pepperdine University. He is certified in information security and Agile product development.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in the bygone era of the 70s and 80s in Santa Ana, Manila, Philippines. Fairly middle-class, we lived on a small and narrow street about 250 yards from the southeast banks of the Pasig River. I attended Catholic schools from childhood to adolescence.
After graduating high school at 16, I matriculated at the University of Santo Tomas College of Architecture and Fine Arts.
The Philippines is a cultural hodgepodge of Spanish, Chinese and American influences in food, fashion, art, and technology.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
The first two years of architecture were uninspiring. It became self-evident that my design, rendering skills and model building abilities were just so-so, especially when compared to my talented and driven batch mates. I grappled with my choice of major and was insipid.
One summer, a friend endorsed taking a computer class. It intrigued me enough to give it a shot. I subsequently enrolled in a COBOL programming course at the Datamex Institute of Computer Technology. Lo and behold, its peremptory procedure, format, and syntax rules unlocked the deductive part of my brain. It got me exhilarated. Since then, that side of my intelligence has dominated my personality. I still have a creative side, which makes me a more rounded techie, I suppose.
Less than a year after that fateful class, I immigrated to this country. Moving to California also meant hitting the reset button on my college career. I started over and earned a bachelor’s degree in Computer Science.
Can you share the most interesting story that happened to you since you began your career?
I have many interesting career anecdotes that are noteworthy — from getting 100% of network files infected with Ransomware to visiting landfills in search of backup tapes inadvertently thrown away by the cleaning crew. What is top of mind, however, is the most recent security lesson I learned from, of all people, my 9-year old daughter, Sophie.
She got an iPod Touch as a birthday gift two years ago. Like an iPhone but sans the phone functionality, the Touch is an iOS portable gaming system, video player and a web browsing device.
To limit activity and enforce security, parental controls are configurable to ensure age-appropriate content and screen time limits are managed. Moreover, I set up a 6-digit PIN for device access which she was not privy to. Mom or dad would have to sign in for her every time.
Well, last week, she proudly announced that she figured out her Touch’s password. I asked her how, and she detailed how she tried different combinations of her birthdate month, day, and year. My fourth grader basically employed a “brute-force” attack and successfully hacked her way in.
I must admit that I thought her accomplishment was endearing given her age, but would I feel the same way if she were 18 years old and hacked into her high school’s computer system a la Ferris Bueller?
This incident reinforced the lesson of not using trivial passwords that can be easily guessed.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Looking back over my 26-year career, I can recognize several occupational rungs that led me to where I am today. The first turning point was transitioning from a very hands-on technician to leading a team of technicians. A few years later, I assumed leadership of managing a department. From there, I took the next step and changed organizations to become an executive. I subsequently transferred to a larger company to command a bigger team. The same organization also sponsored my MBA degree.
It is amazing that all these watershed events were made possible by one individual. Gordon Howe was that person. Of course, it took a lot of hard work, but work ethic alone does not guarantee success. Someone of authority must also recognize your potential, invest their time in you, and be an advocate for you. He was my boss in three separate organizations, spanning 15 years.
Gordon is currently the CEO of Unify FCU.
Are you working on any exciting new projects now? How do you think that will help people?
Yes, we want to replace the use of legacy username and password combination with more secure authentication methods.
We are all familiar with and use what we call physiological biometrics when signing into our mobile devices. FaceID, TouchID, Windows Hello, and retina scans are all examples of physiological biometric protocols. But have you heard of behavioral biometrics?
Imagine that instead of requiring customers to prove who they are when calling our Contact Center by providing personal information (e.g. account number, account password, PIN) our phone system automatically authenticates them via their voice qualities of pitch, rhythm, resonance, and tone. Not only is it more secure, but also think about the efficiencies gained of not having to go through the rigmarole of asking personal or out-of-wallet questions. This method of verifying customers’ identity using voice cadence is an example of behavioral biometrics.
The COVID-19 pandemic also forced businesses to support remote workers. Rather than the standard requirements of a password plus a two-factor token, we can just use keystroke dynamics such as typing speed, keyboard pressure, or touchscreen swipe patterns. I learned last year that the New York DMV started using typing patterns to validate the identity of student drivers taking traffic school exams online. How cool is that?
What advice would you give to your colleagues to help them to thrive and not “burn out”?
More often than not, IT security teams are known to be understaffed and overworked. Additionally, security tools go obsolete quickly as technology changes and accelerates at an unprecedented speed. Because of obsolescence, security professionals are forced to bring cyber knives to the cyber gunfight. Cybersecurity threats are constant, and cybercriminals are relentless. They put tremendous strain on any team that is undermanned and under-equipped.
Cybersecurity must always be managed holistically. Businesses must defend their perimeter on all fronts — anti-malware, IDS/IPS, MFA, network monitoring and user training. It is not realistic to acquire these core competencies internally with a small team and a small budget. Outsourcing these critical services to a reputable SOC-as-a-Service agency is a viable and effective way to mitigate limitations and prevent staff burnout.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
Federal and state laws with the intent of protecting consumers’ private information are aplenty. Distinct industries are regulated by niche privacy laws that safeguard different types of customer information.
In general, businesses are legally obligated to not only secure consumer data, but they must also provide transparency on how data is collected, how data is used, and whether it is shared with third party entities. Contemporary laws further enable consumers to have a say in being able to approve or deny the aforementioned data practices.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Beyond the legal requirements, it is best practice to delete data that no longer serves a purpose to your company. Keeping unnecessary data heightens the risk of security breaches or data compromises. You can also be legally liable to produce data if you are storing it.
There are also tendencies to keep more backup data, especially with legacy systems. What is sometimes not considered is the amount of time and effort to recover old data. Legacy systems are typically built on older software or hardware technology but are still in use. Data recovery on these older platforms customarily takes longer due to outdated data recovery programs, processes, or slower backup media. You need to know how long it will take to recover data from a year ago, five years ago, ten years ago, and so on. Determine the break-even point and appraise where the value of the information will no longer justify the costs of the recovery process.
Lastly, proper data sanitization procedures must be in place. It is the practice of deliberately and comprehensively purging data from any memory device so that it is unrecoverable. This can be achieved by demolishing the devices physically, demagnetizing them using a degausser, or encrypting the data and throwing away the security keys.
In the face of this changing landscape, how has your data retention policy evolved over the years?
The proliferation of cloud-based services is a game changer. On-premises data centers with traditional storage devices have limited storage capacity, and data retention policies used to be dictated by how much data could be saved on internal storage appliances. Not anymore.
Today, unlimited storage cloud offerings are pervasive, but it is a double-edged sword. It facilitates boundless capacity to amass customer data points. If left unmanaged, it also leads to extended retention periods that put the organization and stored information more at risk. A more stringent and automated retention protocol must be in place.
Creating and preserving competitive advantage via business intelligence, AI, and opti-channel algorithms all require mass amounts of customer data. It is a tough balancing act between providing a better customer experience by way of prescriptive products and the risks associated with mishandling the collection and storage of customer data.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
We strictly adhere to all federal and state privacy laws that govern our industry such as CCPA and GLBA. The National Credit Union Administration (NCUA) is our regulatory body, and while they do not specifically regulate record retention policies and practices, they have provided our industry with guidelines on the safekeeping and storage of operational records such as our credit union charter and bylaws, committee meeting minutes, general ledgers, and records of our members' accounts, just to name a few.
We only keep member information pertinent to doing business with them. As the primary system of record for their accounts, shares, and loans, we collect and store transactional data on secure server(s). We keep multiple copies of these records on various physical and virtual locations, both online and offline.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
Yes. The most recent statute in our industry was the California Consumer Privacy Act (CCPA). It took effect January of last year and was tailored to strengthen consumer protection and improve privacy rights for those of us living here in the Golden State. It empowers consumers to have the knowledge of what personal data of theirs is collected, sold, or retained.
The law grants them the right to say ‘no’ to these practices.
Being in the financial industry, we are accustomed to these types of decrees safeguarding our customers’ personal information. Specifically, credit unions have been operating within the confines of the Gramm-Leach-Bliley Act (GLBA) which took effect at the turn of the century.
Our Compliance and Legal department just educated me the other day on the new California Privacy Rights Act (CPRA) that the voters approved last November. It supposedly expands upon the CCPA and will take effect next year.
Protecting our customers’ data will always be a priority for us regardless of legal requirements.
In your opinion, have tools matured to help manage data retention practices? Are there any that you’d recommend?
Yes. Tools to help manage data retention practices have matured. A few come to mind.
If your company leverages Google Analytics to help analyze website traffic, it now has configurable retention settings. This tool can help companies and subsidiaries abide by industry-specific data privacy laws.
Microsoft 365 has parameters that control automatic retention and deletion of emails, documents, chat messages and other file types within the platform. These settings may help you reduce the risks of security breaches or litigation by systematically deleting data that is outdated and no longer needed to do business.
For personal accounts, Microsoft 365 also keeps your personal data for 90 days after your subscription ends to allow you to extract or download your data before it gets permanently purged.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
By now, we have all heard about the SolarWinds supply chain attack late last year. It was executed at a massive scale and was so innovative in its delivery method. We will most likely not know the full extent of the damage due to inherent geo-political sensitivities.
The fact that SolarWinds is one of the most widely used network monitoring tools in the world increases the likelihood that our business partners are also on the platform. It is reasonable and prudent for us to reach out and, if they are, to place the business partnership on hold until assurances of effective mitigation steps have been performed.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs to Know in Order to Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
One of the foundations of employing an effective data governance program is the classification of your data asset inventory. You must identify and catalog all customer and corporate data you hold. Designate different data types per their confidentiality — public, confidential, restricted, and so on with corresponding management and retention policies and standards.
Second, one of the topics we have already touched on is knowing and abiding by all federal or state legal frameworks applicable to your line of business. Even though technology is consistently faster than the law, we should all keep abreast of pending privacy legislation.
The third best practice is to develop and enforce a data retention policy. This could be unique per industry and per applicable legal statute. Although most cloud-based systems offer unlimited storage, refrain from taking full advantage of this feature. Only retain useful data.
Next, make sure you train your staff on all data privacy and data retention policies. This can be achieved during the onboarding process or on a regular training schedule. Email retention settings are one of the common points of confusion in any enterprise. Do you know what happens to an email you deleted a week ago, a month ago or a year ago? Is it recoverable? There might be legal liability complications to these questions.
And last, but not least…refresh your data backup contingency plans. If you have not re-evaluated how and where you're storing production and backup data in the last 12 months, you are behind schedule. Network connectivity is essential for online access. However, I strongly recommend creating what is called an ‘airgap’ in your storage contingency plan. Disconnecting backup data from the internet and network is one approach that has been proven effective against ransomware.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
As much as possible, know where your personal information resides. Cloud services and SaaS platforms utilize data centers around the world, and countries may have differing data ownership and data control decrees.
It is in our best interest to not click on that “Agree” button without reading the online terms of services disclosures.
How can our readers further follow your work online?
Please visit our Security Awareness page(s) on our website (MissionFed.com).
This was very inspiring and informative. Thank you so much for the time you spent with this interview!