Subscribe
Share
Share
Embed
What can you and your organization do to prevent security breaches? Calabrio's security experts weigh in on simple practices to ensure data security.
In this series we will discuss Contact Center industry trends and best practices, as well as sharing success stories and pain points with some of the most innovative professionals in the industry. Join us as we learn and grow together in order to provide world class customer service to each and every one of our clients.
Dave Hoekstra: welcome to working
smarter, presented by Calabrio, where
we discuss contact center, industry
trends and best practices, as well
as sharing success, stories and pain
points for some of the most innovative
professionals in the industry.
We're glad you are joining us to
learn and grow together in order to
provide world-class customer service
to each and every one of our clients.
My name is Dave Hoekstra, product
evangelists for Calabrio and my guests.
today are Craig's Zweber VP of cloud ops
security and compliance for Calabrio and
Tim Wittenberg, director of information,
security and compliance for Calabrio.
So we kind of have a couple of firsts.
This is our first Calabrio
employees part, and we've got
multiple people on the podcast.
Thanks for joining me today.
Craig Zweber: Okay.
Dave Hoekstra: All right.
So one of the biggest things that we
have seen out in the world, let's,
I would say today, but it's been a,
probably 20 year long or more problem
is data security and compliance.
And I know that at Calabrio
we get asked to be responsible
for a lot of this quite a bit.
And so what I thought today would be a
really good conversation with you guys
to have is some of the things that.
Not just an enterprise organization can
do, but maybe individuals and personal
people could go towards securing
their own data and making sure that
a lot of the information out there,
maybe we debunk a few myths today.
Maybe we get some good information
in the hands of people.
And I think you know, we just want
to have a good conversation about
data security and what that means
to not just Calabrio customers.
And individuals that are out
there in the day-to-day world.
So the first thing I kind of want to ask
you guys, and maybe is a good, this is
good to start with you, Craig is, you
know, you told me that there are lots
of misconceptions about data security
and I kind of want to start there.
Let's, let's debunk some of the
myths and some of the ideas that
are out there about data security.
So in your experience, what are some
of those misconceptions that are out.
Craig Zweber: Yeah, there's, there's a
lot of different things, especially things
that revolve around fear, uncertainty
and doubt are a good, solid FUD factor
for those for that technical term.
There's when you're connected to the
internet and use internet services,
there's no such thing as perfect, secure.
The perfect security is simply not to
plug into the internet at all, but then
are all of our devices and services
would be pretty worthless if we did that.
So really good security is
about good diligence and, and
leveraging your partners and the
software services that you use.
And really take advantage of the security
updates and fixes that they provide.
Keeping your stuff up to date in new
is what keeps us ahead of a lot of the
security trends and tracking out there.
There's a misconception out there that.
If I have something old or something I
don't necessarily fix or keep up to date
that that might be some more secure when
in fact those things are the things that
can be taken advantage of along the way.
There's also we get hit a lot with.
Some of our vendor providers that unless
we buy their security product or service,
then we are somehow less secure because
we don't have every particular bell and
whistle available out there in the market.
And that's simply not true.
Some just fundamental good security
practices that we follow here at clever.
Are just as effective as buying
30 or 50 different products
as other services out there.
So that's something that even our
customers, if they get bombarded all along
the way, by all these people that say that
they get the next best security thing,
they actually don't, they're, they're
marketing their wares, just like the
rest of us market are awares that aren't
necessarily directly security related.
Dave Hoekstra: Well, I feel
like, you know, your, your
example of the, the older.
The, the older piece of technology.
It, I like it because it, it works.
It's never failed me.
Right.
And it's funny because a lot of the old
school thought process, I think it goes
back to automobiles right back in the day
when automobiles did not have any chips
in them, there was no software in them.
It was purely a mechanical thing.
Those things were designed
to last for years and years,
and years and years, because.
So the key in you turn the ignition,
it was a purely mechanical process.
As long as you kept the Mac ma the
mechanics up to speed, everything.
And a lot of people still believe that.
Right?
We're going to, we're going to
talk a lot about my mother-in-law
and father-in-law today.
I think I have this feeling and
the, the, the problem is that the
old school automobile never had.
Anything updated on it.
It was always exactly what
it was when it first started.
The problem now with technology is that
older pieces of technology or even newer
pieces of technology that have been a
little bit farther out from the update.
Those are the ones that
are most vulnerable, right?
Because like you said, people aren't
always creating new ways to exploit.
Tim Wittenburg: One of the
things that's happening.
Of course, in the software industry,
you mentioned a lot of this computer
technology is different than an old
car because it has a computer in it.
All right.
And there's software.
And that software is constantly
being examined for vulnerabilities
by all kinds of hackers and people
who would try to steal information.
And so literally if if something
goes out of date, like an
operating system is basically.
The turn to be obsolete, it's
automatically put into the highest
security risk because there's nobody
patching it or nobody fixing it.
And so if you are operating some
of that software, you are at risk.
So to your point, the older
software is going to be the
most vulnerable in general.
Dave Hoekstra: So when you say at risk,
Tim, what, what, what do you mean there?
W like what's, what does
risk mean in this context?
Tim Wittenburg: In simple terms, that
just means something that's high-risk
is most likely to be exploitable.
So just like all kinds of
innovation is happening in software.
In general, the tools that
hacker U hackers use are also
being automated and updated.
So it used to be when a, a vulnerability
or a weakness in software was discovered.
It used to take.
Months or years for an automated
hack to become available.
That is a script that can be used to
exploit the vulnerability to steal your
information if you happen to have the
vulnerability, but now instead of a
year or a month, it's literally hours.
So when a vulnerability is discovered
in a piece of software, you can
literally have somebody attacking
that vulnerability with an automated
script in a matter of hours now.
Happened in the last five years.
Dave Hoekstra: So in that example,
let's let's, let's use the world's
most popular operating system.
I'm not going to say what it is
because we don't want to do that to
them, but let's just say I have a
lot of them on my house that I use
to view my street during the day.
The minute a new version comes
out, it is automatically being
attacked by automated scripts.
Is that kinda what you're talking about?
I
Tim Wittenburg: would say within hours.
Yeah.
And the reason for that, or the
tools have become automated.
And the process for writing scripts has
become more and more automated over time.
So it's just, you know, the general
watch word is like Craig said, if,
you know, keep your software current.
If a patch comes out, apply the patch.
If you haven't, you know, on your
phone, when a new version of the
operating system becomes available,
update it, apply the patch.
Take the few minutes of time.
People don't like to do those
updates because it takes a few.
It's well worth it because it is
going to buy you more security.
Dave Hoekstra: Yeah.
And I think that's, I think that's a
great point that you guys are kind of
trying to make is that, you know, when
my father-in-law looks at his phone and
it says there's a new update, his fear
is that something's going to get moved
around his fears that a word's going
to change, or he's not going to be able
to find the same app that he used to
have, but in reality, Isn't that kind
of just the very tip of the iceberg
that we see what's really happening
in those updates are all of those
vulnerabilities are being taken care of
that are discovered in that timeframe.
Tim Wittenburg: Exactly.
Okay.
Dave Hoekstra: I think that's a, that's
a great point to make is that we all,
we all tend to look at these updates
as visual or UI based, but in reality,
they're probably almost exclusively
security based, so that should give
people an idea of what we're facing here.
So it's interesting that we we've kind of
talked about this and you guys are trying
to educate people, which is just great.
But there are a lot of organizations out
there that kind of live in live and die
by these, these particular approaches.
So these are something that I know we
at Calabrio and you guys probably in
particularly I have to deal with a lot
during day to day, but there are a lot
of different organizations out there
that provide certifications of security.
Now I know probably yours are a little
more focused on the enterprise software
side, which is great, but you know,
we talk about some of the really big.
Like GDPR and, or, or those types
of things, but what are some of the
certifications you have to deal with
on a day-to-day basis and how do they
help organizations secure their data?
Tim Wittenburg: Sure.
So we we have three main certifications
that we obtain every year.
The first thing I would just
tell you though, is that.
Actually operate a security program.
That's based on something called
the NIST cybersecurity framework.
So Craig was mentioning some
misconceptions about security.
There are lots of those around if
you want to dispel all of those
misperceptions, go and read the NIST
cybersecurity framework because.
It will tell you exactly how to secure
confidential information of any kind.
So one of the great secrets
is there is no secret, right?
The way to protect information
is well documented and well
understood by security folks.
So you can, anyone can
go read that, but so
Dave Hoekstra: like a
good solid 15, 20 minute.
Tim Wittenburg: I'm about 15 to 20 hours.
So I don't want a kid, you, it there's,
you know, there's a lot of, kind
of jargon in that, but it does give
you pretty much very straightforward
instructions on how to protect that data.
So we.
We basically adopt have
adopted that program.
And that is it.
It lays out a number of
capabilities to protect information.
And what we do is, are setting up
the capabilities in our company.
We've already established them.
And what we're doing year over
year is maintaining the maturity,
measuring the maturity and improving
the maturity of all those different
capabilities to protect information.
So we're the audits come in.
As we have three different
ways of checking.
Using outside parties, how effective
those different protections are working.
And so the first method we use is we
have a SOC to something called a SOC two.
And that goes and looks at all
of our different infrastructure
components, the servers and the
databases and the different software.
And it checks to see how well we're
protecting that, that information,
the software, the systems, the data.
And so that's important.
The other audit that we get
is we get an ISO 27,001 audit.
That one is more important
from our international.
Perspective and our customers out in the
world because it's just widely known and,
and more, I guess you'd say respected
out there in the international markets.
And then the third one we get is a PCI.
So we are not a credit
card processor under PCI.
We are what's called a service proven.
Because we provide a service
to our customers who may or
may not process credit cards.
And so we get a third one
called the attestation of
compliance from the PCI world.
And so all those audits basically.
Essentially provide assurance
to our customers that we're
serious about security.
And we have third parties come in
and validate that our security is
operating effectively each year.
And
Dave Hoekstra: Craig, what
kind of work goes into secure?
I mean, I don't even know what the right
terminology is, passing those audits
securing those security certifications.
What kind of work goes
into a, to those processes?
Craig Zweber: Yeah, all those, as, as
Tim mentioned with the with the security
capabilities each capability is, is got a
review process or procedure around that.
So you can think of who has got
administrative rights into a
particular area of the application.
We have to review that list of
administrators on a periodic
basis and prove to the auditors.
That we actually have done that
review and prove that we've
taken any appropriate action.
Should we find something misconfigured
in that particular review?
So every single one of those rules that
are in the NIST cybersecurity framework
has another process or rule around it
that we have to show that we are actually
following the security best practices.
So we have a bunch of manual processes.
I like to call them the army of
people with clipboards, right.
They go around and, and, you know,
and they might manually go through
the checklist and ask us, Hey, did you
perform your security audit this month?
Or this week, or this quarter, we collect
that data, other things, and we're working
more so towards this is to have the
computers, help us audit the computer.
In the end.
So it's a term that we've worked to coin.
Tim and I here called
continuous assurance.
It's more becoming more broadly
accepted into industry where we
don't necessarily come around and
do audits on a periodic basis.
We are working to actually program
magically detect every single change and
make sure that every single change that
actually stays in compliance really.
So that will save us a lot of time.
We can start to reduce the size of that
army of people with clipboards and go
towards all automated processes around
Dave Hoekstra: that.
So it's a, it's a, it's a 24 7 thing.
It's not a shoe we're done.
Okay.
Now I can stop for six months and
stop thinking about this, right.
It's kind of a continuous process.
Tim Wittenburg: 7 365.
Yeah.
Yeah.
Craig Zweber: So holidays either.
Dave Hoekstra: Well, that's,
that's why you guys are so well
paid and in good looking, right.
It's it's the, the super glamorous
life of information security
Craig Zweber: out there.
That's right
Dave Hoekstra: now let's take let's
take someone who might not know.
Have the greatest understanding.
I mean, we've thrown around some
really good jargon today, right?
ISO 27,001.
And, you know, really kind of interesting,
but if I were kinda starting from
maybe not scratch, but I really, I
mean, you know, from an enterprise
standpoint where could I really go to
start to understand what's going on?
So.
Tim, I think, you know, you gave me some
pretty good ideas when we talked before
about some really simple things to do,
but, you know, maybe let's start what's
what are some simple things that people
can do to understand, and then maybe
progress to a little bit more complex?
Tim Wittenburg: Sure.
So I think as we've stated here that,
you know, good security, it really
involves a lot of common sense.
And so for example passwords,
we've talked about.
Using passwords that are too simple.
So you know, people, there's a
kind of a joke about you know,
somebody hacked my password.
Now I have to change the name of my dog
because my password was my dog's name.
Right.
Those sorts of things.
And so use a longer password.
Those are generally more secure mix it up.
So don't, don't use a dictionary
words because the common methods.
Hacking passwords is to have a huge
list of commonly used words and phrases.
And if a hacker gets a hold of
your account and they're going
to try it up, you know, try all
sorts of known phrases and words.
So mix it up, add some letters
and numbers, make a long password.
Probably one of the biggest
things is don't reuse passwords
from your personal account.
Don't reuse those passwords for
your Calabrio accounts or accounts
that you use for business.
And one of the reasons for that
is there's a website called have I
been poned.com and we can talk about
how that's spelled, but they keep
track of all the hacked passwords.
And there are billions, literally
billions of hack passwords.
So if you reuse one of those
four, you're one of those.
You used that for Calabrio account,
then you're vulnerable because a hacker
can basically pull up that huge list.
Try try, you know, if they guess,
and that's your collaborative
account they're they're in.
So simple thing.
Don't reuse passwords.
Personally, I
Dave Hoekstra: cannot believe that the
word poned is a word that's something
that kind of originated from online
gaming and it was just absolutely
the most slang of slang words.
And now I'm listening to
two informational security
professionals using the word poned.
I love it.
That's great.
Okay.
So sorry.
Continue.
Passwords is an important part.
What are some of the other
maybe areas that we could.
Tim Wittenburg: Sure.
So let me keep going on that point.
So I haven't, I've had an
email account at Comcast.
Something like 15 years.
And so I went to that site,
checked it out, turns out
the password has been stolen.
It was something like 13 or 14 times.
So instead of me panicking, I went
and changed my password again.
But then I also turned on this thing
called two-step authentication.
So general point, if your S your
service, if it's Facebook or, you
know, some Calabrio service that's
been being used in the company.
Turn on the two step authentication.
So what that basically is, is instead
of you sort of just authenticating with
a password that you may also get a text
message that gives you a little code
and it shows up on your phone, and then
you put that into your account and then
you have to log in with both a password.
And this.
Extra number, extra pin code.
So things like that are very
effective at keeping this a, this
hack attempt method from working.
So somebody finds a stolen password
from one of your old accounts and you
have reused it on our customer account.
If you've got.
You know, this two factor or two step
authentication activated that will stop.
So I keep using my email address, the same
account that I've had for years and years.
Cause I've turned on the two step
authentication and people should be doing
that in general, everywhere they can.
And yes it does.
It does.
It is more time consuming, but
believe me, the peace of mind that.
As well worth
Dave Hoekstra: it.
Okay.
So those are great from
a personal level, right.
And enterprise level.
I mean, obviously my, my password
to log into my email and things like
that, rather I'm doing personal or
my work email is important, but what
about more on the enterprise level?
What are some of the, some of
the places that someone could
start with a good strategy?
Tim Wittenburg: Okay.
So there's, there's that the password
management thing is, is pretty good.
And then the other thing is just
to think about phishing emails.
So I'll just, I think we've all talked
about phishing emails and from a corporate
perspective, those are very deadly because
if you get an email on your corporate
inbox and it is a phishing email and you
click on the link, what happens is that
email will generally, if you click on a
link or an attachment, it'll download.
Malware right onto your workstation.
And that bypasses all of the other
protections that we put in place like
firewalls and, you know, all of these
various layers of intrusion detection
and so forth don't work because you've
clicked on an email and it put, you
know, malware right onto your laptop.
And there was nothing we
could do to stop that.
So, so being careful about, you
know, recognizing phishing emails we
train out at every year, you know,
Tend to create a sense of urgency.
Hey, you're, you know, this is chase bank.
You've got something wrong with
your account click on this link
right away, where you can get those
in your corporate inbox, just like
you can in your personal inbox.
So it's especially important.
To be aware of those things
in a corporate environment.
I think I'll just stop there.
You know, I'm sure Greg's got
some comments on that too.
Maybe.
Well, and Craig
Dave Hoekstra: that's, what I was
going to ask is, is kind of just going
along that exact, so passwords and
fishing are those, the two biggest
vulnerabilities that are out there.
And if there's one bigger, we'd like to
know, but otherwise what are some other
things that maybe they have to be careful.
Craig Zweber: Those, those two
things are definitely big on the
social engineering side of things.
Y'all taking advantage of what
people know or, or taking advantage
of behaviors to, to gain a leg up.
That's, that's definitely a ways
to protect yourself over there.
Be aware of those passwords and fishing
on, on the, on the corporate side.
And we, we touched on it, keeping
things up to date is critical, right.
And and leveraging those
re reputable services out.
Folks like Microsoft and AWS,
they spend billions of dollars on
information security to provide
secure services out there.
So leveraging those services,
trusting those services and accepting
those updates from those people.
They, they know best in us as individuals
and only the largest of the largest.
Enterprises can spend that much
money on security every year.
So leverage what they have to offer,
leverage what they, what they preach
and definitely take those updates.
Keep things up to date.
Dave Hoekstra: I keep hearing a phrase
that pops up, not necessarily on this
discussion, but many other times.
What, what a pen test can you, what, what
is a pen test and what do those do for us?
Tim Wittenburg: So a pen test is where
we literally hire third-party hackers
to come in and try to hack our software.
So in our case, we run a pen test every
year of, of our Calabrio one software.
And we hire third party hackers
each year to come in and it's
kind of an open door test.
We give them an account.
We give them a password.
We say, here you go see
what you can do, try to find
vulnerabilities in our software.
And so it's, it's actually,
I mean, we, and we take the
results extremely seriously.
So if we find anything at all, we
quickly go fix those things so that you
know, it's not the true hostile hackers
that are finding these things for us.
We are obviously on a hunt for
those to find them and fix them for.
Dave Hoekstra: So, which is a bigger
danger to an organization, social
engineering, hacking, or phishing.
If you, if you had to pick the
worst one, which one is the
what's, one's the one that makes
you lose the most sleep at night?
Craig, what, what would you say?
Craig Zweber: Fishing?
Definitely.
Just because it creates
that sense of urgency.
After that would be social engineering,
Cushing is a type of social
engineering but Social engineering,
those who are kind of vulnerable
to, to the fast talker, right.
You get that phone call
and suddenly you're really
interested in the conversation.
And you just have to stop and think,
wait a minute, why would my bank
call me or send me an email, asking
me to verify my own information.
That doesn't, that doesn't make any sense.
Dave Hoekstra: Yeah.
Why wouldn't my bank.
Call me to tell me there's
a problem with my account.
And the only way I can fix that
is to give you a gift card code
off the back of a gift card.
Yeah.
Craig Zweber: As I get a text message that
claims that, Hey, this is my CEO, right?
I'm in this important customer
meeting and we forgot to bring
our, you know, the gifts for them.
Could you go to the store and
pick up several $500 gift cards?
Dave Hoekstra: It's crazy.
I'm sorry.
Crazy.
You mentioned that because
yesterday I got a text message
from my son's precedent of his.
Yeah.
And I had never heard of that
particular social engineering hack.
I, you know, and so I sent my son a texts.
I was like, I think I just got
a text that was meant for you.
And now granted, there were
no links and I was literally
in my head trying to conceive.
How this would lead to a scam, but you
just laid it out for me right there.
If I had a texted back and said, Hey,
what's up, I probably would have gotten
that exact message of, we need to go
get some gift cards for these people
in this meeting or something like that.
Huh?
Yeah.
Craig Zweber: Well, it plays
out our natural wants to be good
servants to be good employees, to
be good people and help others out.
Well, though, they'll the, the
hackers will attempt to play on that.
To take advantage of your, of your
good nature to to help people out
and, and get something for themselves.
Dave Hoekstra: Well, you said
something that I think really, I think
we'll stick with a lot of people.
You said you don't need expertise.
Is that, is that fair?
How, how does that, how does that phrase
work in your head to secure your own data?
What does that mean?
Tim Wittenburg: So, so I, I think
people think one of the misconceptions.
Is that to be secure, you have
to be some sort of wizard at, you
know, all this secretive technology
Dave Hoekstra: and from
the matrix you have to be,
Tim Wittenburg: you have to be able
to crack all this fancy encryption.
You know what I'm saying?
And, and
Craig Zweber: a hacker for 20 years
before you, you earned your stripes,
then you're an expert hacker.
Tim Wittenburg: But if you
think about what, what both Greg
and I have been talking about.
You get more bang for your buck.
If I can use that expression, you know,
more return on just doing common sense
things, you know, keeping your passwords
current updating your software, keeping
that current being careful not to click
on suspicious emails, none of these things
are very technical or very complicated.
And so.
Literally just common sense is going
to give you a very good result.
Dave Hoekstra: The thing that I've taught
my kids in there throughout their life
and, and you know, my family and is that
we as human beings have a very finely
tuned sense of things not being around.
But we've been taught our whole
lives to ignore it, whether it's to
be polite or to go with the flow.
And what I teach them is that if their
brain ever says, huh, that's weird
that you really need to listen to them.
That, that part of your brain that
says that we've all gotten the emails
that say, you know, Hey, this is PayPal
and you need to click on this link.
And if we just went, Hmm, that's weird.
And then took one extra step to
verify that, oh, wait, this came
from like some Russian link in, in
the email address that it's like,
okay, I'm not going to click on that.
But I think we're you're right.
We, we, we, they are very
good at tapping into.
Primal emotions of doing good or helping
or fixing something that's broken.
Right.
What's the old saying that if you ever
want to get responses on the internet,
just post something that's incorrect
and you will absolutely get it.
I'm sure I'm butchering the
phrase, but the, the idea.
And so I think that that's really
the point of what you guys are
saying is, is that I can have the
most, the highest ranking level.
The internet security that ever, but
without the instinct of something's not
right here, it's not worth very much.
Tim Wittenburg: That's right.
That's
Dave Hoekstra: right.
All right.
Well, this this has been absolutely.
I mean, honestly, I didn't
think we could possibly make a
fascinating conversation out of.
And that's not a knock on you guys
and what you do, but we've actually
done a really good job and I'm
actually immensely proud of us.
And if I can do to our own
horn for just a minute here.
So yeah, I feel like I feel like this
has been a really good what I want
to do is first ask you guys, is there
anything else that you feel is really
important to pass along to the listeners
of the collaborative podcast here
that could help them in their journey?
Craig Zweber: If you, if you see anything
suspicious, I mean, report it, I think
we're getting trained to do that in the
days of terrorism and all that stuff.
Right.
So on the on the security front, yeah.
Report it to your local security official
report to your local security director.
Don't call us directly.
We simply don't have enough time
to respond to everybody, but
if you see anything with any
of our products and services,
definitely call our support line.
We're here to help.
We're here to fix and make sure
that that our customers have
got the best service possible.
Dave Hoekstra: So, okay, fantastic.
So you are endorsing that if
something does pop up, that raises
a red flag in one of our users.
Support is the way to go through
Tim Wittenburg: absolutely.
Craig Zweber: And support them in
the, in the best way possible to
ensure that our customers stay secure.
Dave Hoekstra: Right.
And would you say there's no red flag to.
I
Tim Wittenburg: would say, absolutely.
So don't ignore your instinct, right?
If, if something doesn't look right,
you should definitely raise your
hand and let somebody know about it.
Craig Zweber: Fantastic.
Unlike Tim and me, our support staffs
are are very friendly and loving.
Tim Wittenburg: There's more
of them than there are of us.
Dave Hoekstra: Yeah, you guys will hear,
you guys will hear about it, but the,
you know, let's, let's, let's follow
the the, the proper protocol here.
No, this has been great.
You guys, I can't thank
you enough for joining.
I think this is going to be a
really informative discussion.
A lot of people are going to find
some tremendous value in, so from.
I appreciate your time, Craig and Tim,
you guys look forward to hearing more
from you over the, over the years.
I have to say you guys did a
fantastic presentation a couple
of weeks ago, which kind of led to
this podcast, which is really great.
And I thank you guys for, for putting
that together and really spurring
a good discussion here on, on data
security and what we can do there.
So for those of you listening,
thank you guys again for
giving us some of your time.
We appreciate it.
And as.
If there's anything we can do for
you, we are available@calabrio.com.
Please don't hesitate to reach out if
there's questions we can answer, or if
you have a great idea for a more podcast
issues let's let's have a chat about it.
So Craig and Tim, thank you guys again.
Thanks everybody else.
Have a great rest of your day and we'll
talk to you soon on the next episode
of working smarter from Calabrio.
Thanks everybody.