M+E Connections

SecureTheVillage Teams With FBI, DFPI to Explore AI, Other Cyber Threats

Cybersecurity crimes remain a major challenge for media and entertainment (M&E) organizations and companies in other industries, especially the financial sector, according to SecureTheVillage, and artificial intelligence (AI) only stands to complicate the issue.

SecureTheVillage teamed up with the Federal Bureau of Investigation (FBI) and the California Department of Financial Protection and Innovation (DFPI) to host an online April 19 information security threat briefing targeted at fintech and other financial services professionals.

SecureTheVillage urged organizations to figure out how hackable they are, what their most dangerous threats and greatest weaknesses are, and what they can do about them.

“This is the fourth time DFPI, the FBI and SecureTheVillage have gotten together to present this threat briefing,” Stan Stahl, PhD, founder and president of SecureTheVillage, a 501(c)(3) organization, said at the start of the webinar.

Stahl then introduced Michael Sohn, an information security specialist who is a supervisory special agent with the FBI. Sohn is currently an embedded FBI Cyber Division liaison to the National Cyber-Forensics & Training Alliance (NCFTA) in Los Angeles. NCFTA is a non-profit corporation that is focused on identifying, mitigating and neutralizing cybercrime threats globally.

Lack of Victim Cooperation Doesn’t Help

Sohn discussed cyber threats including ransomware and emphasized preventive measures including multi-factor authentication.

He also highlighted challenges in prosecuting cybercriminals because of a lack of cooperation from many victims.

Sohn also shared stories of the real-life impact from cybercrimes, stressing the need for proactive engagement from managed service providers (MSPs) and victims.

DFPI Tips

Rochelle Rapada, senior financial institutions examiner at the California DFPI, then shared some information and online resources that are available for consumers on the DFPI website, including a free crypto scam tracker that allows users to learn about specific crypto-related complaints received by the DFPI.

She too urged viewers to make sure they have multi-factor authentication. “And, to avoid cyber fraud, be cautious of emails, especially those with attachments. Don’t click on any links. If you are getting an email from a company that you do business with and it sounds kind of fishy, contact them directly. Don’t email them” back.

Keep in mind also that financial institutions “will not request your personal information via email,” she pointed out.

She also urged viewers to avoid using free public Wi-Fi networks.

“I know that they’re convenient, but if it doesn’t require a password, that means it’s not secure. Any other users on that same network can see what you send. So your personal information, your private documents, your login credentials – all of that can be accessed without your knowledge or permission.”

AI: Yet Another Threat

She then moved on to discuss AI, saying: “Why is AI so popular? It’s because it’s transforming workflows around the world. It’s helping people speed up their daily lives. It’s easy to access, it’s free to use. Is it a fad? No…. AI is everywhere. If you have ever used Siri or Amazon Alexa; if you ever use Grammarly or Google Translate, ChatGPT, … all of these use AI.”

But she was quick to add: “With good comes the bad. Thanks to technological advances, it’s possible for thieves to capture and record your voice and then use software to generate a deep fake version and impersonate you. This isn’t reserved just for celebrities and politicians…. If you get a call and you feel like it’s a little off, it’s not quite right, hang up and call that person back.”

On that same topic, she offered another tip: “Create a safe word…. This works great with young children or elderly relatives. That way you don’t have to do that callback. And then lastly, if you don’t have that safe word set up, try a question that only that person would know. ‘So, what did you have for dinner last night?’ Or the conversation could go like this, ‘Hey, I just want to make sure this is really you. What’s your favorite Disney character?’ Make sure the question is specific enough that the scammer couldn’t answer correctly with an educated guess.”

Stahl also pointed to new software being a challenge, noting that a scammer can “take a good picture of a person fully clothed, and now they can use it to generate inappropriate pictures, and then they can use that to try” to blackmail a victim, threatening to distribute the picture if he or she is not paid.

“You really need to be aware of what you post and how you post, because there are nefarious people that will take advantage of your kids [and] your grandkids,” he said. “Software is good in some cases. But now it can be used for nefarious cases, which is something that you really need to be wary of.”

Regulatory Update

A regulatory update was also provided by Matthew Fujikawa, assistant deputy commissioner and financial institutions manager with the California DFPI, starting with an update last year to Interagency Guidance on Third-Party Relationships: Risk Management.

“This updated guidance includes factors that institutions should consider throughout all the stages of the risk management life cycle, starting with planning, due diligence, contract negotiations, ongoing monitoring and termination,” Fujikawa said.

The updated guidance “lays out the principles to support effective third-party risk management, and it can be applied to really any type of third-party relationship,” Fujikawa said.

“The one thing that we continue to emphasize with all of our licensees is that while the use of third parties can be beneficial to your institution, they also can increase the risk,” Fujikawa said. “The use of third parties does not diminish or remove your organization’s responsibility to perform all activities in a safe and sound manner and in compliance with all laws and regulations. You remain responsible for the compliance of your vendors. And that’s something that is a point of emphasis that we are looking at when we look at compliance at our institutions.”

Fujikawa added: “You can outsource the work, but you can’t outsource the responsibility. That remains with our licensee.”