Corpay SVP & Chief Information Security Officer James Edgar joins host Brennan Robison to discuss trends in cybersecurity threats businesses are facing around the world.
In this episode of the "Smarter Payments" podcast by Corpay, Brennan Robison, Director of Corporate Communications, interviews James Edgar, Corpay's Senior Vice President and Chief Information Security Officer, about cybersecurity strategies for companies. Edgar highlights the increasing frequency and sophistication of ransomware attacks, noting that 40% to 80% of companies pay the ransom. He discusses his extensive career in cybersecurity, spanning over 20 years, and his current role at Corpay.
Edgar explains the growing number of cyber-attacks, often state-sponsored and linked to geopolitical tensions. He emphasizes the importance of strong cyber defenses and compliance with evolving regulations, such as the SEC and PCI standards. AI's role in cybersecurity is also explored, with Edgar describing how it can enhance threat detection and reduce workloads.
The conversation touches on the critical role of employees in cybersecurity, urging vigilance and awareness. Edgar concludes with tips for combating cyber threats, including diligence in email handling, adherence to policies, and flexibility in adopting new controls. The episode underscores the importance of a proactive and comprehensive approach to cybersecurity in today's environment.
James Edgar intro: 40% to 80% of companies who suffer ransomware attacks pay the ransom.
Brennan Robison (host) intro: Bad actors bent on committing cyber-attacks are getting more creative and aggressive by the day, making a strong cyber defense more vital than ever. This is Smarter Payments by Corpay. I'm your host Brennan Robison, Director of Corporate Communications for Corpay. In this episode, Corpay Senior Vice President and Chief Information Security Officer James Edgar shares cybersecurity strategies that help companies process payments safely. Here's our conversation.
Robison: Hey, James. Welcome to the show.
Edgar: Hey Brennan, thanks for having me.
Robison: Well, before we get started, let's take a minute for the folks to get to know you a little better. Why don’t you give us a brief summary of your career and how you came to Corpay.
Edgar: Sure, so about my career, we’ll start with cybersecurity. My career in cybersecurity started over 20 years ago, so back in the day, I was doing consulting for the State of Georgia Department of Corrections, and around that time the state was looking to acquire more federal funding, and one of the requirements was that their major agencies had to have a dedicated information security officer, which the Department of Corrections did not have at the time, so they approached me and said, hey, you seem to like IT stuff, you know network stuff, you know firewall. So, hey, you probably can do security stuff, too. So, that was kind of my first step into information security and cybersecurity. From there, I was there for a while and enjoyed that, learned a lot, moved on to a large data broker here in Atlanta, ChoicePoint at the time, now part of LexisNexis. I learned a lot because they were big into data security and being at a much more mature program than what we had at the State. From there went to Cox Communications, led their security architecture and compliance teams. And then after that went to Elavon, which is part of US Bank, and that's when I got to the payment services. So, I served in a sort of similar role at Elavon doing their security assurance and security architecture and then eventually ended up here at FLEETCOR at the time, now Corpay, as their CISO. That was almost seven and a half years ago. So, doing it for a while and I've enjoyed it since day one.
Robison: Indeed. So, you just cited your title in addition to SVP Chief Information Security Officer known by that acronym know I've heard CISO. So, and again you pronounce it see so. Correct?
Edgar: Yeah. I always call this about you add, right? Yes, Sizzo. You know, it depends on the person and where you’re from.
Robison: We’ll stick with that. Well, let’s jump right into the topic. There have been a number of high-profile cyber-attacks in the last year. I was looking at the headlines, hackers linked to China and Russia attacking entities in other countries, some with political motivations. Others, of course, just out to extort money from companies. First, are we seeing an uptick in the number and scale of cyber-attacks? And if so, why is that?
Edgar: So, I mean, it seems like cyberattacks increase every year, which they do. Ransomware, for example, has been increasing year over year, slowed down a little bit, if you will, in '22 and '23, but in Q1 of this year, we're seeing an uptick, I think a 24%, 25% increase in ransomware attacks. We’re just going to continue to see that. It makes money, a lot of companies pay it. I think depending on who you go to as a source, anywhere from 40% to 80% of companies who suffer ransomware attacks pay the ransom at some level. And as you mentioned, there are some very big ransomware attacks. You look at MGM casino in Las Vegas, that was impacted last fall. They had a ransomware attack. They refused to pay the ransomware, but they ended up paying. What it cost the business was actually two and a half times more than what the ransom was, upwards of a hundred million dollars. So, it’s very expensive. It’s very impactful. And again, like I said, a lot of these companies are being impacted by this, and unfortunately, they're paying them, paying it out. So, these bad actors are continually incentivized to come in and continue to try to deploy ransomware.
Robison: So, yeah, clearly it’s very profitable, and that would suggest there are many more attacks coming.
Edgar: Yep. Yep. Absolutely. So, we don't see that slowing down anytime soon. You mentioned kind of getting into the geopolitical world of it. You know, obviously last year and into this year, with all of the geopolitical turmoil going on right now, you see obviously with Israel and Hamas, the wars going on in the Middle East. You've got the Ukraine-Russia war that continues to go on. There’s escalating tensions in the South Pacific around Taiwan and China. So, you also see a lot of activity related to those. A lot of those are state-sponsored, a lot around espionage, but you see that spill over into the commercial or into the business world. So, a lot of these businesses service a lot of these government agencies. So, we've seen a number of third parties that are tied in to significant organizations where they're impacted because they're using them to leverage another, their actual target, and beyond that, even as recently as a couple weeks ago, the White House released a warning, kind of to everybody, saying, hey, you know what, we need to keep an eye open. Our critical infrastructure within the U.S. is at risk and/or is already compromised by some of these state bad actors as they try and get a foothold, you know, as these things escalate around the world.
Robison: So, when a large publicly traded company or a government entity is attacked we tend to hear about it. I would imagine there are a lot of smaller ransomware attacks that we don't hear about.
Edgar: Absolutely, absolutely. A lot of smaller companies don’t want to declare, and especially if you look at our current regulatory landscape, if you are a publicly traded company now, with new SEC rules, you have to declare an incident, a material incident, which a lot of companies have to define what that is, but in many cases it means they're going to err on the side of caution. So, you know, we're going to declare this. So I think that’s another factor we’re seeing. It seems like we’re seeing a lot more of these, but it's a lot of these bigger companies that are publicly traded, like, you know, we want to, like I said, err on the side of caution, make sure we declare this so we don't run into any regulatory problems. Like you’re saying, a lot of smaller companies, and ones we don’t know about or hear about, are likely impacted and paying these, never even saying a word.
Robison: So, you mentioned regulations. What are the regulations that are constantly evolving. What's new in 2024, and how can a company stay up-to-date on the regulations?
Edgar: So, absolutely. The SEC is a big one that came out the end of last year. You've got a lot of industry changes like PCI version 4.0 started this year that are impacting companies that make sure that if you have a breach or an incident, you need to declare that. You’ve got a lot of these privacy laws that they keep ratcheting up, more state privacy laws were coming out, and even when you get into the talk about artificial intelligence, right? A lot of these, like the EU, even the U.S. White House, are coming out with regulations and guidance around how you use these technologies to protect your consumers, protect your data and ultimately prevent that cyberattack or breach. It's challenging. As you know, Corpay is a global company, payments processor. So, we touch a lot of different areas that are regulated. So, we have to be very careful in how we implement our technology, making sure that we are in compliance with these different regulatory and industry bodies out there and their requirements. So, you know, we take a very deliberate approach in our compliance. Probably one of the simplest things that we can do, what we do, is have a common control framework, because at the end of the day a lot of these regulations and these industry standards have common controls, similar controls. Hey, you need to put a firewall in place. You need to have endpoint protection. You need to have encryption. So being able to map out what your control set is, making sure that's applied against all of your enterprise and all of your critical applications and systems, helps give you a leg up and make sure that as a different regulator comes in or a different auditor comes in, you can quickly kind of say, hey, yeah, we have that control in place for anti-virus. So, hey, this is what we do for anti-virus, or hey, we had this control for firewalls. So, here's what we do when it comes to firewalls protecting our internal network.
Robison: So, would you say these regulating bodies are leading the charge and creating these regulations or are they playing catch-up?
Edgar: That's a great question because I think in many cases it's both. Sometimes they're a little bit behind the curve and they're trying to catch up, in certain aspects, and you look at maybe the SEC for example, you know, some of the cyber stuff that came out with NYDFS, which is the financial regulator in New York auto companies are basically operate out of New York. They're trying to catch up, they're trying to get ahead of it and say, hey, you know what, we need to do a better job. We haven’t been doing a great job as we see some of these companies get compromised, and they're not doing a good job of declaring it, not doing a good job of reaching out to the consumer. So, you see folks like companies, or entities rather, like the NYDFS and some of these, the SEC, trying to say, hey, let's get caught up and make sure we at least are kind of on par with where we believe companies should be. Like I mentioned with the AI stuff, you see the EU, even like Italy, countries themselves trying to stand up their own regulations and drive architecture, drive the policies around that so that businesses are able to properly protect the data and they don't get too far out ahead of where they are as a regulator, making sure that people's privacy, people's data, consumer data is protected properly. So, you kind of see both. I think they’ve wisened up and now as these new breakthroughs in technology like AI come up, they’re saying, you know, we can't do what we did in the past. We’ve got to get out ahead of it.
Robison: A moment ago, you mentioned everybody's favorite topic these days, artificial intelligence. Should every company be looking at AI as a means to protect itself from cyberattacks?
Edgar: Now, I definitely think AI will be, or artificial intelligence will be, a game-changer. It'll be a game changer on both sides. You know, there's a lot of hoopla in the past year and a half about it, especially when ChatGPT came out, OpenAI announced it, and a lot of excitement, a lot of anxiety, a lot of concern, but I think at the end of the day, it was, oh, hey, don't panic. This isn't, you know, this isn’t the end of the world. This isn’t Skynet coming down. It's, let's take their technology as we can, implement it and apply it in real world scenarios, take advantage of it, and we're starting to see that now, right? On the cyberattacker side, the first thing we saw was around phishing. So, some of these entities, cyber criminal gangs, who English, for example, isn't their first language, they were able to leverage some of these tools like ChatGPT and come up with some pretty good, impressive emails that look legitimate, look like they, you know, they could feed it in data from different corporations and different messages and come up with an email that looked pretty convincing. So, we started seeing that, you know, even early in 2023, but then now we flip to the cyber security protection side. One area that we're seeing a lot of this now come to fruition is around security incident and event monitoring and management. So, these are tools that we dumped a lot of logs into, all our different security tools and controls, and then it's designed to kind of filter through that, help us identify anomalies or suspicious activity. AI is great at doing that because it streamlines that whole process, you can automate a lot of that. So, you see the big vendors like IBM, they're doubling down on their Watson AI, CrowdStrike another big one out there with their Falcon XDR.
So, they are taking what they call Charlotte AI, plugging that in, and really improving the overall automation orchestration to make responding to these incidents a lot quicker, as well as also, hey, we can identify that kind of needle in the haystack because we can connect the dots a lot quicker than the person sitting in front of a screen going, hey, you know what? This log came in, this came in from this system, this user's doing something suspicious that's often out of hours. Putting all these pieces together could take a few hours for an analyst to sift through that, but the AI allows them to quickly be able to connect these dots and be able to identify potentially a breach a lot quicker than before.
It also reduces the workload. If you look at Microsoft, for example, they have their Copilot, the Security Copilot. So, they kind of did a soft launch in March of last year, and through that soft launch and analyzing the improvements, people who were using that beta version reduced the amount of time it took to identify an incident by 40 percent and reduced their workload. So, which is music to my ears, because if you've tracked the cyber security field and how it's grown so much over the past few years, there's currently a four million job gap in cyber security globally, and it's not something you can fix quickly, and even bringing in new folks into cybersecurity takes time to get up to speed and understand what an analyst does, what an engineer does from a cyber security standpoint. So, having AI be able to improve that takes that workload off. It puts less pressure on teams that are under-resourced and just don't have the staff to keep up with all the growing alerts and logs coming in.
Robison: Certainly. Let's talk about the role of employees, especially those who are not IT savvy. It's common for companies to keep their own employees on their toes by sending those simulated phishing attacks. It's very satisfying to click on that report phishing button in Outlook and receive the congratulations for passing the test alert. That's a lot of fun. So, where are we in terms of employees being educated enough to be part of the solution to strong cyber defense instead of part of the problem?
Edgar: So, you hit the nail on the head, you know, people are part of the solution, and that’s how they should position themselves and see themselves. And the way I look at it, people are the first line of defense, and they’re the last line of defense. So, in many cases, you're the first one who's going to see potentially a new threat, or you're gonna be someone that, you know, you get that WhatsApp message that comes through that looks like it's coming from our CEO, but you know better. But you're also the last line of defense. You know, at the end of the day you see something and it's like, this doesn't look right. Maybe I need to go let security know or go let my manager know. You could be having someone who already got into our network, who was trying to, quote, live off the land and had been able to subvert all of our controls. But you say, you know what? That's weird. It doesn't make sense. It reminds me of a recent incident, not at Corpay, but where a state-sponsored bad actor had spent two years working their way into an open source forum in order to install a backdoor, and this backdoor was in a software package that would have been deployed to a very common operating system that is used globally by almost every Fortune 500 company, large government organizations. So, this bad actor spent two years gaining the trust, getting into this forum, taking over the forum, and then inserting the backdoor into the software. It was getting ready to be launched as an update to the operating system, which again would have opened up hundreds of thousands of millions of systems to these bad actors, had it not been for one developer, I want to say a Google developer, who was looking at this new patch and getting ready to install it and noticed that there's a little spike in CPU, and he's like, that's weird. So why is it doing that? As he dug into it, he was the one who discovered there was actually a backdoor. This is not operating right? This is funny. What's it doing?
Oh, it's making this call out here that doesn't look normal, and discovered it. So, you know, this software goes through scanning, goes through testing. Had it not been for this one individual who found this one little flaw that looked abnormal, you know, we could have had a huge, this would have been worse than SolarWinds, or the MOVEit vulnerability last year. So at the end of the day, like I said, it's people who make the ultimate difference. They're the ones who can see, and they know how the business runs. They know how this application works. They know, hey, this is normal for this time of day. You know, I usually see these file uploads now, but what happened wanted to change, or why do I see too many files going up there? You know, that sort of thing that, until AI gets to that level that, you know, we haven't gotten to yet, which is going to take a while. It's so important that people understand that, you know what, you're the first and last offense. You can't just rely on all the security controls that are out there, that you really can make a significant difference protecting environment, protecting your business, potentially protecting a lot of other businesses.
Robison: Well, yeah that story you cited had a happy ending but rather scary that it was just one person away from disaster.
Edgar: Yep, and unfortunately a lot of times, that's what it comes down to. It only takes one mistake or one click on the wrong link, and you're going to have a really bad day for sure.
Robison: For sure. Well, why don’t we wrap up our conversation by having you give us some tips or recommendations to combat the growing sophistication of bad actors in a challenging cybersecurity environment.
Edgar: Sure. Absolutely. And first off, like we mentioned, going back to the human factor, is, you know, have due diligence, you know, make sure that you are paying attention to what you're clicking on. If you don't recognize something, you weren't expecting an email from someone, or you see something that just doesn't look right, you know, see something, say something. We're going to work on better awareness and training for everyone. But at the bottom line, you know, if you see something that doesn't look right, don't be afraid to say something, raise your hand and open a ticket. Beyond that, you know, make sure you're following the policies, right? You know, we think about, like, AI for example, so a lot of people want to get into artificial intelligence, ChatGPT. We want to be careful about where we put our data, where we send our data. We don't want to put it in the cloud. We don't want to put it into an AI engine that hasn't been vetted or we don't know where that data is going, because once our data gets out there, we can't get it back. Other things that we need to look at is, as we work through these different regulations that we talked about earlier and different industry standards, there's going to be change coming, so we have to be flexible and willing to adopt some of these new controls that are being required. There are a lot more controls about multi-factor authentication, around data loss prevention and encryption. So, it's come to a point where we have to continue to change with the technology and how we operate and what we do as a business. I think that's going to help us if we could recognize that and work together. I think that's gonna help us get along a lot quicker and be able to achieve the goals that we want, to make sure that we're compliant, make sure that we're secure and hopefully, you know, knock on wood, avoid the next breach.
Robison: Very good. Well, James, we appreciate your tremendous insight on this topic. It's just going to get more complex and challenging in the future. James Edgar, Chief Information Security Officer for Corpay. Thanks, James.
Edgar: Thanks, Brennan.
Robison: That's it for this episode of Smarter Payments. Thank you for listening. Be sure to follow the show wherever you get your podcasts so you don't miss an episode. Smarter Payments is a production of Corpay Incorporated, copyright 2024. I'm Brennan Robison. And we'll see you next time.