Welcome to Working Smarter, presented by Calabrio, where we discuss contact center industry trends and best practices, as well as sharing success stories and pain points from some of the most innovative professionals in the industry. We're glad you are joining us to learn and grow together in order to provide world-class customer service to each and every one of our clients. My name is Dave Hoekstra, product evangelist for Calabrio, and my guests
today are Craig Zweber, VP of cloud ops, security and compliance for Calabrio, and Tim Wittenberg, director of information security and compliance for Calabrio. So we kind of have a couple of firsts. This is our first Calabrio-employees podcast, and we've got multiple people on the podcast. Thanks for joining me today.
Okay.
All right. So one of the biggest things that we have seen out in the world, I would say today, but it's been a probably 20-year-long or more problem, is data security and compliance. And I know that at Calabrio we get asked to be responsible for a lot of this quite a bit. And so what I thought would be a really good conversation to have with you guys today is some of the things that
not just an enterprise organization can do, but maybe individuals could do to secure their own data, and making sure that a lot of the information out there, maybe we debunk a few myths today. Maybe we get some good information into the hands of people. And I think, you know, we just want to have a good conversation about data security and what that means, not just to Calabrio customers but to individuals that are out there in the day-to-day world.
So the first thing I kind of want to ask you guys, and maybe this is good to start with you, Craig, is, you know, you told me that there are lots of misconceptions about data security, and I kind of want to start there. Let's debunk some of the myths and some of the ideas that are out there about data security. So in your experience, what are some of those misconceptions that are out there?
Yeah, there are a lot of different things, especially things that revolve around fear, uncertainty and doubt, a good, solid FUD factor, to use the technical term. When you're connected to the internet and use internet services, there's no such thing as perfectly secure. Perfect security is simply not to plug into the internet at all, but then all of our devices and services would be pretty worthless if we did that.
So really good security is about good diligence and leveraging your partners and the software services that you use, and really taking advantage of the security updates and fixes that they provide. Keeping your stuff up to date and new is what keeps us ahead of a lot of the security trends out there. There's a misconception out there that
if I have something old, or something I don't necessarily fix or keep up to date, that might be somehow more secure, when in fact those things are the things that can be taken advantage of along the way. There's also, we get hit a lot by some of our vendor providers that say unless we buy their security product or service, then we are somehow less secure because we don't have every particular bell and whistle available out there in the market. And that's simply not true.
Some just fundamental good security practices that we follow here at Calabrio are just as effective as buying 30 or 50 different products or other services out there. So that's something that even our customers get bombarded with all along the way, by all these people that say they've got the next best security thing. They actually don't; they're marketing their wares, just like the rest of us market our wares that aren't necessarily directly security related.
Well, I feel like, you know, your example of the older piece of technology, I like it because it works. It's never failed me, right? And it's funny, because a lot of the old-school thought process, I think it goes back to automobiles. Back in the day, when automobiles did not have any chips in them, there was no software in them. It was purely a mechanical thing. Those things were designed to last for years and years and years and years, because
you put the key in, you turned the ignition, it was a purely mechanical process. As long as you kept the mechanics up to speed, everything worked. And a lot of people still believe that, right? We're going to talk a lot about my mother-in-law and father-in-law today, I have this feeling. And the problem is that the old-school automobile never had anything updated on it. It was always exactly what it was when it first started.
The problem now with technology is that older pieces of technology, or even newer pieces of technology that have been a little bit farther out from the update, those are the ones that are most vulnerable, right? Because, like you said, people are always creating new ways to exploit them.
One of the things that's happening, of course, in the software industry, and you mentioned a lot of this: computer technology is different than an old car because it has a computer in it, all right, and there's software. And that software is constantly being examined for vulnerabilities by all kinds of hackers and people who would try to steal information. And so literally, if something goes out of date, like an operating system, it basically
turns obsolete, and it's automatically put into the highest security risk because there's nobody patching it or nobody fixing it. And so if you are operating some of that software, you are at risk. So to your point, the older software is going to be the most vulnerable in general.
So when you say at risk, Tim, what do you mean there? Like, what does risk mean in this context?
In simple terms, that just means something that's high-risk is most likely to be exploitable. So just like all kinds of innovation is happening in software in general, the tools that hackers use are also being automated and updated. So it used to be, when a vulnerability or a weakness in software was discovered, it used to take months or years for an automated hack to become available.
That is, a script that can be used to exploit the vulnerability to steal your information if you happen to have the vulnerability. But now, instead of a year or a month, it's literally hours. So when a vulnerability is discovered in a piece of software, you can literally have somebody attacking that vulnerability with an automated script in a matter of hours now. That's happened in the last five years.
So in that example, let's use the world's most popular operating system. I'm not going to say what it is because we don't want to do that to them, but let's just say I have a lot of them in my house that I use to view my street during the day. The minute a new version comes out, it is automatically being attacked by automated scripts. Is that kind of what you're talking about?
I would say within hours, yeah. And the reason for that is the tools have become automated, and the process for writing scripts has become more and more automated over time. So it's just, you know, the general watchword is, like Craig said, keep your software current. If a patch comes out, apply the patch. On your phone, when a new version of the operating system becomes available, update it, apply the patch. Take the few minutes of time.
People don't like to do those updates because it takes a few minutes. It's well worth it, because it is going to buy you more security.
Yeah. And I think that's a great point that you guys are kind of trying to make, is that, you know, when my father-in-law looks at his phone and it says there's a new update, his fear is that something's going to get moved around, his fear is that a word's going to change, or he's not going to be able to find the same app that he used to have. But in reality, isn't that kind of just the very tip of the iceberg that we see? What's really happening
in those updates is that all of those vulnerabilities are being taken care of that were discovered in that timeframe.
Exactly. Okay.
I think that's a great point to make, is that we all tend to look at these updates as visual or UI based, but in reality they're probably almost exclusively security based, so that should give people an idea of what we're facing here. So it's interesting that we've kind of talked about this, and you guys are trying to educate people, which is just great. But there are a lot of organizations out there that kind of live and die by these particular approaches.
So these are something that I know we at Calabrio, and you guys in particular, have to deal with a lot during the day to day, but there are a lot of different organizations out there that provide certifications of security. Now I know probably yours are a little more focused on the enterprise software side, which is great, but, you know, we talk about some of the really big ones
like GDPR, or those types of things, but what are some of the certifications you have to deal with on a day-to-day basis, and how do they help organizations secure their data?
Sure. So we have three main certifications that we obtain every year. The first thing I would just tell you, though, is that we actually operate a security program that's based on something called the NIST Cybersecurity Framework. So Craig was mentioning some misconceptions about security. There are lots of those around. If you want to dispel all of those misperceptions, go and read the NIST Cybersecurity Framework, because
it will tell you exactly how to secure confidential information of any kind. So one of the great secrets is there is no secret, right? The way to protect information is well documented and well understood by security folks. So anyone can go read that, but so
like a good, solid 15, 20 minute read?
More like 15 to 20 hours. So I don't want to kid you, there's, you know, a lot of kind of jargon in that, but it does give you pretty much very straightforward instructions on how to protect that data. So we have basically adopted that program. And it lays out a number of capabilities to protect information. And what we do is set up those capabilities in our company. We've already established them.
And what we're doing year over year is maintaining the maturity, measuring the maturity and improving the maturity of all those different capabilities to protect information. So where the audits come in is, we have three different ways of checking, using outside parties, how effectively those different protections are working. And so the first method we use is we have something called a SOC 2.
And that goes and looks at all of our different infrastructure components, the servers and the databases and the different software, and it checks to see how well we're protecting that information, the software, the systems, the data. And so that's important. The other audit that we get is an ISO 27001 audit. That one is more important from our international
perspective and our customers out in the world, because it's just widely known and, I guess you'd say, more respected out there in the international markets. And then the third one we get is a PCI. So we are not a credit card processor under PCI; we are what's called a service provider, because we provide a service to our customers who may or may not process credit cards. And so we get a third one called the Attestation of Compliance from the PCI world. And so all those audits basically
essentially provide assurance to our customers that we're serious about security, and we have third parties come in and validate that our security is operating effectively each year.
And Craig, what kind of work goes into securing... I mean, I don't even know what the right terminology is, passing those audits, securing those security certifications. What kind of work goes into those processes?
Yeah, all those, as Tim mentioned with the security capabilities, each capability has got a review process or procedure around it. So you can think of who has got administrative rights into a particular area of the application. We have to review that list of administrators on a periodic basis and prove to the auditors that we actually have done that review, and prove that we've taken any appropriate action should we find something misconfigured in that particular review.
So every single one of those rules that are in the NIST Cybersecurity Framework has another process or rule around it that we have to show that we are actually following the security best practices. So we have a bunch of manual processes. I like to call them the army of people with clipboards, right? They go around and, you know, they might manually go through the checklist and ask us, hey, did you perform your security audit this month?
Or this week, or this quarter? We collect that data, other things, and what we're working more towards is to have the computers help us audit the computers in the end. So it's a term that we've worked to coin, Tim and I here, called continuous assurance. It's becoming more broadly accepted in the industry, where we don't necessarily come around and do audits on a periodic basis.
We are working to actually programmatically detect every single change and make sure that every single change actually stays in compliance. So that will save us a lot of time. We can start to reduce the size of that army of people with clipboards and go towards all automated processes around that.
So it's a 24/7 thing. It's not a, whew, we're done, okay, now I can stop for six months and stop thinking about this, right? It's kind of a continuous process.
24/7/365. Yeah. Yeah.
No holidays either.
Well, that's why you guys are so well paid and good looking, right? It's the super glamorous life of information security out there.
That's right.
Now let's take someone who might not have the greatest understanding. I mean, we've thrown around some really good jargon today, right? ISO 27001. And, you know, really kind of interesting, but if I were kind of starting from, maybe not scratch, but, I mean, you know, from an enterprise standpoint, where could I really go to start to understand what's going on?
So, Tim, I think, you know, you gave me some pretty good ideas when we talked before about some really simple things to do, but, you know, maybe let's start with: what are some simple things that people can do to understand, and then maybe progress to a little bit more complex?
Sure. So I think, as we've stated here, that, you know, good security really involves a lot of common sense. And so, for example, passwords. We've talked about using passwords that are too simple. So, you know, there's kind of a joke about, you know, somebody hacked my password, now I have to change the name of my dog, because my password was my dog's name. Right? Those sorts of things. And so use a longer password. Those are generally more secure. Mix it up.
So don't use dictionary words, because the common method of hacking passwords is to have a huge list of commonly used words and phrases. And if a hacker gets a hold of your account, they're going to try all sorts of known phrases and words. So mix it up, add some letters and numbers, make a long password. Probably one of the biggest things is don't reuse passwords from your personal accounts.
Don't reuse those passwords for your Calabrio accounts or accounts that you use for business. And one of the reasons for that is there's a website called haveibeenpwned.com, and we can talk about how that's spelled, but they keep track of all the hacked passwords. And there are billions, literally billions, of hacked passwords. So if you reuse one of those, if you used that for a Calabrio account, then you're vulnerable, because a hacker can basically pull up that huge list,
try, you know, if they guess, and that's your Calabrio account, they're in. So simple thing: don't reuse passwords.
Personally, I cannot believe that the word pwned is a word. That's something that kind of originated from online gaming, and it was just absolutely the most slang of slang words. And now I'm listening to two information security professionals using the word pwned. I love it. That's great. Okay. So sorry, continue. Passwords is an important part. What are some of the other, maybe, areas that we could...
Sure. So let me keep going on that point. So I've had an email account at Comcast for something like 15 years. And so I went to that site, checked it out, and it turns out the password has been stolen something like 13 or 14 times. So instead of me panicking, I went and changed my password again. But then I also turned on this thing called two-step authentication.
So general point, if your service, if it's Facebook or, you know, some Calabrio service that's being used in the company, turn on the two-step authentication. So what that basically is, is instead of you just authenticating with a password, you may also get a text message that gives you a little code, and it shows up on your phone, and then you put that into your account. And then you have to log in with both a password and this extra number, extra PIN code.
So things like that are very effective at keeping this hack attempt method from working. So somebody finds a stolen password from one of your old accounts and you have reused it on our customer account. If you've got, you know, this two-factor or two-step authentication activated, that will stop it. So I keep using my email address, the same account that I've had for years and years,
because I've turned on the two-step authentication, and people should be doing that in general, everywhere they can. And yes, it is more time consuming, but believe me, the peace of mind is well worth it.
Okay. So those are great from a personal level, right, and enterprise level. I mean, obviously my password to log into my email and things like that, whether I'm doing personal or my work email, is important. But what about more on the enterprise level? What are some of the places that someone could start with a good strategy?
Okay. So there's that, the password management thing is pretty good. And then the other thing is just to think about phishing emails. So I think we've all talked about phishing emails, and from a corporate perspective those are very deadly, because if you get an email in your corporate inbox and it is a phishing email and you click on the link, what happens is that email will generally, if you click on a link or an attachment, it'll download
malware right onto your workstation. And that bypasses all of the other protections that we put in place, like firewalls and, you know, all of these various layers of intrusion detection and so forth don't work, because you've clicked on an email and it put, you know, malware right onto your laptop. And there was nothing we could do to stop that. So being careful about, you know, recognizing phishing emails, we train on that every year. You know, they tend to create a sense of urgency.
Hey, you know, this is Chase Bank, you've got something wrong with your account, click on this link right away. Well, you can get those in your corporate inbox just like you can in your personal inbox. So it's especially important to be aware of those things in a corporate environment. I think I'll just stop there. You know, I'm sure Craig's got some comments on that too, maybe.
Well, and Craig, that's what I was going to ask, is kind of just going along that exact line. So passwords and phishing, are those the two biggest vulnerabilities that are out there? And if there's one bigger, we'd like to know, but otherwise, what are some other things that maybe they have to be careful of?
Those two things are definitely big on the social engineering side of things, taking advantage of what people know, or taking advantage of behaviors to gain a leg up. That's definitely a way to protect yourself over there: be aware of those passwords and phishing. On the corporate side, and we touched on it, keeping things up to date is critical, right? And leveraging those reputable services out there,
folks like Microsoft and AWS, they spend billions of dollars on information security to provide secure services out there. So leveraging those services, trusting those services and accepting those updates from those people. They know better than us as individuals, and only the largest of the largest enterprises can spend that much money on security every year. So leverage what they have to offer, leverage what they preach, and definitely take those updates. Keep things up to date.
I keep hearing a phrase that pops up, not necessarily in this discussion, but many other times. What is a pen test, and what do those do for us?
So a pen test is where we literally hire third-party hackers to come in and try to hack our software. So in our case, we run a pen test every year of our Calabrio ONE software. And we hire third-party hackers each year to come in, and it's kind of an open-door test. We give them an account, we give them a password. We say, here you go, see what you can do, try to find vulnerabilities in our software. And we take the results extremely seriously.
So if we find anything at all, we quickly go fix those things, so that, you know, it's not the true hostile hackers that are finding these things for us. We are obviously on a hunt to find them and fix them first.
So, which is a bigger danger to an organization: social engineering, hacking, or phishing? If you had to pick the worst one, which one is the one that makes you lose the most sleep at night? Craig, what would you say?
Phishing, definitely, just because it creates that sense of urgency. After that would be social engineering. Phishing is a type of social engineering, but social engineering, those who are kind of vulnerable to the fast talker, right? You get that phone call and suddenly you're really interested in the conversation. And you just have to stop and think, wait a minute, why would my bank call me or send me an email asking me to verify my own information? That doesn't make any sense.
Yeah. Why wouldn't my bank call me to tell me there's a problem with my account, and the only way I can fix that is to give you a gift card code off the back of a gift card? Yeah.
Or I get a text message that claims, hey, this is my CEO, right? I'm in this important customer meeting and we forgot to bring, you know, the gifts for them. Could you go to the store and pick up several $500 gift cards?
It's crazy. I'm sorry. Crazy you mentioned that, because yesterday I got a text message from my son's president of his... yeah. And I had never heard of that particular social engineering hack. And so I sent my son a text. I was like, I think I just got a text that was meant for you. And now, granted, there were no links, and I was literally in my head trying to conceive how this would lead to a scam, but you just laid it out for me right there.
If I had texted back and said, hey, what's up, I probably would have gotten that exact message of, we need to go get some gift cards for these people in this meeting, or something like that. Huh? Yeah.
Well, it plays on our natural wants to be good servants, to be good employees, to be good people, and help others out. Well, though, the hackers will attempt to play on that, to take advantage of your good nature to help people out and get something for themselves.
Well, you said something that I think will really stick with a lot of people. You said you don't need expertise. Is that fair? How does that phrase work in your head, to secure your own data? What does that mean?
So I think people think, one of the misconceptions is that to be secure, you have to be some sort of wizard at, you know, all this secretive technology
and from The Matrix, you have to be,
you have to be able to crack all this fancy encryption. You know what I'm saying? And,
a hacker for 20 years before you earned your stripes, then you're an expert hacker.
But if you think about what both Craig and I have been talking about, you get more bang for your buck, if I can use that expression, you know, more return on just doing common sense things, you know, keeping your passwords current, updating your software, keeping that current, being careful not to click on suspicious emails. None of these things are very technical or very complicated. And so literally just common sense is going to give you a very good result.
The thing that I've taught my kids throughout their life, and, you know, my family, is that we as human beings have a very finely tuned sense of things not being right. But we've been taught our whole lives to ignore it, whether it's to be polite or to go with the flow. And what I teach them is that if their brain ever says, huh, that's weird, they really need to listen to it.
That part of your brain that says that. We've all gotten the emails that say, you know, hey, this is PayPal and you need to click on this link. And if we just went, hmm, that's weird, and then took one extra step to verify that, oh, wait, this came from, like, some Russian link in the email address, it's like, okay, I'm not going to click on that. But I think you're right. They are very good at tapping into
primal emotions of doing good, or helping, or fixing something that's broken, right? What's the old saying, that if you ever want to get responses on the internet, just post something that's incorrect and you will absolutely get it. I'm sure I'm butchering the phrase, but that's the idea. And so I think that that's really the point of what you guys are saying, is that I can have the highest-ranking level of
internet security that there ever was, but without the instinct of something's not right here, it's not worth very much.
That's right. That's right.
All right. Well, this has been absolutely... I mean, honestly, I didn't think we could possibly make a fascinating conversation out of this. And that's not a knock on you guys and what you do, but we've actually done a really good job, and I'm actually immensely proud of us, if I can toot our own horn for just a minute here.
So yeah, I feel like this has been a really good one. What I want to do is first ask you guys, is there anything else that you feel is really important to pass along to the listeners of the Calabrio podcast here that could help them in their journey?
If you see anything suspicious, I mean, report it. I think we're getting trained to do that in the days of terrorism and all that stuff, right? So on the security front, yeah, report it to your local security official, report it to your local security director. Don't call us directly; we simply don't have enough time to respond to everybody, but if you see anything with any of our products and services, definitely call our support line. We're here to help.
We're here to fix and make sure that our customers have got the best service possible.
So, okay, fantastic. So you are endorsing that if something does pop up that raises a red flag for one of our users, support is the way to go through?
Absolutely.
And support them in the best way possible to ensure that our customers stay secure.
Right. And would you say there's no red flag to...
I would say, absolutely. So don't ignore your instinct, right? If something doesn't look right, you should definitely raise your hand and let somebody know about it.
Fantastic. Unlike Tim and me, our support staff are very friendly and loving.
There's more of them than there are of us.
Yeah, you guys will hear about it, but, you know, let's follow the proper protocol here. No, this has been great, you guys. I can't thank you enough for joining. I think this is going to be a really informative discussion that a lot of people are going to find some tremendous value in. So I appreciate your time, Craig and Tim, and look forward to hearing more from you over the years.
I have to say, you guys did a fantastic presentation a couple of weeks ago, which kind of led to this podcast, which is really great. And I thank you guys for putting that together and really spurring a good discussion here on data security and what we can do there. So for those of you listening, thank you guys again for giving us some of your time. We appreciate it. And as always, if there's anything we can do for you, we are available at calabrio.com.
Please don't hesitate to reach out if there are questions we can answer, or if you have a great idea for more podcast episodes, let's have a chat about it. So Craig and Tim, thank you guys again. Thanks, everybody else. Have a great rest of your day, and we'll talk to you soon on the next episode of Working Smarter from Calabrio. Thanks, everybody.
