Part I: Worse than Giving a Speech in Your Underwear…
You know that nightmare where you are running late and find yourself in front of an audience in your underwear? Well my IT nightmare is worse. In it, our systems are hacked and every single email becomes public. All our dirty laundry gets aired in public, and a ton of sensitive, often personal, and frequently very embarrassing information gets posted online for all the world to see. Yep, much rather be making a speech in my skivvies than dealing with that.
See, the environment around cybersecurity has shifted enormously in the five and a half years I’ve been at PulteGroup. We’ve always taken cybersecurity seriously- it’s always been top of mind, but previously we could take some comfort in knowing we were not a target-rich environment like an Equifax or Home Depot. Outside of Pulte Financial Services, we don’t have much Personally Identifiable Information (what cyber geeks call “PII”) and we don’t conduct high volumes of online transactions.
Over time though the threat risks have expanded and become more critical. Back in 2014, Sony Pictures suffered a security breach where the goal wasn’t to steal personal information or credit cards or Social Security Numbers. Those hackers had the sole objective to destroy the company’s reputation by stealing and releasing intellectual property and email. Add reputation destruction to the list of information theft, data ransom hacks and the growing threat of state-sponsored cyberattacks, and you understand why I wake up at night screaming from a fear-induced nightmare.
While we’ve consistently built up our cyber protection capabilities, we decided to further formalize our security program coming into 2018 by bringing in a chief information security officer (CISO). I am extremely pleased to announce that a couple of months ago we hired Kevin Morrison, who was formerly CISO at Jones Day. Kevin is a cyber-ninja with one objective: keep the bad guys (and girls) out!
Cyberthieves would love to breach our walls and destroy our corporate reputation and the trust people have placed in Pulte — it’s my job, it’s Kevin’s job, and it’s really everyone’s job to keep that from happening. Technology and cyberthreats are changing at warp speed, but we are working really hard to keep pace.
We keep adding layers of security in the form of sophisticated tools and technologies. We are even using artificial intelligence and machine learning to identify patterns of behavior and adapt to new scenarios. One of our newest tools continuously monitors our entire environment for minute changes and patterns of behavior that are outside of the norm. When we identify something we quickly dive into it and if it’s a threat, neutralize it. You know, if not for there being so much at stake, it would almost be fun- like a great game of cat and mouse. Except we’re always the mouse. So, on second thought…. maybe not so fun.
Let me mention two keys to the success of our cybersecurity program: being vigilant about applying software patches, and putting a huge emphasis on user awareness. And please note that you can’t spell user without U.
To the first point, we’ve gotten much faster at patching. We’ve automated the testing and application of patches, so when we get an alert from the FBI or another security group we can jump on it immediately. We’ve avoided many spectacularly unpleasant attacks as a result of our relentless drive to keep systems patched.
To the second point, our security can’t protect for every circumstance and that’s where user awareness comes in. By far the most common threat we experience is email phishing where attackers target employee email accounts for the sake of gaining access to data or for ransomware purposes. There have been numerous attempts to get Pulte employees to wire money to fraudulent bank accounts; though none have been successful so far, they get more and more sophisticated.
Cyber threats aren’t limited to employees, as our customers can be at risk too. Keep in mind, we’re not just a homebuilder but a mortgage company, which makes us a tempting target. From the attacker’s perspective, we are a transaction-based organization that has customers and customer email lists that can be vulnerable to an attacker who can then target our customer directly. Attackers have been successful in compromising Pulte customers’ personal email accounts to launch sophisticated phishing scams.
You may have noticed that our employee phishing simulations are getting more devious. That’s because the bad guys are getting sneakier in their efforts to breach our security. If you were hesitant to click on the email a couple of weeks ago asking you to change your secret security question, good for you! And you were in good company; Ryan Marshall was one of the first to ask me if the email was legitimate* or if it was another test. This shows that PulteGroup employees are being ever more vigilant in protecting our brand and corporate reputation. Well, most are- some people still fall for our tests. Don’t be one of those people, because we just might start posting names on MyPulte…
That’s the end of Part I; I hope you have a better sense of what keeps me up at night. Stay tuned for Part II: Tips for Practicing Safe Security at Work and Home, coming soon.