Capital One Fraud Seminar Recap

Michael Pitcher, Vice President, Technical Cyber Services, Coalfire Federal

I was recently honored to be invited as a panelist at a seminar hosted by Capital One Spark Business to share some views on fraud prevention and cybersecurity with their customers. I was joined by a few other industry experts, Gerald Glickman, a Manager of Capital One’s Fraud Analysis team, and Jennifer Smith, who led the Cybersecurity and Data Privacy group at the Shulman, Rogers, Gandal, Pordy & Ecker law firm, to round out a diverse group from various parts of the industry. Each of us deals with fraud daily, but we have very different roles: Jennifer on the litigation side, Gerald from inside a bank, and myself from the technical perspective.

The questions from the audience had a similar undertone of fear and uncertainty. Most attendees had either been a victim of cyber-related fraud or knew they didn’t understand it well enough to feel they could defend against it. We covered topics such as ransomware (including a discussion of Bitcoin), phishing, insider threats, and CFO fraud. Between the questions asked by the audience during the panel and the conversations I had with business owners both before and after the event, I empathized with many who didn’t know where to start. Many of them had IT firms they worked with for basic administration, but had no idea what those firms were doing in terms of security. When I asked attendees about some of the basics, such as vulnerability scanning and hard drive encryption, I was presented with blank stares or even more questions about what I was asking. Forget multi-factor authentication and locking down hardware with strong security configurations.

My general message had to come up a few levels, asking if cybersecurity had been budgeted for, and if anyone within the organization had cybersecurity responsibility. These questions were well understood, and the answer was usually no from attendees.

Large organizations spend millions on cybersecurity for a reason: they understand the reputational and financial impacts of an incident. Small businesses need not spend millions, but asking the right questions of third-party IT firms and getting internal training for users and administrators is a good place to start. The basics of cybersecurity don’t need to come with a large price tag. Multi-factor authentication can be had for $1/user per month. An industry-leading vulnerability scanner can be purchased for less than $2,000.

Coalfire can help as well of course, offering Vulnerability Assessment as-a-Service (VA3S) and Virtual CISO services, so organizations can buy fractional cybersecurity personnel if they aren’t ready to take the plunge and hire their own experts. Our advice to customers is, don’t wait until Gerald is calling you because the bank sees something suspicious, or until you need to call Jennifer for legal help to handle a breach!
