CISO Q&A: How AvidXchange manages COVID-related threats and risk

Like many CISOs, Christina Quaine's team is supporting the payment processor's work-at-home employees and managing internal pandemic-specific risks. It also helps its mid-market customers meet new security challenges.

Christina Quaine, CISO, SVP Technology Operations, AvidXchange, Inc.

CSO caught up with Christina Quaine, the CISO of AvidXchange, a North Carolina-based payments processor that focuses on mid-market companies. We talked to her about how this mid-sized company, with 1,400 or so employees, has dealt with the changes wrought by the COVID pandemic. Given the company’s role in financial transactions, we were particularly keen to hear how the rise in coronavirus fraud instances was affecting her job. Below is a transcript of our conversation, edited for length and clarity.


What should CISOs focus on in the pandemic environment?

Quaine: The threat landscape has changed. We continue to see the need to up our game from a security standpoint and really pay attention to what is new out in the industry and what’s occurring in the new environment. People are taking advantage of all those COVID phishing attempts and how to get your check and all those great schemes.

Just being able to tie that into the education of our employees and making sure that they know what’s changing out there so they can be alerted and on high alarm when they receive these types of emails and aren’t victim to phishing attacks. I think that also plays into just ensuring that we have the right tools and controls in place.

Office 365 has just given us the ability to work from anywhere. But when you have sensitive job functions or data that you're accessing, you certainly need to be on a VPN. And then even looking at just the development of our new applications, making sure that we have security in mind at the forefront, that we really are shifting security to the left. That's the phrase that you hear everybody talk about these days.

What are the particular security challenges of your mid-market customers?

Quaine: Our business model in particular, we ingest invoices in a variety of ways, and we do a lot from email. If you think about just email being a threat vector, we get emails all the time. For us to have the appropriate controls on our end to make sure we're not getting malicious email is really important.

To your point around mid-market companies, they typically don't have a security department. Sometimes we have to work with them on TLS connections and secure FTP. It also goes to educating them because they're one of the conduits in which we receive invoices or changes to payment methods. We need to make sure that they have some sort of awareness of what fraudsters are doing to stop it at their company and not necessarily pass it along to AvidXchange. We're sort of the receiver of that data, and we have to help them on their knowledgebase as well.

You have to protect yourself by protecting your customers

Quaine: If you think about it, it's kind of like banks. They have to educate their consumers. They're just anybody off the street, but to protect themselves they have to give the proper education to their consumers, so they're also doing the right thing.

When did you first recognize the new risk potential and start executing new plans?

Quaine: I don't want to put it on a quarterly basis, but in our company, we do a quarterly risk assessment. We definitely review the risk landscape on a quarterly basis to see if there's anything we need to pivot on. For the pandemic, I think the bigger problem we were solving was ensuring that our teammates had the capability of working at home.

For me, that was obviously first and foremost. Because of the pandemic, we were actually increasing our sales and doing a great job in the market just because we were seen as the business continuity solution. These mid-market companies didn't want to go into the office to pay with paper check. They accelerated their connections with AvidXchange, so we would do that for them.

Which is great news from a sales and revenue standpoint, but we really were just mobilizing our team. We have an “in office” culture, or we had that office policy in how we were going to operate going forward. But we definitely were about being in the office.

We've always had VPN and VDI (virtual desktop interface), but it was also kind of a problem just to ensure that people had the right network capabilities at home. We were doing a lot of troubleshooting people's networks and probably because we are a smaller company, we kind of do more hand-holding in that area.

I think if you worked at a Wells Fargo, you'd have to figure out how to set up your router on your own. But we like our teammates. We love our teammates and their family and so we try to help them in every way we can.

Were there any surprises making sure your employees were safe working from home?

Quaine: We definitely use dashboards to evaluate vulnerabilities and risk. We did see an uptick in vulnerabilities as well as malicious emails. From a vulnerability standpoint, we had to ensure that we had the ability to understand who was logging in through the VPN to get the latest security patches and force those that weren't to do the thing.

I think that was one of the learnings. We didn't necessarily have a forced model. We wanted to make sure for their AvidXchange laptops that they were getting the right security patches for their laptops.

What kind of vulnerabilities increased?

Quaine: It was really just the typical [vulnerabilities] that you see with the laptop. Just ensuring that they had the latest patches included.

What have you seen in terms of phishing?

Quaine: A lot of them, quite frankly, are COVID related. We constantly do phishing campaigns to educate our teammates, and we make sure that those get harder and harder over time. We make sure that they're really paying attention and not just clicking quickly on a link and certainly not adding their credentials anywhere.

There are a lot of attempts to spoof executives. If you think about any company’s website, the executives are posted there. People often will try to go and spoof somebody’s email address and especially the CFO or the CEO and request payment. Those certainly have increased over time.

Also, in terms of how AvidXchange is seen out in the public view. We recently did a capital raise. When we're highlighting our success out to the world, people start paying attention, and then they started to really hone in.

How have remote work levels affected how you fight fraud?

Quaine: We’ve definitely tightened down our thresholds on what we would think is acceptable for a certain supplier based on their past payment history. Where maybe we were doing it at the right level that we thought was appropriate before, we tightened that down just to make sure that we have more human eyes on it and not letting things pass through our system without a second glance, because that's just more likely to happen.

We also tightened up our controls when we set up a payment method. Our team does a lot for the validation and for the onboarding of customers to make sure that we have the right account number. We only make changes to that account number based on instructions from our buyers.

They ultimately have the responsibility. That's why education of our customers is so important. They could unknowingly pass something along to us. We have our own set of controls that we look at to double check or triple check their work.

How likely are all these changes to become permanent?

Quaine: I would say they're definitely permanent. We hired additional staff, at least one additional individual. We have an intern that's even helping out. We built out the prevention and detection application to do the alerting and these individuals, that's their full-time job to make sure that they're looking through them and releasing them as appropriate.

Any other advice you have for your fellow CISOs?

Quaine: I would probably say overcommunicate, overcommunicate, overcommunicate. It's different at all various levels. The board needs to understand some sort of quarterly report on what the security program is looking like, the maturity with the risk out there, where we're investing, where we're choosing not to and why, and what other controls we have.

They need to understand that story and not just assume security is a given, that it's a “set it and forget it” technology, that it's done. It's constantly evolving. That's why that quarterly risk assessment that I mentioned earlier is so important because it helps you frame up that discussion with the board.

Then I would also say our leaders need to know. Every individual does. Have at least annual training.

I think it's all about risk management from my perspective. That communication is so crucial to the organization so we understand where we're accepting, where we're taking risk.

Copyright © 2020 IDG Communications, Inc.