Cyber security and business success: Board-level leadership is critical
From left: CICRA Consultancies CEO and Director Boshan Dayaratne, Akati Consulting CEO Krishna Rajagopal, moderator Daily FT Editor Nisthar Cassim, ITU Senior Advisor Sameer Sharma, CISCO Security India Principal Consultant Srikanta Prasad and Microsoft Chief Security Officer and Advisor Pierre Noel at the head table
The CEO forum, which was the final session of the EC-Council Cyber Security Summit 2015 co-organised by CICRA Consultancies and Daily FT, was held on 30 September in Colombo.
The panel discussion was moderated by Daily FT Editor Nisthar Cassim. The panellists were Sameer Sharma, Senior Advisor, International Telecommunication Union, Regional Office for Asia-Pacific, Bangkok; Srikanta Prasad, Principal Consultant, Cisco Security India; Pierre Noel, Chief Security Officer and Advisor for Microsoft in Asia; Krishna Rajagopal, CEO of AKATI Consulting; and Boshan Dayaratne, CEO/Director of CICRA Consultancies.
An exciting video of two ethical hackers demonstrating the possibility of remotely hijacking a jeep was played for the audience to set the premise for the discussions.
Opening the panel discussion, Sameer Sharma explained, “The rapid change in the pace of ICT is creating security concerns. For example, it took 125 years for the telephony industry to reach one billion subscribers; it took around 13 years for Google to reach the same number. For mobile subscription it took just 11 years and for mobile broadband it took only five years. In the coming five years, we will have 50 billion devices in the Internet of Things connecting to each other. This comes with a downside as well because more and more people out there would be subject to breaches.”
“Generally CEOs think cyber security is a technical issue and does not deserve their attention. What is important is to give them the overall impact of the outcome of the risk assessment. In the Target (US retailer store) attack incident, the CEO was questioned and many board members were held very accountable. So it’s very important that CEOs take cyber security seriously. The highest level of leadership starting from the country level, the important integers in the highest policy level in the organisations should consider cyber security an important investment for the business. This can protect your organisation and encourage new customers to continue to improve the business prospects,” he added.
Cybercrime in a non-IT environment
The next panellist was Pierre Noel. “Cyber security is a board room issue. As Chief Security Officer, I spend nearly 50% of my time engaging with people at the board level and advising them about cyber security. Its impact will be on the entire organisation. It’s not something that will be just constrained to IT. When you have a significant security incident in the organisation, not only will you have the financial impact, which is usually quite severe, but you will have a reputational impact and, in many cases, you will have an operational impact because you won’t be able to operate your system as you used to. We increasingly rely on the IT infrastructure for what we do, sometimes without even realising it.”
Giving a very relevant example of cybercrime in a non-IT environment, Pierre explained the real dangers out there. “This is about an iron factory in Germany and not an organisation that has huge financial assets that you can steal easily. They got subjected to blackmail. An organised crime community sent a blackmail message online to this iron factory saying, ‘We’re the bad guys and we have a way to cripple your factory unless you pay us 100k Bitcoins.’ Bitcoin is an electronic currency which can be transferred without being traced.
“The iron factory decided to call the bluff! They decided not to pay. They were wrong; they indeed had some vulnerability in their system but not in today’s typical IT systems. They had vulnerabilities in the systems controlling the iron furnace which is not even a sophisticated computer. The bad guy accessed the computer and made sure it was impossible to turn it off. The iron kept on boiling and boiling and you could not turn it off. As a consequence, the people of the iron factory had to be evacuated and finally one of these iron furnaces exploded costing millions of Euros. The benefits for the organised crime group were tremendous because that incident enabled them to blackmail any other iron factory; this is the reality of cyber security.”
Increase the cost of attack
Srikanta Prasad also shared his perspective on security. “If you can increase the cost of an attack you’re much better off. Any attack or any incident needs a certain amount of resources. You need to have a good knowledge of hacking, you need to have computer resources and you need to have time in hand. So if you increase the cost of an attack by enhancing security with a well-architected security approach, then the bad guys who try to hack in will realise: ‘This is very secure, let’s not waste our time, let’s move on to the next company.’”
“Think that two friends are walking in a forest and they see a tiger coming towards them. So they start to run and one friend asks the other if he can outrun the tiger. The friend replies: ‘No, I only have to outrun you.’ Security is like that and you’ve got to be safer than the others to stand a chance of evading an attack,” he explained.
Krishna Rajagopal delivered his presentation while demonstrating a live hack. He explained how easily hackers can break in and take control of your systems.
Krishna discussed how people turn into hackers and what their mindsets are really like. Sometimes, hackers start out of curiosity. When they get into the hacking mode and find interesting or potentially secret information, they get excited and eventually try to make money out of it. He also highlighted that organised crime groups earn more money from cybercrime than by selling drugs.
“Last year I was involved in the unfortunate incident of the missing plane MH370. Right after the incident, Malaysian Airlines was attacked four times. Was it planned for a long time? No, probably someone just watched CNN and thought, ‘Oh, Malaysian Airlines, I’ve never heard of that airline. Let’s check it up online. Looks like they can lose a plane, they can lose a lot of things, so I’ll go target them.’ As you see, the media actually helps the attackers get ideas,” he said.
Cybercrime causes suicides
Taking the famous Ashley Madison website hack as an example, Krishna pointed out that cybercrime can even cause physical deaths. As it has been reported thus far, the impact of this data breach has caused four suicides.
Moreover, there were comments and questions from the audience as to why security needs to be taken to the board level and why awareness has to be created to have stringent security controls.
Pierre Noel then shared his views regarding the organisational structure and why the CSO shouldn’t be reporting to the CIO. “Let’s say there’s an ongoing project and the security team needs to analyse the project and identify if any of those modules can cause a security threat. He finds a security problem and informs the CIO. The CIO’s concern would be: ‘I have to finish the project in one month, so you move away and let me carry on,’ and the CSO would do so. There needs to be clear governance on the way security concerns are addressed,” he said.
Good security requires people, processes and technology
Boshan Dayaratne stated that good security requires people, processes and technology to be aligned. He highlighted that sophisticated security systems alone would not provide protection if the people using those systems do not follow security practices. This can only be addressed by proper security awareness training. Organisations should take security training seriously and allocate budgets for it. This can help in the long run in preventing cybercrime.
The Cyber Security Summit 2015 came to a close with the conclusion of the CEO forum which was attended by quite a few distinguished members of reputed organisations based locally and internationally.
CISCO and Microsoft were the summit’s Strategic Partners while ICTA was the National Partner. The Telecommunications Partner was Sri Lanka Telecom, the Official Payment Gateway Partner was LankaPay, the Official Insurer was Continental Insurance, Official Printers were OfficeMax, LSP, the creative partner was Triad, and the Electronic Media Partners were LearnTV, TV Derana, FM Derana and Ada Derana. The Hospitality Partner was Cinnamon Lakeside.