As a prelude to the inaugural Security Advisor Middle East Awards 2016, SAME hosted an in-depth roundtable discussion in partnership with BAE Systems, which centred on the ways CISOs can work together to tailor their security efforts to mitigate the effects of data breaches.
Simon Goldsmith, Sales Director of Cyber Security and Financial Crime, ME, BAE Systems, set the tone for the discussion by analysing how TalkTalk and its CEO, Dido Harding, dealt with a cyber-attack in 2015. Roughly four percent of the British telecoms firm’s customers suffered a disclosure of their payment details, but did not incur any financial loss. Nonetheless, TalkTalk lost 101,000 customers, and faced costs of around $85 million in the months that followed. The case provided a fascinating springboard for a SAME forum that covered the reputation and reliability of companies following such attacks.
Dr. Jassim Haji, director of IT, Gulf Air, said it wasn’t simply a case of being able to recover the lost or stolen information, because once a company loses their reputation, the damage has been done. “The market is so harsh nowadays,” he said. “Customers have many options, so why should they even risk one percent when there is a history of breaches?”
Representing RAKBANK in the discussion were K.S. Ramakrishnan, Chief Risk Officer, and Tushar Vartak, Head of Information Security. Vartak agreed with Haji, and concluded that “reputation precedes the financial loss of a company.”
The discussion then posed the question of discovering the ‘magic number,’ in terms of how many products should be implemented to try and prevent these attacks, and how much money should be spent on achieving this balance.
Kamran Ahsan, Senior Director of Security Solutions, Etisalat, stated that it wasn’t about the number of implemented products, and instead it was more about the people behind the security team. “It’s all about your skill-set,” he said. “The people who are the eyes and ears on the dashboard are the important ones. You can buy as many tools as you want, but it’s the security team that need to understand how to use them.”
Goldsmith agreed that getting to this elusive ‘magic number’ should not be the primary aim. “Justifying why you have certain controls or products in place is what should give you assurance that you have spent enough money on security,” he said.
In terms of cost, Haji discussed how the line between spending too much and not enough was extremely thin. “You could be making a monster out of nothing if you spend a lot, when you could spend that money somewhere else,” he said. “If you haven’t spent a lot on security and haven’t had an attack, you could be seen as lucky. It isn’t necessarily an achievement as it means no one is interested in your product. However, if you are really unlucky, you can spend a lot on security and still get hacked.”
When trying to combat the risk of attack, the consensus across participants was that it is of equal importance to look at both internal and external access opportunities.
“The first go-to explanation for an attack 95 percent of the time is ‘it was an insider,’ when it is then later discovered that it was an external attack,” said Goldsmith. “Attackers will take the easiest and cheapest route, and this could be by corrupting an employee. Insiders are important, but companies also need to consider external threats.”
Balancing the important pillars of people, processes and technology was a common theme throughout the discussion, and one that drew conflicting views from the various speakers.
Ahsan maintained that people were the most important factor in a company’s security set-up, but agreed that although they could be a firm’s strongest link, they could also be its weakest if they were intercepted or corrupted. In response, Anoop Kumar, Information Security Manager, Gulf News, simply asked: if the risk of depending on people is so prominent, why not become more dependent on a service instead?
Representing National Bank of Fujairah was Hariprasad Chede, Senior Manager of Information Security. He discussed how one of the major weak points in this region’s IT security is the supply chain. “Even if you have the right IT team, there is still a heavy dependence on a vendor, which gives them access to the data,” he said. “This data is also passed around various departments within the company, for example the marketing department, who may already be talking to the press. There is also a lack of awareness about the data being relayed to law firms and translators. Anyone who has access to the data within the supply chain is a risk, and that is a particular weakness in this region.”
Goldsmith discussed his own experience with attacks in the US and UK, where attackers had targeted various people within the supply chain – particularly law firms – because they were the weakest link. He suggested that a way of combating this was to group people’s behaviours within a department, depending on their job title, by way of unsupervised machine learning. “For example, engineers tend to behave a certain way and marketers tend to behave a certain way. By using this technology, it can be identified if someone who HR defines as an engineer starts behaving like a marketer, and you know then that it is something to be aware of,” he said.
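One way to implement the peer-group check Goldsmith describes, as an added example that is not code from the roundtable, BAE Systems or any participant: cluster users’ activity profiles without using role labels, name each cluster after the HR role most of its members hold, and flag anyone whose cluster disagrees with their HR role. The users, feature columns and counts are constructed sample data.

```python
"""Peer-group behaviour check: cluster activity profiles with no role labels, then
flag users whose cluster does not match their HR role. Constructed sample data."""
import math
import random
from collections import Counter

# Constructed sample: (user, hr_role, [repo_commits, crm_lookups, press_emails, docs_shared])
ACTIVITY = [
    ("alice", "engineer", [40, 1, 0, 3]),
    ("bob", "engineer", [35, 0, 0, 4]),
    ("carol", "engineer", [2, 30, 12, 25]),  # HR says engineer, activity looks like marketing
    ("dan", "marketer", [0, 28, 10, 22]),
    ("erin", "marketer", [1, 33, 15, 20]),
    ("frank", "marketer", [0, 25, 9, 27]),
]

def normalise(rows):
    """Scale each feature column to [0, 1] so large counts do not dominate the distance."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, rounds=20, seed=0):
    """Plain Lloyd's k-means (no labels used); returns a cluster index per point."""
    rng = random.Random(seed)
    centroids = rng.sample(points, k)
    for _ in range(rounds):
        labels = [min(range(k), key=lambda c: dist(p, centroids[c])) for p in points]
        for c in range(k):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels

def role_mismatches(activity=ACTIVITY):
    """Return (user, hr_role, behaves_like) for users whose cluster is dominated by another role."""
    users, roles, feats = zip(*activity)
    labels = kmeans(normalise(list(feats)), k=len(set(roles)))
    # Name each cluster after the HR role most of its members hold.
    majority = {c: Counter(r for r, lab in zip(roles, labels) if lab == c).most_common(1)[0][0]
                for c in set(labels)}
    return [(u, r, majority[lab]) for u, r, lab in zip(users, roles, labels) if majority[lab] != r]

if __name__ == "__main__":
    for user, hr_role, behaves_like in role_mismatches():
        print(f"{user}: HR says {hr_role}, behaves like {behaves_like}")
```

A flagged user is a prompt for review, not proof of anything: the same signal appears when someone legitimately changes role and HR has not caught up.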
All of the discussion members agreed that unity amongst multiple security professionals is key in defeating the ‘bad guys.’ Vartak suggested that a WhatsApp group should be set up in order for members to communicate issues they were facing within their own companies in an informal forum. “The intent is there,” said Chede. “We need to capture it and make it more mature, as it’s better to take feedback from those in the same field. The fairly recent introduction of award ceremonies such as the Security Advisor Middle East Awards also shows that people are recognising the importance of IT security.”