September 2022 | cybermagazine.com

Security: Harnessing a culture of cyber compliance
Jameeka Green Aaron: Battling bias and advocating for women and people of colour in STEM
Kontoor Brands: Fashioning a new cybersecurity program
Featuring: Bukalapak, Burns & McDonnell, Belron International, 2U
Cloud Security: The cyber threat hunters
Remote Working: The dark side of remote working in 2022
The Cyber Team

Editor-in-Chief: Tilly Kenyon
Editorial: Catherine Gray
Editorial Director: Scott Birch
Production Directors: Georgia Allen, Daniela Kianicková
Production Managers: Philline Vicente, Jane Arneta, Maria Gonzalez

Creative Team: Oscar Pinnell, Sophie-Ann Hathaway, Hector Penrose, Sam Hubbard, Mimi Gunn, Justin Smith, Rebekah Birleson, Jordan Wood, Danilo Cardoso
Production Manager: Kieran Waite
Digital Video Producers: Marta Eugenio, Thomas Easterford, Ernest De Neve, Drew Hardman
Marketing Managers: India Berry
Project Directors: Kris Palmer, Ben Maltby, Tom Venturo
Managing Director: Lewis Vaughan
Media Sales Directors: Jason Westgate
Chief Operations Officer: Stacy Norman
CEO: Glen White
FOREWORD

Keeping up to date with the challenges of remote working

“As cyber security risk has grown, so have the consequences. Regulatory concern has led to increased requirements for resilience and the potential for penalties in the case of failures”

Cyber security risks are constantly evolving, but are the security measures that companies take keeping up with these changes?

The time to act is now, and in our latest issue we share how companies are benefiting from taking this type of approach…

Remote working has been a long-term trend, but the global pandemic supercharged it. The first lockdowns saw millions of businesses worldwide switch to home working overnight. As more companies adopt a hybrid model, it comes with its own cyber security issues. A lack of cyber security knowledge is leaving remote workers vulnerable and more susceptible to attacks such as phishing. According to the World Economic Forum, 95% of cybersecurity breaches are caused by human error, something which can be easily avoided. Although businesses have now had time to adapt, the IT risk landscape remains significantly more complex than when staff were almost all office-based. This complexity is only going to grow with the increasing breadth of connected devices and the implementation of new technologies such as AI. To meet the evolving security challenges that home working brings, businesses need to take a proactive approach to regular cyber security training.

TILLY KENYON
tilly.kenyon@bizclikmedia.com

Cyber Magazine © 2022 | All rights reserved
CONTENTS

Our Regular Upfront Section:
10 Big Picture
12 The Brief
14 Timeline
16 Trailblazer: Jameeka Green Aaron
20 Five Minutes With: Michael Rothschild

26 Kontoor Brands: Fashioning a new cybersecurity program
Cyber Security: Harnessing a culture of compliance
Bukalapak: The future for cybersecurity is resilience
Sonesta International Hotels Corporation: The importance of partners in effective security
2U: Transforming and Securing Education through Tech
80 Remote work security: The dark side of remote working in 2022
Cloud Security: The cyber threat hunters
110 Belron International: Securing Belron’s future with a robust cyber defence suite
Okta: identity for the internet

Never trust, always verify as the core of Zero Trust: Okta is the leading independent identity provider. The Okta Identity Cloud enables organizations to securely connect the right people to the right technologies at the right time.

Today IT leaders cite secure employee access as their primary focus, thanks largely to an explosion in remote working. “One of the scariest parts of the quick switch to remote work is the need to move quickly and securely,” says Brock Dooling, Partner Alliances Engineer at Okta, a trusted platform to secure every identity, from customers to workforce. More than 10,000 organizations trust Okta’s software and APIs to sign in, authorize, and manage users.

Getting identity right is really important – but complicated. Clients can use Okta to enable their users to sign in with a username/password or with their social accounts like Google or Facebook using pre-built sign-in components from Okta. “After the user has signed in, you can retrieve their user profile, secure your APIs and application backends so that only authorized users and applications can call them. With Okta clients can use their existing stack to build sign in, protect their APIs and move on with their lives!”

That message is not lost on Okta’s partners. Recently Dave Trader, CTO of lifecycle managed services provider Presidio, told us: “Okta has been a huge help in managing secure user authentication, while allowing developers to build identity controls into applications, website web services and devices.”

Password access is notoriously vulnerable, so automation of user authentication is at the top of the developers’ agenda. Okta FastPass is already delivering passwordless login using default authentication implemented through biometric capabilities, rather than only by user-specific certifications.

On March 4 2021 Okta acquired a complementary authorization platform. It will continue to support and expand Auth0, with a view to eventual integration. “Together, we will shape the future of identity on the internet,” promises Brock Dooling. “Okta and Auth0 address a broad set of identity use cases, and our identity platforms are robust and extensible enough to serve the world’s largest organizations and most innovative developers.”

Okta’s vision is a world where everyone can safely use any technology: its promise, to protect the identities of all users, while asking “what more can we make possible?”
BIG PICTURE

THE COST OF SECURITY IMMATURITY IN THE CLOUD

In its annual Cost of a Data Breach Report, IBM Security revealed that 43% of studied organisations are in the early stages of, or haven’t even started, applying security practices across their cloud environments. These organisations observed higher breach costs – at US$660,000 on average – than studied organisations with mature security across their cloud environments.
THE BRIEF

“The knowledge and attacks are becoming more sophisticated, so our ability to detect must be much faster”
Jerome Farquharson, Senior Managing Director, Governance, Risk, Cybersecurity and Compliance, Burns & McDonnell

“We are seeing an increasing volume of cyberattacks as a result of remote working across most industries”
Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch, Mimecast

“AI and machine learning technologies are going to be critical for cybersecurity in the future. The noise is just tremendous”
Anthony Foust, Global Chief Information Security Officer, Belron

BY THE NUMBERS
How many times did Allot NetworkSecure block cyberthreats from harming European subscribers in 2021 vs 2022?
Q1 2021: 326 million times
Q1 2022: 2.3 billion times

TELSTRA PARTNERS WITH MCAFEE TO PROVIDE MOBILE SECURITY
McAfee’s partnership brings added protection to Telstra’s millions of customers and their devices via McAfee’s integrated consumer security platform.

ONFIDO PARTNERS WITH YESWEHACK FOR NEW BUG BOUNTY PROGRAM
Onfido partners with YesWeHack and its community of 40,000 cyber researchers to pentest the Real Identity Platform, further strengthening its security.

HOW CAN WE DELIVER CYBER RESILIENCE AS TECHNOLOGY ADVANCES?
James Blake, Chief Information Security Officer at Rubrik, joined TECH LIVE LONDON to discuss spending on cyber security and creating a resilient posture.

BOOSTING CYBER SKILLS
The US Government has launched a new initiative, the Cybersecurity Apprenticeship Sprint campaign, to boost the number of people in cybersecurity-related apprenticeship programmes, tackling the cyber-skills gap.

INCREASE IN MALWARE
2.8 billion malware attacks were detected in the first half of 2022, representing the first recorded growth in global malware volumes in three years, according to SonicWall.

T-MOBILE PAYS OUT AFTER DATA BREACH
T-Mobile has agreed to pay US$350mn after a data breach disclosed last year, affecting tens of millions of people. It will also spend an extra US$150mn on cybersecurity through the end of 2023.

TSA UPDATES CYBERSECURITY REQUIREMENTS
The Transportation Security Administration (TSA) has updated its security directive for oil and natural gas pipeline owners and operators, providing more flexibility over cybersecurity and incident response management.

HOW SECURE IS SENSITIVE DATA WHEN STORED IN THE CLOUD?
With more organisations moving to the cloud, there have been some reservations about how safe and secure data is. The Cloud Security Alliance (CSA) has recently released a new report entitled Sensitive Data in the Cloud. It found that the vast majority of organisations (89%) host sensitive data or workloads in the cloud. Of those organisations, 67% host some sensitive data in the public cloud, and 45% host it in the private cloud. With such sensitive data in these cloud environments, the need to properly secure this data with measures like encryption is clear. Just over a third of organisations were not confident or only slightly confident about their ability to protect sensitive data in a cloud environment, and another 44% reported they were only moderately confident. Highlighting these issues enables service providers and organisations to close the gaps.
TIMELINE

On February 24, Russian President Vladimir Putin declared war on Ukraine and launched a large-scale invasion. Cyber incidents have been playing a central role in the conflict, so we take a look at how events are unfolding.

JAN 2022: US RELEASE CYBER ADVISORY
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint Cybersecurity Advisory (CSA) providing an overview of Russian state-sponsored cyber operations – including commonly observed tactics, techniques, and procedures.

FEB 2022: GOVERNMENTS AND CRITICAL INFRASTRUCTURE TARGETED
February saw multiple attacks in various industries, and two DDoS attacks took down Ukrainian government and banking websites. Ukrainian officials supported a campaign to attract civilian developers and hackers into what it called the ‘IT Army of Ukraine’.

MAR 2022: COMPANIES COMBINE FORCES TO FIGHT CYBER CRIME
Top cyber security platforms – Cloudflare, CrowdStrike and Ping Identity – announced a Critical Infrastructure Defence Project to “provide free cybersecurity services to particularly vulnerable industries during this time of heightened risk”. The hacktivist collective Anonymous also claimed it took down the website of the Federal Security Service (FSB) of Russia.

APR 2022: BUSINESSES PULL OUT OF RUSSIA
Global companies such as Apple, McDonald’s, Starbucks, Ericsson and Nokia began to cease trading in Russia. This had a financial impact not only on Russia, but also on the companies themselves, with Nokia saying it expected its decision to leave Russia to lead to about US$109mn in provisions for the quarter.

MAY 2022: ALLIES RECOGNISE CYBER SECURITY ISSUES
The EU, UK, US and other allies made a statement that Russia has been behind a series of cyberattacks since the start of the renewed invasion of Ukraine. Finland and Sweden also confirmed their intentions to join Nato, a move triggered by the war.

JUN/JUL 2022: NO SIGN OF CYBER ATTACKS SLOWING DOWN
Five months after Russia’s invasion, Ukraine continues to see significant increases in cyberattacks. In June, according to Bloomberg, areas of Ukraine that were under Russian occupation had internet access often shut down or disrupted. Even when the internet came back on, the traffic was rerouted to networks owned by the Russian government.
TRAILBLAZER

Battling bias: advocating for women and people of colour in STEM

Jameeka Green Aaron shares her interesting journey in cybersecurity and her active role in advancing women and people of colour in STEM occupations

Jameeka Green Aaron is a woman who’s definitely not afraid of a challenge. The CISO has more than 20 years of cybersecurity experience under her belt, beginning her technology career in the US Navy as an Information Technology Specialist.

“I worked in Naval Networks and was responsible for network integration, and I was also at the Security Operations Centre patching Navy printers for the Y2K bug. I realised at that point that cybersecurity was my calling,” explains Green Aaron.

Now, the dynamic CISO is driven by her passion for innovation within Customer Identity and Access Management, noting: “Three of my favourite things about working in cyber is passwordless registration, the ability to enrich and leverage social profiles, and progressive profiling that provides powerful insights to enhance customer experience.”

Green Aaron’s role at Auth0 has provided her with a platform to enrich the technology community and move the needle when it comes to diversity and inclusion.

Two months into Green Aaron’s role as CISO at Auth0, the company was acquired by Okta, and now the two companies are creating the future of digital identity.

“Identity is personal – it’s so important to the way we work and live today, and safeguarding that is an exciting space to be working in right now. Auth0 and Okta are constantly innovating to meet the needs of our customers and the industry,” says Green Aaron.

“My team – which includes compliance, detection and response, and privacy – will need to continue moving at a rapid pace to ensure our technologies enter the marketplace seamlessly and, more importantly, securely,” she added.

“I learn something new every day. The cloud is constantly changing – the threats we face are hugely different from what we’ve seen in previous years, from social to bot mitigation, detection engineering to cloud computing vulnerabilities”

“I’m especially passionate about guiding women and people of colour to develop successful careers in the security industry,” explains Green Aaron. “We urgently need more representation at every level, especially in board-level and executive positions. I take an active role in advancing women and people of colour in STEM occupations, working with and mentoring within organisations such as Chief, Black Girls in Cyber, Day of Shecurity, Girls in Tech and the National Society of Black Engineers. Internally, I sponsor and support several employee resource groups that are focused on diversity, inclusion and belonging.”

On top of this, Green Aaron works closely with the Okta for Good team to launch the cybersecurity programme for their non-profits’ portfolio. The CISO explains that this is crucially important because these non-profit organisations are doing work for the common good, and, as such, their data needs to be well protected.

“The work that I do in cybersecurity is about people and protecting their identity; our global community, our diverse communities, are critical to that work,” she comments.

With a number of years of experience working for a diverse range of industries, Green Aaron reflects on her career in the Navy, at Nike, at Auth0 and among other companies, sharing advice for those thinking about a career in cybersecurity: “When you start a career in cyber, you just need to dive in! It’s a matter of saying, “I want to do this work”, and figuring out where you want to start. This industry is self-taught, so it has many pathways in, whether you’re interested in technical or non-technical roles. For example, you could work in marketing at a security company, and I’d consider you a security professional.”

Green Aaron’s passions are not limited to cybersecurity. The CISO is also a passionate traveller, an interest she gained during her time in the Navy: “I became deeply curious about the world, people, cultures and food. If I’m not at work, you can bet I’ll be in the airport, on a plane or heading to the airport on my next adventure! My last trip was in June to Belize. I’ve already clocked 300k miles this year between work and personal travel.”

“People don’t tend to get stagnant in cybersecurity roles – they move around, which creates tons of opportunities to get into this world quickly. I liked working in the military, and I like sneakers, and I like the community at Okta. Follow your passion and the need for security will be there”

Years in cyber: 20+
Miles travelled this year: 300,000
FIVE MINUTES WITH... MICHAEL ROTHSCHILD

Introducing HYPR and AI hacking: Michael Rothschild, VP of Product Marketing at HYPR, talks about the company and how it helps customers with AI hacking technology.

Q. TELL ME ABOUT HYPR, YOUR ROLES AND YOUR RESPONSIBILITIES.

» HYPR is a true passwordless multifactor authentication (MFA) solution. True passwordless MFA technology, as opposed to a ‘passwordless experience’, does not use any type of password or other shared secret in the authentication process. Instead, it uses cryptographic certificates with the private key securely stored with the user at all times. I am the Vice President of Product Marketing at HYPR, bringing over 25 years of experience in various aspects of security to help spread the word on HYPR’s True Passwordless MFA technology.

Q. WHAT ARE THE RISKS WITH AI AND CYBER, AND HOW CAN AI BE USED AS A MEANS FOR CYBER CRIME?

» Data poisoning is an effective method being used currently. It works by flooding AI and machine learning (ML) systems with incorrectly classified information and files that can change the way these systems identify certain things. This could be as harmless as convincing a computer that cows are dogs by bombarding it with pictures of dogs labelled ‘cows’, or it could be as nefarious as teaching military technology to confuse friendly and enemy combatants in a war zone. Password recognition is another potential AI-based system that can be compromised through this, which can affect authentication for entire platforms and all their users. Many AIs learn by processing data from largely public places such as Twitter and Facebook. Hackers are able to probe the AI algorithms and essentially reverse engineer them in order to then create malicious bots that post information, which poisons the algorithm that's busy learning. This poisoning can have a very dangerous domino effect, especially if AIs are learning from other AIs.

Separately, there are AI technologies that can create malware capable of mimicking trusted system components. This is to improve stealth attacks. For example, cyber actors use AI-enabled malware programs to automatically learn the computation environment of an organisation, the patch update lifecycle, preferred communication protocols, and times when the systems are least protected. Subsequently, hackers can execute undetectable attacks as they blend with an organisation’s security environment. For example, TaskRabbit was hacked, compromising 3.75 million users, yet investigations could not trace the attack. Stealth attacks are dangerous since hackers can penetrate and leave a system at will. AI can unintentionally facilitate such attacks, and, in such a case, the technology will only lead to the creation of faster and more intelligent attacks.

“HAVING PROPER AUTHENTICATION CONTROLS IN PLACE CAN BLOCK PRACTICALLY ANY SORT OF MALICIOUS ACTOR ATTEMPTING TO GAIN ACCESS TO AN AI PROGRAM OR A DATABASE FEEDING INTO AN AI OR ML SYSTEM”

Q. HOW CAN WE PREVENT AI HACKING?

» With much of the risk in AI and ML vulnerabilities stemming from passwords, organisations need to look to multi-factor authentication that does not use passwords or shared secrets as a minimum defence against hackers. Whether they come in the form of data poisoning attacks on automated authentication databases or a more traditional cyberattack exposing an AI system and altering its source code, the root is typically weak protection from password-based solutions and the inherent risk of human error. By implementing passwordless technology, many of these risks can be avoided and the potential for authentication to be the source vector of an attack is virtually eliminated.

Q. HOW DOES HYPR LOOK TO SUPPORT CUSTOMERS WITH AI HACKING?

» Having proper authentication controls in place can block practically any sort of malicious actor attempting to gain access to an AI program or a database feeding into an AI or ML system. While HYPR does not have any offerings that specifically combat AI/ML cyberattacks, HYPR’s passwordless technology makes it much harder to use AI/ML poisoning to get in and launch an attack. Essentially, any sort of credential stuffing, phishing, social engineering etc., can no longer be used to get a password and gain access. This is a huge step in eliminating the types of attacks we as a collective security community have been experiencing.

Q. WHAT'S NEXT FOR HYPR?

» HYPR’s expansion is very exciting, as we’re looking to strengthen our presence beyond traditional sectors by working with customers in agriculture, auto and manufacturing, critical infrastructure, financial services, insurance, hospitality and tourism, and nonprofit organisations. We’re also expanding our reach globally, having recently secured enterprise customers across Europe, including financial institutions in Poland and Switzerland, as well as an exciting partnership with Aon to roll out passwordless MFA for their 50,000+ employees. Just this month, HYPR’s True Passwordless technology was added to CISA’s list of Free Cyber Security Services and Tools as a way to help mitigate the threat of advancing Russian cyber threats.

We are also partnering with other technology vendors such as SSO and IDP entities to build a solution-based ecosystem of trust that is forward compatible to address future threats, initiatives and environments. Securing further technical alliances is another focal point as we look to broaden our horizons and extend our reach to more key solutions in the marketplace. Expanding HYPR’s cloud-based capabilities, which address desktop-to-cloud scenarios with a standards-based solution, continues to be a driving force in everything we do. Our main objective is to make passwordless technology accessible for all – for businesses no matter the size and for users everywhere. Essentially, we are on a mission to fix the way the world logs in.

“OUR MAIN OBJECTIVE BEING TO MAKE PASSWORDLESS TECHNOLOGY ACCESSIBLE FOR ALL”

HYPR
Founding: 2014
Total funding: US$70mn
This year, following its US$35mn Series C financing, HYPR announced another year of stellar growth, with record-breaking annual recurring revenue, customer acquisition, workforce expansion and overall company investment.
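The data-poisoning answer above describes an attacker flooding a learning system with mislabelled samples (dog pictures labelled ‘cow’). A defensive counterpart, added here as an example and not taken from the interview or from HYPR, is to triage untrusted training data against a small human-verified baseline before it is ingested. The Go program below uses a nearest-centroid classifier over two constructed numeric features: each incoming sample whose label contradicts the trusted model is flagged, and any source whose disagreement rate exceeds a threshold is quarantined so that even its plausible-looking samples are held back. All sample data, the source names (curated, feedA, feedB) and the 50% threshold are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Sample is one labelled training example received from some source.
// Two numeric features keep this added example small; the checks do not depend on that.
type Sample struct {
	Source string  // feed, scraper or account that supplied the sample
	X, Y   float64 // feature vector
	Label  string  // label that arrived with the sample
}

// TrustedSet is a constructed, human-verified baseline: "cow" near (1,1), "dog" near (8,8).
func TrustedSet() []Sample {
	return []Sample{
		{"curated", 1.0, 1.0, "cow"}, {"curated", 1.5, 0.5, "cow"}, {"curated", 0.5, 1.5, "cow"},
		{"curated", 8.0, 8.0, "dog"}, {"curated", 7.5, 8.5, "dog"}, {"curated", 8.5, 7.5, "dog"},
	}
}

// IncomingBatch is a constructed untrusted batch: feedA is honest, feedB floods
// dog-shaped points labelled "cow", the pattern the interview describes.
func IncomingBatch() []Sample {
	return []Sample{
		{"feedA", 1.2, 0.9, "cow"}, {"feedA", 7.9, 8.2, "dog"}, {"feedA", 0.8, 1.1, "cow"},
		{"feedB", 8.1, 7.9, "cow"}, {"feedB", 7.8, 8.3, "cow"}, {"feedB", 8.4, 8.1, "cow"},
		{"feedB", 8.0, 7.7, "cow"}, {"feedB", 1.1, 1.0, "cow"},
	}
}

// Centroids computes the per-class mean of the trusted set.
func Centroids(trusted []Sample) map[string][2]float64 {
	sum := map[string][2]float64{}
	count := map[string]int{}
	for _, s := range trusted {
		v := sum[s.Label]
		v[0] += s.X
		v[1] += s.Y
		sum[s.Label] = v
		count[s.Label]++
	}
	for label, v := range sum {
		n := float64(count[label])
		sum[label] = [2]float64{v[0] / n, v[1] / n}
	}
	return sum
}

// Nearest returns the class whose centroid is closest to (x, y).
func Nearest(centroids map[string][2]float64, x, y float64) string {
	best, bestDist := "", math.Inf(1)
	for label, c := range centroids {
		if d := math.Hypot(x-c[0], y-c[1]); d < bestDist {
			best, bestDist = label, d
		}
	}
	return best
}

// TriageResult separates a batch into what may be ingested and what must be reviewed.
type TriageResult struct {
	Accepted    []Sample        // consistent with the trusted model, from a healthy source
	Flagged     []Sample        // label contradicts the trusted model
	Held        []Sample        // looks consistent, but its source is quarantined
	Quarantined map[string]bool // sources whose disagreement rate exceeds maxDisagree
}

// Triage checks every incoming label against the trusted centroids and quarantines
// any source whose share of contradicting labels exceeds maxDisagree (0..1).
func Triage(trusted, incoming []Sample, maxDisagree float64) TriageResult {
	centroids := Centroids(trusted)
	total, disagree := map[string]int{}, map[string]int{}
	for _, s := range incoming {
		total[s.Source]++
		if Nearest(centroids, s.X, s.Y) != s.Label {
			disagree[s.Source]++
		}
	}
	res := TriageResult{Quarantined: map[string]bool{}}
	for src, n := range total {
		if float64(disagree[src])/float64(n) > maxDisagree {
			res.Quarantined[src] = true
		}
	}
	for _, s := range incoming {
		switch {
		case Nearest(centroids, s.X, s.Y) != s.Label:
			res.Flagged = append(res.Flagged, s)
		case res.Quarantined[s.Source]:
			res.Held = append(res.Held, s) // a flooding source gets no benefit of the doubt
		default:
			res.Accepted = append(res.Accepted, s)
		}
	}
	return res
}

func main() {
	res := Triage(TrustedSet(), IncomingBatch(), 0.5)
	fmt.Printf("accepted=%d flagged=%d held=%d quarantined=%v\n",
		len(res.Accepted), len(res.Flagged), len(res.Held), res.Quarantined)
	// accepted=3 flagged=4 held=1 quarantined=map[feedB:true]
}
```

The per-source rate is the part that matters against flooding: a single mislabelled sample from an honest feed is just flagged, while a source that is mostly wrong is cut off entirely, including the samples that happen to look right.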
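Rothschild’s answers above describe true passwordless MFA as a private key that stays with the user and is never shared with the server. The following Go program is an added example, not HYPR’s code or any product’s protocol: it implements the underlying challenge-response pattern with Ed25519 from Go’s standard library. The server stores only public keys, issues a random single-use nonce, and accepts a login only when the signature over that exact nonce verifies before the challenge expires; a captured response therefore cannot be replayed, and there is no password to phish, stuff or leak. The user names and the one-minute challenge lifetime are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Server (the relying party in this added example) stores only public keys.
// There is no password or shared secret to phish, stuff, or leak from its database.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string]pending
	now        func() time.Time // injectable clock so expiry can be tested
}

type pending struct {
	nonce   []byte
	expires time.Time
}

func NewServer() *Server {
	return &Server{
		pubKeys:    map[string]ed25519.PublicKey{},
		challenges: map[string]pending{},
		now:        time.Now,
	}
}

// Enrol binds a user to the public half of a key pair generated on their device.
func (s *Server) Enrol(user string, pub ed25519.PublicKey) {
	s.pubKeys[user] = pub
}

// Challenge issues a fresh 32-byte random nonce, valid for one minute and one attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = pending{nonce: nonce, expires: s.now().Add(time.Minute)}
	return nonce, nil
}

// Verify consumes the outstanding challenge and checks the signature over it.
// A captured (nonce, signature) pair is useless afterwards, which defeats replay.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	c, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user) // single use, even if the checks below fail
	if s.now().After(c.expires) || !bytes.Equal(c.nonce, nonce) {
		return false
	}
	return ed25519.Verify(s.pubKeys[user], nonce, sig)
}

// Client models the user's authenticator: the private key never leaves it.
type Client struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewClient() (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{pub: pub, priv: priv}, nil
}

func (c *Client) PublicKey() ed25519.PublicKey { return c.pub }

// Sign proves possession of the private key by signing the server's nonce.
func (c *Client) Sign(nonce []byte) []byte { return ed25519.Sign(c.priv, nonce) }

func main() {
	srv := NewServer()
	alice, err := NewClient()
	if err != nil {
		panic(err)
	}
	srv.Enrol("alice", alice.PublicKey())

	nonce, _ := srv.Challenge("alice")
	sig := alice.Sign(nonce)
	fmt.Println("challenge:", hex.EncodeToString(nonce)[:16]+"...")
	fmt.Println("first login:", srv.Verify("alice", nonce, sig))    // true
	fmt.Println("replayed login:", srv.Verify("alice", nonce, sig)) // false
}
```

Deleting the challenge before any check runs is deliberate: an attacker who observes a response gets exactly one attempt per challenge, and a failed attempt cannot be retried against the same nonce. In a real deployment the enrolment step would be tied to device attestation and the nonce would also bind the origin, which this example omits.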
PROGRAMAFASHIONINGNEW CYBERSECURITY 26 September 2022 PRODUCED BY: TOM VENTURO WRITTEN BY: TILLY KENYON
cybermagazine.com 27
John Scrimsher, Chief Information Security Officer (CISO) at Kontoor Brands, shares how he built and developed the company’s cybersecurity program O n a mission to grow through innovative design and sustainable performance to excite more consumers, Kontoor Brands is made up of iconic names such as Wrangler and Lee jeans.
28 September 2022 KONTOOR BRANDS
The global clothing company is a spinoff from parent company VF Corporation, becoming its own entity in 2019. While it may be a publicly-traded retail company with a primary focus on fashion, it faces the same cybersecurity challenges that many of its peers in the retail industry face.
“My role within the company’s mission, of growing to meet consumer needs, is to ensure that I'm keeping up with the innovation and identifying the cyber risks associated with that, as well as helping drive solutions that enable the business to achieve its mission,” said John Scrimsher, Chief Information Security Officer (CISO) at Kontoor Brands. Scrimsher explained how he works closely with the Retail & Hospitality Information Sharing and Analysis Centre (RH-ISAC). ISACs are non-profit organisations that provide a central resource for gathering information on cyber threats (which, in many cases, are to critical infrastructure), as well as allow two-way sharing of information between their members about incidents, threats, and their root causes. In addition, these organisations offer a platform to share a wealth of experience, knowledge and analysis relating to cyber threats.
cybermagazine.com 29
30 September 2022
Fashioning a new cybersecurity program
He explained some of the major principles that he follows when building a program:
• Making it user focused, keeping it simple –“Complexity is the enemy of security; the more complex we make any solution, the more likely people are to seek out ways around it.”
“COMPLEXITY IS THE ENEMY OF SECURITY AND THE MORE COMPLEX WE MAKE ANY SOLUTION, THE MORE LIKELY PEOPLE ARE TO SEEK OUT WAYS AROUND IT”
The thedevicesformanagementassetneedItsystemstoonprogramforward-lookingisfocusedensuringvisibilityalldataprocessinganddevices.alsounderstandsthetohaveastrongdiscoveryandprogrammanufacturing,edgeandallareasofbusiness.
JOHN KONTOORSCRIMSHERCISO,BRANDS
Building a cybersecurity program for the future Scrimsher started at the company in 2019 and was employed as the first cybersecurity team allowingmember,himto build the rest of the team from the ground up.
“Throughout the industry, we see challenges such as phishing and business email compromise (BEC) remaining top items of concern. Fraudulent activity is another issue, whether it's domain fraud – where people squat on domains and look for new ways to exploit those – selling counterfeit products, or using it as a phishing leverage to make the employees or customers think that they're getting an email from us,” he added.
• ‘All means all’ – When referring to implementing security methods such as multifactor authentication across all users, all means all. Granting any exception is a potential hole for bad actors to exploit. Following those principles, Scrimsher has been able to build a program that covers all the areas of cybersecurity from vulnerability management, third-party risk management, identity management and also governance, risk, and “We'recompliance.notgoingto try to adapt something that may have elements that don't quite fit with what we're trying to do. So, the way I describe it is that my goal is to build a security program for 2025, not adopt and adapt from 1995,” he added. Dealing with third-party risk When the world went into lockdown in 2020 – a state that many countries went in and out of intermittently throughout 2021, too – the global fashion industry faced exceptionally challenging conditions. As well as greater scrutiny on sustainable practices and a larger volume of orders to fulfill in a time of almost stationary supply chains, the increase in online shopping created a larger threat landscape to be exploited by bad actors. Being a forward-looking company that was established just one year prior to the global COVID-19 pandemic, Kontoor had started out planning for the future. This enabled its employees to move quickly
• It can withstand scrutiny – A good cybersecurity program should be able to stand the test of time.
• Measurable visibility – It is important to be able to measure that the program has the level of visibility necessary to protect the environment and to increase that visibility where necessary.
John Scrimsher has over 25 years of experience in developing and leading security organisations across some of the most iconic brands in technology and manufacturing. While based in North Carolina, John has experienced living up in the Pacific Northwest as well as the South east and North East US and appreciates travelling around the world. His experiences with multiple cultures drives his desire to seek new and diverse opinions as a part of the security program. As the CISO for Kontoor Brands, the home for iconic Wrangler, Lee and Rock & Republic Jeans, John has built a forward-looking security program focused on ensuring visibility and resiliency based upon a strong relationships across the business.
KONTOOR BRANDS
JOHN SCRIMSHER TITLE: CISO INDUSTRY: RETAIL APPAREL & FASHION
BIOEXECUTIVE
LOCATION: NORTH CAROLINA, US
34 September 2022 KONTOOR BRANDS
35
71% of organisations report that their third-party network contains more vendors now than three years ago. When it comes to advancing business goals, this evolving business environment demands new approaches to third-party risk management that account for the changes in organisations’ reliance on third parties. cybermagazine.com
to remote working once the pandemic hit, allowing the company to successfully operate its eCommerce platforms. Supply chains have also been a big issue in the cybersecurity industry, as any difficulties or delays with these can completely shut down business operations and lead to various damages. Scrimsher explained: “One thing we always do is look at the risk levels of the supply chain and, just like every other company, we do face the same risks around supply chain disruptions.”

“It's everything – how do we determine what type of data we share with them? How do we determine what level of network connectivity we provide to them? How do we ensure that, when they have connectivity, we can track their identities to ensure we know who is accessing our systems or our data? So we work very closely with other retail companies that we would typically consider competitors, but in the cybersecurity world, we're all partners.

“We're all out there trying to help each other protect our customers and our data through setting and maintaining global standards for all of our vendors. That way, our supply chain providers – whether they're software supply chain or product supply chain – all know what to expect, and they can start building their systems to be as secure as the industry is looking for,” explained Scrimsher.

Scrimsher is currently chairing the Third Party Risk Management Working Group with the RH-ISAC, collaborating with approximately 30 other companies on defining a set of industry standards that they can implement for all of the third parties and the requirements to attain them.

Keeping emails secure through cyber partnerships

The increase in digital transformation has meant more people are connected, and also a move to more people working remotely, partially due to the global pandemic. This change in environment has led to a rise in cybersecurity issues; for example, the high volume and sophistication of advanced email attacks has caused significant cybercrime losses, with business email compromise losses alone amounting to nearly US$2.4bn in 2021.

Kontoor utilises best-in-class partners to help keep the organisation’s emails safe. “We treat our cyber security vendors as partners. This is very important for security because that helps them understand your needs better. We need to work with them on a daily basis to ensure that we understand the threats and that they understand our business needs, so that we can implement it as effectively as possible,” said Scrimsher.

Organisations that suffered a data breach while they had AI technology fully deployed saved an average of US$3.58mn in 2020.

One way in which Kontoor reduces the risk of a data breach is to continuously assess the business and identify trends such as the former. “As we look to the future, there's always discussions around AI technologies and the metaverse and things like that. It's keeping up with those conversations, making sure we know what types of data are going to be involved, what the risk levels are of that data and then driving the program based on that.”

Since implementing tools provided by cybersecurity partners, such as Abnormal Security, instead of having hundreds of users reporting phishing or attempts at fraud, Kontoor has seen its numbers drop down to single digits – because its partners are catching it before the users ever see it. According to Scrimsher, this has greatly reduced the user workload for the clothing company, allowing staff to become more efficient and focus on their jobs, whether that is marketing, sales or design.

Facing the unknown challenges

Reflecting on the past 12 months, Scrimsher explained how one of the biggest improvements has been his team's ability to detect and respond to threats. “Having a team that's able to constantly learn, keep up with the trends and be able to protect our company is, I would say, probably one of my proudest accomplishments.”

“I would say that technology hasn't really changed the industry, but that the industry is definitely driving the need for new technology. Whether it's automation, better identification, or the machine learning and AI capabilities to better identify the threats. Those are all being developed in response to the needs of the industry.”

As the threat landscape continues to grow, so do the challenges that face cybersecurity teams. Businesses are adopting new technologies and solutions, adapting in the face of adversity as they continue to navigate the new challenges. Although these technologies will ultimately lead to strength and innovation in organisations around the world, they can also create new risks and vulnerabilities that can be exploited.

New technologies such as the metaverse are causing some concerns about privacy and data security. As everything is built virtually in the metaverse, cyber criminals have plenty of options to hack the data and misuse it for their personal gains. Scrimsher explained how one of the biggest challenges of working in cybersecurity is that they never know what the next challenge will be.

“That’s the security world, there's always a new type of threat that comes up. In the next 12 months, I expect some of the biggest challenges to be really around privacy and deep fakes. As we start moving into the metaverse and AI usage grows, I think it's going to be a challenge for us to really figure out the right way to address that and ensure that we're protecting our users from fraud and other threats.”
HARNESSING A CULTURE OF COMPLIANCE

Cyber Magazine addresses the challenges of cybersecurity compliance in today’s modern organisations

WRITTEN BY: VIKKI DAVIES

Ensuring compliance is a key priority for many businesses, yet according to research by IBM and Morning Consult, more than 50% of employees aren’t aware of their organisation’s new cybersecurity policies.

At the start of the pandemic, many organisations found themselves scrambling to implement a work-from-home environment. But, with so many changes occurring simultaneously, businesses had to create a myriad of new cybersecurity policies that then needed to be rolled out among staff.

The study found that the cybersecurity awareness of many employees is lacking because they are ignorant about new company policies relating to elements including secure password management, how to handle customer data and other key data concerns.

With potentially serious consequences for businesses who don’t meet their legal obligations, a strong set of policies and procedures is essential to ensure that business operations are consistent, compliant and safe. Yet, understanding your business's responsibilities and then putting the right policies and procedures in place is becoming increasingly challenging.
Matthew Davies, VP of Product at SureCloud, says: “The regulatory landscape is in a constant state of change, which can put organisations in a cycle of perpetual catch-up when it comes to compliance.
“At any given time, they need to ensure they’re compliant with the latest regulations, standards, and frameworks – such as ISO 27001, PCI DSS, CMMC, HIPAA, NIST CSF, and more – as well as preparing for what’s to come. Today, for instance, businesses are getting ready to comply with UK SOX, new legislation designed to restore confidence in the auditing of listed companies and protect investors from fraud.
“There can also be contractual requirements imposed by suppliers or customers and internal policies and procedures such as information security and fair usage policies with which organisations need to comply. Each regulation and standard often requires you to conduct periodic audits of your IT environment to ensure that you’re meeting the requirements. The traditional approach to this, however, is driven by manual, repetitive, and disparate compliance processes that are very labour-intensive. Each compliance requirement you add makes it more complex and time-consuming, with additional manual processes throughout the year,” he says.
While understanding your business's responsibilities and putting the right policies and procedures in place are essential first steps towards keeping your business compliant, many believe that fostering a culture of compliance can actually be damaging to an organisation.

Is compliance culture damaging?

Martin Riley, Director of Managed Security Services at Bridewell, tells Cyber Magazine: “Organisations driven by an overriding focus on compliance often neglect to focus sufficiently on what they need to do to keep their business and customers safe, and how to respond when the inevitable happens. Assuming a security certificate, such as ISO27001, on its own will provide an adequate level of cyber integrity is a risky move.

“A compliance culture can foster a mindset where security teams only invest time and effort when reviewing their certifications, rather than improving their ability to detect and respond. And, if the focus is just to ensure that the ink is dry on these, employees are less prone to feeling accountable or responsible for upholding security best practice.

“The consequences of cyber attacks today go far beyond disruption and revenue loss to include reputational damage, falling share prices, and, in the UK, the potential for hefty fines due to regulatory breaches. And, depending on the severity of a breach, security and compliance roles could even become untenable.”

Is continuous compliance the future for organisations?

Given the challenges of ensuring compliance while not taking your finger off the ball, what is the solution? Some suggest continuous compliance. Continuous compliance is about moving away from ad hoc audits and checks to creating live compliance documents using a combination of people, processes, and technology. The team at cybersecurity company Secureframe believes continuous compliance is the future for businesses. Continuous compliance has a raft of benefits: keeping you compliant in real time, allowing your team to be proactive rather than reactive, minimising your risk of vulnerability and technical shortcomings by notifying you whenever an issue emerges, and reducing the drain on staff resources when you are approaching audits.
SureCloud’s Davies says: “Continuous compliance allows you to free up people’s time to focus on the core issues rather than repetitive admin tasks.

“It will be as much a cultural change as it is a process-driven one. Often security, compliance, and operations teams are not aligned, and each is working toward entirely different objectives. Organisations need to unite these teams around a common set of objectives. Then standardised and aligned processes will simplify testing and evidence collections, and technology will allow you to automate processes using workflow, emails, and notifications. It can also allow you to fully automate the collection and analysis of data to provide constant assurance of controls operating effectively. Not only will this proactive approach make compliance easier to manage, it will also improve security across your IT environment.”

Future compliance

For many businesses the topic of compliance is a complicated one. While the benefits of regulations are clear to see, the pitfalls in understanding them and adhering to them are great. Simon Mullis, Chief Technology Officer at Venari Security says: “Regulations, like GDPR, have had an amazing impact on data safety. The risk of substantial fines has driven a massive uptake in end-to-end encryption worldwide, ensuring compliance and supporting data privacy in transit and at rest.”

As the regulatory landscape continues to grow and change, businesses that want to stay ahead of the game and meet their compliance obligations will need to ensure they are on top of the regulations. This not only requires strong policies and procedures, but also strong communication and relevant training among staff members to ensure that everyone is on the same page.
The future for cybersecurity is resilience

PRODUCED BY: KRISTOFER PALMER
WRITTEN BY: GEORGIA WILSON

Yogesh Madaan, Head Information and Cybersecurity at Bukalapak, discusses the threat landscape in Indonesia and the need for resilience and talent

Flourishing in the wake of rising disruption, it is estimated that global spend on services and technologies that enable digital transformation will amount to US$1.8tn by the end of 2022 – an increase of 17.6% in investment compared to 2021. Despite the need for innovative solutions to tackle growing demands, supply shortages and talent shortages, as well as to increase transparency, resilience and agility, it is important to remember that with more systems come new vulnerabilities that need to be protected. While the benefits are clear, it will be vital to be prepared for accelerated digitalisation and understand the potential cybersecurity implications in the future, as global predictions expect 45% of organisations to experience attacks on their software supply chains by 2025.

Headquartered in Indonesia, Bukalapak’s key challenge is navigating the complex security landscape. According to a report, nearly 20,000 phishing attacks targeting Indonesia have been detected since the start of 2021, with more than one billion exposed credentials identified. As Head of Information and Cybersecurity at Bukalapak, Yogesh Madaan is tasked with leading the company through its navigation of not only the regional but also the global threat landscape.
In the last few months, Indonesia has seen a rise in cybersecurity attacks in the form of stolen data and data breaches. “Indonesia is one of the prime targets for financially-motivated ransomware gangs. In 2021, ~10% of attacks in Indonesia were ransomware attacks, ~15% were unauthorised network access sales, and more than ~50% were database sharing requests,” explains Yogesh.

“We are ultimately trying to build an infrastructure that is resilient to any attacks. We are building a safer cyberspace for our customers and employees as well as addressing the key security risks,” says Yogesh.

“Understanding the threats is the first phase; now we need to be one step ahead of these attackers, and this is what we are trying to do at Bukalapak,” he adds.
Developing a proactive security strategy and availability management system where the company can innovate and implement solutions allows Bukalapak to assess the market vulnerabilities and be proactive in its response to securing its critical assets.
During the height of the pandemic, one of the biggest threats to organisations was the potential for attackers to use home networks to hack the wider system. “At Bukalapak, we trained our employees on how to secure their home network to educate our employees and raise awareness. “Awareness is key in cybersecurity for anybody and everybody. These days, human beings are the weak link, so we spend a lot of effort training our employees in cybersecurity for the new technologies, as well as developing a proactive and scalable cybersecurity ecosystem, and finding the right talent,” explains Yogesh.
Year founded: 2010
“Our goal is to transform our team from being reactive to proactive, as well as transparent,” he adds. “This is the start of our three-year strategy. On our journey, we are also strengthening end-user security, email protection tools, and building a security operation centre. But this would not have been possible without the support, collaboration, and buy-in from internal teams, C-suite, and our partners.
EXECUTIVE BIO

YOGESH MADAAN
TITLE: HEAD OF INFORMATION AND CYBERSECURITY
INDUSTRY: INFORMATION TECHNOLOGY
LOCATION: SINGAPORE

Yogesh is the Head of Information and Cybersecurity/CISO at Bukalapak. He is a seasoned technology leader with 18+ years of experience in information and cybersecurity, technology risk management, regulatory compliance and controls, operational risk, data protection, cloud risk management, compliance- and conduct-related topics, outsourcing, IT account management and production support.

Yogesh holds an MBA in IT Systems. Prior to joining Bukalapak, he was Head of Information and Cybersecurity, Singapore at Standard Chartered Bank in 2020 and spent two years as Director – APAC Technology Risk Manager at UBS AG.
Closing the gaps with cybersecurity transformation
Joining Bukalapak almost 18 months ago, Yogesh’s role was to conduct an assessment of the current cybersecurity threat landscape at Bukalapak, building on ongoing efforts, and to establish a long-term strategy to address future security threats – something many businesses have embarked on post-pandemic. “I was brought in to harness my experience in the industry to provide a fresh set of eyes to identify the potential gaps and strengthen the Information and Cybersecurity domain. Today, we operate with a strong combination of teams working across vulnerability management, identity and access management, core infrastructure, governance risk and control, data security, and cloud security,” explains Yogesh.
Security Operation Centre with Ensign

Furthering its commitment to enabling a proactive cybersecurity approach, Bukalapak has been in partnership with Ensign, which helps companies to maximise both value and advantages by providing the most robust cyber-defence capabilities and services.

Keen to partner with an organisation that could help drive the development of its Security Operation Centre (SOC), Yogesh explains why Ensign was the perfect partner for the task: “We spent conscious efforts to find the right partner who fits with our security strategy. Ever since onboarding Ensign, the organisation has been proactive and supportive in addressing our security concerns. The staff are very knowledgeable in their respective domains to help us build a SOC – which we have been working on for the last three months – and guide us on various cybersecurity-related issues. Ensign has huge experience in building SOCs, working with many organisations in Indonesia and Singapore; they have a huge ecosystem of partnerships. They have helped us to transform our cybersecurity posture and, where required, have guided us in the right direction.”

[Image caption: Bukalapak's third Secure Code Warrior tournament, an internal coding security competition for the company's software engineers]

Ensign’s AI-Powered Cyber Analytics: Generating More Differentiated Outcomes

We caught up with Charles Ng, Executive Vice President for International Business & Key Accounts for Ensign InfoSecurity, to talk about cybersecurity, R&D and Bukalapak. “As Asia’s largest pure-play cybersecurity services provider, Ensign’s robust capabilities and end-to-end portfolio of cybersecurity solutions and services put us in good stead to help our clients enhance their security posture as they invest in digital technologies, and accelerate digital transformation,” Charles Ng says. “We invest a significant amount of our revenue in R&D, and this translates into tangible cybersecurity outcomes and benefits for our clients. It allows us to design and deploy highly customised cyber solutions not found in existing off-the-shelf products. Having released three patents which have been recognised as some of the best AI-powered Cyber Analytics innovations and technologies in the industry, we can address our clients’ unique security challenges. By incorporating our innovations into their systems for more accurate and efficient threat detection, we enable them to adopt a more proactive, predictive security posture to stay ahead of threat actors.”

“Ensign’s footprint across Asia, covering Singapore, Malaysia, Indonesia, Australia, Hong Kong, and South Korea is an important differentiator, especially for Indonesia-based Bukalapak. The breadth and depth of our expertise and solutions is the key reason that organisations across different geographies and industries choose to partner with us.”

Ensign’s partnership with Bukalapak

Founded in 2010, Bukalapak is Indonesia’s leading and first publicly-listed tech company dedicated to providing a fair economy for all through its creation of an online marketplace, online-to-offline platform, as well as specialised platforms. An advocate of cybersecurity, the company searched for a trusted partner who could understand their threat environment and provide end-to-end solutions. Ensign stood out with its strong capabilities – i.e., consult, design & build, operate, and respond – along with its R&D and significant coverage in Asia. Ng adds, “Having to always be ahead of the game, we are committed to give our best to Bukalapak.”

Asia’s largest pure-play cybersecurity service provider with an end-to-end offering

We believe that cybersecurity is a journey where organisations must constantly and progressively improve to remain cyber secure. To achieve this, Ensign adopts a strategic approach in cybersecurity through our end-to-end capabilities in Consult, Design & Build, Operate, and Respond, in all domains of IT, OT, IoT, Cloud and 5G. These four capabilities are underpinned by Innovate, which is powered by Ensign Labs, our R&D unit that performs deep research into cybersecurity threats and solutions. This approach provides us with the ability and agility to help our clients enhance their cybersecurity posture and constantly stay up-to-date to “meet the threat”.

CONSULT: We provide advice and recommendations that can enhance an organisation's cyber posture, strategy, and risk management.

DESIGN & BUILD: We design and build cybersecurity infrastructure, implementing best-of-breed solutions as well as secure-by-design and zero-trust principles.

OPERATE: We provide end-to-end cybersecurity management services through advanced solutions in threat detection, response and monitoring.

RESPOND: In the event of a cyber breach, our team of experts has the means and experience to help mitigate threats, and get organisations up and running in no time.

INNOVATE: Our in-house R&D unit is the core of all our capabilities, originating AI-powered, patented cybersecurity solutions.

Number of employees: 2,000+

The future is resilient

Looking to the future, Yogesh explains that future strategies will continue to be centred around resilience, which is important in the current cyber landscape.

“We are building a resilient infrastructure by adopting a coordinated approach to safeguard our important entities and systems,” Yogesh says. “We are also dedicated to building a safer cyberspace with secure authentications and authorisations for both our employees and customers to ensure that they continue to feel cyber safe.”

With every development, Yogesh explains the importance of scalability and the need for developing talent: “When it comes to developing a vibrant cybersecurity ecosystem, it is important that our solutions are scalable. We are also committed to growing our talent when it comes to cybersecurity and training our people in the right way. The industry is a very evolving field right now, so we must adopt a holistic view in order to ensure that we can deal with future challenges.”

“Automation is becoming increasingly important for the cybersecurity industry, along with data-driven analysis, and artificial intelligence (AI). There is a lot of work to be done, and I want to make sure we have the talent to back up these trends and be able to identify and address any vulnerabilities,” says Yogesh. “There are a lot of disruptive technologies emerging that are thinking outside of the box when it comes to cybersecurity protection. Ransomware for example has become a menace in the world right now. While it's hard to stop, there are companies developing disruptive technologies to do just that.”

A JOURNEY TO DISCOVER THE UNKNOWNS: BUKALAPAK ONBOARDS QUALYS

As a leading online marketplace in Indonesia, Bukalapak chose Qualys’ award winning Vulnerability Management, Detection and Response (VMDR) to strengthen its overall security posture. Qualys VMDR provides Bukalapak with a single, end-to-end solution to automatically discover, assess and remediate all of its IT assets for vulnerabilities. Today Bukalapak enjoys a much-reduced attack surface, thanks to Qualys.

“We chose the holistic Qualys VMDR solution for an accurate and complete picture of all our IT assets’ vulnerability and compliance status with insights into the most severe threats so we can respond quickly.”

Yogesh Madaan, Chief Information & Security Officer, Bukalapak

Partnering with Qualys

Vulnerability Management is a key security domain and after we moved to Qualys our reporting has gotten much better. Qualys solutions make our job easier because of the accuracy. Our teams can trust that the vulnerabilities identified are correct and accurate, and it leads to better health and better trust. Qualys provides us with real-time transparent data on the vulnerable systems which enables us to act in time and secure our systems.

Application Security with Imperva

To ensure resilient security from the application security perspective, Bukalapak partnered with Imperva to simplify its application security posture. Web application attacks prevent important transactions and steal sensitive data. “Imperva Web Application Firewall (WAF) stops these attacks with near-zero false positives and a global SOC to ensure your organisation is protected from the latest attacks minutes after they are discovered in the wild.

“We were looking for a tool, one that can help us meet our requirements and Imperva fits in well,” explains Yogesh.

Dedicated to being one of the cyber safe companies, the next 12 to 18 months will be centred around people, processes and technology for Bukalapak, a trend that is mirrored across industry as the world becomes more connected than ever.

Yogesh concludes by commenting on the rise in geopolitical tensions and their impact on the cybersecurity landscape: “Physical threats such as the war in Russia and Ukraine also enter into the cyber world, and attacks have become more prominent. It will be important as we become increasingly more connected to understand the attack surface and how we can protect it. Important elements in the future will be:
1. Identifying the threat landscape/impact
2. Secure access management
3. Security monitoring
4. Security awareness”
The inworkingremotesidedarkof2022 were considering adding remote-work days around their annual leave as part of an existing trip. While offering a whole raft of benefits, these arrangements pose greater security risks for businesses.
Rajesh Ganesan, President of ManageEngine and an IT veteran with more than 20 years of experience in the industry, says: “Workers could be logging onto company servers from hotel lobbies, cafes, beach bars, airport lounges, or private villas across multiple destinations. Operating across this variety of uncontrolled networks increases the attack surface and leaves businesses more vulnerable to cyberthreats.” ccording to statistics from the World Economic Forum, 95% of cybersecurity breaches are caused by human error. With more employees working from home post-pandemic than ever before, it’s easy to see why businesses are becoming increasingly concerned about the risks of remote working. With the pandemic largely behind us, it is expected that many employees will request a hybrid holiday this year – an emerging trend where longer holidays are booked with the intention of spending time working remotely from a travel destination. A recent survey by Virgin Media O2 revealed that 76% of workers polled 64 September 2022
A
With more people working from home than ever before, we take a look at the increased security risks to businesses and how to combat them WRITTEN BY: VIKKI DAVIES cybermagazine.com 65 REMOTE WORKING SECURITY
Avoid the Top 5 Most Common Open Source Vulnerabilities Within Financial Organizations Learn what open source vulnerabilities are commonly found in financial services organizations. LEARN MORE
Kevin Curran, IEEE senior member and Professor of cybersecurity at Ulster University, says: “Phishing is one of the main ways in which ransomware attacks begin, and it is extremely effective. Cyber criminals often target large numbers of employees through a series of attacks using tailored techniques or dynamic websites to outsmart
IT teams and bypass security systems. It has an alarmingly high success rate and can be very hard to detect, particularly given the rise in remote working, which has introduced more devices than ever to companies’ networks.
KIRI SENIORADDISONPRODUCT MANAGERSECURITY EFFICACY, MIMECAST cybermagazine.com 67 REMOTE WORKING SECURITY
“Cybersecurityawarenesstrainingisnowmoreimportantthanever”
“A key threat of this malware is its ability to evade detection – it goes to great lengths to do so effectively. Some have adopted a 'radio silence' technique, through a sophisticated monitoring of system processes, where malware knows when to stay silent or lie dormant. 'Stealth mode' techniques have also been adopted to evade detection, which involves frequently checking AV results and changing versions and builds on all infected servers when any traces of detection appear.”
Businesses are right to be concerned about the remote working risks. Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch at Mimecast, says: “We are seeing an increasing volume of cyberattacks as a result of remote working across most industries. Working from home in particular creates many challenges, with business leaders experiencing minimised visibility of employee behaviour.”

What current scams do businesses need to be aware of?

Phishing is one of the key attack types of which businesses need to be aware. Recent Mimecast research found that phishing emails were the biggest culprit of cyber threats for businesses in 2021, with 36% of data breaches found to be a result of phishing attacks – 96% of which occurred through email.

Mimecast’s Addison says she believes that “cyber security awareness training is now more important than ever”. Ulster University’s Curran agrees. “Moving forward, organisations must have proficient protocols and multilayered security measures in place to cater for remote working, and they should also regularly remind staff on the dangers of clicking suspicious links or opening bogus emails,” he says.

“Phishing is one of the main ways in which ransomware attacks begin”
KEVIN CURRAN, IEEE SENIOR MEMBER AND PROFESSOR OF CYBERSECURITY AT ULSTER UNIVERSITY

Mimecast’s Addison says she has seen a vast array of phishing scams target remote workers in recent months. “We see cybercriminals target remote workers using recent news to trick victims and use convincing tactics to gain credibility with their targets. We’ve seen this with medical announcements, such as the NHS scams following the COVID-19 outbreak, and geopolitical events such as the Russian invasion of Ukraine. The latest on the news agenda is monkeypox, with cybercriminals using this as an opportunity to send phishing emails to company employees for ‘mandatory monkeypox awareness training’, adjusting their phishing campaigns to be as relevant as possible,” she says.

68 September 2022

What can businesses do to protect their infrastructure for remote working?

ManageEngine’s Ganesan says he predicts that there will be more changes in the working model that will call for the traditional legacy models of security to change, too. “These changes stretch beyond just protecting corporate boundaries and individual cloud services. They also become imperative for our thinking to change holistically to a new model comprising three security aspects: identity security, device security, and infrastructure security.”

It’s clear to see that the work-from-home pattern isn’t going to change anytime soon. While most organisations will have built policies and procedures that protect individuals and their organisations’ infrastructure, it is unlikely that they have this level of contingency planning in place for remote working. Forward-thinking, savvy business leaders must make provisions to protect themselves and their employees if they want to avoid devastating cyberattacks in the future.

REMOTE WORKING SECURITY

President of ManageEngine Rajesh Ganesan shares his tips for minimising threats for remote workers

Focusing on and investing in identity, device, and infrastructure security gives organisations the confidence to run complex corporate networks and enable employees to enjoy the freedom of working from any place with an internet connection.

ZERO-TRUST MODELS
Implementing a continuous Zero Trust model could help keep things in check, as it requires all users to be authenticated and validated for security configurations before they are granted access to corporate applications and data.

DEVICE SECURITY
Endpoints are easy vectors for carrying out attacks on corporate networks once compromised. Organisations should therefore implement unified endpoint management to remain secure.

INFRASTRUCTURE SECURITY
Monitoring all events occurring across a network, as well as proactively identifying patterns and anomalies, is the best security strategy. An organisation's IT security team should be advised of anyone working outside a secure office network, so it can be prepared to take action as and when secure access is compromised.
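The three aspects in the tips above (identity, device, infrastructure) come together at the moment an access decision is made. The following is an added example, written for this page and not code from ManageEngine or any vendor quoted here, of a per-request zero-trust check: the identity token must be live and carry MFA where the application demands it, the device posture report must be authentic before any of its claims are believed, and every decision is recorded as an event for the security team to monitor. The application policy, the posture-signing key, the field names and the sample requests are all assumptions constructed for illustration.

```python
"""Added example (not from the article or ManageEngine): a per-request
zero-trust access decision across identity, device and infrastructure.
Every name, key, policy and sample request is constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical secret shared with the device-management service, which signs
# each device's posture report so a client cannot simply claim to be compliant.
POSTURE_KEY = b"example-only-posture-signing-key"

# Assumed per-application policy. Level 2 = MFA-verified identity.
APP_POLICY = {
    "hr-portal": {"min_level": 2, "allow_unmanaged": False},
    "wiki": {"min_level": 1, "allow_unmanaged": True},
}
MAX_PATCH_AGE_DAYS = 30
NOW = 1_700_000_000   # fixed "current time" so the example is deterministic
audit_log = []        # each decision is an event; in practice this goes to the SIEM


@dataclass
class AccessRequest:
    user: str
    token_exp: int      # Unix time at which the identity token expires
    mfa: bool           # whether the session was verified with a second factor
    device_id: str
    posture: dict       # {"managed": bool, "disk_encrypted": bool, "patch_age_days": int}
    posture_sig: str    # hex HMAC-SHA256 over the canonical posture report
    app: str
    src_network: str    # "corp" or "internet"; recorded, never used to grant trust


def canonical_posture(device_id, posture):
    """Fixed field order so signer and verifier hash exactly the same bytes."""
    return "|".join([device_id, str(int(posture["managed"])),
                     str(int(posture["disk_encrypted"])),
                     str(int(posture["patch_age_days"]))]).encode()


def sign_posture(device_id, posture):
    return hmac.new(POSTURE_KEY, canonical_posture(device_id, posture), hashlib.sha256).hexdigest()


def evaluate(req, now):
    """Return (decision, reasons). Deny is the default: every check must pass,
    and a request from the office network gets no shortcut."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", ["unknown application"]
    reasons = []
    # Identity security: live token, and MFA where the application demands it.
    if req.token_exp <= now:
        reasons.append("identity token expired")
    if (2 if req.mfa else 1) < policy["min_level"]:
        reasons.append("MFA required for this application")
    # Device security: verify the report's signature before trusting its contents.
    if not hmac.compare_digest(req.posture_sig, sign_posture(req.device_id, req.posture)):
        reasons.append("device posture report not authentic")
    else:
        if not req.posture["managed"] and not policy["allow_unmanaged"]:
            reasons.append("unmanaged device not allowed for this application")
        if not req.posture["disk_encrypted"]:
            reasons.append("disk encryption required")
        if req.posture["patch_age_days"] > MAX_PATCH_AGE_DAYS:
            reasons.append(f"device patches older than {MAX_PATCH_AGE_DAYS} days")
    # Infrastructure security: the decision itself is the event worth monitoring.
    decision = "allow" if not reasons else "deny"
    audit_log.append((now, req.user, req.device_id, req.app, req.src_network, decision, tuple(reasons)))
    return decision, reasons or ["all checks passed"]


def compliant_posture():
    return {"managed": True, "disk_encrypted": True, "patch_age_days": 7}


def sample_request(**overrides):
    """Build a constructed request that passes every check, then apply overrides."""
    posture = overrides.pop("posture", compliant_posture())
    device_id = overrides.pop("device_id", "laptop-0042")
    fields = dict(user="alice", token_exp=NOW + 600, mfa=True, device_id=device_id,
                  posture=posture, posture_sig=sign_posture(device_id, posture),
                  app="hr-portal", src_network="internet")
    fields.update(overrides)
    return AccessRequest(**fields)


if __name__ == "__main__":
    print(evaluate(sample_request(), NOW))
    # A client that edits its own posture report after it was signed is caught.
    tampered = sample_request()
    tampered.posture["patch_age_days"] = 1   # the signed report said 7
    print(evaluate(tampered, NOW))
    # Coming from the office network buys nothing: MFA is still required.
    print(evaluate(sample_request(mfa=False, src_network="corp"), NOW))
```

The important design choice is the order of the device checks: a posture report whose signature does not verify is rejected before any of its fields are read, so a tampered "patch_age_days" can never make a stale device look current.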
Practice must evolve to ensure regulatory compliance

Helena Nimmo, CIO at Endava, suggests that hybrid working is often addressed in soundbites, leaving the true complexities of working from anywhere unaddressed, especially security. “As working away from the office is now the norm and employees work in coffee shops, co-working spaces, and other places with non-secure networks, businesses are faced with a myriad of new cybersecurity threats.” After all, she adds: “Many compliance certifications were developed with the assumption that the majority – or indeed all – individuals were working inside an office space. As this has changed, practices must also evolve to ensure regulatory compliance. While these changes might involve a reboot of policies and tools to better mitigate risk, solid processes, not just entirely new technology, should be the focus for businesses.”

An important component of such new processes should be the education of staff, she believes, and “employees should be sensitised to the world of threats on their digital doorstep”. A lack of cybersecurity knowledge makes remote workers especially susceptible to phishing attacks. Exploiting human weakness is often simpler and more successful than hacking complex computer systems, so attackers use psychology to persuade workers to "open the door" for them, according to Nimmo.

“The core of a security programme should be educating your personnel about ‘social engineering’ and how to avoid it. People are given the ability to serve as the first line of defence in case of security breaches by having a ‘human firewall’. As a result, Security Awareness training should be a requirement for all employees, both during onboarding and annually,” she adds.

“Operating across this variety of uncontrolled networks increases the attack surface and leaves businesses more vulnerable to cyber threats”
RAJESH GANESAN, PRESIDENT OF MANAGEENGINE

BT on Cybersecurity in a remote-working world
72 September 2022

CLOUD SECURITY

The cyber threat hunters

As cyber threats increase daily, we take a look at some recommended methods of cyber-threat hunting

WRITTEN BY: VIKKI DAVIES

In early 2022, following the invasion of Ukraine, Currency.com was forced to defend itself, successfully, against a distributed denial of service (DDoS) attack, launched after the company announced its decision to pull out of the Russian market. Currency.com’s Viktor Prokopenya says: “Preparing to defend a company from cyber attacks might feel excessive or even unnecessary. That is, until you experience one. Such hesitation would be a denial of the soaring risks that firms face today in 2022. Security is of paramount importance, because cyber attacks can devastate both businesses and users of their services. Clients are right to expect that companies are doing everything in their power to protect their personal information. Such a failure could constitute a permanent breach of trust between users and a company.”

Currency.com is just one of thousands of businesses worldwide tackling cybercrime every day. The company says the attack has meant it “cannot afford to be complacent”. Using proprietary intelligent technologies, it identifies potential irregularities and malign actors as part of its reactive defences. Stress-testing its platforms to understand vulnerabilities is another essential line of defence.
Businesses concerned cyber risk assessments are not sophisticated enough

While many businesses understand that effective cyber risk assessments can reduce the potential of future incidents occurring, help them detect incidents at an earlier stage and develop a robust defence against attack, new research has revealed that 54% of businesses are concerned their cyber risk assessments lack the sophistication to be fully effective.

Global cybersecurity firm Trend Micro found in its Global risk research report that organisations feel their cyber risk assessments are exposing them to ransomware, phishing, IoT and other threats. Respondents also indicated that overly complex tech stacks and lack of awareness from leadership are exacerbating issues.

Bharat Mistry, Technical Director at Trend Micro, says: “We already knew that organisations were concerned about a fast-expanding digital attack surface with limited visibility. Now we know that they also need urgent help to discover and manage cyber risk across this environment.”

“Preparing to defend a company from cyber attacks might feel excessive or even unnecessary. That is, until you experience one”
VIKTOR PROKOPENYA, FOUNDER, CURRENCY.COM

Martin Riley, Director of Managed Security Services at Bridewell, agrees that organisations need help rolling out proactive threat detection. “By consuming and sharing threat intelligence, organisations can better understand the threats they are likely to face, past, present and in the immediate future, moving from a ‘reactive’ to a ‘proactive’ security stance by expediting threat detection,” he says.

Managing risk

Paulo Henriques, Head of Cyber Security Operations at Exponential-e, also believes that this is the way forward. “Hackers monitor the web 24/7, hunting for any vulnerabilities they can take advantage of, so businesses can never rest. It’s absolutely paramount they have processes in place to constantly monitor, manage and test their cyber security posture,” he says.

Methods used to identify cyber risk

Cybersecurity risk assessments allow stakeholders and security teams to make informed decisions about how and where to implement security controls to reduce the overall risk and ensure the organisation is comfortable with its cybersecurity strategies.

But, with so much technology available, which is the best tool?

Henriques at Exponential-e says: “Companies need a proactive stance to security and automation can be a big help. Many tools now make use of AI, data analytics, and machine learning to identify threats before attacks have been conducted, which makes a massive difference in reducing cyber risks and mitigating vulnerabilities. Ultimately, they extend the human ability to process, analyse, and interpret data in mass volume, which saves time and money, greatly reducing the chances of a malicious actor bypassing cybersecurity processes.

“Automation can be incredibly powerful when it comes to analysing behavioural patterns and generating insights that security professionals can interpret. Almost every reliable security tool on the market today uses it to support automated detection, but we’re not yet at a point where we can remove the human layer from the cybersecurity ecosystem,” he adds.

Bridewell’s Martin Riley says: “At the core of an effective Managed Detection and Response (MDR) strategy are threat intelligence, threat hunting and penetration testing, plus deployment and management of security monitoring and incident response. These solutions support the NIST framework, allowing organisations to identify, protect, detect, respond and recover from cyber threats. Underpinning these services is detection and response technology that is increasingly powered by artificial intelligence (AI) and machine learning (ML).”

54% of businesses are concerned their cyber risk assessments are not sophisticated enough

“Companies need a proactive stance to security, and automation can be a big help”
PAULO HENRIQUES, HEAD OF CYBER SECURITY OPERATIONS, EXPONENTIAL-E

Okta’s password-stealing and Linux-based malware strains | Cyber Threat Briefing

The future for cyber threat hunting

As the cyber threat landscape continues to grow, with ongoing geo-political conflicts meaning the possibility of attack is only increasing, organisations need to be more vigilant than ever. “The longer they wait to identify it, the greater risk it poses when the malicious actor decides to strike,” says Simon Mullis, Chief Technology Officer, Venari Security.

“End-to-end encryption has done a fantastic job at protecting our data, but organisations need to find ways to gain back the visibility of their networks”
SIMON MULLIS, CHIEF TECHNOLOGY OFFICER, VENARI SECURITY

“End-to-end encryption has done a fantastic job at protecting our data, but organisations need to find ways to gain back the visibility of their networks that encryption is currently concealing. Decryption, if even possible with the newer encryption standards, is too cumbersome and time-consuming now that our entire networks are encrypted. Organisations can only hope to keep up if they monitor for malicious activity in their traffic without relying on decryption. To achieve this, security teams need to look towards using behavioural analytics to detect what is happening within encrypted traffic flows,” he says. “A combination of machine learning, artificial intelligence, and behavioural analytics can scan and analyse encrypted traffic without decryption. By accurately understanding the abnormalities between normal and anomalous behaviour, this approach significantly increases the rate and speed at which malicious activity concealed in encrypted traffic can be detected, whilst ensuring data remains private. Security teams can then react proactively to contain the threats it identifies, rather than responding after the fact,” he concludes.
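Mullis's point about analysing encrypted traffic without decrypting it rests on the fact that TLS hides payloads but not flow metadata: who talked to whom, when, how often and how much. The following is an added example written for this page, not code from Venari Security or any product named in the article, showing one such behavioural check over flow records. Command-and-control beacons tend to check in on a fixed cadence with near-identical request sizes, whereas human browsing is bursty and varied, so the check groups flows by (source, destination, port) and flags groups whose inter-connection timing and request size are both unusually regular. The flow records, thresholds and addresses are constructed for illustration.

```python
"""Added example (not from the article or Venari Security): a behavioural
beaconing check over encrypted-flow metadata only, with no payload access.
All flow records, addresses and thresholds are constructed for illustration."""
import statistics
from collections import defaultdict


def _cv(values):
    """Coefficient of variation (population stdev / mean); 0 when nothing varies."""
    if len(values) < 2:
        return 0.0
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def find_beacons(records, min_conns=8, max_interval_cv=0.15, max_size_cv=0.2):
    """records: iterable of (src, dst, dport, start_ts, bytes_out, bytes_in).
    Returns the (src, dst, dport) groups whose connection cadence and request
    size are both suspiciously regular, with the statistics that triggered it."""
    groups = defaultdict(list)
    for src, dst, dport, ts, b_out, b_in in records:
        groups[(src, dst, dport)].append((ts, b_out, b_in))
    hits = []
    for key, flows in groups.items():
        if len(flows) < min_conns:        # too few samples to judge a cadence
            continue
        flows.sort()                      # chronological, so intervals are meaningful
        times = [f[0] for f in flows]
        intervals = [b - a for a, b in zip(times, times[1:])]
        sizes = [f[1] for f in flows]     # bytes sent by the client per connection
        icv, scv = _cv(intervals), _cv(sizes)
        if icv <= max_interval_cv and scv <= max_size_cv:
            hits.append({
                "key": key,
                "connections": len(flows),
                "median_interval_s": statistics.median(intervals),
                "interval_cv": round(icv, 3),
                "size_cv": round(scv, 3),
            })
    return hits


# Constructed sample: one workstation, two TLS destinations, ~12 minutes of flows.
SAMPLE_FLOWS = (
    # Ordinary browsing: irregular timing, varied request sizes, large responses.
    [("10.0.0.5", "198.51.100.20", 443, t, b, 20000 + 500 * i)
     for i, (t, b) in enumerate(zip(
         [0, 7, 30, 31, 95, 140, 141, 143, 300, 410],
         [700, 1500, 3000, 400, 900, 2200, 650, 1800, 1200, 500]))]
    # Beacon-like check-in: every ~60 s (jitter of a second or two), fixed 512-byte request.
    + [("10.0.0.5", "203.0.113.7", 443, 1000 + 60 * i + (i % 3) - 1, 512, 300 + (i % 5))
       for i in range(12)]
)


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

The thresholds are deliberately the tunable part: real environments contain legitimate periodic traffic (update checks, monitoring agents, mail polling), so a hit should be enriched with destination reputation and first-seen age before anyone treats it as an incident, which is the "security teams can then react" step in Mullis's description rather than an automated block.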
80 September 2022

PRODUCED BY: TOM VENTURO
WRITTEN BY: CATHERINE GRAY

BELRON

SECURING BELRON’S FUTURE WITH A ROBUST CYBER DEFENCE SUITE
As it continues on its digital transformation journey, Belron’s Anthony Foust explains how the company’s cyber capabilities are leading the way

Making its mark in the automotive industry, Belron offers vehicle glass repair, replacement and recalibration services.

Belron is heavily dependent on the technicians and other members of staff that work to keep the company running – and included within that team is the company’s Global Chief Information Security Officer, Anthony Foust.

“This has to be one of my favourite companies to work for because of the culture that we have,” says Foust. “It is very caring, very diverse and very inclusive. It’s a team where it doesn't matter what country you're in, where you're from, or what role you're in because everybody cares about the success of everyone else,” he continues.

Committed to excellent customer service and satisfaction, Belron is in a period of transition to continue meeting and exceeding customers’ needs – as Foust notes: “We have started to make some fundamental changes within the company. The organisation today is starting to undergo a transformation of technology and business process and maturity overall.

“Our technologies weren't really well cared for and, as a result, the technologies themselves – in terms of their capacity – didn't really keep up with the business demand,” explains Foust.

“This is a company that truly does care about its customers, about its employees and the data that's associated with them. The shareholders and the executive team have really made a strong commitment to cybersecurity,” explains Foust. “Now, we need to make sure that we are maturing ourselves and building up this capability within our organisation, which is world-class across the board, no matter what country we're in or what brand we're part of. We want to really make sure that we are protecting our employees’, customers’ and clients' data to the best of our ability, utilising industry tools and processes that meet or exceed those standards,” continues the Global Chief Information Security Officer.

“Through this transformation journey, we have recognised that we not only need to uplift these core technologies for the business, but we also need to mature and modernise our cybersecurity and privacy capabilities.”

It is essential that the company modernises its technology while it continues to drive forward its goal of flipping a negative experience on its head, such as a windshield or windscreen breakage, instead providing customers with the best service experience possible.

Anthony Foust, Global Chief Information Security Officer, Belron

“AI and machine learning technologies are going to be critical for cybersecurity in the future. The noise is just tremendous”
ANTHONY FOUST, GLOBAL CHIEF INFORMATION SECURITY OFFICER, BELRON

Enhancing Belron’s cybersecurity journey with new capabilities

Still in the early stages of its transformation journey, Foust explains that Belron is keen not to extend itself too much for fear of things slipping through the cracks or technologies being implemented incorrectly.

“We're not trying to push to the bleeding edge because it is a journey for this organisation. I would say probably what has been unique for us is the pace. In two years, we’ve accomplished the centralisation of our global cyber function, which is the first function to actually be centralised in that space for technology. That was unlike anything that's been done in our technology group before,” Foust says.

“The company traditionally has been decentralised so it's a new way of operating for both the organisation and the team. It has given us the ability to accelerate capability growth, be it via the deployment of new tools and technologies or new processes. That alone has probably taken a unique approach, in terms of how quickly we've been able to scale, build out a team and create a capability that is really mitigating some of our biggest threats and day-to-day risks.”

One key thing that Foust and his team have been able to implement at Belron to support employees is its Integrated Cloud Email Security capability.

“Phishing was very prevalent within the organisation, and it created a lot of noise. Integrated email security has been a really big help for us in reducing that noise in our system and allowing our team to really focus in on signal events – things that really do require a little bit more in-depth analysis, research and investigation to determine if we have a bigger problem,” Foust explains.

As Belron is still in the early stages of this journey, there are a number of technologies Foust and his team are keen to implement. It’s crucial that the implementation of these occurs in a timely fashion to guarantee a robust grace period, where various functions are tested and analysed to ensure they work to the best of their ability.

“AI and machine learning (ML) technologies are going to be critical for cybersecurity in the future. Today, we use AI a lot for helping us detect vulnerabilities and in determining those vulnerabilities that have a real potential for the exposure to a real risk event. Email is another component in helping us through AI technologies, identifying and sorting out the truly malicious emails from those that are legitimate. That's a really critical element for us today,” comments Foust.

“In our future technologies, as we're continuing to grow beyond some of the core elements that we've implemented in the last two years, much will be automated or enabled by AI – especially in the areas of anomaly detection.”

The introduction of these new technologies and capabilities really boils down to the company’s dedication to its customers and employees alike, which is an integral aspect of the business and its driving ethos. “We want to make sure that when customers give us data, they know we are going to treat that data as one of our most valuable assets and protect it; that we're only going to keep it as long as we need to keep it to complete business with them. That's the important thing that we want to think about on the customer journey side.

“We are very customer-centric. Our data shows that as an organisation, but I would also say too, we are very employee-centric,” Foust highlights. “We also want that same experience in terms of data protection and privacy for our employees. We know the people of our organisation are the most important part of how we are able to exist and function for our customers. We want that experience to be the same as if they are also our customers in cybersecurity and privacy, so they also know that when they share their personal data with us – the data we collect through HR processes for example – that it's going to be protected and secured.

“That level of assurance and confidence with us as an employer will translate down to our customers. When we speak to our customers, be it that call centre agent or that field technician out in the field or in the branch, that sense of confidence in Belron can be exuded to our customers.”

Foust here draws attention to the cyclical nature of employee and customer relationships, demonstrating that they directly feed into one another and set important precedents for the company to hang its success on.

EXECUTIVE BIO

ANTHONY FOUST
TITLE: GLOBAL CHIEF INFORMATION SECURITY OFFICER
INDUSTRY: MOVH MANUFACTURING
LOCATION: NORTH CAROLINA, US

Anthony Foust is a 27-year veteran in Information Technology working across several roles and industries and currently serves as the global CISO for Belron.

Anthony obtained his MBA from Elon University with a focus on strategy and leadership as well as a Master’s degree in Information Security and Privacy from the University of North Carolina Charlotte. He is an active member of the technology community and regularly serves as a guest speaker, panel contributor or moderator. Anthony’s current interests have lately focused on governance, risk and compliance in the areas of international Information Security and

16mn customers were served in 2021, in more than 30 countries, across six continents.

Mazars: Transforming Belron with Asam Malik and Mike Fried

Asam Malik and Mike Fried of Mazars discuss the Holistic Transformation of Belron using Technology and Artificial Intelligence. Mazars is a leading international audit, tax and consulting firm, with strong risk, compliance and digital transformational expertise. They have recently embarked on helping Belron, a vehicle glass repair and replacement company, undergo a holistic digital transformation. Although a company like Belron is not the first to come to mind when we think of such transformations, its foresight in doing so, with Mazars’ help, is exceptional.

Asam Malik, Partner, Technology & Digital Consulting practice in the UK, leads the technology and digital practice for their clients in the region. His role entails helping clients leverage technology more effectively and helping them manage their risks around technology.

“We really look at digital transformation in a holistic manner,” says Mike Fried, Partner, Technology & Digital Consulting practice in the US, “starting first with the business transformation as the overarching foundation, and then serving digital and technologies to enable and accelerate a company’s business transformation efforts across people, process and technology solutions.”

In their approach, Mazars uses a comprehensive business and digital transformation framework. “There are six core layers to really help clients achieve their transformation goals,” says Fried. “This includes strategising and developing their transformation roadmap. Transforming core business functions such as finance, sales and marketing, operations and supply chain, IT and HR. Enabling the business through technology solutions. Enhancing decision making by leveraging data as a competitive advantage. Leading people through change. And, finally, protecting the business through security and cyber risk solutions.”

“Belron is a valued client, we really like their culture and core values,” says Fried.

Tap into the right technology

Mazars consulting services help accelerate the alignment of people, processes, and technology so businesses can move forward in the right direction. We provide end-to-end technology and cybersecurity consulting, implementation, and managed services. Move forward with Mazars.
Securing success with strategic partners

To ensure this level of trust and assurance is maintained throughout the business, Belron looks to create sound strategic partnerships that offer the company both flexibility and adaptability as it continues on its transformation journey.

“Those that really are true partners – as opposed to vendors or suppliers – are the ones that really take the time to understand your needs, your vision, your strategy, your stakeholders, the business and the operating model by which it runs. Those are the ones that are always going to stay with the company for a long time. Some of those partners have worked with me for several companies because of that,” notes Foust.

Supporting Belron with its user-friendly technologies is Abnormal Security, utilising its AI-based cloud email security platform to help protect Belron against the full spectrum of attacks.

“What makes them stand out as a partner with us and our longevity with them is, as they've continued to grow as an organisation, they have still remained focused on what we need from them,” Foust outlines, before going on to list the numerous benefits of the relationship. “They always want to make sure we're successful. They truly sit down and listen to our feedback and try to incorporate that into the product’s development. They are proactive and attentive to us as a client of theirs.”

“This has really been the big difference between just a typical transaction with an endpoint solution. At the end of the day, the technology speaks for itself. It has made a real significant impact and the noise that our team are having to deal with on a day-to-day basis has reduced. They have been a great partner from a technology side point.”

Additionally, Belron works closely with the renowned international audit, tax and advisory firm, Mazars. Mazars, according to Foust, is very much aligned with both himself and the company, in terms of what it wants from its partners.

Through a flexible approach to working with Belron, Mazars is able to support the company throughout its various projects, as Foust explains: “They really want to get in with you and strategise; they want to understand how you're thinking, what the company is thinking and how we develop a solution or a proposal that really meets that need. Their operating model is really driven by understanding their customer, meeting their needs, and tailoring their proposals to the customer's needs.

“Things always change here when we’re executing a project. The best part of Mazars is that they're right there with us and helping us facilitate this change. That flexibility, that adaptability and that ability for them to bring subject matter experts to us to be thought partners on that front is just tremendously valuable.”

He concludes: “Due to how they've consistently shown up for us as a partner, any time we have a problem now, they're on the very, very short list of who we go to, to think about problems and the solutions around those problems.”

BELRON’S BRANDS
Included in Belron’s brands are Carglass®, Safelite®, Autoglass®, Lebeau®, O'Brien®, Smith&Smith® and Speedy Glass®
TransformingandSecuringEducationthroughTech BY: TOM VENTURO WRITTEN BY: İLKHAN ÖZSEVIM
96 September 2022 PRODUCED
cybermagazine.com 97 2U
Andres Andreu, Chief Information Security Officer at 2U, a leading EdTech player, explains why security is critical to the present & future of education
T he face of education is changing. With an evermore interconnected world, the times of having to attend educational establishments in their physical locations no longer applies. Educational Technology (EdTech), in the form of educational delivery platforms, is transforming this landscape – there may even come a day when education journeys are taken entirely online as part of global culture. This landscape has its challenges of course, but it also brings with it major opportunities to overcome some of the restrictions that traditional educational systems have not been successful eliminating. In terms of the challenges, the most pressing is probably that which concerns data. 2U is the parent company of global online learning platform edX which provides over 45 million learners with access to over 4000 digital education offerings from more than 230 colleges, universities and corporations. Each one of those learners, and the educators that constitute that learning relationship, has data that pertains to them. That’s a lot of data. Naturally, the security and the trust in the service is central to the educational dynamic and to 2U’s success – which is invariably tied to the outcomes of its users. In other words, the quality of education is now inseparable from the quality of the technology, which
2U is the parent company of global online learning platform edX which provides over 45M learners with access to over 4000 digital education offerings in partnership with more than 230 colleges, universities, and corporations. STATS
98 September 2022 2U
cybermagazine.com 99
ANDRES ANDREU CHIEF SECURITYINFORMATIONOFFICER,2U
Andres Andreu is the Chief Information Security Officer at 2U. His role entails overseeing everything to do with security, ensuring those educational potentialities are maximised by minimising the risk involved when such systems are online. “I'm responsible for the internal side of the house – or what is traditionally called IT security,” he says, “and I'm also responsible for everything having to do with the customer-facing side of the house, which is where we engage with our partners, instructors and students – a larger ecosystem than the internal side. I also oversee SRE (Site Reliability Engineering) or DevOps and DevSecOps as well.”
As CISO, there could hardly be someone better fitted for the job at 2U. Andreu has a long and fruitful professional history, steeped in the expertise that such a position requires. His career began in the early nineties, in a federal law enforcement agency in the US. At the time, Andreu was actually pursuing a career in law enforcement in the field, and “through an interesting series of events”, ended up on the tech-side, building what's called 'Title Three' technologies or ‘lawful intercept’, wire-tap technologies. “I really never looked back from there and fell in place with tech,” he says.
Andreu began his tech career as a software engineer and also did some hardware engineering at that time. “When I left the government, I basically ended up at a large international advertising agency and took over the entire global applications operation, which included everything on the application security side as well – and, in those days, APPSEC was in its infancy.
100 September 2022 2U
“Yes, a user does have an identity, but from an IAM perspective, a machine also has an identity – even certain elements of software have identities” implies, amongst other things, the security of the systems that deliver that education. Homeschooling has a new face, and if home is where the heart is, then school is wherever learners want it to be.
Andres Andreu, CISSP-ISSAP, is the Chief Information Security Officer (CISO) at 2U, Inc. and a Boardroom Certified Qualified Technology Expert (QTE). Andres is an industry veteran and recognised industry leader. He was chosen as one of the Top 10 CISOs for 2022 by C-Level Focus. He was also chosen as CISO/Leader of the Week by the Cyber Startup Observatory in February 2019 and by Computerworld, where he was voted one of the Top 100 IT Leaders for 2009. Andres is the sole author of “Professional Pen Testing Web Applications” as well as numerous magazine articles and an internationally granted patent.
ANDRES ANDREU. TITLE: CHIEF INFORMATION SECURITY OFFICER. LOCATION: RALEIGH-DURHAM-CHAPEL HILL AREA, NORTH CAROLINA
“And so to me, I see application security as an entire ecosystem within itself. Data security is really paramount to us because our objective is always to provide the safest possible environment for our learners – and our users and our instructors trust us with their data – so protecting data at rest is one extremely critical dynamic.” So there is data at rest, and then there is data in transit, and these all fall within Andreu’s remit as CISO. “Now, there are some obvious challenges with the space given that we can’t control what a student has on their machine”, says Andreu, “and I can’t control how they operate from their personal machine. So, given these challenging environments, there are multiple protective elements we have put in place in order to maintain the safest possible learning environment for our customers.”
Risk and Compliance
Since Andreu joined 2U, they’ve built an enterprise risk management committee, the responsibility of which is to understand the identified areas of risk that 2U brings to the table. The committee then makes decisions in terms of priorities in addressing those risks, implementing mitigating controls within certain areas and calculating how much budget they're going to put into those decisions. “That committee is really at the heart of our risk management,” he says. “As a company, from a compliance perspective, we are mandated by a number of partnerships to have several assessments and compliance requirements. So, for instance, we are required to have SOC 2 (Type II) within certain business units, we pursue the UK Cyber Essentials certification, we also are required to have PCI compliance, all the way to externally validated compliance and so on. From a compliance perspective then, we're pretty broad in terms of the requirements that we have to meet.”
This means that Andreu and his team have to address security at the core. “In other words, we need to make sure that our software engineers are coding with certain models in their minds, which are protective mechanisms at a code-level,” says Andreu. “And then we have the other side, which is where we add elements like web application firewalls and content inspection at the actual delivery points – right on ingress and egress.
of traditional security focuses more on networking devices and networking nuances. Layer seven, or application security, is a totally different animal, because you're dealing with elements at a data level – not at a network level. So to me, application security is the cornerstone of my entire programme here. We've put a lot of work into it, but it really encompasses movements on both sides of the equation.”
THE NEXT 12 TO 18 MONTHS AT 2U
2U will be wholly focused on the platform, including everything from an engineering perspective, from the DevOps and DevSecOps perspective, and in securing that platform.
“In my mission statement for the cybersecurity team,” says Andreu, “it is 100% evident that our focus is on providing the safest possible platform for our students to learn and for our instructors to engage, so everything's focused on the platform.”
The Cyber-Age-Old Question of Identity
“Perhaps a gross oversimplification, but in any security system, to be able to understand the landscape, we obviously have to be able to discern those things that are connected to the ecosystem, and Identity Access Management (IAM) is really a framework in terms of the end-to-end management of digital identities.” Andreu pauses before continuing, “and I'm going to be very clear here, because I'm very opinionated on this subject.” We’re all ears.
“Every organisation defines identity differently. However, having done a lot of work with identities, to me an identity is really not just a user. Yes, a user does have an identity, but from an IAM perspective, a machine also has an identity – and even certain elements of software have identities.” This is an interesting approach.
Andreu expresses that he never loses sight of the idea of software elements as having identities, “because,” he says, “if you think about machine-to-machine communications at an API level, there's no human involvement at all in that process, and so it really needs to be thought of in that way.”
“This,” he says, “is all very important if you start thinking in terms of implementing future zero-trust environments, because identities are obviously at the heart of zero-trust, and so we're pushing into that space rigorously. From a user-identity perspective, I can tell you that we're already on the journey to go passwordless and that's an important part of the access aspect of the IAM framework.”
Layers of Security and the Locus of Defence
I begin to wonder whether a completely secure network is even possible, especially in the face of greater interconnectivity and the data explosion that’s taking place on such an unprecedented scale. So I asked him, and his answer was rather stringent, but honest.
“I think network security is just nonexistent at this point, and anybody that thinks their networks are secure is, in my opinion, delusional. Think about it. Our perimeters have disappeared, just as the traditional network has, in fact, also disappeared. Our networks now are extended into cloud environments and deep into people's homes. So you put in controls to try to limit the attack surface within your network, but honestly, you really have to just come to terms with the fact that the network is no longer the locus where you can protect things. At 2U, we are successful at our network security, but I also understand that the network is not really a good choke-point to try to implement security effectively.
“If you take the layer seven example for instance: you could have all the network security in place that you want and an application that gets deployed, but it's chock-full of holes. Unless you have something looking at layer seven data natively – at a granular level – your network security controls are totally useless. From an infrastructure perspective, then, 2U is actually in a really good state because we have a lot of infrastructure-as-code deployment builds and so have many security guardrails built into those CI/CD (continuous integration/continuous delivery) pipelines. It helps us to automate the entire process of securing the deployment of infrastructure.”
GUIDEPOINT SECURITY
2U has a meaningful partnership with GuidePoint Security that has allowed them to achieve much of their vision. Andreu says that he considers GuidePoint Security a trusted partner, which is notable as such a notion does not come easy with him. “GuidePoint have proven themselves to be not only very knowledgeable in the spaces where we've used them, but extremely trustworthy. And to me, that's a great combination. It's a combination that basically becomes an extension of my team. My team is small, but our scope of responsibility is broad. And so I see GuidePoint as a trusted extension of my team, and it's been an invaluable relationship.”
The Future of Education
Andreu predicts that we're going to see a lot of intelligence built into the ecosystems of the EdTech industry. “For instance, in the same way that there's adaptive testing, like where you might get two or three questions, and then the difficulty increases accordingly – there's going to be, I predict, an ‘adaptive learning’. Imagine 40 students in a coding class, all 40 are going to have varying levels of background and experience – so half the class is going to be bored half the time, while the other half is going to be challenged. That’s the traditional model of education.
“But imagine an adaptive environment where a baseline gets set when the class begins. Then the difficulty of the challenges that get presented to students is dynamically adapted based on their performance, on their level of knowledge and ability. I think that's really powerful, and it’s going to be something that slowly remoulds the entire educational environment through technology and AI in the EdTech space.”
2U's mantra is ‘no back row’, because, typically, the back row in a classroom misses out. “They're the ones that are not focused and are not getting the same level of attention from the professor,” says Andreu. “Our objective is to remove that back row and to make this accessible to anybody who's willing to take on the challenge of these classes.”
THE IMPORTANCE OF PARTNERS IN EFFECTIVE SECURITY
SONESTA INTERNATIONAL HOTELS CORPORATION
PRODUCED BY: TOM VENTURO. WRITTEN BY: GEORGIA WILSON
Michael Woodson, Director of Information Security & Privacy, Sonesta, details the importance of partnerships when developing an effective security strategy.
Since 2020, Sonesta International Hotels Corporation (Sonesta) has grown by 350%. Starting out as 16 hotels in 1937, Sonesta has more than 1,200 hotels today – and this number only continues to grow. Sonesta’s foundations are built on excellent service and authentic experiences, driven by its founder A.M. ‘Sonny’ Sonnabend. Offering its services with passion, loyalty, and commitment to the many faces – new and familiar – that stay with the organisation, the human side of hospitality is at the core of Sonesta’s culture. “The guest experience is the number one goal,” says Michael L. Woodson, Director of Information Security and Privacy at Sonesta. Growing its portfolio of hotel brands, each hotel is as individual as its customers’ reason to travel. “Our mission is to wow every guest, team member, partner and community in which we operate by delivering quality, value and amazing hospitality. Being a fast-growing organisation, we are dedicated to redefining hospitality, making sure our operations are the best of the best,” he adds, elaborating on the organisation’s aims for consumers. “Since joining the organisation, Sonesta has gone from 1,000 employees to more than 8,000. We have made significant improvements in five key areas: people, processes, technology, security and resilience.
“We have evolved into this expansive corporation of hotels and services, with very talented and diverse people among us. It’s truly been an amazing journey.” As Director of Information Security and Privacy at Sonesta, Woodson leads the organisation’s cybersecurity practices. “From a holistic cybersecurity perspective, I have a lot of experience in a variety of industries including government, healthcare, utilities, distribution, wholesale and manufacturing, banking, pharmaceutical, retail, and gas,” says Woodson. “In hospitality, I have consulted with many leading organisations on threat, incident response, identity, and asset management,” he adds. “So, when this opportunity came up at Sonesta, I felt that, with my deep industry experience, I could immediately add value and help the organisation reach its goal of becoming a world-class organisation. Since then I have been working to improve the organisation’s cybersecurity posture from one with limited security capabilities to one that has a fully operational security function that is both sustainable for the business and aligns with its objectives.”
Year founded: 1937. Number of employees: 8,500+
EXECUTIVE BIO
MICHAEL WOODSON. TITLE: DIRECTOR OF INFORMATION SECURITY AND PRIVACY. INDUSTRY: CYBERSECURITY. LOCATION: MASSACHUSETTS, US
Michael’s passion and commitment to delivering best-in-class cross-functional leadership, transformative cyber security initiatives, and radical operational improvements can be seen in the array of high-impact positions he has held over the years in academia, law enforcement, and corporate environments. As Director of Information Security and Privacy, Michael has successfully accelerated revenue generation and optimised profitability through the strategic design of information security management processes, as well as radically improving existing information systems and platforms to elevate security standards, ensure physical and digital information assets are adequately protected, and provide the organisation a considerable competitive advantage over others in the market.
The importance of an effective cybersecurity program during an aggressive growth strategy
Once a small organisation, the expansive scale of Sonesta opens up the organisation to all manner of vulnerabilities. “Once, we were in the backyard; now, we are in the jungle,” says Woodson.
“In the jungle, there are lions and tigers, so we need to make sure that, as our organisation continues to grow, we are proactively creating our security posture to defend against a wide spectrum of potential threats, making sure everyone is safe and secure.”
As the organisation continues to develop, cybersecurity will be critical to its success.
“Security is very much woven into the fabric of our strategy; it receives commitment from the top down,” Woodson says.
Woodson warns, however, that, being a large organisation, it is important to attribute pillars of the organisation when it comes to security, rather than looking at the concept as a whole.
“At Sonesta, we have adopted a hybrid approach, supported by a managed detection and response solution in partnership with an organisation called ReliaQuest. With our unique workforce, my team and I are solely focused on cybersecurity; whether that's risk management, privacy, compliance, or endpoint detection and response, our goal is to ensure that we develop a cybersecurity program that aligns with the business.”
Sonesta’s approach to…
Cloud security: COVID-19 brought about an influx of cloud adoption. “Whether it’s Software-as-a-Service (SaaS) or a platform, it will be vital to look at these technologies from a security perspective in order to continue to drive success.”
Unified patch management: “Vulnerability management and patch management go hand-in-hand. The combination of the two has helped us to advance our cybersecurity strategy, giving us an edge when it comes to keeping our security posture.”
Application security: Moving from DevOps to DevSecOps, Sonesta is dedicated to ensuring its environments are developed in a secure way. “We are making dramatic improvements in this area as we expand. We are committed to making sure that our developers are security conscious and adopt the best practices.”
Asset management: “When it comes to asset management, we have been looking at some of the key enablers to develop a single, centralised foundation for information security. We have been looking at this from three areas – asset management, inventory management, and configuration management. Together, we aim to create a dynamic approach to making things secure.”
Sonesta and its partnerships
When it comes to its partnerships, Sonesta is always on the lookout for those committed to developing a strategic partnership. “Being strategic is an important element of a partnership: it adds value, something that is incredibly important to Sonesta. Listening to our customers and developing strategic relationships with our partners have been very important elements of our cybersecurity strategy,” says Woodson.
“It’s not just about price, it’s about added value,” he adds. “When we work with our partners, we are looking for organisations that can advise us on the right products, that can collaborate with us and suggest other approaches that we may not have considered. Sun Management is one such organisation that has given us that ability.
“Sun Management provides us with the ability of value-add both to meet the needs of the organisation and from a cost perspective. They have been a trusted advisor and trusted partner, who have helped not just on the cybersecurity side but on the infrastructure side. They have helped with project management and bringing in third parties to help improve our security posture holistically.”
The next 12 to 18 months for Sonesta
In the upcoming months, Woodson is committed to growing the organisation.
“I’ve been in the digital equipment industry for more than 30 years – as a Director, you never know what tomorrow will bring, but I try to see cracks before they become holes, and my job is to prevent them from becoming craters. The next 12 to 18 months will continue to be dedicated to the development of our security programme and the mitigation of threats and risks,” says Woodson.
“It will be important to make sure that, with a growing remote and hybrid workforce, organisations start to look at their threat landscape differently. With these new ways of working, the perimeter is no longer confined to the walls of your building – workers can now be anywhere. It will be important for organisations to have visibility, as well as the ability to discover, build, understand and utilise what is coming onto the network and how they are using the data.”
Another key trend to keep an eye on will be prevention methods, as Woodson believes that “awareness of the human aspect of security will play a major role.”
“Partners will be key to this going forward; as we adopt things like platform computing, infrastructure-as-a-service and various cloud technologies, vendor management relationships will be very important. Third-party risk is going to be a key attribute that the industry will need to manage better – as well as fourth- and fifth-party risk, as these dependencies can indirectly affect your security.”