Rumi Contractor is President & COO @ Quinnox Inc., a technology-driven services organization for businesses. Here Metin Mitchell interviews the former CIO and Group General Manager for HSBC on the security risks facing corporates and how boards, in particular, should respond.
Metin Mitchell (MM): What are the cyber security threats facing businesses and how well are boards managing these risks?
Rumi Contractor (RC): Cyber security has become a hot potato in recent times with more and more high profile cases emerging – just this week we heard Uber paid off hackers who stole the personal details of 57 million riders last year. However, the reality is that most board rooms do not really grasp the high stakes they are risking each and every day – as the trustees of companies and businesses they are required to help protect as well as manage and grow those businesses.
MM: I recently chaired a panel for CFO Strategies Forum and the role of CFOs in automation. What should boardrooms be doing to address cyber risks?
RC: The world is becoming more and more connected and this trend is only going to keep getting bigger and more complex. The more connected systems become, the more breakpoints – these are opportunities to ‘hack’ or ‘leak’ in the fabric of an organization. I do not claim to be an IT security expert but I understand the risks that are out there and I understand how they can happen and I also know the possible ways to breach those gaps. This experience is not easy to come by for most boards. I have always believed that boards need to stop hiring and using the CIO as a technical fixer and more as an expert who has an ability to translate business goals and needs into technical strategies and blueprints WHILE taking technical issues and translating them into business speak and plans.
MM: What are the main cyber security risks for corporates?
RC: At the end of the day, a security breach which causes real damage involves ‘stealing data’ or ‘manipulating data’ or ‘denying access to YOUR data’. That’s the crux of what really happens in a cyber-breach.
MM: Can you give me some examples of these security breaches?
RC: The first is when someone tries to get into your systems from the outside. These could be hackers trying to bombard your networks and find a vulnerability to get access to your servers, computers, networks and databases. Usually they get into YOUR environment through a loophole that they have managed to identify from a vendor-related weakness – say, because your team did not ‘harden’ the peripherals in your IT landscape. Or because your customers and/or employees have allowed these hackers to get into devices they use to access your corporate systems and networks. Or maybe people have left their devices and systems unsecured and through social engineering, access has been gained by those who are intent on causing you harm.
To bring an analogy of a house, this is where the burglar finds a window left open and climbs in, or someone finds your telephone line outside and taps the connection and listens into your darkest secrets, or finds a lock that is really weak and easily manipulates the same and gains access to your home.
The second category of cyber security breach is one which is most common – internally generated. This is where people have opened connections from inside the corporate environment intentionally (to provide access to others from outside) or done this through sloppy work or non-conformance to stated policies. In either case this access is not because the systems were not ‘hardened’ or that you did not have solid security policies, it is either through stupidity or malicious intent. This is usually harder to identify and avoid. Hence it becomes important that you have systems and monitoring tools that are able to detect such abnormalities as and when they occur.
This is akin to someone in your home intentionally or through carelessness leaving the door to your home unlocked or a window open. You might have a WiFi router with a default password (Admin) which is then accessed by someone from outside the house (from close proximity), who gains access to data that is flowing between the devices inside the house and the internet!
The last category is one where the house is secure both from the outside and the inside BUT the appliances you have inside the house are probably tainted with ‘loopholes’ that allow access to someone with a bit of sophistication and understanding of these matters.
More and more devices are connecting to each other (through the Internet of Things – IoT). Some examples would be WiFi Routers, Amazon Alexa, Google Home Devices, Android Operating Systems on your TV, streaming video dongles, connected refrigerators, mobile phones and more. If they have any loophole – because of a recent operating system update or downloading a Trojan horse during an internet or social media surfing session – then it may end up tainting other devices or rendering them ‘exposed’ – and possibly under the control of Ransomware security ‘bots’.