Continuing Computerworld Malaysia's special security insights series suggested by themes included in this year's Security Summit, the country's agriculture sector now comes under the spotlight.
Founded in Malaysia in 2007, Bursa-listed global agricultural and agri-commodities company Felda Global Ventures Holdings Berhad (FGV) is a major player and investment holder which oversees the production of oil palm and rubber plantation products, soybean and canola products, oleochemicals and sugar products. FGV is one of the companies launched by the Federal Land Development agency (Felda).
I asked its Head of ERM (Global IT Risk and Security Risk), Nishal Bipinchandra, to run through a Computerworld quickfire session to get a handle on its approach to enterprise cybersecurity risk within the agriculture sector.
Nishal, a guest CIO panellist for the KL leg of last year's Computerworld Security Summit, is responsible for driving group-level IT risk strategies. This includes aligning security measures with the group's various business drivers.
Photo - Nishal Bipinchandra, Head of Enterprise Risk Management, Senior Manager, Group Risk Management Department, Felda Global Ventures Holdings Berhad at Computerworld Malaysia Security Summit 2016.
When asked for a quick rundown of his career, he said much of it involved running his own IT services company and he also acted as consultant and project manager for Tech Mahindra. Other companies he has worked for in project management capacities include Maxis Communication. Nishal holds PMP and ITIL certification and has chalked up 13 years in the IT industry so far.
Let's start with a quick summary of your management approach to IT and business.
[NB] My focus is on marrying business strategies to IT across the group. Essentially, I believe in prioritising cost-cutting technologies throughout the chain.
And what drives you in your current role?
What drives me is the will to educate our teams on the realities of risks we have out in the real world, and what type of measures we can have in place in order to prevent 'IT doomsday' from happening!
As a security consultant, how do you actually increase awareness in your sector?
In my career as a security consultant for my company, I like to use case examples used by other companies. We deep dive into how these companies effectively used approaches and see how we can adapt them.
For example, Paytm in India uses a six-dimension security model called the Six Dimensions of eCommerce Security, which covers integrity, non-repudiation, authenticity, confidentiality, privacy and availability.
I used a similar concept when deploying the GST payment security measures for FGV to meet governance requirements. We were the biggest in the country to implement this successfully. This was back in 2015.
Let's move on, what are your security fears for 2017?
Among the fears we face as leaders in the country's agriculture industry are possible breaches in IoT (Internet of Things). This is also because we have made huge investments in this sector. Other risks include phishing for our clients' payment details in our eCommerce business. Then there are 'cyber gangs' who threaten to withhold certain sensitive information via the hostage format (ransomware), as warned by CyberSecurity Malaysia CEO Dato' Dr Amirudin Wahab. Last but not least are possible attacks on our DC (data centres), which may lead to huge losses of hundreds of millions of ringgit.
We expect a 10 percent increase in threats across the board in 2017 over last year.
Can you reveal how you're handling some of these threats?
We're prioritising various methods: the first is strengthening our data centres (DC), as these of course hold our financial information. Second would be protecting our trade secrets. We have increased certain measures to better protect all sides of our data.
We've also engaged the cyber police to continually monitor cyber threats, crimes, and to alert us in case of an attack.
What's your current take on the cybersecurity war?
We are coming to a peak in the cybersecurity war. I do believe the 'good guys' are now coming on board together. But we're not seeing enough coordinated action yet.
One of the things I would like to see is for us - the 'good guys' - to re-evaluate our current firewalls, anti-malware protection systems and antivirus solutions.
We also need to be continually aware of the current trends in the cyber world and how companies are being quietly infiltrated. This collaboration among the 'good guys' may help to prevent or reduce attacks - the key is for more open sharing of cybersecurity incidents.
What do you see as the pros and cons for the security and IT industries in the current operating environment this year?
On the positive side, service providers and clients are becoming more educated and more aware in the current environment, I believe. The damage that criminals could do would be better handled than perhaps 10 years ago.
On the negative side, both parties are still bound by government regulations, which means cyber criminals are free to explore the "grey" areas. There's still too much room for criminals to explore the weaknesses of other nations in a borderless world.
One of the recent themes is security as a strategic business driver or enabler. What's your focus?
In my opinion, I believe we should focus on using a security framework to improve our cybersecurity infrastructure and preparedness. We can then adopt the CSF [ConfigServer Security & Firewall] practices and any other frameworks such as CIS [Centre for Internet Security] and ISO [International Organisation for Standardisation]. All three are sound enough as long as your approach best serves to create and get right the best cybersecurity measures for your company.
What's your advice for business leaders and IT professionals this year?
My advice is to increase your budget for opex and capex and invest in the right protective tools for your organisation. This will reduce the potential risk impact when a breach happens.
Among the basics you should have in place: use next-generation solutions to protect your organisation. You will probably use a solution to handle internal threat detection, one to handle antivirus, preferably one that doesn't need signature updates but is AI [artificial intelligence] and machine learning-based. And a security solution to handle your email system is needed.
Is there any difference in how you prepare for a state-sponsored/activist attack vs. a commercially-motivated one?
I would recommend that you treat all attacks as you would a state-driven attack, as this requires a very systematic approach. I would use the format of a state representation module, then a threat modelling module, then a risk analysis module, and lastly a test case selection module. Note: I recommend using a STRIDE approach (a threat classification model developed by Microsoft) to identify high-risk states.
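The four-module flow above (state representation, threat modelling, risk analysis, test case selection) with STRIDE as the classification step can be shown end to end in a few dozen lines. The example below is added here for illustration and is not FGV's model, tooling or figures: the system model is a constructed, generic e-commerce payment path with hypothetical element names, the STRIDE-per-element applicability table is Microsoft's standard one, and the likelihood heuristic, impact scores and test-type mapping are assumptions made for the example.

```python
"""STRIDE-per-element threat modelling with a simple risk-ranking step.
Added example on a constructed system model; not FGV's own model, tooling or figures."""
from __future__ import annotations

from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories Microsoft's method applies to each
# element type of a data-flow diagram.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Defensive test type per category (constructed mapping for this example).
TEST_TYPES = {
    "S": "authentication tests (credential/session token validation)",
    "T": "integrity tests (input validation, message authentication)",
    "R": "audit-logging tests (events recorded, logs tamper-evident)",
    "I": "confidentiality tests (encryption in transit/at rest, access control)",
    "D": "availability tests (rate limiting, resource exhaustion resilience)",
    "E": "authorisation tests (privilege boundaries, least privilege)",
}


@dataclass(frozen=True)
class Element:
    """Module 1, state representation: one node or edge of the system's data-flow diagram."""
    name: str
    kind: str                     # key of APPLICABLE
    crosses_trust_boundary: bool  # e.g. internet-facing, or untrusted -> trusted zone
    impact: int                   # business impact if compromised, 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class Threat:
    element: str
    category: str   # STRIDE letter
    likelihood: int  # 1..5
    impact: int      # 1..5

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def likelihood(element: Element) -> int:
    """Constructed heuristic: elements on a trust boundary are rated more exposed."""
    return 4 if element.crosses_trust_boundary else 2


def enumerate_threats(model: list[Element]) -> list[Threat]:
    """Module 2, threat modelling: apply STRIDE-per-element to every element."""
    threats = []
    for element in model:
        if element.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind: {element.kind}")
        for category in APPLICABLE[element.kind]:
            threats.append(Threat(element.name, category, likelihood(element), element.impact))
    return threats


def rank_by_risk(threats: list[Threat]) -> list[Threat]:
    """Module 3, risk analysis: order by likelihood x impact, highest first."""
    return sorted(threats, key=lambda t: (-t.risk, t.element, t.category))


def select_test_cases(model: list[Element], threshold: int = 15) -> list[tuple[str, str, int, str]]:
    """Module 4, test case selection: one defensive test per high-risk state (risk >= threshold)."""
    return [
        (t.element, STRIDE[t.category], t.risk, TEST_TYPES[t.category])
        for t in rank_by_risk(enumerate_threats(model))
        if t.risk >= threshold
    ]


# Constructed model of a generic e-commerce payment path (hypothetical names, not FGV's systems).
MODEL = [
    Element("Customer (browser)", "external_entity", True, 3),
    Element("Customer -> Payment web app (card details)", "data_flow", True, 5),
    Element("Payment web app", "process", True, 5),
    Element("Payment web app -> Transaction DB", "data_flow", False, 5),
    Element("Transaction DB", "data_store", False, 5),
]

if __name__ == "__main__":
    for element, category, risk, test in select_test_cases(MODEL):
        print(f"[risk {risk:2d}] {element}: {category} -> {test}")
```

With the constructed model, the 18 enumerated threats reduce to nine high-risk states, all on the internet-facing web app and the card-details flow that crosses the trust boundary; the internal flow and the transaction store score lower only because the heuristic rates them less exposed, so in practice the impact and likelihood inputs, not the STRIDE table, are where the judgement lives.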
The first version of this article appeared on Computerworld Malaysia on 21 February 2017.