Executive discusses cyber security

A lot of information is lost because of cyber security loopholes that exist in organisations around Papua New Guinea. Cybernetic Global Intelligence chief executive officer RAVIN PRASAD spoke to Business reporter PETER ESILA about the importance of PNG companies discussing cyber security in the boardroom.

Q: What is Cybernetic Global Intelligence and what is it doing in PNG?

PRASAD: Cybernetic Global Intelligence is a global cyber-security firm that operates across the globe with its head office in Brisbane, Australia. It has come to PNG and formed a partnership with Datec. This partnership has been running for three years. We are proud to offer the public sector and private sector, including banking and finance organisations, the ability to have these services provided at their doorstep by a local company. Datec, which is based in PNG, in conjunction with Cybernetic Global Intelligence, has 250 cyber security consultants, all having over 10 years of experience working globally in all aspects of cyber security, protecting organisations from cyber attacks daily. We are working with a lot of companies in PNG and finding that cyber security is a key focus in government departments, banking and finance, telecommunications and airline organisations. Organisations are failing to understand what critical infrastructure is at most risk for their business in a lot of instances. It is evident that organisations are not aware of the huge risk and they do not know where to start the work. Unknown to them, they have their network and IT infrastructure easily accessible by hackers. It is not difficult. We have local people based here to help them. We have technical experts going back and forth all the time.

Q: How vulnerable are companies to cyber threats?
Cyber security is the biggest concern in organisations globally and is the key meeting agenda today in board meetings. Any organisation regardless of size – whether in mining, telecommunication, health, emergency services, police, ambulance, banking or airline industry – must understand that they must have cyber security as their key focus. In their board meetings, that should be their core business focus. I am finding that in PNG, the focus is more about how do we restructure, how do we make more money. A lot of these can happen. Executives, and particularly the boards and the government departments across the nation, should start thinking about: How secure is our organisation from cyber-attack? How many attacks have there been on our system today? Do we have a cyber-security policy in our organisation? Who do we contact when we are hacked? Do we have a cyber-security risk mitigation policy? Have these discussions in the boardrooms. Organisations that are currently having these discussions will survive in the future with the rapid growth in technology and cyber-attacks. What I am finding in PNG is that there is a lot of talk about cyber security, but there is no action. So we need companies to implement what we say we are going to do.

Easy cyber security steps to take. – Courtesy of cybernetic-gi.com

Q: Are there any interesting cases experienced with PNG companies?
As we are working with organisations, particularly in PNG, there are a lot of systems being used today that are not monitored. There is a lot of old, outdated software which can be easily accessed by hackers. I am finding that there is no policy or procedures when it comes to cyber security. We have organisations providing company corporate laptops to employees, company mobile phones, with no restrictions. People are using company gadgets, and they are actually downloading software, applications onto their company phones and laptops, and using their own email addresses on company-provided equipment. Should those applications have viruses in them, when they come back to the work environment and connect to their work computer, you can be assured that the organisation will be infected with these computer viruses. Organisations need to understand HR policies, implement policies, they must have cyber security policies, and they need to implement cyber security training across their business starting from the board level to contractors. I am finding that there is no training of any form whatsoever when it comes to cyber security. Datec is providing these cyber security trainings and organisations in PNG need to get their employees into these trainings. HR departments are holding a lot of information and they do not have an information security policy for scanning documents, police checks before they employ anyone in their organisation. What is the on-boarding strategy in relation to information security policies? There is no clear policy documented. What happens when an employee exits? How long before they take their email access away? I am finding that the employees are no longer employed in organisations, yet they are still having access to company networks. The board executives and directors are not wanting to adhere to password policies, they prefer to have the same passwords all year round and these are people that are actually the major risks to their organisations.
Companies need to adhere to password policies right across the organisations.

Q: A lot has been said about the Coral Sea cable with commercialisation early next year. What are some of the risks PNG is exposed to as internet price is decreased?
I think it is great. It is going to give a wider access to people across PNG and to businesses. But whenever there is new innovation taking place, it brings with it a lot of risk. I think we are all excited about what it’s going to do. It is going to bring us better network systems, better services. But organisations need to understand that they have to have policies and systems in place for their organisations, and what their expectations are before they actually hand sensitive information over to the cloud providers and other service providers because the cable is going to bring a lot of good networks to the nation. But it is going to bring a lot of risk as well. Hence all information exchanged with this high speed cable needs to be monitored. What level of information are we going to store in the Cloud? Who has access to this information? Where is the Cloud provider located and does it comply with PNG regulations in relation to data protection? What levels of encryption will be used and is it accessible to other businesses? These are some of the things that we need to think about.

Q: In your experience in PNG, how much is lost every year by companies as a result of the cyber security loopholes?
In my experience, a lot of information is lost by organisations in PNG due to cyber security loopholes that exist in all levels of organisations across PNG. The sad factor is this has been happening for some time now and organisations are unaware. It is hard for me to actually put a dollar value on these losses as organisations are unaware of these attacks. We only find these out when we actually conduct a security audit for these organisations in PNG. Robert Mueller, the FBI director, said in 2012: “There are only two types of companies: Those that have been hacked, and those that will be hacked.”

Q: In your partnership with Datec, what are some of the projects you are working on?
We are working with organisations in the business sector on projects such as security audits to AS27001/2013 International Compliance Standards for Information Security. The PCI Compliance Certification: Strategy and Governance, Assessment, Managed Security, Compliance Review, Cyber Security Policy and Procedures, Web Assessment and Penetration Testing, Red Team Assessments, Security Architecture Review and Training with Datec PNG.

Q: Any final comments?
My request to all organisations in PNG is to think cyber security and have this as the key meeting agenda in boardroom meetings. If your organisation gets hacked, that will be the end of your organisation as the cost of rebuilding its trust and confidence for customers will come at a very high cost. Many organisations which have been hacked are still struggling to survive in this competitive world.