Cyber Security: combatting the threats

Welcome to the latest DNV GL Talks Energy podcast series. This series focuses on digitalization and the impact of technology and data. Each week notable industry thought leaders join us to discuss AI, data analytics and all the hot topics impacting the strategies of global businesses, communities and nations as we transition towards a more efficient energy system.

Podcast cyber security

Cyber Security: combatting the threats 

Many companies are adopting new technologies to improve their capabilities, but is this making them more vulnerable to cyber attacks? DNV GL talks to Magda Chelly, Managing Director of Responsible Cyber, about the risks of operating in an increasingly digitalized corporate landscape, and how businesses can better protect themselves.

In this insightful episode, Magda gives us her definition of cyber security; explains what she means by the three key cyber security pillars of people, technology and process; and why these are critical to preventing cyber attacks. She also details some of the challenges faced in protecting our data, and provides her views on how the risks of attacks can be reduced. Finally, Magda gives us an insight into the perpetrators of these attacks, and how they are also using developments in technology to their advantage.

iTunesiTunes

SoundCloudSoundCloud

RSSSubscribe
Read the transcription here

NARRATOR Welcome to the DNV GL Talks Energy podcast series. Electrification, rise of renewables and new technologies supported by more data and IT systems are transforming the power system. Join us each week as we discuss these changes with guests from around the industry.  

MATHIAS STECK Welcome to a new episode of DNV GL Talks Energy. Today, we want to talk about cyber security. And my guest is Magda Chelly, the Managing Director of Responsible Cyber. Welcome, Magda. 

MAGDA CHELLY   Thank you very much, Mathias. Good afternoon. I’m really glad to be part of this podcast today and I hope that it will be very useful for the listeners.

MATHIAS STECK It’s great to have you, Magda. So that the listeners understand better who you are, it would be great before we start if you could introduce yourself and sell us your company.

MAGDA CHELLY Absolutely. So, let me start maybe when I was born. No, I’m just kidding. So, I’m Magda Chelly. I’m based in Singapore and I’m the Managing Director of Responsible Cyber. Responsible Cyber is a cyber security advisory and training company providing the services mainly to companies across industries in Singapore and around the world. So, we have customers in France as well as in Singapore as well as in the UK. So, what I mainly do and I always mention that is I try to actually help companies with their cyber security posture. So, not just implementing a project or just reviewing the security of the solution, but trying to bring that holistic overview of what they need in order to achieve a cyber security readiness and resilience.

MATHIAS STECK Nowadays, cyber security is very often in the media, but I think it would be for the benefit to the listeners if we establish first what cyber security actually means.

MAGDA CHELLY It is definitely a very important question. Nowadays, we are having so many new concepts, online, in general, in the media, on the TV. And if we actually go and talk to people, we realize that those concepts are either misunderstood or either not understood as well. As an example, if we go and ask people what does the cloud mean? Believe me, the answers would be very surprising or sometimes even really I would say dangerous. 

So, what is cyber security? I always mention cyber security relating to three main pillars, which allow people to remember one, people, two, technology, and three, process. So, I started by people because one of the main pillars of cyber security is to have the wide awareness around the risks and therefore, to have the responsibility shared between all the actors within a company. So, cyber security readiness cannot be achieved without those three pillars. Let’s say, a small business or a big company will have all the technological resources in place which, depending on the budget, can be a very heavy and expensive solution for big Fortune 500 Companies. However, they did not enable user awareness. And therefore, even one user, when he clicks on a phishing link, can actually lead to a data breach and therefore, I would say, not a good experience for the company as such.

MATHIAS STECK So, now we have established what cyber security means, coming back to what we read about cyber security in the media, there have been some attacks reported about, which are dangerous to society potentially. So, having in mind that digitalization, internet of things makes cyber attacks even more likely, what is your personal assessment about the criticality of cyber attacks in the future? 

MAGDA CHELLY So, first of all, we need to understand that our landscape is changing. So, whenever we are going into new adoption of technologies, that means that we actually are facing new risks, and those risks include cyber risk. And as we are more going into a digitalization and changing completely our business models, those risks are mainly relating to technology. We see business models like the latest biggest companies only relying on technology. They are not selling a product, they are just using a mobile application to link consumers with service providers as an example. What that means is, if that particular application is down, they don’t have business. 

And where I’m going to is that as we are changing completely the landscape, we’re changing the business models, that not only is relating to the risk, but also relates to how to understand technological risk or cyber risk from a business perspective. Especially for industries that have been traditional, if I can use that word, since a very long time ago. And now they are onboarding technologies like, for example, internet of Things, into a traditional ecosystem. 

And I think the energy industry is a very good example, where we have very legacy systems still in place since a very long time that are still communicating through the network. And at the same time, we have very innovative new technologies that allows consumers to enhance their experience for example. Or, from the business perspective, it adds value to the consumer journey. Where I’m heading to is that this actually makes it not only risky for the business, but I like to bring that analogy of having your closed house; we’ve closed all windows and the door and leaving one window open. So, that means that your house is not protected. It’s exactly the same when we’re talking about business. Let’s say, you have your business and you’re running your usual operations, your business will not exist without your assets, right? So, if you would like to protect your business, what would you protect first? Your assets, right? So, most of the time when you go and you try to understand within the companies if they have enough clarity and visibility of their assets that they manage, they will not have visibility related to data. They will have traditional visibility related to assets, let’s say, like physical assets. We have a building there. So, we need a business continuity plan in case of a fire, which is a very traditional approach. 

But what about your data that actually relates to the customers and that is your main asset in order to continue doing business and generate profitability for your shareholder?. So, this lack of visibility of assets and ownership of assets actually leads to not only data breach, it leads to of course a lack of the right controls, or control over security by obscurity, which I like to call it this way. So, first step for business, no matter which kind of industry you are in is to understand your assets and what you’re protecting, including the data. And here, I would like to add something that is really… I like the example as well. Nowadays, if you use a service and you believe that it’s free, do you really think that the service is actually free? I use this question very often in my training. How do you pay for this service that is free?

MATHIAS STECK Well, there might be another business model or somebody makes use of the data you generate while you use the service.

MAGDA CHELLY   You mentioned the key word. You are actually paying for the service with your data. You are the product. So, again, data is taking an increasing importance for businesses and, with the change of business models, has actually become an extremely crucial asset. So, for a business to lack visibility about the assets and ownership of those assets means that they cannot put in place the right controls. 

The second point that is really important when we’re talking about making sure that you’ve built cyber resiliency or readiness, which is not only implementing a firewall on your network, I’m saying that on purpose as well a little bit to be controversial because I this heard this answer pretty often, is to make sure you reach a certain maturity where you have an overview and controls across all departments and not only IT. 

So, you have a visibility about your assets and I mentioned that cyber security is three main pillars, people, technology and process. So, you need to put in place the right controls, no matter what technology you’re using and apply those three pillars. With the rise of new technologies, internet of things or cloud, we present actually a shared responsibility. What does that mean? 

Often, when a customer or one of my customers or a company just decides to go into a cloud migration, what happens is that unfortunately, it’s perceived that the responsibility of putting in place the security control will be on the service provider’s part. This is a complete misunderstanding of what a shared responsibility model means from the cloud service provider’s point of view. What that means as a model, it means that the cloud service provider will have its own part of the responsibility to make sure that their own data centres are protected with the right measures. However, anything that actually relates, for example, to customer data, protection of customer data, technical controls like access control, encryption etc.; those controls are only the responsibility of the customer, the person or company who adopts the cloud. A very simple example, you are using a cloud storage service for your own private use and your have a username and a password and you store your documents. An eight-character password can be crackable in one second. What will be your part of the shared responsibility to eliminate the risk? You will activate a two-factor authentication as an additional measure to protect your access to your storage. This will not be done by your cloud provider. The cloud providers do not usually activate security by default. They give you all the measures and functionalities and it’s up to you as a customer, as an individual, to make sure that they are properly activated.

MATHIAS STECK I think a very interesting, of course, insight. One issue I see is that in the cyber community, there is a lot of discussion about this, but there seems to be a lack of awareness of this concept that cyber is not only an IT department problem. So, what would you think has to happen apart from maybe podcasts like these to create more awareness for the shared responsibility, not only between different companies but also within a company? 

MAGDA CHELLY   So, the main challenge from the perception that we have around cyber security currently is that unfortunately, there is a miscommunication between the parties. Usually, and that’s from traditional reasons, cyber security has been perceived as a very technical area, which it has a technical part. As I mentioned, technology is part of a cyber security pillar. However, there’s process and people. 

Mainly what happens from the previous three years is that you have very technical professional experts in their field in cyber security, and cyber security is very wide. So, you can have different expertise that actually will have a completely different view around business, around priorities, and around risk that is related to, for example, web applications, than a business. Again, I’m trying to bring two practical examples. 

When you have a start-up that is actually building a new solution, as a business owner, their priority will be to build a minimum viable product that they can market and they can sell to the end users. Will they consider security? No. Why? Because security for them will mean cost or will mean additional delays. And that’s also the wrong perception because nowadays if you have actually a web application that is built without security and privacy by design, I’m really pushing the privacy as well which is a very important point, you are actually opening yourself to various risks afterwards that might cause even actually bankruptcy of the business. 

So, coming back, why it happens is because previously, everyone who was talking about cyber security I think was using a very technical word. Coming back to asking anyone about cloud, people do not understand the technological concept. So, if we’re talking about cyber security, we need to make sure that we address it first in a simple, understandable way. Second, we use the same terminology across every single, I would say, meeting, because unfortunately, there are so many terms that are sometimes used in a different way. And third, we actually talk cyber security in relation with a business. 

Cyber security can allow a business to expand quicker, the reach its own goals quicker. But if we are not able to provide that right communication and the way to explain it and I would say present it to the business owners, then, of course, if we are talking, “okay, we need an intrusion detection system”, what does it mean to anyone? It doesn’t mean anything. But if you provide and say, for example, that if you have a privacy by design, you will be able to clearly understand where your data goes from that application. And therefore, you will be able to understand how to reach your compliance with privacy laws and regulation across, for example, all Asia Pacific and even Europe with the rise of GDPR to the new privacy regulation. Then you change completely the business understanding and as well acceptance of cyber security. 

So, two things. One, is understand what cyber security is, [it’s] not just about implementing a very expensive software. If you have it and you do not have one of the other pillars, you’re still very vulnerable, you’re not reaching the right cyber readiness. And second point is to make sure that you actually have the right understanding, how cyber security can enable your business.

MATHIAS STECK Robert Mueller, who we all know from the Trump investigation, said somewhere in the past, there are only two types of companies, those which have been hacked and those that will be hacked. But there’s also other targets like, for example, maybe even countries. And where I want to go is the change in possible threat actors. So, years back, they were maybe thinking about the nerdy kid trying to have an adventure and get into some system, maybe get some data. Then, you’ve got the next step, people do this to get money and we get ransomware attacks on, for example, Maersk. But then, we had also events like a couple of years back, the power shut down in Ukraine, where obviously some people had stayed for months in the system. How do you see that evolving and which will be the main threat actors who cause concern going forward? 

MAGDA CHELLY   So, it’s a very interesting point of view that I hope that I will share with the listeners. One, I always say that if the businesses are going into digitalization or cloud adoption, criminals are doing the same. So, first of all, let’s say that hackers do not [equate to] criminals. You might have hackers who are actually what we call ethical hackers and are helping companies to understand where the weaknesses and vulnerabilities are within the systems. That’s one. 

So, then, let’s clarify where and how the cyber criminals operate today. We have actually this misconception from probably movies, you know, that yes, the person who is hacking is a kid or someone hidden in the garage and trying to hack this bank to be rich as quick as possible. Nowadays, it is actually much easier, I would say, and accessible to anyone who wants to perform a cyber attack. What I mean by that is as the business is moving in the cloud, cyber criminals are moving into the cloud as well and they’re providing services and technical solutions in order to hack. 

So, we can find today solutions that allow you to perform and deny a server attack on the website of competitors that will actually put down the website and make it unavailable. And what I’m actually here putting also, which is important, is the cost of those services can go as low as $5 an hour. So, knowing that nowadays, you can actually purchase hacking tools on the internet, even with technical support like that. Yes, it’s true. Even with technical support, you do not need anymore the technical skills in order to perform a cyber attack. That’s one. 

The second point is, usually, the attacking, let’s say, a web application, or a system, or a network of a company, or a company as such, can actually be done through either traditional hacking, which means you will attack the network of the company, or what we call social engineering. And social engineering means that you actually try to manipulate the people in order to create confidential information. Those two most of the time are combined in order to reach the maximum goal of the cyber criminals. All this leads me to tell you that actually, there is, I would say, still not a complete change into the landscape of who are the cyber criminals. I would say there is a change of the tools available to criminals to use in order to perform cyber attacks. And as per the statistics, and I had a very interesting discussion when I was at, I would say, two weeks ago, there was a cyber security conference in Singapore, the conversation was really interesting because one of the questions was exactly that. Is it changing? So, it’s still actually, currently, the main attackers remain criminal groups that are trying to attack for financial gain. 

MATHIAS STECK We are unfortunately coming to an end of this episode already. But I would like to come back to you as a person also. You are one of the top 50 influencers in cyber, that’s impressive already. But you do not only look into cyber, you also talk about diversity and inclusion. You have created a platform for women in cyber, I would be curious to learn more about that.

MAGDA CHELLY   Thank you very much for bringing that subject in. It’s really a very important topic for me and I try my best to encourage women in cyber security because that is exactly the reason why I call myself a cyber feminist. So, a lot of people ask me online and on social media, what do you mean by cyber feminist? 

Cyber feminist is a term that I use that relates to again encouraging women into joining cyber security. How do I do that and why do I do that? Those are the two main questions that are important to address. One, why do I encourage women into cyber security? Nowadays, and still since several years, and we can search those statistics, women represent only 11% in cyber security. The reasons behind that are various, and it always creates a debate. However, I believe the main reason why we don’t have more women is because we are lacking role models and we also perceive cyber security as one particular area, and it did not have enough popularity previously. So, let’s say, when I was doing my engineering studies, we were not talking about cyber security, we were talking about information security. And no one was hiring that time, a long time ago, cyber security. Everyone was trying to find either an information security engineer or some different roles. So, we did not have that publicity that we have nowadays around that. 

Why I’m doing that? I launched this platform in order to provide especially young women and also women in the field the availability and the possibility to first find other role models and understand that there are a lot of different paths, a lot of different careers that those women have been through and achieved great success. So, they can read stories, they can feel inspired and they can actually dream and achieve their dreams. 

And the second point as well is to make sure that actually they have a platform, the women who actually achieve something, they have a platform where we can say yes, they did that, they have been an amazing Chief of Information Security Officer for years in that company, but no one actually said it before. And that happens a lot. 

So, I try to bring that visibility to women and make sure that we create a community where we encourage each other and bring the successes and celebrate them together. I think it’s very important especially for, for example, girls who are around 15, 16, where actually they make a decision if they like maths or not, if they like computer science or not. So, maybe the fact that you give them different lifestyles as well, different life opportunities can allow them to take other decisions than what they have been used to.  

MATHIAS STECK Very impressive. Thank you. Magda, we are unfortunately coming to an end. Thank you very much for the very valuable insights and the interesting dimensions and perspectives on cyber but also on women in cyber. And to the listeners, that was Magda Chelly, the Managing Director of Responsible Cyber. 

MAGDA CHELLY   Thank you very much. It was my pleasure. 

NARRATOR  Thank you for listening to this DNV GL Talks Energy podcast. To hear more podcasts in the series, please visit dnvgl.com/talksenergy.