From The Desk Of CISO
Awais Ejaz
GROUP HEAD
Information Security &
Governance at Allied Bank Ltd
My name is Awais Ejaz and I am working as Group Head Information Security & Governance at Allied Bank Ltd. I am looking after Governance, Risk and Compliance pertaining to the information security requirements of the bank. Design, Development and Security Operations of the bank are also important areas of my job responsibility.
I am an active member of the PBA (Pakistan Bank’s Association) – Cybersecurity forum and also a member of different Information Security Groups. Previously at ABL, I was heading the Networks & Communications division and was responsible for the overall design, architecture and operations of the Network Infrastructure.
I started my career at SYSNET Pakistan as a Network Engineer looking after the network deployments at HBL and PTCL. Later I joined Cyber Internet Services, an ISP and a DNOP (Data Network Operator), and was responsible for the Network Operations of the Central Punjab region. I was responsible for setting up WARID’s Enterprise data network and security architecture & design. During my stay at Cybernet I was involved in various projects for Network deployments and integrations with Mobilink, Total Parco, Pepsi, Unilever, Coke, Soneri Bank, Saudi Pak etc.
Question & Answer
As you are aware, cyber threats are everywhere in the world and no person or organization is safe. What is your opinion in this regard?
Cyber threats are everywhere and are rapidly increasing around the globe. The cost of cyber crimes has increased to 6 trillion dollars annually, making cyber crime the world’s 3rd largest economy after the US and China. The digital transformation around the globe has added to this surge in cyber crimes. If you look at the global threat landscape, the following are the biggest cyber security challenges in 2022:
1- Supply chain attacks are on the rise
2- The cyber pandemic continues
3- Cloud services are a primary target
4- Ransomware attacks are on the rise
5- Mobile devices introduce new security risks
6- The next biggest threats would be arising from IoT (Internet of Things)
Who can be involved in a cyberattack, if we would like to know your enemies, and why is it necessary to protect against cyber threats?
In the murky moral universe of hackers, the line between good and evil intentions is often blurred. But the more we understand about the different types of hackers, their motives and their tactics, the better we can prepare for and prevent future attacks. It’s true that some hackers are motivated by ethical or activist considerations, while nation-state-backed hacking campaigns, on the other hand, aren’t motivated by profit. They operate legally in their countries of origin; their purpose is to protect national security interests (including espionage and the propagation of fake news). As such they’re often resourced directly by governments. But let’s be clear: cyber crime is a vast, multi-billion-dollar industry and businesses need to get a firm grasp on it if they have any hope of preventing future attacks.
Without an effective cybersecurity program, your organization cannot defend itself against data breach campaigns, which makes it an irresistible target for cyber criminals. A lack of focus on cybersecurity can damage your business in a range of ways, including:
Economic Costs
Theft of intellectual property, corporate information, disruption in trading and the cost of repairing damaged systems
Reputational Costs
Loss of consumer trust, loss of current and future customers to competitors
Regulatory Costs
GDPR and other data breach laws mean that your organization could suffer from regulatory fines or sanctions as a result of cyber crimes.
What cybersecurity measures have you introduced and implemented in your company?
The defense of any organization against cyber threats depends upon the robustness and effectiveness of its cybersecurity posture, which comprises People, Process and Technology. The bank has implemented a comprehensive layered security posture with controls like Next Generation Firewalls and Web & Email Security Gateways at the Perimeter. Controls like Endpoint Protection, Endpoint Detection & Response and File Integrity Manager are at the Endpoints. Database & Application Security controls, including a Cloud-based Web Application Firewall, are also being implemented. Privileged Access Management solutions are in place for monitoring and tracking of administrative activities.
Apart from these controls on Information assets, the bank has established a 24/7 Security Operations Center for monitoring and management of cybersecurity incidents. The bank has been PCI DSS certified for the last 3 years, having strong processes and controls over cardholder data. We have recently formulated a cybersecurity awareness program and have plans to conduct this program for our staff and customers through a knowledge-based cloud platform, as people are the weakest link in the chain of cybersecurity.
How would we tackle non-state actors … black hat hackers?
Dealing with non-state actors in cyber space is a challenge for states experiencing large-scale cyber attacks launched by such actors. Especially since more and more state actors seem to be hiding behind so-called independently operating non-state actors, it is important to get more clarity on how states could respond to such actors.
To protect the Organization’s Information Assets from these Threat Actors, I would again lay emphasis on developing and implementing an effective and layered security posture, strengthening your People, Process and Technology.
How do Black Hat Hackers Damage the System?
Black Hat hackers are criminals who break into computer networks with malicious intent. They may also release malware that destroys files, holds computers hostage or steals passwords, credit card numbers and other personal information. These threat actors typically engage in cyber crime operations and use hacking for financial gain, cyber espionage purposes or other malicious motives.
While hacking might have become a major intelligence gathering tool for governments, it’s still more common for Black Hats to work alone or with organized criminals for easy money. The WannaCry ransomware released in May 2017 is one example. Within the first two weeks of its release, it infected approximately 400,000 computers in 150 countries. Fortunately, security experts released decryption tools within days of WannaCry’s appearance and their fast response time limited extortion payments to about $120,000.
Do you have all the information that is needed to oversee cyber risk?
The main responsibility of the CISO is to provide maximum visibility to the organization in terms of its threat landscape. This is a continuous process and one cannot be sure about having complete information or visibility to oversee cyber risk.
Here, Cyber Threat Intelligence (TI) plays an important part, with intelligence relevant to the country and especially the financial sector, in managing cyber risk.
The following are some key factors for managing cyber risk effectively:
1. Monitor the risk environment
2. Monitor data assets
3. Implement an incident response plan
4. Gain management support
5. Third Party / Vendor Risk Management
6. Build strong external relationships
7. Enforce security protocols
8. Evolve with the technological environment
9. Ensure you comply with the relevant regulations
10. Invest in security awareness
How effective is your cybersecurity strategy at addressing business risks?
While developing the cybersecurity strategy for the bank we had two considerations in mind. Firstly, we conducted a gap analysis of what was missing in terms of People, Process and Technology, benchmarked against international standards and industry best practices. Secondly, the strategy had to be aligned with our business goals and objectives. Finally, the outcome was a comprehensive strategy with both short-to-medium-term and long-term specific goals.
This whole process ensured that nothing was left out and provided us complete visibility of what was required for addressing business risk. We believe that we have made a rightful strategic plan which is effectively meeting business requirements against security risks.
How do we protect sensitive information handled and stored by third party vendors?
In today’s interconnected economy, companies rely on third parties. It’s increasingly common to outsource some parts of your business to vendors who specialize in that function, whether that be via a SaaS vendor, third-party service provider or contractor. These third parties aren’t typically under your organization’s control and it’s unlikely that they provide complete transparency into their information security controls. Some vendors can have robust security standards and good risk management practices, while others may not. Some best practices for third party Risk Management include:
1- Adequate due diligence should be performed during the Vendor Onboarding process.
2- Make a practice of incorporating cyber risk into your Vendor Risk Management Program and vendor contracts.
3- Keep an Inventory of Your In-Use Vendors so as to understand who all your third parties are and how much is being shared with each of them.
4- Continuously monitor vendors for security risks by monitoring their security controls over time.
5- Collaborate with your vendors to reduce risk and fix security issues quickly.
6- Talk about third-party risk by having leadership engagement on both sides.
7- Cut ties with bad vendors – the ones with poor cyber hygiene.
8- Measure fourth party risk – as important as it is to understand your third-party risk, it’s also important to know who your third parties rely on. These organizations are known as your fourth-party vendors and they introduce fourth-party risk.
9- Follow the principle of least privilege. Many third-party data breaches occur because the third party is provided with more access than they need to do their job.
Do you have the right data governance strategy to minimize cyber risk?
Yes, we have a Data Governance structure in place and a strategy to minimize cyber risk.
Are your employees fully equipped with cyber technology and have all required certifications?
Yes, our team is well equipped with the latest cyber technologies and the required certifications. Here I would like to make a point that with the high turnover of cybersecurity resources, you need to have a hybrid model which includes your organization’s staff combined with vendor outsourcing for the relevant skillset and areas. This way you can effectively manage HR needs. We have staff certifications including CISM, CISA, COBIT, CYSA, CEH, BSMS, SOC Analyst etc.
What do you think are the biggest cybersecurity threats right now, especially from the perspective of Pakistan, and what do you suggest to tackle these threats?
Globally, the continued combined impact of the COVID-19 pandemic, socio-political upheavals and ongoing financial stress is likely to increase the number of careless mistakes that employees make at work, creating more exploitable opportunities for cybercriminals. However, the following are the biggest cyber security threats, especially from the perspective of Pakistan:
• Poor Cyber Hygiene
• Mobile Device Vulnerabilities
• Ransomware
• Poor Data Management
• Inadequate Post-Attack Procedures
• Configuration Mistakes
Recently some of our government organizations have been victims of cyber attacks. We need to considerably improve the cyber health of the government sector.
The following measures should be adopted to counter these cyber threats:
• Information Security Governance structure should be improved
• Timely updating of all security systems and software
• Conducting regular employee cybersecurity training
• Reducing your attack surface by improving security controls
• Threat Intelligence feeds relevant to the country
• Back up and recover your data periodically
• Managing Third Party Risk (Vendors)
• Protecting your physical premises
• Conducting Cyber Drills & Incident handling trainings
People receive messages and emails that may be from malicious hackers; how can they stay safe?
Banks and other Organizations should develop Information Security Awareness Programs and should conduct Awareness Campaigns to educate their Employees and Customers on a regular basis about the latest and evolving threats.
Do we need cyber security insurance?
Yes. We need Cyber Security Insurance. State Bank of Pakistan has also mandated Banks for Cyber Insurance.
Do you think the people of Pakistan are well informed about cybersecurity and threats? If they are not well informed, please advise.
Cybersecurity is evolving in Pakistan. Cyber-attacks and Digital Frauds are also on the rise as digital transformation is taking place in the country, especially in the last two years of the COVID Pandemic. I think people are not as well informed about cyber threats as they should be. I believe mass-level security awareness campaigns and programs should be conducted through Social, Print & Electronic media to provide awareness to the people.
Please give some suggestions to our viewers on what safeguards they should adopt to avoid cyber mishaps.
Some best practices that can be followed to avoid cyber mishaps:
1. Keep your software and systems updated
2. Implement security controls like firewalls etc.
3. Make regular data backups
4. Activate multi-factor authentication
5. Ensure endpoint protection
6. Get appropriate cybersecurity knowledge
7. Control access to your systems
8. Create strong passwords and change them regularly
9. Secure your network devices and wireless connections (wifi)
10. Train your staff