BCI Regus Worldwide Signature Speaker Series - Kuala Lumpur
There is something to be said about the current wave of cybersecurity incidents and the continuing need for the comprehensive integration of business continuity and business resilience activities: they are increasingly worrying and on the active radar of not only the BCM practitioners being made responsible, but also many other levels in the organisational hierarchy, all the way up to the C-suite and the board of directors.
When commercial planes were hijacked and flown into the towers of the World Trade Centre, the reaction was immediate, as everyone could see what was happening and was acutely aware of the consequences of not taking action (not many situations motivate people as well as the potential loss of life).
Put that scenario alongside the data breach episodes that have now almost become commodity news - a ‘so what else is new’ cliche. These cybersecurity incidents keep appearing in the news as if nothing is being done to address them. Truth is, the typical measures usually taken to prevent, detect and correct (e.g. policy, firewall, IDS/IPS, multifactor authentication, awareness) give a false sense of security that ‘we have done all we can to address cybersecurity concerns.’
That brings us to the BCI tea talk held last Tuesday by the Malaysian Forum of the Business Continuity Institute. With the event taking place right in the heart of Kuala Lumpur, I was just praying that the rain would give The Muddy Confluence a miss that day, lest I spend more time trying to navigate the gridlock that inevitably comes as a bonus with any downpour here.
With the tea talk initially catering for 45 delegates, there were hints of success at the outset when 10 extra chairs were brought in for additional delegates who registered at the last minute.
After the customary opening and introductions by Mohan Menon, Chair of the BCI’s Malaysian Forum, we quickly got down to business, and the speakers brought in that day were top billings right from the get-go.
Topic 1: Cyber attacks 2017 and implications for BCM - a demo-based presentation
When Mr. Clement Arul, CEO of Kaapagam Group, took to the floor, the subject matter presented inevitably riveted the audience, as the issue of data breaches and ransomware is still very fresh in everyone’s mind (think WannaCry, NotPetya, Equifax, Yahoo... I could go on). The real-time demonstration of how hacks can be perpetrated without arousing investigation or suspicion impressed upon the audience the tired old adage that ‘a chain is only as strong as its weakest link’, and when it comes to cybersecurity there are a lot of links to stress test, such as configuration, competency, active logging and monitoring, attitude, awareness and culture, to name just a few.
The impact of this topic on the audience was considerably hard-hitting, as local examples were brought into the live cyber-attack demonstration, and they were not small-fry companies either (remind me to never again completely trust that little golden keylock on the top left corner of a web browser whenever I go into a supposedly secure website).
Cyber attacks are no longer the exclusive domain of hackers who spend their lives creating complex scripts in order to gain access to sensitive organisations. Now you can just download a Microsoft Office equivalent of a cybersecurity hacking suite of products that is even menu-driven, to boot. How easy is it now for some bored high-school students with too much time on their hands to just tick a few boxes on a computer screen and defraud an organisation for their benefit and self-enrichment without writing even a single line of computer code?
The exponential propagation of mobile devices that is outpacing the increased security awareness and culture required of their owners is not helping matters either. As an example, still too many of us relish the idea of free wifi access without asking ‘what’s the catch?’. Nothing in life is ever really free, and in this day and age the cost of losing personal information for just a quick peek into your email inbox or for some online banking in between conference breaks is just too high. Apathy and a false sense of security incur a higher toll on individuals and organisations these days. They just take longer to materialise since the realisation that one’s assets or identity have been compromised doesn’t happen as instantaneously as watching airborne transportation turn into flying missiles that extinguish thousands of lives in a matter of seconds.
Topic 2: Reducing impact to people in a crisis via integrated BCM
Mr. Henry Ee, Founder and Managing Director of BCP Asia and the current Chair of the BCI’s Asia chapter, addressed the concerns of BC practitioners attempting to have continuity and resilience practices integrated into business activities, rather than treated as separate, isolated, triggered events. The non-integrated and trigger-based treatment of BC can often neglect considerations of human impact, and we are not just talking about replacing headcount.
It was a sombre moment to recount the recent arsonist fire that claimed the lives of 23 tahfiz (religious school) students. It reminds us that continuity plans that emphasise rebuilding brick and mortar fall short in addressing the trauma and personal loss of a crisis. An integrated BCM strategy and plan needs to consider people-impact, and that is more easily said than done as long as BC is treated as an isolated discipline without integrating it in all key parts of an organisation.
The Q&A session thereafter was a lively affair with a myriad of topics raised, ranging from cross-border policing and prosecution of cyber crimes, ransomware events that don’t make headline news but are no less serious, bitcoins, cryptocurrencies, BC cost vs benefits and various others. The discussions show how the diverse range of attendees from consultancies, securities, government, financial, system integration, automotive, property and certification bodies are engrossed in the far-reaching influence business continuity concerns have in cybersecurity and the need for better BCM integration with day-to-day business activities. (This and the fact that the organisers said they’ll send back the pizza and soft drinks if there are no questions asked during the Q&A.)
That aside, the tea talk was also a good avenue to catch up with old friends that took the CBCI certification exam with me a few years ago and to network with people from other industries.
Mohd Nazlan Eza Bin Mohd Jamzari Wasi AMBCI
About the author
An IT & operational internal auditor with experience in auditing automotive manufacturing/assembly/distribution, logistics, services, property, hospitality and education through past employment with DRB-HICOM BHD & NCB HOLDINGS BHD. Proficient in ACL CAATS use, certified in Business Continuity (CBCI), and a Certified Information Systems Auditor (CISA).