TCC-DNG : How to Justify Cyber Security Spending

August 9th, 2019

The next keynote speaker, discussing the topic of justifying cyber security spending, was Paradai Theerathada, Chairman & Director of Business Operation at Section 31 Co., Ltd. Paradai started his speech by stressing how transformation and change have always been an essential part of his career. He shared that when he joined Orange, the company transformed and became True. Soon after, he joined the Retail Bank, which then changed strategy and bought Bank of Ayutthaya, or Krungsri Bank. He then joined the Thai Military Bank, which then rebranded to become TMB. Now, Paradai has transformed himself into a performance coach to help people become the best they can be.

Paradai shared that it was at TMB that he first encountered a hack.

The second incident was when Paradai was Chief of Corporate Affairs at DTAC. He revealed that the one thing he realized at that point was that only security consultants from other countries were helping them navigate through these issues. This was why he decided to partner with trusted people he knew to set up a cyber crime and cyber security agency to help Thai companies aspiring to join the Thailand 4.0 digital world.

Paradai then gave some background to bring the audience to the same level. The 1980s were the start of digital technology, when we had the first PC. Then we had personal pagers. Then we jumped into the 1990s and the launch of the internet, when the Dot Com Boom began. This was when messenger services really started on the PC platform: AOL, MSN, Yahoo, etc. Then we moved into smartphones that were not so smart, but that began to get features such as email and calendars. This was when we started to see the essence of data. Then came the Apple iPhone in 2006, when this data started to get utilized. 2010 then saw the rise of the App Store, and everything was about apps, which started the perfect storm in which people began to maximize their use of data. This was the first real storm of data retention.

Today, everything is digitized and interconnected. In 2000, Orange had a video called "Orange World", which showed people running on the beach with headphones, talking hands-free to digital assistants, and at that time people thought this was impossible. Now it has all come true. Everything is digitized. Your car can now talk to the garage, your fridge can now talk to the grocery store. You can monitor your entire home security and temperature with a single touch on your phone. In fact, it is not even a touch of a button anymore, but rather a voice-activated command. All of this is designed to make our lives easier. Everything has been designed to make our lives much more efficient, and we are supposed to be happier. Yet there is a dark side to this digitization. As Thailand aspires to reach Thailand 4.0, there is one lucky consequence of being slower and less built out.

By not being as built out, we are able to do this the right way. Every day we see news stories about cybercrime. For example, Russia's attack on Ukraine was conducted entirely in the cyber world, starting by knocking out telecommunications in Ukraine and blacking out the entire country. During this blackout, the Russian military started moving in. This is why there is a new quote in The Economist: "The world's most valuable resource used to be oil, now it's data." But the world is struggling to keep up. Who is taking charge? Who are the stakeholders?

There are different types of hackers in the world today. White-hat hackers are the good guys, the security consultants who help corporations deal with cyber security issues. Grey-hat hackers are what we call hacktivists. Hacktivists have two motivations: either for fun or to make political statements. Black-hat hackers are the bad guys of the cyber world. These are rogue corporations, people interested in corporate espionage, people who want to bring down a country, or people who sell sensitive information to the highest bidder. Yet anyone can be a target. If you open the spam folder on your phone or PC, you might find a list of emails from your friends in Nigeria, also known as the Nigerian Scam. As of 2016, 5.8 billion dollars had been sent to Nigeria by people tricked by the Nigerian Scam.

Where the individual and corporate worlds converge is ransomware and phishing. Ransomware is where they take your computer hostage, and you have to pay them money to release or unlock access. Phishing is like the Nigerian Scam, and sometimes the attackers impersonate organizations such as banks to try to obtain your personal information, like your mobile banking credentials. Internal system infiltration is where they get in and start stealing information to sell to other corporations. Surveillance is why we need to be careful about what we type on our computers. Most of the time, these hackers are after money or valuable data and information, or simply intend to cause damage.

The damage could affect everyone. Facebook, for example, came out and admitted that it had grown too fast, and in doing so had compromised its users' data security in exchange for growth. Customer data are tidbits of information such as your home address, your credit card number, etc. Personal data are data such as who your friends are, where you like to go out to eat, etc. These are the data hackers are often after. Per piece of information, they are able to earn approximately 148 USD.

On average, companies that are not concerned about cyber security take about 196 days to realize they have been breached. Imagine the amount of data that could potentially have been stolen within those 196 days. This could amount to a loss of about 2.2 million USD for 50,000 data records stolen. According to IBM Security, the things people have to take into account regarding cyber security are:

  1. Detection and Escalation – how long does it take to even notice, and what is the immediate internal process for telling your stakeholders what is happening; whom do you inform externally as a stakeholder? Many companies go through crisis management exercises for this.
  2. Notification Cost – when, and at what point, do we have the duty and responsibility to tell our customers that we have been breached?
  3. Post-Data Breach Response – what do we do to address and reconcile the issue with customers; how do we keep them on board, and how do we bring them back; what compensation do we have to give; what assurances do we have to give to the regulators?
  4. Lost Business Cost – all of your systems could be down, and you might see customer churn; what is the cost of your reputation loss, etc.?

This is not just a financial matter; it is also about your corporate brand and reputation, especially when you are dealing with the data of a large group of customers.

Paradai then went on to discuss why we need a cyber security consultant. There is blue thinking and red thinking. Blue thinking is the existing IT maintenance people. These people are focused on maintaining the status quo of operations. The red team is needed to set a compliance framework or governance framework. This is where cyber security consultants come into play, working with the red and the blue team to protect the company.

On how much money should be spent, Paradai explained that this really depends on the size of your business, which correlates to how big the firewall needs to be. You need somebody to map out how big the vulnerabilities in your organization are, and then you need to determine the timeline for patching those vulnerabilities. You also must keep in mind that new vulnerabilities come out every month, so this is not a one-time investment. Generally, companies should be spending about 23% of their IT spending on cyber security, and because of new vulnerabilities, this proportion should be increased by 15% every 3 years. In conclusion, this is the end of innocence. We are headed toward Thailand 4.0, but we have to be smart in the way we do it, protecting ourselves and staying vigilant. Cyber attacks are inevitable, and we have to protect our reputation moving forward.


About the Author:

Corporate Communications