Cybersecurity: shared risk, shared responsibility


by Augie K. Fabela II

One of the most important things to recognize about the Internet and about the digital age we are currently living in is that it isn’t simply the product of amazing technology. It is the product of the sharing of this amazing technology – sharing ideas and data on the one hand, and sharing networks and infrastructure on the other.

The sharing has brought immense and immeasurable benefits, by giving people access to unprecedented amounts of information and many unimaginable opportunities. It also brings security risks, which require critical stakeholders such as mobile operators to be able to quickly resolve crises, while also spreading responsibility for prevention across a broader range of network participants.

From my experience as Board Director and Chairman of the Board at VimpelCom, we need to ask the right questions to ensure the prevention of cyber crises:

  • What systems do we have in place to guard against cyber-attacks?
  • What teams do we have in place to ensure rapid response programs can be implemented to limit cybercrime?
  • What processes do we have in place in the event of a crisis? Do you know what they are?
  • What notification and decision-making escalation systems do we have in place that cross management levels and geographies?
  • How closely are we working with our partners, cross-company and cross-interest, to ensure we are having the right conversations about what needs to be in place to identify, manage and counter cyber-attacks?

Given VimpelCom’s unique footprint, which covers markets with some continuing instability and conflicts, this is an area where we have much experience. Two cases are particularly illustrative. In the first, we fended off an attempted hack of Gemalto SIM data that involved one of our countries, as a result of having had the right system in place beforehand—in this case, an additional layer of data exchange security. In the second, we had the ability to respond to a physical attack on one of our key business facilities that allowed us to make a decision that protected the entire customer database of one of our companies within 30 minutes. Without a pre-agreed and committed escalation process in place, we could have faced massive customer exposure and revenue loss.

Robust internal approaches to preventing and managing cyber crises can only go so far, however. A broader approach to shared responsibility for prevention is more important now than ever because the growth of the connected world is accelerating. All kinds of data are moving over to the cloud—the space where connections between systems become most critical. Mobile operators will need to take this very seriously as they move their own data to the cloud. It’s every bit as crucial to customers, as they rely on operators to manage and protect their data as they use it to engage with the people and institutions of their world.

Indeed, just as we are increasingly part of an ecosystem for developing digital services in the corporate world, we need to take a leading role in creating and sustaining an ecosystem for digital security. This means taking shared ownership of the security picture, participating in industry forums, cross-industry initiatives, and global platforms like the World Economic Forum, and keeping this high on the global agenda.

Without a collective, collaborative and innovative approach to digital security, we may fall short of delivering the true potential of what the digital world has to offer. The opportunities are too great for us to take that risk.

What do you see as your role in sharing responsibility for cybersecurity? And are there examples of effective behaviors or practices you would like to share?

2 COMMENTS

  1. Aleksandr Sdelnikov
    Posted 2 years ago - 0 reply

    What do you think is the limit of using clouds? Will all the data move into clouds? It is cost-beneficial, but it carries so many risks now, and there is no absolute confidence that data will be protected safely enough.

  2. Mario Procopio, Director, Cyber Security, VimpelCom
    Posted 2 years ago - 0 reply

    Usage of Cloud Infrastructures for data and services is a trend that will continue as connected devices expand in type and number and people demand and rely ever more on digital services.

    This trend is certainly driven by cost-savings, but it’s also about guaranteeing a seamless device-independent digital experience to the end-user.

    Indeed, this change of paradigm poses new challenges, some of which are related to the security risks of exposing data on someone else’s infrastructure.

    This topic is actually controversial as, in principle, dispersing data across different infrastructures could actually improve the availability of the data itself, which can be replicated across geographies, and improve resilience to some cyber-attacks such as DDoS, the best defense against a Distributed Denial of Service attack being the distribution of the targeted service itself.

    The major concern, then, is the confidentiality and the integrity of the data that is hosted somewhere in cloud infrastructures. How do you mitigate these risks when third parties are managing the cloud infrastructure? Well, the very first, opportunistic, countermeasure for a truly Global Telco, like VimpelCom, would be to rely on its own well-structured, specialized and optimized private cloud for hosting its data and the data of its customers!

    In general though, when deciding to move to cloud infrastructures, the very first concern should be understanding exactly what data will be transferred to the Cloud and what its classification is. Some data just cannot be transferred to the Cloud (judicial data, for example), while other data types (such as customer personal data, for example) could be transferred and handled in the Cloud when specific guarantees are provided (and certified!) by the supplier:

    – Explicit specification of the geography in which the service will be physically located, and in which the databases will be stored;
    – Availability of documented and certified logging features provided to the Customer, allowing monitoring of access-to and usage-of the cloud infrastructure;
    – Availability of SOC certifications and security reports based on security standards guaranteeing the infrastructure;
    – Logical separation of data instances between Customers on the same Cloud Infrastructure.

    In addition to all the above, active or passive data encryption must be supported by the Cloud for required data types, allowing the Customer to mitigate the risk of data breaches by protecting its data, possibly at the origin and end-to-end throughout the service; this last point is extremely important (and difficult to obtain), as it requires security to be embedded ‘by design’ and throughout the development life-cycle of the digital service.

    Encryption of the “pipe”, by the way, is the new hype for connecting to digital services such as Google, Facebook, etc., but this countermeasure can only protect access to the service, mitigating the risk of identity theft, without protecting the confidentiality of data stored in the Cloud.

    With these countermeasures in place, the Cloud could actually be more secure than a local infrastructure and even more than a local infrastructure managed by external suppliers!