By Melissa Hancock
Ray Stanton, the global head of BT's security division, talks about how an unpredictable business environment is prompting the need for greater security.
Today attacks on a business can happen at any time and from any place. "What organisations have to remember is that while they might not operate globally, they're still accessible globally. The days are long gone when a thief would walk in and pull a gun on you," says Ray Stanton, global head of Business Continuity Security and Governance practice (BCSG) at communications giant BT.
That the nature of the criminal has changed can be explained by the fact that we are now living in an internet age. Consequently, in recent years major fraud has become synonymous with computer crime. As global head, Stanton oversees all of BT's BCSG operations. He stresses that the Middle East is a target region.
"We cannot be a global company and not be in the Middle East." A heightened need for BCSG is always the case when an economy grows rapidly, but in the region the need is heightened further by "the astronomical growth of the financial sector."
"Organised crime recognises that it is very difficult to monitor everything when there's accelerated growth of organisations." Stanton adds that because of the faster rate of growth, the region's position on the BCSG maturity curve also needs to be accelerated. "There are some global and international organisations that are already here and have a lot of experience in dealing with business continuity, security and governance. However, there are many organisations who don't. This is where BT's BCSG capacity will be invaluable to the region in acting as an advisory board.
"We want to bring knowledge and expertise into the region to help educate businesses here. The region has a great opportunity. It wants to grow and it wants to be a global player, but it's not to repeat the mistakes of other organisations in other countries," he warns.
In order to ensure that these ‘mistakes' aren't repeated, Stanton believes that practising business security needs to be a collaborative effort and that large companies have a duty of care to support their smaller counterparts. "Larger companies have greater resources at hand to address the risks," explains Stanton. "Just like BT are working with the British Department of Trade and Industry to educate SME markets - we should see similar things happening in the region. For example, the Central Bank should be educating the smaller banks. All the M&A activity that is going on here is just massive and they particularly target organisations that are going through M&A."
As Stanton goes on to explain: "Security has never been more important as organisations, supply chains and customers become welded together in the digital networked economy." In terms of acting as an advisory body, Stanton explains that it gives BT the ability to have the "right conversation" with people so that they can make an informed and cognisant business decision. "A really good example is they've just determined that there's a fault line 120km from the UAE. How many companies here have really good business continuity plans in place?"
Stanton points to a recent example as evidence of the need to have a resilient infrastructure and mechanisms in place during times of an emergency in order to ensure a company can still operate. "I was out in Asia-Pacific at the end of January and they'd just had a sub-sea earthquake. I was at a breakfast meeting with two CIOs of two different banks and one of them was poking fun at the other who didn't have a business continuity plan in place. He stood up and said: ‘Well, I'm alright because I haven't lost any business because I'm with BT'. Ignoring the BT element I was so happy that they'd made a really good business decision. BCSG is all about making the right decisions of what to and what not to invest in."
Stanton says there are two main negative ramifications to not having any BCSG plans in place. Firstly, in worst-case scenarios, a bank may get so badly affected that it has no ability to continue operating or conduct transactions. For a region like the Middle East where the financial sector is huge, this could be enormously detrimental. "I'm having conversations with CIOs who are saying ‘Ray, we need to shave milliseconds off transaction times between systems on our trading floor' and they can tell you that those milliseconds are worth hundreds of millions to them. So just think of that bank in Asia-Pacific that lost all those hours when it was down - what was that worth to them?" Stanton says in an incredulous tone.
The second negative ramification is that it's in such cases that other businesses poach from the business that has been ‘hit'. "It's in such situations that companies move in and say ‘Why are you with them? Why aren't you coming to us? Look at what it cost you.' It's a massive impact and we're actually monitoring to see who moves."
There are financial ramifications too: in extreme cases a business may be forced to close, and it also has a duty of care to its employees.
Stanton, however, is well aware that natural disasters are not a real threat in the Middle East and that the main way a company in the region could suffer a hit is through cybercrime. "That's why aeCERT (Computer Emergency Response Team) is an excellent initiative," says Stanton, referring to the cyber-fighting squad recently set up by the UAE's Telecoms Regulatory Authority (TRA). "It will bring groups together, they'll be able to share information as soon as something happens and distribute information in the GCC."
Stanton explains that the aeCERT team will not be working in isolation but as part of a huge joint community of CERT teams around the world. "We know that when there's a problematic event, these teams have a proven track record of reducing the timescale by which it impacts organisations. These CERT teams are dedicated people who understand the threats that are going on around the world, and we're very much involved with them."
By being ‘involved', what Stanton is referring to is that BT representatives sit on the global advisory body known as the Form of Instant Response, which was responsible for the creation of aeCERT. BT sits on many globally-respected advisory bodies including the regional Internet Engineering Task Force (IETF). "This is a group of people who together are defining the way the internet is going to work as a body. We all share information, and it helps us to deal with incidents around the world in a very quick and meaningful way."
BT is also on some of the region's networking and telecom advisory boards. Stanton explains that he frequently lectures at the Etisalat academy. "They have a week-long conference and I teach on the university course and at the paid conference. I really enjoy it and there's a desire to learn here, but we do have a dearth of good skills and capabilities and that's where, unfortunately, they will have to look at external resources."
Stanton, however, is quick to praise banks in the region that he believes are "doing an enormous amount" to secure themselves, particularly through the comprehensive use of technology in their risk management solutions. "Some of the banks operating here have excellent fraud teams and I've had first-hand experience of that. A few months back when I was at home in the UK I got a call from the fraud team of the Dubai branch of HSBC saying ‘We've received a request for use of your card at an online casino in Lagos. Are you there?' Is that not being proactive?"
BT is itself bringing specific risk management solutions to banks. "We've developed a set of risk solutions but it's just one part of an overall risk treatment. And I think this is where some organisations get it wrong - risk solutions are just one part of the wall. We have something that is the ICT risk component and we call this the ‘BT Risk cockpit'. We use this in BT internally so I have first-hand experience that it is effective. So there are some very specific financial risk solutions around but actually 80% of threats to financial institutions are common across the world in every sector and every company."
Ironically, for a man who works in communications, Stanton believes communication with the media over the risks and what is being done to combat cybercrime is severely lacking. "I was talking to my friend who is the head of security at HSBC and I said ‘why aren't you telling people this?' People aren't aware of how much headway is being made and I get really upset about that. It highlights the risk as well as showing that banks are being pro-active in ensuring business security." Indeed, highlighting the risk as part of the education process is crucial as far as Stanton is concerned.
"If you look at other countries around the world that are doing this - Australia, Singapore back to the UK, the US - there are very big education awareness campaigns going on for the home-user. And it's extremely important. Ignoring the banks we've mentioned, phishing attacks can happen to Carrefour supermarkets or to anybody who does financial transactions. You need to build an education early on, but there are some brilliant initiatives by governments around the world. For example, the UK has ‘get safe online'. It's a brilliant piece of activity that is supported by a number of corporates who educate and give top tips. You have to do your piece - it's not just the consumer sector that is responsible." Stanton believes that delivering education is a combined effort involving the media, the government and private companies, and that the GCC region has a "wonderful opportunity" to avoid the pitfalls of other regions.
"They can implement the technology and the processes. People Process Technology (PPT) is a passé term now but people forget its relevance. I think we really need to focus on that now," explains Stanton enthusiastically. "We're just working out final numbers of how many people we will be putting in place over the next three years.
"A number of BT's business partners are also buying companies and investing in the region. It's a challenge in that it is an area of high interest, but it's also the biggest growth region that there is, so it's an incredible opportunity for everyone."