For our first cover story of 2024 we meet with Lloyds Banking Group’s CIO for Consumer Relationships & Mass Affluent,…

For our first cover story of 2024 we meet with Lloyds Banking Group’s CIO for Consumer Relationships & Mass Affluent, Martyn Atkinson, to learn how an ambitious growth agenda, combined with a people-centred culture, is driving change for customers and colleagues across the Group.

Welcome to the latest issue of Interface magazine!

Welcome to a new year of possibility where technology meets business at the interface of change…

Read the latest issue here!

Lloyds Banking Group: A technology & business strategy

“We’ve made significant strides in transforming our business for the future,” explains Martyn Atkinson, CIO for Consumer Relationships & Mass Affluent at Lloyds Banking Group. “I’m really proud of what the team have achieved. There’s loads more to go after. It’s a really exciting time as we become a modern, progressive, tech-enabled business. We’ve aimed to maintain pace and an agile mindset. We want to get products and services out to our customers and colleagues. We’ll test and learn to see if what we’re doing is actually making a meaningful difference.”

AFRICOM: Organisational resilience through cybersecurity

We also speak with U.S. Africa Command’s (AFRICOM) CISO Ryan Larsen on developing the right culture to build cyber awareness. He is committed to driving secure and continued success for the Department of Defence. “I often think of every day working in cyberspace a lot like counterinsurgency warfare and my time in Afghanistan. You had to be on top of your game every minute of every day. The adversary only needs to get lucky one time to find you with that IED.”

OLYMPUS DIGITAL CAMERA

ALIC: Creating synergy to scale at speed with Lolli

Since 2009 the Australian Lending & Investment Centre (ALIC) has been matching Australians with loans that help build their wealth. It has delivered over $8.3bn in loans to more than 22,000 leading Australian investors and businesses. Managing Director Damian Brander talks ethical lending and the challenges of a shifting financial landscape. ALIC has also built Lolli – a broker enhancement platform built by brokers, for brokers.

Sime Darby Motors: Driving digital, cultural, and business transformation together

Sime Darby Berhad is one of the oldest and most successful multinational companies in Malaysia. It has a twin focus on the Industrial and Motors sectors. The company employs more than 24,000 people, operating across 17 countries and territories. Sime Darby Motors’ Chief Digital & Information Officer Tuan Jean Tee shares how he makes sure digital, cultural, and process transformation go hand in hand throughout one of APAC’s largest automotive multinationals.

Also in this issue, we hear from Microsoft on the art of sustainable supply chain transformation, Tecnotree map the key trends set to impact the telecoms industry in 2024 and our panel of experts chart the big Fintech predictions for the year ahead.

Enjoy the issue!

Dan Brightmore, Editor

Doug Laney is Innovation Fellow at West Monroe and a leading Data & Analytics strategist. We caught up with the author of Infonomics and Data Juice to talk tech and how companies can measure, manage and monetise to realise the potential of their data

Our cover story explores the rise of data and information as an asset.

Welcome to the latest issue of Interface magazine!

Interface showcases leaders aiming to take advantage of data, particularly in a new world of AI technologies where it is the fuel…

Read the latest issue here!

How to monetise, manage and measure data as an asset

Our cover star is pretty big in the world of analytics… We meet the guy who defined Big Data. Doug Laney is Innovation Fellow at West Monroe and a leading Data & Analytics strategist. We caught up with the author of Infonomics and Data Juice to talk tech and learn how companies can measure, manage and monetise to realise the potential of their information. In his first book Laney advised companies to stop being fixated on hindsight-oriented analytics. “It doesn’t actually move the needle on the business. In the stories I’ve compiled over the last decade, 98% have more to do with organisations using data to diagnose, predict, prescribe or automate something. It’s not about asking questions about what happened in the past.”

Canvas Worldwide: A data-driven media business

Continuing this month’s data theme, we also spoke with Alisa Ben, SVP, Head of Analytics at full-service media agency Canvas Worldwide. Data has transformed the organisation, and what its clients do. “We look holistically at the client’s business and sometimes the tools we have might be right for them, sometimes not. It’s more about helping our clients achieve their business outcomes.”

TUI Musement: from digital transformation to digital pioneer

At travel giant TUI, handling data effectively is paramount when communicating consistently and meaningfully with up to 25 million customers annually. David Garcia, CIO for TUI Musement, talks about the tech evolution driving the travel giant’s provision of experiences, transfers and tours. It’s a big part of its operational shift from local to global. “As a CIO, I’ve always been interested in how the tech innovations we drive can support the business and add value.”

Hiscox: making cybersecurity more accessible

Liz Banbury, CISO at Hiscox and president of (ISC)² London Chapter, talks to us about how cybersecurity can become a more accessible, realistic career path for almost anybody. “When I was at school, topics like computer science didn’t even exist,” Banbury explains. “In one of my first jobs, over in Hong Kong, we were still using a typewriter! A lot has changed. My key point here is that there’s a lot of cybersecurity professionals who are really good at their job. They are inspiring, and have come from all walks of life. Crucially, they don’t have a maths, computer science, or technological background at all. But they still make great cybersecurity professionals.

Portland Community College: Risk vs Speed in Cybersecurity

Reet Kaur, former Chief Information Security Officer at Portland Community College, discusses the organisation’s transition to the cloud amid a digital transformation journey. I don’t want to work with people who just say yes all the time. I want my ideas challenged to help forge the excellence in the security programmes I help build.”

DBHDS: Cybersecurity in healthcare

The Virginia Department of Behavioral Health and Developmental Services (DBHDS) exists to create ‘a life of possibilities for all Virginians’ and transform behavioural health. Its focus is on supporting people across the entire commonwealth. It helps them get the support they need in order to take wellness and recovery into their own hands. In an area like healthcare, sensitive information is all over the place, meaning cybersecurity is a priority – and this is where Glendon Schmitz, CISO at DBHDS, comes in. The security team exists to help the wider organisation achieve its objectives with data. We’re there to protect the business, not the other way around.”

Also in this issue, we schedule the can’t miss tech events and get the lowdown on IoT security from the Mobile Ecosystem Forum.

Enjoy the issue!

Dan Brightmore, Editor

Financial services organisations are trusted with far more than just money; they’re also responsible for keeping customers’ highly sensitive personal and financial data under lock and key. We’re hyper-aware that the growing value of this data means financial organisations are prime targets for cyberattacks – but this isn’t the only threat they face.

In fact, not a day passes without these firms’ own employees putting data at risk from within, says Tony Pepper, CEO. Egress…

You might think that, when it comes to reducing overall breach risk, employees represent low-hanging fruit – surely it is easier to control the actions of a company’s own team members than it is to defend against external attackers? However, this not the reality experienced by financial firms worldwide. While external attackers are always motivated by malicious intent, the employee population is far more heterogenous and, in a sense, much more human. This makes understanding and mitigating insider risk a more nuanced exercise. Just because it is difficult, however, doesn’t mean it is impossible. It’s crucial that financial services companies shift the dial on insider risk and reduce breach frequency, because the penalties for failing to do so are becoming increasingly draconian and the repercussions from customers much more severe.

The recent Egress Insider Breach Survey aimed to understand the different attitudes towards data sharing and ownership among employees in financial services companies and the approaches that IT leaders in the sector are taking to managing insider breach risk.

We found a whole range of diverse profiles of people who put sensitive financial data at risk for very different, but very human, reasons. Some need monitoring to keep their less-than-honest traits from getting the better of them, while others need a helping hand to save them from making genuine, well-meaning mistakes. And across all respondents, we also found confusion over who really owns data, contributing to the more cavalier attitudes displayed by some.

Deliberate “data breachers” – from well-intentioned but reckless to disaffected and destructive

Our study found that the financial services sector has more than its fair share of deliberate “data breachers”. Of the thousand employees we questioned, almost a third (32%) said they or a colleague had intentionally broken company policy when sharing or removing information in the past year. This compares with just 15% of healthcare workers and 11% of government sector employees.

The reasons given for this deliberate flouting of security policy varied. One-third said they were simply trying to get their job done but didn’t have the appropriate tools to share data safely. On the face of it we might have some sympathy with those employees, but would consumers and businesses want to bank with those firms?

It’s more difficult to be sympathetic with those motivated by self-gain, including the 41% who took data with them because they were moving to a new job. And we have even less sympathy for the 15% who compromised data because they were angry with the company and wanted to deliberately cause harm.

Operator error – mobile, tired, under pressure

Even with their firm’s best interests at heart, employees still make mistakes. 30% of financial sector workers said they or a colleague had caused an accidental data breach in the past year – again more than twice as many as their public sector counterparts. A third had sent an email to the wrong person and a further third had clicked on a link in a phishing email.

Their reasons behind these breaches varied from the pressure of working in a stressful environment, to tiredness and rushing. A significant proportion, however, said they made an error due to using a mobile device – and given the current requirement for mobile remote working during this COVID-19 pandemic, this is a definite cause for concern.

Breach detection gaps and technology limitations

Next, we examined what IT leaders in the sector have in place to mitigate insider breach risk. Concerningly, 60% said the most likely way they would discover an insider data breach was via internal hand-raiser reporting by either the employee themselves or a colleague. Only one third felt that their breach detection systems would pick up the issue.

In a similar vein, traditional data protection technology use was surprisingly inconsistent across financial firms. Email encryption, anti-malware and secure collaboration software were in use by fewer than half of financial sector companies. Again, raising the question whether consumers and businesses would be willing to trust their data to financial firms if they knew they didn’t have systems in place to protect it.

So, why is this the case? From the data we uncovered, it seems as though organisations are resigned to a proportion of insider breach incidents occurring, accepting them as an inevitable result of doing business and employing people. But this doesn’t need to be the case. It is possible to apply human layer security solutions to mitigate these risk factors and make a positive impact on breach frequency figures.

Human layer security – a helping hand and a watchful eye

Take the issue of rushing or tiredness. This can lead to users adding the wrong recipients to emails or failing to spot the subtle changes in familiar email addresses that denote targeted phishing attempts. This risk can be overcome with tools that use contextual machine learning to analyse what the good security behaviour looks like for each user and support them with alerts that tell them they’ve added an unusual recipient to an email, or that they are about to answer a phishing email. A small prompt is all these users need to stop them from making an error and causing a data breach.

Similarly, when using mobile devices with smaller screens, it is very easy to choose the wrong attachment and send sensitive data outside the organisation to the wrong recipient or to the right person unprotected. If an employee is less than honest, our always-on, constantly connected culture also enables them to deliberately do so too. However, it is possible to stop these incidents with an intelligent solution that scans email and attachment content and identifies data such as personally identifiable information (PII) or bank account details to alert users that they are about to send information to an unauthorised recipient, or without the correct level of encryption applied. If the user persists, the risky email can be blocked from being sent and administrators alerted to a potentially intentional attempt to breach data, so they can respond accordingly.

Ultimately, the most effective way to address human-activated threats to security is by implementing tools that support and manage users when they are at their most humanly vulnerable; tired, rushing, under pressure, angry or self-interested. As our research and wider evidence shows, the financial services sector is more than averagely vulnerable to insider data breaches, meaning human layer security must be a priority for IT leaders in the field if they hope to reduce breach frequency and keep sensitive data firmly in the vault.

How digitalisation is bringing the fight to industrial security threats ~ It’s no longer a question of whether your business…

How digitalisation is bringing the fight to industrial security threats ~

It’s no longer a question of whether your business will be attacked, but rather when it will be attacked. Cyber attacks, particularly those on public sector and utility businesses, are now a regular, often daily occurrence. Here, Robin Whitehead, managing director of systems integrator Boulting Technology, explains how this is impacting the role of the chief information security officer (CISO) and resulting in the need for end-to-end digitalisation.

It’s a simple fact that data makes the modern economy turn. Being the first business to take action, based on the insights gained from some pivotal piece of information, gives businesses a distinct competitive advantage. However, it’s also quickly becoming a fact of life that the same data is being targeted by skilled cybercriminals intent on stealing this new currency and even causing maximum damage to infrastructure.

We can see the potential scale of cyber crime if we look at the number of data breaches made each month. For example, in December 2017, security firm IT Governance reported that 33.8m records — including a mixture of personal and business information — had been leaked around the world. In November 2017, the number was 59m.

Sophisticated cyber attacks

With the world facing the likes of WannaCry, Petya and NotPetya in 2017, sophisticated cyber threats are the biggest technological fear in 2018. Although sectors such as financial services and the public sector are most at risk, there have also been numerous high-profile attacks on utilities, oil and gas and food manufacturing environments in recent years.

At 9:30am on 27 June, 2017, confectionary manufacturer Cadbury was hit by a cyber attack, which halted production at its Hobart factory in Australia. Computers at the facility were infected with the Petya ransomware virus and displayed a message on the screen demanding payment in cryptocurrency.

Later that same day, NotPetya — a variant of the Petya virus — went on to do further damage to facilities across Europe. NotPetya exploits a backdoor in the update system of a Ukrainian tax-preparation programme running on Windows and used by around 80 per cent of all Ukrainian businesses.

It uses a vulnerability in the Windows operating system called EternalBlue — originally believed to have been developed by the US National Security Agency (NSA) — to encrypt the filesystem’s master file table (MFT), preventing the system from locating its own files.

Launched on June 27, 2017 — on the eve of Ukraine’s Constitution Day holiday — NotPetya quickly spread to networks in Russia, France, Germany, Italy, Poland, the UK and the US and affected many sectors. “It’s massive,” Christiaan Beek, a lead scientist and principal engineer at McAfee, told WIRED about the situation in Ukraine. “Complete energy companies, the power grid, bus stations, gas stations, the airport, and banks are being targeted.”

The new CISO

It should come as no surprise then that the advice of IT and security experts is now being sought at the highest levels of business. The role of the chief information security officer (CISO) is also changing in response. Acting as the head of IT security, the CISO has traditionally been responsible for things like operational compliance and adherence to ISO standards as well as performing IT security risk assessments and ensuring that the business is using the latest technologies.

However, increasingly, the CISO must now also drive IT security and strategy, guiding everyone from the shop-floor staff to the most senior officials in the business on how best to protect them from cyberattacks. The modern CISO now takes a seat at the boardroom table, ensuring business continuity, come what may.

Modern CISOs need to be visionaries and good communicators in their own right, exerting their influence at all levels of the business to bring about long lasting technological and security change.

End-to-end digitalisation

For industrial businesses, this change cannot come soon enough. The desire to integrate manufacturing networks with the outside world and the increased use of smart data is driving efficiencies and cost savings in sectors from food and beverage, pharmaceutical and automotive to utilities such as gas, water and energy. At the same time, it’s also leaving them vulnerable to attacks that can lead to business disruption and extended periods of downtime.

Part of the reason for this is that many businesses have traditionally operated in silos, with information technology (IT) and operational technology (OT) experts not historically well aligned to the same objectives and outcomes. However, as we increasingly use more internet-connected devices such as PLCs, HMIs, intelligent motor control centres (MCCs), telemetry devices and smart meters — all relaying millions of data points to centralised and often remote SCADA and ERP systems — it will become crucial to take a joined-up approach to industrial operations. Cue end-to-end digitalisation.

For many businesses, replacing hardware and software to allow functionality such as standardised Fieldbus communications, real-time cloud data, analytics and centralised control across every aspect of their operations is neither a cheap undertaking nor one that is quick to enact.

After all, most engineering plant managers have built up a complex system over many years, retrofitting new components and modules to existing equipment. This is driving the need for end-to-end digitalisation, moving away from fragmented system control, maintenance and upgrade towards a holistic approach that encompasses system-wide transparency, alarms and notifications, including analytics that can deliver actionable insights to improve process efficiency.

At Boulting Technology we’re helping our customers introduce cybersecurity measures to retrofitted equipment in existing industrial setups. Our range of control systems, networking products, intelligent motor control centres and more, form an integrated system that gives engineers easy and secure access to their operation around the clock. Ultimately, end-to-end digitalisation will help companies respond to attacks and breaches in minutes rather than hours or days.

So, while we come to the realisation that cyber attacks are simply a normal part of doing business, take heed of your CISO’s advice and rethink your end-to-end digitalisation strategy.