The safety of data is perhaps as important to businesses as oxygen is for humans. Fahad Zahid, the large enterprise director at SAP-Pakistan, sat down with The News on Sunday recently to talk about the need to ensure proper firewalls to safeguard data against possible threats. Excerpts:
The News on Sunday: What has the journey of data in the pre- and post-digitalisation eras been like?
Fahad Zahid: The journey can be defined simply as the conversion of information previously carried in paper registers to Excel sheets. Initially, when the businesses became too complex and large organisations were unable to manage data, each department adopted specialised software according to their unique needs. This practice continues in Pakistan. It is responsible for many technical hazards.
Such isolation results in disintegrated approaches. The company, although digitised, is not centralised or unified. This impacts transparency and efficiency. Working as separate individual units of a company becomes a barrier to standardisation and creates problems and data discrepancies. For best outcomes, we need unified systems with strong firewalls.
TNS: Can you explain the significance of data protection?
FZ: Many organisations switching to digital platforms are unaware of the importance of every bit of information they store on their computers. This information, which we call data, is their asset. That is why it needs to be protected.
We come across data theft incidents at public as well as private organisations of all sizes. It might sound like just another piece of news, but it is a huge setback to the company involved and can considerably impact profit margins. In extreme cases, where timely data recovery is not possible, it can lead to closures. Many people here do not understand the importance and vulnerability of their data. Creating awareness of data privacy and system security is a challenge. Most business owners are stuck with the mindset, “It is okay; it’s working. We will think about it later. Do we need it? Can we hold it until next year’s fiscal plan, etc.” Such approaches lead to unexpected situations where the chances of data recovery are generally poor.
TNS: Data breaches and cyber threats have been cited as a barrier to digitalisation in Pakistan. What can be done to improve the situation?
FZ: I would not say that this is a barrier to digitalisation, but it is certainly an important factor to consider when digitising your business. It is common practice in Pakistan to avoid digital transformation. Lack of vision and a know-it-all attitude are to blame for it. The next generation, however, is helping the seniors realise that there is no sustainability without digitisation.
All companies have their manuals for action in times of emergency – intrusion, theft, robbery, etc. They need similarly formatted action manuals and assigned teams for data breaches. Various tier-1 and tier-2 systems ensure that sensitive data is secure. ERP solution providers like SAP make sure that they provide patches and updates regularly. They give professional hackers (white-hat hackers) a chance to test the system for phishing incidents. Depending on the review analysis, relevant updates are implemented, including encryption of all data. Even if there is an incident where the company’s database comes under attack, encryption firewalls prevent intrusion.
TNS: Is cloud a better option for companies today?
FZ: There are two types of solutions: an on-premise solution, where software is installed on clients’ hardware and the client is responsible for its security. The other is a cloud solution - a distributed collection of servers that host software and infrastructure. It is accessed over the internet. This ensures complete protection by the solution provider.
The Big 4, i.e. Microsoft, Oracle, IBM and SAP, are all cloud companies. As I mentioned earlier, understanding of data security is fairly limited in corporate Pakistan. In this context, cloud solutions provide an excellent opportunity to mitigate cyber risks. They can offload the monitoring and protection against these threats to companies like SAP, who make sure that their cloud environments are secure. All tier-A cloud companies have data centres around the globe; they manage their clients’ data securely in accordance with global privacy standards such as GDPR, end-to-end security and take necessary measures to ensure the resilience of their solutions.
Cloud has changed the dynamics for secure digital transformation. Over the last two years, 80 percent of our sales have been cloud-only because it is cost-effective, safer and easy to scale.
TNS: With the rise of remote work and bring your own device policies, how do you maintain data privacy without hindering productivity?
FZ: Ideally, a company should give secure and configured devices (company-owned) to their employees. However, many employers are encouraging employees to bring their own devices. In such cases, the company must have the right to monitor all devices. Even then, the risk of a data breach is higher. The concerns can be mitigated with authorised access control, multi-sector authorization and strong passwords, etc. However, continuous tracking and safety protocols are still needed.
Security is always seen as an obstacle to productivity; hence businesses must identify sweet spots where they don’t undermine employers’ ability for efficient work. At SAP, user experience is a key consideration when developing solutions. We put a lot of effort into delivering solutions that are secure yet easy for the users.
Security is an “invisible pillar” in our cloud solutions. It remains active in the background without requiring the user to change the way they work.
TNS: What should an organisation’s response plan include in the event of a data breach?
FZ: The response plan depends on the severity of the data breach. One can remove servers from the internet so that there is no communication with the world outside. Else, the servers can be shut down. However, a tiered strategy is needed to counter attacks. It should be in place and approved by the management long before a situation arises. It is also important to understand that with an efficient system in place, the software will have in-built alerts and ping the system for possible data breaches.
In my opinion, it is near impossible to ensure 100 percent security in the era of powerful zero-day exploits. It is important to identify and restrict access to threat actors as early as possible. Most companies find out about such incidents months or years after their systems have been compromised. By that time it is very hard to determine what backdoors have been planted, which systems have been compromised, and what data has been extracted. With solutions like SAP threat intelligence, there is a lot of focus on picking up on deviant behaviour and threat pattern identification in order to reduce the breach window down to a minimum of “hours and days” as opposed to our industry average of months.
Another point many companies struggle with is to clearly define and implement roles and responsibilities of all employees in their business systems and place safeguards to ensure that in case anyone tries to access beyond their limited role the system is able to raise an alarm immediately. This is important as, unfortunately, most cyber-attacks are still perpetrated from within.
TNS: How important are regular audits and assessments of data privacy to identify improvements and updates?
FZ: A practice followed in most developed countries for testing any system or software is to engage ethical hacker teams. They come in and try all kinds of attacks and alert the customer to possible weaknesses in the system for immediate rectification and further strengthening. This is a kind of external audit for your IT landscape.
However, I think in Pakistan, this also poses a set of challenges. We don’t have proper regulations for cyber ethics, or privacy of data. Delinquent test team members can therefore become a reason security gets compromised.
We need laws to foster trust between security providers and corporate organisations. Without these, the customers put themselves at a high level of risk by providing access to their systems to third parties. In my opinion, internal tools to determine such vulnerabilities may be more cost-effective and safer for most customers.
A straightforward option might be to consider a “Tier A” cloud solution wherever possible. You may be able to sleep better at night knowing that data recovery, system backups and system uptime all become the responsibility of the service provider.
TNS: How do you get third-party vendors to follow the same data privacy standards as the client company?
FZ: We do not advise that vendors should enter the system where all company information is available, as this increases the chance of data breach. Sandbox replicas and QA environments are provided for vendors where they are given limited access. This makes the company data more secure. Background checks of vendors and supplier audits of critical third parties may be considered for large-scale customers.
TNS: Is artificial intelligence an enabler for data breaches? Will it facilitate the hackers?
FZ: AI is a double-edged sword. We have still to see who will wield it better. Most of the time, the sheer determination of either party will determine the outcome. AI will likely become a necessary tool to fend off attacks and identify threat chains that have been augmented or developed with the help of AI tools.
TNS: Do you have a general comment on cyber security for businesses in Pakistan?
FZ: Digital transformation and data security awareness must be addressed as a unified topic. Cyber security should not be a “post-event” board agenda item. We have seen large global organisations going bust or reduced to a fraction of their former selves in the aftermath of a cyber breach. Most businesses operate in global markets. This puts them at a higher risk as huge penalties can be imposed on them in case it is determined that data leaks have taken place due to a lack of controls or security at their end.
Our companies might not get business from international customers if they don’t comply with international security and privacy regulations.
The interviewer is an educationist, a content developer and a public speaker. She can be reached at shahajamshed