Loblaws cyber risk manager weighs in on cloud computing security

While cloud computing can introduce a whole new level of cyber risk, it can also help bolster a client’s information security, the cyber risk manager for one of Canada’s largest retailers suggests.

“I will say without any hesitation, as I have been saying for over five years, the potential for security in a cloud architecture is much higher than any single organization,” Vivek Khindria, vice president of cyber security and technology risk for Toronto-based supermarket chain Loblaw Companies Ltd., said during the recent International Cyber Risk Management Conference.

Loblaw’s retailers include No Frills, Real Canadian Superstore, Shoppers Drug Mart, Provigo, valu-mart, Zehrs and Fortinos.

Some cloud providers are adding more security options to their services, Khindria said.

“With the exception of the major banks and [a large] organization like Loblaws, most companies do not have the resources to manage all the complexities, all the threat intelligence sources, all of the technologies and being subject matter experts on every element of that infrastructure,” Khindria said April 16 during a panel discussion at ICRMC, held at the Metro Convention Centre and produced by MSA Research Inc.

ICRMC panelists discussed the importance of “hygiene,” which Symantec Corp. (the maker of Norton anti-virus) describes as a metaphor (like brushing teeth to prevent cavities) about resisting cyber threats. Proper hygiene could include things like password protection, a network firewall and anti-malware software, Symantec says.

“It’s great to say good hygiene is where we should be focussing and it’s true, because if we did the baseline best practice stuff really well, we would be in good shape, but the world is so different now,” Nick Steele, deputy chief security officer of Dell Technologies Inc., said during ICRMC. “The company perimeter is kind of gone.  We outsource stuff, we have stuff in cloud, we have third parties everywhere. The interaction that we have with other parties – customers, vendors – is just so diverse and complex, that even just saying good hygiene is a complicated statement.”

So this is where risk management comes in, said Steele.

“What do you care about the most? And how do you protect it and how do you do those basic principles well in the things that matter to you most? Is it users clicking on phishing links? Is it patching? Is it vulnerability management?”

Cloud computing does raise some hard questions for risk managers.

“As risk professionals and security professionals, we’ve got to look into that cloud and we’ve got to look at, what are the controls? What’s the monitoring? What’s the protection? Who has access to this data? What are the safeguards?” said Khindria. “So with the increased appetite for cloud, and the speed at which the businesses can move and the options that the business can move – in many cases, it’s a new shadow IT. They can completely bypass internal protocols. It’s a lot of pressure to secure those, identify those and make sure at the end of the day, customer data remains protected properly.”

Most large companies detect on the order of 100 cyber attacks every hour, Khindria said.

“If you’re not, you’re probably not setting your sensors up right,” said Khindria. “At that level, how is a company with 10 people looking at security possibly going to know everything that everything that is going on?”