Noble Group: Best practice lessons from a business-threatening cybersecurity challenge

Mark Samuels — March 2020
Shane Read, CISO at Noble Group, shares the inside story of how the Asian commodities trading company dealt with a near-catastrophic IT security breach — and shifted to best-in-class approaches.

Digital leaders in all areas of the IT industry spent the bulk of the past year in crisis-management mode. But for Shane Read, chief information security officer (CISO) at Hong Kong-based commodities trading firm Noble Group, the experience of helping to manage technology operations during the challenges of a global pandemic is, in some aspects, a throwback to the trials he encountered only a few years ago.

Read joined Noble in the wake of a cybersecurity incident that had a huge impact on the business. In 2015, a rogue insider wiped billions off the company’s value by exfiltrating data from the company without authorization. The share price of what was once a 5,000-strong company collapsed.

“We were taken out by a former employee who used internal documents to short sell to the market. We went from being a $12 billion company down to around $300 million. We collapsed and we’ve been trying to repair ourselves since then,” he says.
Building a benchmark

Read’s remit, as a seasoned information security professional with more than 20 years of experience in government and private sector organizations, has been central to this rebuilding process. “My role was really to come in and establish a formal cybersecurity program to take the organization forward into the 21st century,” he says.

Read says the approach he’s had to bring in for cybersecurity at the company has been completely new. His predecessor had taken a policy-level approach to security, but there was a recognition that the company needed a more technical approach that linked cyber-systems and services to business priorities.

“My work’s been about engaging those two areas,” he says. “Before I arrived, for example, we were doing a lot of clear text and sharing data with the outside world. Now, that’s not breaching any kind of laws, but it’s just the worst practice.”


One of the first things Read did was to assess what kind of international framework would be best suited to the organization’s requirements. For help, he reached out to the Center for Internet Security (CIS), and has used its framework as the company’s cybersecurity benchmark since.

CIS provides an annual update of the top 20 technical controls that businesses can implement to make sure they’re protected against major cyber-attacks. These controls cover everything from the external firewall through to internal devices.

The aim is to build an effective stance on data-loss prevention and to try to ensure that what happened to the company six years ago can never happen again. “The individual who stole the data managed to exfiltrate it from the organization and then use it against us at a later date,” says Read.

“Controls are meant to be in place that don’t allow regular end-users to just take data out, so you want to have an effective data-loss prevention control in place. Now we monitor all inbound and outbound traffic; we don’t allow people to go to dodgy websites, we lock down things like USB sticks. It’s all about knowing who’s moved what data and what time it is moved.”

While the 2015 incident had a huge impact on the business, Read and his colleagues have worked hard to ensure lessons learnt are encoded as best practice.
Keeping track of users

However, not all companies are alert to the cybersecurity risk, despite the ever-growing threat vectors across both internal and external actors. The 2020 annual CIO survey from recruiter Harvey Nash and consultant KPMG shows that, in addition to the cyber-crime challenges faced by business before the coronavirus outbreak, more than 4 in 10 (41%) IT leaders have experienced additional security incidents in the past 12 months.

Read says companies that are struggling with cybersecurity must focus first on the basics. He believes that implementing an industry framework, like the CIS benchmarks he’s applying at Noble, could be your saving grace.

“When you install standards, that tells you what you need to do as a minimum,” he says. “CISOs are only human. We need a guideline that we can keep following, and that’s what CIS does. It says: ‘Know your admins, know your users, know your systems.’ If you don’t know them, then there’s a problem.”

To ensure that individual user access across the company’s network is properly authenticated, Read has focused on creating a robust Active Directory, the Microsoft directory service through which users are authenticated and access permissions are enforced on files and data.

When he joined Noble, Read inherited an Active Directory with 14,000 named users but only 5,000 real ones. People had left the organization and their accounts on Active Directory had not been removed, which constituted a major cybersecurity threat.

“That kind of situation gets messy very quickly — it’s like a department store that’s only selling items in a quarter of the store, but everyone still has access to items in the rest of the store. You need to shut that down but you need to do it in a way that’s consistent and doesn’t block anyone’s access, remove databases or move services and software,” he says.

To ensure effective use of Active Directory (AD), Read called in cybersecurity specialist Alsid, whose technology surfaces potential weak points in AD implementations. A proof-of-concept that demonstrated benefits within just 10 minutes was followed by a long-term partnership. “When you can efficiently identify and remove thousands of dormant accounts, that has a big impact on your organization’s risk posture,” says Read.
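The dormant-account cleanup Read describes (find accounts nobody has used, disable them first so nothing breaks, and only then remove them) can be staged from a plain directory export. The script below is an added illustration written for this article; it is not Noble’s or Alsid’s code. It assumes the export carries each account’s `lastLogonTimestamp` in its native FILETIME form (100-nanosecond ticks since 1601-01-01 UTC, 0 when the account has never logged on), a parsed `whenCreated` value, and a flag marking service accounts; the account records are constructed sample data.

```python
"""Stage the cleanup of dormant Active Directory accounts from an export (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows FILETIME counts 100-ns ticks from 1601-01-01 UTC; AD stores lastLogonTimestamp this way.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Decode an AD FILETIME attribute; 0 (or unset) means the account has never logged on."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build the constructed sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class AdAccount:
    sam_account_name: str
    enabled: bool
    last_logon_ticks: int            # lastLogonTimestamp as exported, 0 if never set
    when_created: datetime           # whenCreated, already parsed to an aware UTC datetime
    is_service_account: bool = False  # assumed flag, e.g. derived from an OU or group membership


def classify(acct: AdAccount, now: datetime, dormant_days: int = 90, grace_days: int = 30) -> str:
    """Return one of keep / disable / remove / review for a single account.

    lastLogonTimestamp is only written back to the directory when it is more than
    about 14 days stale (msDS-LogonTimeSyncInterval), so cut-offs below that are
    meaningless; 90 days of inactivity is a common dormancy threshold.
    """
    if acct.is_service_account:
        return "review"   # never touch automatically: disabling a service account breaks things
    last_logon = filetime_to_datetime(acct.last_logon_ticks)
    # An account that has never logged on is measured from its creation date,
    # so a freshly created joiner account is not swept up with the dormant ones.
    reference = last_logon if last_logon is not None else acct.when_created
    idle = now - reference
    if idle < timedelta(days=dormant_days):
        return "keep"
    if acct.enabled:
        return "disable"  # first stage: reversible, so a wrongly flagged user is unblocked quickly
    # Second stage: already disabled and the last logon is past dormancy plus a grace period.
    # (A production run would record the disable date and measure the grace period from it.)
    if idle >= timedelta(days=dormant_days + grace_days):
        return "remove"
    return "keep"


def plan(accounts: List[AdAccount], now: datetime) -> Dict[str, str]:
    """Map every account name to the action the staged cleanup would take."""
    return {a.sam_account_name: classify(a, now) for a in accounts}


def summarize(actions: Dict[str, str]) -> Dict[str, int]:
    """Count how many accounts fall under each action, for the change ticket."""
    counts: Dict[str, int] = {}
    for action in actions.values():
        counts[action] = counts.get(action, 0) + 1
    return counts


def _ft(year: int, month: int, day: int) -> int:
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample export and a fixed reference date so the run is deterministic.
NOW = _utc(2021, 3, 1)
SAMPLE_ACCOUNTS = [
    AdAccount("alice", True, _ft(2021, 2, 20), _utc(2016, 5, 3)),            # active user
    AdAccount("bob", True, _ft(2019, 6, 1), _utc(2015, 9, 14)),              # left, never offboarded
    AdAccount("carol", True, 0, _utc(2021, 2, 25)),                          # new joiner, no logon yet
    AdAccount("dave", True, 0, _utc(2018, 1, 1)),                            # created, never used
    AdAccount("svc_backup", True, _ft(2019, 1, 1), _utc(2014, 3, 2), True),  # service account
    AdAccount("erin", False, _ft(2020, 1, 1), _utc(2017, 7, 7)),             # disabled long ago
    AdAccount("frank", False, _ft(2021, 1, 15), _utc(2019, 2, 2)),           # recently disabled
]

if __name__ == "__main__":
    actions = plan(SAMPLE_ACCOUNTS, NOW)
    for name, action in sorted(actions.items()):
        print(f"{name:<12} {action}")
    print(summarize(actions))
```

Running the block prints the per-account action and a summary; on the sample data it disables `bob` and `dave`, removes `erin`, keeps `alice`, `carol` and `frank`, and flags `svc_backup` for manual review. Disabling before removing is what keeps the cleanup consistent with Read’s requirement of not blocking anyone’s access: a disabled account can be re-enabled in seconds if its owner turns out to be real.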


Read says his current cybersecurity priorities include dealing with the governance challenges surrounding the support of large-scale remote working. Like companies around the globe, many of Noble’s staff are working from home and, naturally, the company needs to ensure these staff are accessing services in a safe and secure manner.

Noble is also exploring how cloud access security brokers, technologies that help organizations protect and use sensitive data in the cloud, can be extended to the endpoint.

Beyond the application of technology, some of Read’s efforts are related to ongoing developments in Hong Kong, where the company has its corporate headquarters. He is keeping a watching brief on the impact of the new legislation that the Chinese state has been enacting in the past year. “The international business community in Hong Kong has been given multiple reassurances from the state that this is actually good for business; that the laws are there to further protect people and business,” he says.

“For cybersecurity professionals, the big issues are the erosion of encryption and privacy. If the Great Firewall of China reaches over Hong Kong, then we’ll see a lot of changes,” he says.

But addressing big challenges is what makes CISOs tick, he says. “We got into this because we love when there’s an incident. The role of the CISO is all about enduring excitement.”

First published March 2021