Page 1


Handle to hold on too

PART 1: RSA Conference 2017, San Francisco PART 1: CiscoLive!, Melbourne

Interview with Brett Lovegrove, former Head of Counter Terrorism, City of London Police Crisis Communication & Reputation Management

Canalys Partners Forum, Macau

MAKING AN INDUSTRIAL DIFFERENCE Blocking Cyberattacks against Control Networks


$8.95 INC. GST

TechTime, Quick Q&A, Cyber Security and much more...

Industry Recognition

Organised by

Founding Partners


Contents Editor's Desk 8

Executive Editor / Director Chris Cubbage Director / Co-founder David Matrai

RSA Conference 2017 Reature Review


Co-creating the workplace of the future


A year into CICSO'S digital networking architecture 'DNA'


Editor's Interview - A handle to hold on too


Editor's Interview -Retired head of counter terrorism


Corporate Security Crisis Communication - Reputation Management when a crisis hits



Art Director Stefan Babij

Surviving through sharing: The kilted rogue runner story


Feature Promotion Correspondents Jane Lo Sarosh Bana

Making an industrial difference


International Operational security management structure for inimical environments



Anti fraud and corruption: More cultivating a culture than prevention & control 37

CCTV Feature Series 2017


T | +61 8 6361 1786

Copyright Š 2015 - My Security Media Pty Ltd 286 Alexander Drive, Dianella, WA 6059, Australia T | +61 8 6465 4732 E | E: All Material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

Page 30 - Making an industrial difference - COVER FEATURE

What it takes to be a 'Smart City'


About pixel densities and what they mean


Cover Feature Russia's Cyber War"Options before the US


Cyber Security The Chinese New Year heist


Women in Security Series : Rachel Falk


Canalys Feature Review


TechTime - the latest news and products


Editor's book review


Page 46 - Russia's Cyber War


Page 48 - Chinese New Year Heist


Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

Correspondents* & Contributors

Page 56 - Canalys feature review

Eddie Idik

Jane Lo*

Ben Field

Prince Lazar



Dr Bill Bailey Greg Hamm Vlado Damjanovski Boaz Fischer Jason Nelson

| MySecurityAustralia

6 | Asia Pacific Security Magazine

Morry Morgan

Tony Campbell*

Rachel Falk

Sarosh Bana*

Editor's Desk


7 1 20

Asia Pacific Security Magazine | 7

Editor's Desk

“I’m going to be brutally honest. We are in the fight of our digital lives and we are not winning… we are facing 21st century threats, with 20th century technology and with a 19th century bureaucracy.”

- Michael McCaul, House Homeland Security Committee

Chair, 14 February, RSA Conference 2017


t’s been a busy first quarter to 2017. We’ve attended the RSA Conference, CiscoLive! and we now head to the ACSC Conference and more. The cybersecurity industry is buzzing. But is this a good thing? Be it record spikes in ransomware, DDoS attacks and manipulation of information systems to influence elections or commit fraud on a massive scale, the Internet is clearly an unsafe place. Add to this the use for terrorist financing, recruitment and radicalisation. The RSA Conference hardly put me at ease in terms of the cybersecurity challenges ahead of us. ‘Nuclear’ and ‘Atomic’ were two ear-pricking words used in the opening keynote sessions. Read Part 1 of my RSA review to find their context. Yet regardless of the context, these terms already have a place in the threat landscape and need to be acknowledged by Governments throughout the world and at all levels – that includes State and Local, not just Federal. CiscoLive! in Melbourne was inspirational yet again, as this vendor links their distributed network architecture (DNA) and partner community solutions with a look out to the future in the next 3 – 5 years. Indeed, this year they went out to 10 – 15 years, predicting 500 billion devices will be connected to the Internet in this time. Kevin Bloch, Chief Technology Officer for Cisco outlined how, as a company spending

8 | Asia Pacific Security Magazine

$6 billion a year on research and development, as well as making many acquisitions, they need to understand what the micro transitions are and then look from the outside in, as well as to customers, partners and the media. Such as why is Cisco making investments in some areas and not others? It’s not just about the technology, it’s also about the timing. The world is moving from a ‘world of data’ to a ‘data driven world’ – there is a clear divergence occurring from the ‘old world’ to a new world of digital platforms, data intensive +AI (artificial intelligence), global scales and innovation investment in what is a boundary-less market. Indeed, according to Cognizant’s Frank, Roehrig and Pring, “we are now entering the ‘digital build-out’ phase of the fourth industrial revolution.” We need to accept this is the case – the digital transformation has begun and will continue to occur at a rapid pace. The scale in compute processing, network bandwidth and applications we see today will be dwarfed with the use of quantum computing platforms, artificial intelligence and smart infrastructure becoming the norm within 10-20 years. The societal benefits on offer should be immeasurable and the opportunities astounding. However, as a security practitioner, I see risk, uncertainty and threats that need to be recognised and managed. Ignorance is

no excuse and should not be tolerated, especially within government. A large proportion, if not all, of the 20th century security threat challenges, physical and cyber, have not been solved and we continue to stubbornly abide by our 19th century bureaucracies. The thought of radical reform to our institutions and legal frameworks is often met with mistrust and dogged oppression. But there is a way, and thanks to Kevin Bloch at Cisco for highlighting the two possible concepts of managing the consequences of digital transformation. These being ‘constructive disruption’, such as the likes of Uber who charged through taxi industry regulations around the world, breached the laws, paid the fines and went to court in battle. Ultimately, they have achieved industry deregulation. The second approach is ‘sandboxing innovation’ where technologies, industries and locations can be trialled with moratoriums of legislation, regulation or deregulation trials in locations and for industry to be freed up to try out new ideas. The second approach is most preferred but not widely enough adopted – as yet. In Australia, speculation of the formation of a Homeland Security Department has been quashed by the Prime Minister. However, with national policing issues abounding (too many to

Editor's Desk Chris Young, Intel Security, RSA Conference 2017 Keynote

list) and prisons full, we should not be so quick to reject radical reform ideas. A national discussion is needed and I would submit it is urgently needed and increasingly so. Nor should it be limited to just law enforcement. Reform is needed across the security sector. To do nothing shows ignorance. Is it not ‘insane’ to think if we keep doing the same thing, we should still expect different results? Let us be bold and brave and review digital transformation reform across public and private security systems, federally and across the states. And this could go further to be expanded across the region, with better alignment between public law enforcement and private sector agencies, allowing them to share systems, data, intelligence and training platforms. For the private sector, cyber and physical sectors must be fully converged in order to scale and be better consolidated for public safety applications, support roles and for adoption of skills development, security technologies and information gathering and reporting. New models are clearly needed, highly possible and achievable. Outcomes would be applicable to Australia and ASEAN partners. When COAG failed to acknowledge a rapidly changing and emerging landscape of the security industry in 2008, it failed to design legislation that would properly recognise the extent of the

industry’s technology and innovation. But the landscape was clearly foreseeable, predictable and the Governments and Industry Associations of the day (some people still hold the same positions) were advised of the tsunami of technology innovation coming over the next decade. Yet here we are today, still with a security sector in Australia not only vulnerable to cybercrime, but unable to support a regulatory and compliance framework across the country. Cybersecurity is not a new thing. Go back to the Australian computer crime and security surveys from the 1990s – even then the consistent theme was a call to increase education, training and awareness. Yet, it would seem from the perspective of the Australian Government with the emphasis on the Australian Cyber Security Strategy that it is all new – indeed launching a Cybersecurity Growth Network suggests it is the ‘only’ worthwhile part of the security industry, despite the national terrorism threat level sitting at ‘probable’ since 2014. Thwarted terror attacks have become the norm rather than the exception. We shouldn’t have to wait for a successful attack before changes are made. Like terrorism, nor is ransomware a new thing – I was writing about it in 2005 – but unsurprisingly it has continued to evolve and increased 650% in recent years. Indeed, my book published in 2009 – Security

Risk Management in Corporate Governance highlighted the convergence of corporate crime and terrorism and need for companies to get their security policies in order. At the time of my 2005 study, less that 30% of the sixty companies I surveyed from the ASX 200 had ‘any’ kind of security policy – yet I now understand that the Australian Government is instructing all ASX 200 listed companies to conduct security audits and policy reviews. While many understand the importance of cybersecurity, a new study conducted by IDC proves that little has actually changed since my own survey, with very few companies ready to battle the threat. In fact, IBM says that 68 percent of companies aren’t ready for cyber-attacks, leaving themselves dangerously open out of ignorance, a lack of funds, or an unwillingness to rock the boat by acknowledging a threat. Yes, this is an ‘I told you so’ moment but it is also another warning. Maybe even a demand. The States and Federal Government must reform national security regulation and legislative frameworks in order to reflect the security threat landscape, and professionalisation across a converging sector, cyber and physical. Breaches of the state legislation are being wilfully ignored by regulators and egotistical cybersecurity practitioners. With every penetration test, with every signoff to an ISO27000 management plan, with every Smart facility or Smart city project – there is a likely prima facie breach of state security laws. The Victorian Police Minister admitted that to regulate this would be overly burdensome but that despite this they didn’t’ see a need to change the laws following a KPMG review. It is why I will take any security project in Australia from hereon in and offer my services but I will not get additional licences–the Victoria Police clearly don’t have the interest or resources to regulate the security industry and the Government is too lazy to change the laws. Be it ‘constructive disruption’ or ‘sandboxing innovation’, in my view, it is open slather and police officers, intelligence officers and any licensed security agent, consultant and technician should be ‘demanding’ responsive government and reform! And on that note, as always, we provide plenty of thought provoking material and there is so much more to touch on. Stay tuned with us as we continue to explore, educate, entertain and most importantly, engage.

Chris Cubbage Executive Editor

Asia Pacific Security Magazine | 9


THE BIGGEST ‘MUST GO’ CYBERSECURITY SHOW ON EARTH - PART 1 Editor’s RSA Conference 2017 Review & Austrade Cyber Security Trade Mission KEYNOTE TAKE-AWAYS RSA is named after Rivest, Shamir, and Adelman, the three inventors of public-key encryption technology. The RSA Conference therefore is unsurprisingly the event where the cyber trends are set and the security deals are made. Situated in San Francisco, giving rise to Silicon Valley, the RSA Conference is recognised as the largest cybersecurity gathering on the planet and is a ‘must-go’ cybersecurity vendor-rich conference. The impact is obvious across the city. Bus stops, bill boards and key advertising locations are taken up by the likes of Cisco, HP, McAfee and Ixia. Purple RSA lanyards are proudly worn by up to 45,000 technology and security professionals, entrepreneurs, businesses and support staff as they crisscross the city, to and from hotels, meetings and micro events. All this creates a dominant presence and a city-wide ‘cybersecurity’ buzz. Even passing former RSA Security CEO Art Corveillo at pre-registration, and the early appearance of Michael Dell, both at the pre-event media and analyst function

10 | Asia Pacific Security Magazine

and on stage for the opening morning keynote, gave an initial and suitable appreciation of the importance of RSA Conference 2017 and what it will contribute to the global cybersecurity sector. Opening with a monologue by actor John Lithgow, contemplating a world without security and without trust, naturally heightened the experience and created a ‘rock concert’ vibe. This adds to the natural spectacle, entertains and captivates the audience, and gets them ready to listen.

// PLAN FOR CHAOS “Embrace uncertainty and difficulty because human nature drives towards chaos. Chaos forces progress that can be painful and in these moments, our darkest and hardest, we have to stop and look in the mirror and ask ‘what am I made of?’ “ Dr Zulfikar Ramzon, RSA’s Chief Technology Officer opened with a message speaking to the thousands of ‘individuals’ in the room. The message being “don’t draw lines, draw

Michael Dell & Dr Zulfikar Ramzon Opening Keynote Address

connections.” Directed towards the conference theme of ‘business driven security’, whether it’s developing code, writing policies, managing teams or running businesses, today you need to be a business-driven security leader and living up to the expectations and redrawing the boundaries. Referring to the ‘butterfly effect’, Dr. Ramzon highlighted the potential for big consequences when playing with large integrated, complex systems. Such as the idea of a foreign government setting out to influence a democratic federal election. The problem is not the immediate impact but the long-term ripple effect.


“Ripples move faster and wider now with connected devices and we are fighting against human ingenuity which is a powerful thing. Innovations create ripples. Start by adopting a business security strategy and establishing the ‘gap of grief’. Business leaders want to understand the pay off. First treat risk as a science and use scenario analysis - ask what if! But as acknowledged, with a reference to Neils Bohr, ‘prediction is very difficult, especially about the future’. “Simplify what you control”, Ramzon explained, by noting he had recently spoken to a CISO who had 84 different security vendors. “How do you manage and measure that? Consolidate vendors and plan for the chaos you cannot control with an Incident Response plan based on the ABC’s - availability, budget and collaboration. Collaboration being the skill of bringing together IT, finance, sales and others across the business to work together. Connections, like those made at RSA 2017, will have lasting impact on the industry, and cybersecurity now ripples and impacts throughout society.

// CYBERTHREATS IN UNCERTAIN TIMES: Microsoft President Brad Smith Starting with the problems, customers are clearly worrying about being hacked and the economic loss that will result, estimated to be worth $3 trillion by 2020. In the past year, there has been more and more nation state attacks. Geo political controversies have become more pronounced. The Sony (2014) attack was a turning point and in the two and half years since, the attacks have evolved and cyberspace is the new battlefield. Cyberspace is for all of us. This includes it being owned and operated by the private sector and private property. It is a different kind of battlefield than the world has seen before. The industry has become not only the plain of battle but also the first responders. It is a sobering thing to consider that for over two

thirds of a century, the Government has been protecting civilians in times of war. But now the Government turns to civilians, the private sector, to protect itself from (cyber) attacks on them, in times of peace. This is not the world the Internet’s inventors envisaged but yet it is the world we inhabit today. We each need to do more. Ninety per cent of intrusions start with a phishing attack. Using threat intelligence and advanced data governance tools can better harness the power of data. Microsoft’s datacentres around the world are connected to over a billion endpoints, creating over a trillion data points each and every day. With advanced threat protection systems scanning over 200 billion emails a month for malware. All of this data is becoming the game changing defence mechanism. Smith stated “we need to call on governments to come together. They came together in 1949 for the Geneva convention to protect civilians in times of war. But now we need a convention to protect civilians in times of peace. Like a United Nations body, able to agree to norms in cyberspace. We need a

Asia Pacific Security Magazine | 11

RSA CONFERENCE 2017 FEATURE REVIEW digital Geneva convention, supported by a new and independent organisation for the best and brightest and this will be the only way Governments recognise that cyber-attacks and cyber-war is not the way forward. We need to act collectively to do more and build a global technology sector Accord, similar in concept to a digital Switzerland. Focused on 100 percent defence and 0 per cent offence.” “Technology needs to retain the world’s trust. Every Government, regardless of its policies or politics needs a national and global IT infrastructure that it can trust. An example being a world partnership around Artificial Intelligence (AI) and Government spying. Bringing the world together as an industry – technology, products and people – and with 157 countries represented, Microsoft, Smith proposed, is like the United Nations of technology, with a unique level of mutual understanding and inspiration. “Build on what we can share. An industry than serves the world and even in an age of nationalism, the technology industry can still be a neutral Switzerland.”

// SWEATING THE SMALL STUFF: Christopher Young, Intel Security The role of data security was on display in 2016, with data manipulation designed to influence people making decisions. Now, big data and analytics is the bedrock of the economy. But leveraging on big data analytics to make decisions, we have to focus on the integrity of the small data going into the big data pools. Connected Cars, alone, are forecast to create 4,000GB of data per day. With 1 billion cars, 200 petabytes of data. But what about the data models we will use that the cars will rely on to allow driverless cars to function and for transport systems to operate at highest efficiency. When big data is compromised with small bad data, we will see the next cyber threat evolution - the weaponisation of big data. We are still dealing with the same threats we always have - we have not overcome any of them. The growing attack surface, continues to grow every day. Given the amount of data, the new attack surface is large in aggregate but small in isolation. It is in the home, increasingly

12 | Asia Pacific Security Magazine

where people do their work and the home has more powerful and more connected devices. These home devices are also being used to launch more attacks. Who is taking the home into the consideration of security architecture for the business? This requires policy to be driven down and locked down but ask yourself the question…if what I’m doing is right, what about the person next to me? The Mirai botnet and Dyn Attack (2016) is considered to be just a test of what is the limit to the attacker’s capability. As an example, a DVR was connected to an open network and left unsecured - it was

attacked and compromised in less than a minute. The ‘Internet of terrorism’ is a risk into the future. Everything we knew about data security is changing again and turning around. It starts with all of us recognising none of us can go it alone - it is a difficult problem to crack. Young called the industry to “check egos at the door and focus on a bigger goal.” How do we make the world safer through technology? Threats are getting faster, using smarter tools and scaling themselves - industry has to do the same and together. The global challenges need the highest call to action. Children get the

FEATURE REVIEW RSA CONFERENCE 2017 Michael McCaul, Chairman of the House Committee on Homeland Security, RSA Opening Keynote

of the Netherlands’ police, Europol’s European Cybercrime Centre with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals. The Cyber Threat Alliance has also been established with Cisco and Checkpoint joining as co-founders and will be led by Michael Daniel, former White House Security Coordinator.

// WE SHOULD START OVER THE INTERNET TODAY IS REALLY ALREADY OVER: RSA Cryptographer’s Panel complexities of the future, but are also counting on us to get the small things right. “As a small part of a much larger effort,” Young stated, “we need our own dream team for cybersecurity.” Intel Security is splitting the McAfee brand in 2017 to focus purely on cybersecurity. The

company is providing an SDK for OpenDXL as part of a threat intelligence sharing initiative and is now available as a development platform. Intel Security has partnered with Kaspersky Labs for the website, in support of an initiative by the National High Tech Crime Unit

Chaired by Paul Kocher and sitting with Whitfield Diffie, Susan Landau, Ronald Rivest, Adi Shamir, this was a high-level discussion around the exponential growth in the number of devices attackers can target, the amount of logic in those devices and growth in the value of systems, both to the owners and attackers. Cryptographic algorithms are one of the few,

Asia Pacific Security Magazine | 13


if not the only, security technologies that has withstood decades of scaling and the greatest ability to withstand years of further scale. It is anticipated that 15 years from now, the largest amount of data being gathered will be generated by Artificial Intelligence (AI). Though AI will be helpful in the defence side, the panel did not consider AI withstanding against a zero-day attack, where creativity is required for deviations – nor is AI considered suitable for offensive cybersecurity applications. Neither is quantum cryptography appearing to be moving as fast as quantum computing, though not one the highest of issues. Possibly in the next few decades, today’s cryptography algorithms could be broken by future quantum computing, though the mathematics is designed for 2,000 years. Adi Shamir led the discussion centred on the Russian strategy of ‘war by other means’ and democratic election integrity. With the Trump election being a case study on when normally you have to convince the loser but with Trump, you have to convince the winner. Though Russia has been involved with Election interference before, and the USA is hardly an innocent party in its roles in influencing elections around the world. The 1956 Hungarian elections was also highlighted as a suitable historical case of stolen documents influencing an election. Mossad and the CIA stole the speech of Russian leader Nikita Khrushchev,

14 | Asia Pacific Security Magazine


FBI Stand

which later shocked the Soviet Union and Hungary by denouncing Stalin and detailing the dictator's crimes. The speech was smuggled out of Moscow and published in full in the New York Times. Susan Landau considered law enforcement is being somewhat assisted by how easy it is to do investigations over mass surveillance. The Apple iPhone case highlighted the FBI wanted the Apple hacking tools, which have now been released. Overcoming encryption means creating a backdoor and the panel did not think that was an option. Ronald Rivest referred to a December 2016 Encryption Working Group report from the Judiciary, Energy and Commerce Committees that concluded four outcomes, namely any measure that weakens encryption works against national security, encryption is widely and increasingly spreading, there is no one size fits all solution

and Congress should encourage collaboration between law enforcement and industry. Whitfield Diffie proposed we are doing everything wrong and the confinement problem is trying to be solved with interactive security and if as much money was spent on improving the quality of devices we would get much better results. The home is the place and basis of education and emphasis needs to be on education and people skills development. Shamir, presenting a paper later in 2017, titled ‘IoT going Nuclear’ described how we are approaching the time, with aggregated devices, when with the simple use of IP lighting, that by plugging in a single smart light in a hotel room, could feasibly, within minutes, infect an entire city. In having this capability, it is critical that the government should not allow devices that are not sufficiently secured to be connected to the public internet.

Michael McCaul, Homeland Security Committee chair confirmed adversaries from Russia and China are stealing secrets and financial data, stating, “I’m going to be brutally honest. We are in the fight of our digital lives and we are not winning.” Terrorists are using social media to call for recruits and radicalisation. The phone in your pocket is the new battlefield. Cyber intrusions have the potential to interrupt the fabric of society. The volume and complexity of network intrusions is overwhelming, laws have not kept up with the digital age and the high speed of technology means the pace of adaption is too expensive for government to maintain pace. McCaul stated, “we are facing 21st century threats, with 20th century technology and with a 19th century bureaucracy.” The sharing of information between agencies and industry is still far too weak and deterrence is difficult in a cyber realm – reporting of attacks is too low. Government does not have a clear proportionate response against cyber criminals or nation states, nor do we have the manpower or legal structures. The paradox of national security and digital security means we are faced with a new generation of terrorists and their ability to recruit over the internet, globally. There is an unprecedented spike in terrorist plotting online and terrorists can stay under the radar and are using end-end encryption on their phones to cover their tracks. However, we also need to resist the temptation to go after encryption with simple knee jerk responses. “I believe that creating backdoors into security platforms would be a huge mistake.” It will make us all vulnerable to intrusion. It starts with the right mindset and we need to acknowledge we are under siege in cyber space. We need to double down to protect the private sector networks and the public. We need to continue the bleeding edge work in the professional private sector and developing a talented cyber workforce. Government plays a critical role in coordination but we should not have military protecting public networks. The creation of a Digital Security

Asia Pacific Security Magazine | 15


Commission is underway and will be focused on breaking down bureaucratic barriers in order to collaborate and protect against adversaries targeting critical infrastructure. We know, with reports from the head of the NSA to Congress, that adversaries are leaving digital fingerprints on critical infrastructure systems, as a warning to America to watch what you say and do. ‘We can hit you from within and it is only a matter of time before this happens.’ The US will be developing a new national cybersecurity strategy to deal with the tectonic shifts and review response options, as well as conducting regular cyber exercises with allies. The US ability to win a war in cyberspace means having the ability to respond in a cyber realm and counter attack if necessary. We have to say ‘enough is enough’, and figure this out quickly because the attackers won’t give us the benefit of time. There must be clear rules of the road, especially when it comes to cyberwarfare. In times of crisis and uncertainty, it can cause situations to spiral out of control, so we should refer with our partners on major incidents, work together to build mutual defences and put infrastructures in place for joint action. We should make sure we are prepared for what lies ahead. We need

16 | Asia Pacific Security Magazine

FEATURE REVIEW RSA CONFERENCE 2017 Australian Cyber Security Showcase Evening

to be ready for the era of quantum computing, the digital atomic bomb is on the not too distant horizon and the first such nation to gain this capability will pose a serious threat to the rest of the world. The US should lead a coalition of nations to prepare for the quantum future and ensure we have the right cyber defences in place when it comes. The year 2016 was a watershed year for cyberspace and for a lot of the wrong reasons. But it has made us more realistic about the danger we face and more clear eyed about what needs to be done. And although the cyber future is bleak, we cannot let the fear of the unknown out way what we do know, in that we have the world’s greatest minds working to defend our networks.

// CYBERROOS HEAD TO SILICON VALLEY Releasing the Australian Cyber Security Industry Capability Statement in San Francisco, alongside the RSA Conference 13 – 17 February 2017, about thirty Australian companies gathered at the lush Fairmont Hotel for an Australian Cyber Security Showcase event, hosted by Chis Oldfield, Australian Consul-

Craig Davies, CEO ACSGN

General to the USA. According to the Capability Statement, “In terms of citation impact, an indicator of research quality, Australian cybersecurity research ranks ahead of the US, Canada, England, Germany, Japan and Singapore.” The Austrade and Australian Cyber Security Growth Network Trade Mission to the San Francisco Bay Area had set out to make the link between Australia’s leading research and close a comparable gap when it comes to

Dr Vikram Sharma, CEO QuintessenceLabs

correlating this to an established industry. This gap is noticeable. With prominent pavilions from Germany, England, Korea and Israel on the RSA Conference Showroom floor, some of the leading Australian cyber security companies being promoted on the Mission have already left Australia, basing themselves in Silicon Valley. Among the delegation, made up of predominantly service companies, there is some impressive new technologies needing

Asia Pacific Security Magazine | 17


VR Display1

as much support as possible. Robert Morrish of Haventec, a company which has developed a process to decentralise critical information stores to massively reduce organisation security risk, asserted “Australian companies need to ‘re-tune the pitch’. America is more ready than what Australia is. Australia’s corporate sector doesn’t look locally for new innovation. Our first deal was in the USA and our second was in Singapore.” Now backed by Macquarie Bank and being supported by Nuix, a sister company, Robert Morrish used the Trade Mission opportunity to hone his own pitch to leading American venture capitalists and potential clients, as well as learn from colleagues and coAustralian companies on their market approach. Another ‘wish I’d thought of that’ innovation

18 | Asia Pacific Security Magazine

is FunCaptcha, led by young CEO Kevin Gosschalk. FunCaptcha stops bot abuse by verifying humans with image-based, easy to solve games for website registrations and online payment systems – a simple and effective idea created by Gosschalk and co-founder Matthew Ford. Now proven effective, FunCatcha is suitable across social networks, voting systems and ecommerce platforms – plus with a 3D image technology patent pending. Other standouts include QuintessenceLabs, Randtronics and ResponSight. QuintessenceLabs now based in Silicon Valley, headed by Dr Vikram Sharma, CEO, highlighted the advancements this Australian born company is making in high-speed quantum random number generation with

advanced key and policy management. As part of the Trusted Security Foundation (TSF) – the technology combines FIPS 140-2 Level 3 hardware security modules, which can be deployed across a customer’s international data centres. Customers include financial services, government and defence. Based in Melbourne, ResponSight, a data science software development company, provides security and hacker detection through behavioural analytics. Focusing on behavioural profile management at the individual endpoint, this can now integrate with SIEM and forensic systems to enhance priority identification. Undertaking a data analytics pilot with an invitation-only enterprise, they expect commercially available algorithms to be available in mid-2017. With just a team of eight, the focus is on financial services, critical infrastructure and telecommunication sectors. Finally, Randtronics, established 15 years ago, has patent pending technology centred on the Data Privacy Manager (DPM), protecting structured and unstructured data using encryption, key management, masking, tokenisation and anonymization, with additional attributes of access control and auditing. Austrade is progressing their strategy to identify opportunities for cyber security activities and initiatives in global markets. In doing so, Austrade will work closely with Craig Davies and the tight but growing team at the Australian Cyber Security Growth Network to identify Australian cyber security companies with the capacity, capability and appetite to enter and expand into global markets. The RSA Conference Mission was also used to highlight the San Francisco hub, just one of five global Landing Pads, as part of the Government’s National Innovation and Science Agenda. Austrade has established other Landing Pads in Berlin, Shanghai, Singapore and Tel Aviv. For more information visit www.australiaunlimited. com/landing-pads

RSA Conference 2017 Review Part 2 will examine Vendors, Start-Ups and Key Innovations on display across the two showroom floors.

Asia Pacific Security Magazine | 19

Cyber Security

Co-Creating the workplace of the future By Chris Cubbage EDITOR

20 | Asia Pacific Security Magazine


isco hosted 600 partners and welcomed over 6,200 delegates to Cisco Live! in Melbourne in early March, stamping itself as one of Australia’s largest technology and digital innovation conferences. Discussing developments around technology digitalisation, business and industry, “it has gone from ‘why’ to transform, to now ‘what’ do we transform and how do we go about it,” said Ken Boal, Vice President, Cisco Systems Australia New Zealand. “We are now changing customer and workplace operations with the shift in the marketplace, across networks, platforms and security capabilities.” As Diamond Sponsors, Optus is seeking to consolidate a firm foundation built with Cisco. John Paitaridis, Managing Director of Optus Business said “The Cisco and Optus partnership has been building over 20 years. We have 1,000 Cisco certified personal and 3-5 certifications per Optus person across the Cisco architecture. Last year the two companies co-invested AU$12 million in innovation and building labs, product teams and capabilities, with key clients including the Australian Tax Office, Vicinity and ANZ Bank. Referring to the Optus Smart Disruption Report, which surveyed 25 key business leaders, Mr Paitaridis highlighted a common theme was disruption, and that technology is not just an opportunity, but a challenge. It is pervasive, social, digital and is transforming the workplace. “We need to create enablement, customer engagement, productivity, efficiency and speed to market – be it enterprise or government”, said

Mr Paitaridis. Optus Business is working with Cisco to help accelerate digital transformation among Australian businesses and government organisations. Announcing a $2.3M revitalisation enablement project for SouthWest TAFE, as part of new learning methodologies and techniques, the project claims to bring these education facilities into the digital era. With 15 intelligent, tailored Smart Classrooms, the focus was on collaboration capability. The case study sets out how Optus is delivering unified communications, mobile pervasiveness and key innovations around the launch of four service announcements. New services and updates announced by Optus Business include Optus Business Contact-Centreas-a-Service, Cisco Spark managed by Optus Business, Cisco Meraki fully managed by Optus Business and Optus VideoConferencing-as-a-Service (VCaaS) Development. Through the partnership, Optus Business and Cisco have launched new services and technologies designed for the workplace of the future, enabling organisations to re-imagine the way they work, empower users to be more productive, engage with customers in new ways, increase teamwork and efficiency and reduce cost and complexity.

A year into CISCO’S digital networking architecture ‘DNA’ Panel session with Anand Oswal, Senior VP Engineering (Enterprise Network) for Cisco Global, Dave West, VP Architectures for Cisco APJ, Jan Dethlefs, Associate Director, Facilities Service Standards, University of Melbourne and Chris Locke, CIO of Flight Centre.

By Chris Cubbage EDITOR


he Cisco DNA is based on an evolved network infrastructure, with network fabrics, virtual functions and Application and data hosting. The enterprise controller manages automation, analytics and assurance. Orchestration and service management houses the service catalogue, policy definition and toolsets. These three platforms are cloud enabled for centralised management and flexible operation, and protected with security and compliance for policy enforcement and threat mitigation. Across the stack is the Operations, Governance and Organisation for incident management, business intent, process and services. The enterprise network compute system provides the virtualisation system, so customers can virtualise services and run their own branches with network functionality, firewall and WAN optimisation and that needs to be run across the infrastructure. Cisco has also released an advisor tool to allow customer’s to go through a methodology and understand where they are in the process. Customers may be manual today but want to get to a self-driving, automated process tomorrow – the advisor tools allow them to go through the process of taking advantage of the digital networking architecture. According to Dave West, “The greatest traction around the world is probably in Europe but the second is in the Australia and NZ market. It’s a progressive market and customers are

thinking ahead – they are seeking more cognitive learning and analytics are driving a 5x to7x growth. Customers are experimenting and figuring out how to start driving automation and maintaining simplicity in the architecture. The ANZ market is a fast adopter and the uptake has been strong, in particular for security products such as Threat Grid.” Jan Dethlefs confirmed the University of Melbourne is uniquely situated for embracing technology with its proximity to the CBD. With seven campuses in Victoria, including the main campus in the CBD, the university has 55,000 students, expanding to 65,000 and 6,500 staff across the campuses, as well as a rural campus. The University of Melbourne is ranked as the top Australian university and thirty-third in the world. Their key priorities are looking at three strands, being teaching and learning, research and engagement. The challenge is enhancing the best research environment with the engagement strand and the main objectives are bridging to activities, industry and a priority link to the City of Melbourne. The University of Melbourne is using location analytics and leveraging the technology for decision making. Jan Dethlefs explained, “we started working on this a year ago, and wanted to learn how do visitors, students and staff experience the campus and across spaces. We know how

Asia Pacific Security Magazine | 21


they attend classes but what about when they’re not at class. Where do we put cafes, infrastructure, which buildings are the most used and when? Some places are more popular than other places. From a pure utilisation point of view, we have come to better understand what they do when outside the classes. The Melbourne Metro Rail will also have implications on the campus life with an underground rail line and will provide a station directly on campus. But for 5 years we will have a construction site on campus and this will be a big 400-metre-long hole, cutting the campus in half. We wanted to know how this will impact on building occupancy and analysing the traffic as it is now. We learnt that we have about 20-25,000 people crossing this space on a daily basis, so the impact will be massive. We have to examine timetabling and people movement so we limit the impact and reduce impacts on the campus experience. We are measuring success in a variety of ways but a good example is the Melbourne School of Design building which is the most popular building on campus. We know this from analysing the data. The building was designed to be a meeting place for all kinds of students, so for the first time we are able to prove the concept of the building, which has worked perfectly well. We have the ability to prove concepts of space design and can use these outcomes for future buildings and design. Chris Locke, CIO Flight Centre explained the travel agency has interests in 13 countries and in Australia has 1,100 sites across the country and continuing to grow and

22 | Asia Pacific Security Magazine


make acquisitions. The key business priorities is growth as an organisation and the traditional growth pattern is under some strain. As a result, Mr. Locke explained, “we are turning to knowing the customer better and knowing the data we have and leveraging that information. We have introduced Cisco Meraki into the business and have embarked on this just over six months ago. We have progressed to 60-70% into the roll out.” Meraki is the cloud managed portfolio of Cisco’s networking products. “We have deployed in some flagship stores and our Brisbane headquarters, which houses about 1,700 people. The first focus was on work and mobility, so staff can roam anywhere in the building and this is the same in flagship stores. Staff can go home and continue to work if necessary. Plus, we will know who the customer is when they walk into the store or even if they walk passed the store. We know if they have looked at a holiday and allows us to personalise the offer. This has not yet been deployed but is a journey for us and will be an Opt in for customers. The Flight Centre board is very cognisant of security and security is a big part of what we do.” “Some of the challenges being assisted is in the resourcing space. At a skill level, it is getting harder to get and maintain. Meraki provides a simplified administration model and allows rolling out VoIP across the stores and gets more value out of the network and more carrier independent. The outcomes are a modernisation program for branches, customer insight data, ICT administration and these are all big factors for us.”

“The greatest traction around the world is probably in Europe but the second is in the Australia and NZ market. It’s a progressive market and customers are thinking ahead – they are seeking more cognitive learning and analytics are driving a 5x to7x growth. Customers are experimenting and figuring out how to start driving automation and maintaining simplicity in the architecture. The ANZ market is a fast adopter and the uptake has been strong, in particular for security products such as Threat Grid.”

Asia Pacific Security Magazine | 23

Cyber Security

A HANDLE TO HOLD ON TOO Editor’s Insight Interview with Simon Ractliffe, SecureWorks


anaging an information security solutions company which is technology agnostic is not just about focusing on ‘what’ is being protected. It looks into the likely threats and the capability required to detect and respond to those

threats. For one such company, SecureWorks, “it is about having an open conversation about what clients need to focus on to protect themselves from cyberattacks, Simon Ractliffe, Director and General Manager for South Asia Pacific explained. “Despite various systems deployed, we as experts still need to rationalise and figure out, from multiple sources, how to make sense of what the event or alarm may be. The difference in the client environment means you need to determine what solutions clients need. We do this effectively by partnering with our clients to co-manage their various security technologies. When you look at the number of vendors in the market there is no surprise that CIOs and CISOs are struggling and we’re steadily becoming ‘a handle for them to hold on too.” In the last two years, SecureWorks has experienced significant growth having added a number of new clients to its portfolio. The market is trying to address the confusion for clients and there is no single vendor who has all the answers and solutions, which is a challenge in terms of security outcomes. “We’re increasingly finding you have to provide very insightful, actionable intelligence upfront and help the client solve the problem in the first instance. Then subsequently, continue to deliver mitigation, response and deal with ramifications of real and suspected breaches. The differentiation for SecureWorks lies in client intimacy. You still need to have people engaged on the ground constantly optimising the services and products to the full benefit of the client,” Mr. Ractliffe said. Budgets are being under estimated by organisations, which means models for phased roll-outs are required to manage the client’s needs versus the budgets being assigned to security. It is clear the attack surface has expanded in respect to the cloud and giving transparency across various cloud solutions is paramount. SecureWorks is driving the managed security services market with managed detection and response solutions, as a subset of managed security service providers (MSSPs), that offer solutions in reducing the time to identify and combat threats. SecureWorks is committed to expand its capabilities in the region and is focused on increasing its pool of threat intelligence, project management, implementation and service delivery experts at SecureWorks. The company has invested into the Australian cybersecurity market with skills, and expanded upon sense-making solutions. Mr. Ractliffe confirmed, “we have hired a number of folks who have held key positions at significant government organisations, and we are also looking to develop a substantial team based in ANZ, to work with our Counter Threat Unit TM (CTU) research team”. Mr. Ractliffe explained, “every client needs assistance and is generally found to be in the transformation phase to ensure that the business is efficient. Hence, the nature of the business requires us to work with them throughout the transition period.” Currently, SecureWorks maintains four Counter Threat Operation Centres (CTOCs), where certified security analysts continually monitor the networks of SecureWorks’ 4,300 clients. The CTOCs are located in the U.S and in Europe. Additional personnel support SecureWorks’ CTOC operations from locations in Australia, Japan and Romania. SecureWorks has remained dominant amongst MSSPs and backed by the latest threat intelligence and the expertise of the SecureWorks CTU research team. The CTU is made up of a range of experts, several who formally worked with CERT/CC and various country CERTs. They are identifying and studying the patterns of adversaries. CTU researchers also track the activities of Threat Group-4127 (TG-4127), known to target governments, military, international non-governmental organisations (NGOs), journalists and Russian dissidents. The group is believed to be working out of

24 | Asia Pacific Security Magazine

the Russian Federation and gathering intelligence on behalf of the Russian government and targeting Hillary Clinton’s email. The activity used the same technique as a 2015 spear-phishing campaign that targeted more than 1,800 Google Accounts. Components of TG-4127 operations have also been reported under the names APT28, Sofacy, Sednit, Fancy Bear, and Pawn Storm. From a global standpoint, Jon Ramsey, Chief Technology Officer for SecureWorks, based in Atlanta with 25 years of hands-on experience looks at what’s the latest in cloud, what technologies are available and what clients will be looking for to give them transparency across the market. SMB clients with 500 or fewer end users can now purchase the “MDR for SMB” solution at a special price, which bundles together the following services: Advanced Malware Protection and Detection (AMPD); Advanced Endpoint Threat Detection Red Cloak (AETD Red Cloak); the iSensor Intrusion Prevention service; and an optional Incident Response retainer. Enterprises clients interested in the MDR Solution can choose from any of the services below: • Targeted Threat Hunting • Advanced Endpoint Threat Detection • Advanced Malware Protection and Detection • Enterprise iSensor • Advanced Remediation Management • Targeted Threat Response • Incident Management Retainer • Incident Response Remote & On-Site “Whether threat actors are leveraging zero-day threats or living off the land, using little to no malware, staying secure requires having real-time visibility, expert detection, and the ability to respond to incidents when they occur,” said Matt Eberhart, vice president of global product management at SecureWorks. “With our Managed Detection and Response solutions, SMBs and enterprises can both receive the comprehensive protection they need in order to detect, validate, contain, and eradicate sophisticated attacks before advanced adversaries can steal critical data.” In February, SecureWorks launched a new solution called Advanced Endpoint Threat Prevention (AETP), a next-generation antivirus service powered by Carbon Black’s Cb Defense. By leveraging Cb Defense, SecureWorks’ AETP service will offer enterprises and SMB clients: • Protection Against Advanced Attacks: Carbon Black’s new “streaming prevention” technology prevents malware, ransomware, 0-days, and non-malware attacks. • SecureWorks Intelligence: SecureWorks adds curated Threat Intelligence and analytics, going beyond point-in-time protection with the complete visibility needed to rapidly respond to threats identified by less-certain triggers. SecureWorks experts from its Senior Intrusion Analyst teams provide documented, actionable guidance on how to eradicate adversary activity that cannot always be blocked. • 24X7 Monitoring: Non-stop coverage from SecureWorks gives small to mid-sized businesses (SMBs) and enterprises alike the ability to offload the time and energy of managing endpoint security to a trusted team of specially trained experts skilled at detecting and defending against advanced threats. As the number of significant security incidents continues to rise, including those involving marquee organisations, managed security services has become a vital part of an organisation’s security program. SecureWorks’ primary goal is to work hand in hand with the client to ensure that its clients’ critical data is protected, while enabling the clients’ business to thrive.

BRETT LOVEGROVE, RETIRED HEAD OF COUNTER TERRORISM FOR CITY OF LONDON POLICE Editor's interview with RMIA keynote tour 2017: Keynote tour starts 27th March 2017

ASM READER DISCOUNT CODE: 'ASMMEM' will give readers the same price as RMIA members What is your opinion on the current US Administration’s hard-line policy on immigration, and do you see this, potentially, exacerbating global tensions and raising the risk to Americans overseas? The tensions will rise notably in different sectors. I think that the immediate signs of discontent will certainly play out where American interests are visible overseas and this does not necessarily mean just in countries where the Muslim faith is prominent. Increased targeting could include internationally based supply chains to US concerns as well as coalition providers. This policy plays into the negative narrative that Islamist groups transmit to more vulnerable groups and individuals that the West wishes to attack the Muslim faith. Do you see risk perceptions, of the general public and for business, changing with the trending rise of populism and nationalism? The perceptions have undoubtedly changed as a result of a number of regional decisions in the last couple of years. Brexit has been misinterpreted as a ‘green light’ to some right wing oriented individuals as a sign that their interpretation of nationalism is the right one. The media has reported an increase in right wing activism/politics as a result of the refugee crisis. These views are giving the impression to the wider public that markets are contracting back into their home states and an overall defensive posture is being adopted. This can be disconcerting to the wider pubic and creates uncertainty within the business and investment sectors. Would you consider the current situation in Mosel and likely demise of Islamic State control over the city being the catalyst of increased risk to Western countries and recruitment efforts from related groups such as Al Qaeda and other supporters and sympathisers. The successes in Syria will mean that Daesh will have to re-think their strategies. They know that self-deployed cells work and need little guidance or training or contact with the Daesh command. I think that we may be looking at increased attacks in urban areas as well as city centres and at the risk of seeming bleak, a resurgence in asymmetrical attacks in Syria on a smaller scale. How do you see the convergence of physical security risk and cyber security risk impacting on the CRO role, as well as other C-Suite roles? I think the impact will be a positive one. The development we may see on a more global scale is the accreditation of the CRO role and an internationally recognisable

career path that must have physical, cyber, people, asset, information and technology security experience as standard. What is your opinion on how resilience can be better imbedded into new and emerging technologies? I am a mentor for new technological 'start ups’ and the advancement of resilient technology increases so fast and I advise on this. Taking a step back to basics can be important, such as educating individuals and businesses to think twice about what information they record and where they store it. Most importantly, they should be protecting the most valuable part of their operation and investing heavily on protecting what could affect them the most if attacked. There is a lot of innovation being applied to the concept of a Smart City, what would you consider to be the key aspects of a Smart City that would contribute towards the management of terrorism, crime and security risks? Again, taking a step back to basics is important here. At an early stage, society must explain the benefits of smart city management and information collection to the wider population, the business, law enforcement and government sectors and reassure them about any impending ‘big brother misconception. If effort is put into this aspect at an early stage, information sharing and intelligence processes may be better understood and appreciated and more community intelligence about terrorism and crime may be more readily forthcoming. Given your experience over the last 20 years in the security domain, what do you foresee into the future, in 2037 – how do you see the state of the world in a security risk context? Better, worse or the same? What current trends are likely to have the largest impacts on societal risk? A difficult question to answer, but I do think that globally we need to understand that in addition to conflict based on differing faiths, there is a significant shift in sources of fuel, oil and gas provision. This will create power bases away from the traditional wealthy states that we see now and this loss of power may create an economical shift which may make them vulnerable to terrorist attack. Separately, as ‘rare earth’ and other non-renewable resources are used up, territories where they can be found may become more valuable and subject to dispute and conflict. This may spark an increase in the current refugee crisis for affected populations and for businesses trading in those regions, while enabling the clients’ business to thrive.

Asia Pacific Security Magazine | 25

Corporate Security

: N O I T A C I N U M M O IS C

s t i h s i s i r c a n e h w t n e m e g a n a M n o i Reputat


A By Eddie Idik

ll too often, leaders within companies, organisations and governments involved in a crisis have had to learn the hard way that major disruptions, or events once seemed unthinkable, can become a reality. Whether it be death caused by an accident within the workplace, share prices declining due to a failed takeover, a major environmental catastrophe such as an oil spill, or toxic food and medicines leading to boycotts and community outrage, the attention quickly falls on the organisation responsible and other perceived ‘guilty parties’. Thanks to the internet and social media, information about a situation or a crisis in Sydney can reach Dubai, London or Moscow within minutes. In many cases, details will often be grossly exaggerated by the media before any official comment can be made. Stakeholders, familiar with past events such as the Tylenol Affair (1982), BP Deepwater Horizon (2010), Volkswagon Emissions Scandal (2015) and more recently, the DreamWorld Ride Accident (2016), will not only be demanding explanations but closely watching how the organisation manages its response. A “No Comment” approach or burying your head in the sand just doesn’t cut it anymore. What is Crisis Communication? I define it as “a proactive response to protect the reputation of an organisation during a crisis by maintaining a level of media control”. It also includes the collection and dissemination of information in a timely manner to address the crisis situation. Many organisations fail to address the communication

26 | Asia Pacific Security Magazine

issues related to crisis response – leadership teams often don’t understand that in the absence of internal and external communications, stakeholders don’t receive the necessary information to know what’s happening, resulting in confusion and anger. Operational responses break down and the financial impact to the bottom line becomes more severe. Internal crisis communication is vital to mitigate the stress of the event on employees, and also to inform them as to how they can be ambassadors or assets for the organisation during this crucial time. When my clients ask me “what is the best approach to crisis communication?”, it’s simple – preparation! Anticipating crisis scenarios, assembling the crisis communications team and on-going training is the key. Crisis Communication Principles - Preparation, Speed and Consistency Preparation (Pre-crisis)

Be proactive. Always assume the worst case scenario. Do not assume that nothing will go wrong. Why? Because when an organisation plans for the worstcase scenario, they take all potential issues into account. It is better to think about the possible responses now, rather than under pressure during an actual crisis. Have a plan

A Crisis Communications Plan is an essential tool in dealing with a crisis or disaster event. Regardless of the sector in which they operate, every organisation needs an up-to-date plan. At every stage of a crisis, from the moment it breaks to the post-crisis evaluation, the company’s image, reputation,

Corporate Security

When my clients ask me “what is the best approach to crisis communication?”, it’s simple – preparation! and good name is at risk. The Crisis Communication Plan needs to address the objectives of: • communicating the right message; • at the right time; • to the right people. Selecting the Crisis Communications Team The team members within this small group need to be agile, alert, reachable and have absolute authority when a crisis unfolds. This team will usually be led by a senior executive such as the CEO, owner or ultimate stakeholder, and include the company’s legal representative, two official spokespersons (in case back up is required if one is unavailable), the lead in-house communications manager and/or an external public relations agency to support in-house communications where additional expertise is required. In my experience, having legal representatives as members of the crisis committee (remember, these are the key decision makers during a crisis) can potentially lead to disagreements when strategy and messaging are involved. Legal representatives that are included last minute may adopt a low-risk approach and push for a “no comment at this stage” response, which can bring an organisation’s reputation crashing down, especially when media and the public are hungry for information. I recommend having legal representatives involved as a proactive measure at the planning stage, rather than as a reactive response, to ensure a clear, structured and timely response during a crisis. Crisis Management Team Roles and Responsibilities

a majority vote is received for all decisions made relating to the crisis. This will avoid delay in taking required actions. Depending on the crisis, the committee may also need to include subject matter experts with specialised knowledge to inform decisions. The ‘Doer’ – Communications Manager In the event of a crisis, it’s important to have one person at the centre of all communications to ensure timely and consistent messaging reaches all audiences. This is the role of the Communications Manager, who is responsible for: • activating the Crisis Committee (the Head); • developing close media/press contacts who can be notified directly when required; • having access to the company website to update company information for the public; • communicating the decisions of the Crisis Committee to the Spokespeople (the Voice); • preparing ‘holding statements’ for the Spokespeople; • approving communications messages before they go live; • reporting developments back to the Crisis Committee as they happen. The ‘Doer’ is also responsible for pre-preparing media messages and contacts and having this information, as well as standard company collateral, available at all times. This will ensure operational readiness – an understanding of possible crisis scenarios, what the organisation’s response will be in advance of an event occurring, and to whom it will be directed. It’s important to remember that during a crisis, time is of the essence and the Communications Manager does not want to be developing or recreating materials from scratch. Consider having high-resolution images of the company, spokespeople, company products/media documents and stakeholder information already uploaded to an accessible location, such as a cloud server, in case of a power failure. This ensures all relevant crisis information and media contacts are retrievable via any browser or device in any location.

Each team member will have a specific function in a crisis. The ‘Voice’ – Spokespeople Spokespeople alone do not decide what is communicated to the media. They convey what information has been agreed on by the Crisis Committee. They are the ‘Voice’ of the organisation and must be professional, well presented, and comfortable standing and presenting in front of a camera and dealing with the press. Media training helps to build this confidence and is essential for anyone representing the organisation. CEOs commonly assume this responsibility, but let’s face it, they are not always the right person to be fronting the cameras. If this is the case, then best leave the task to the nominated spokespeople.

Communiations Manager

Crisis Committee CEO, COO, CFO, FM Legal Advisor Spokespeople

External PR Team

The ‘Head’ – Crisis Committee The Crisis Committee is led by the CEO, and is also known as the ‘Head’. The committee, generally comprising 3-5 members as discussed earlier, is responsible for ensuring

Figure 1: Crisis Communications Team

Asia Pacific Security Magazine | 27

Corporate Security

When Crisis Hits!

Analysis (Post Crisis)

In most cases, by the time an organisation first learns of a crisis, they are already on the back foot and in a reactive position. The goal is to gain control as early as possible. In this world of always-on social media, news will spread globally whether it’s with information provided by the company, or with information the media has ‘assumed’ or obtained from uninformed sources. By being prepared, organisations can be in control of this. Be proactive, utilise holding statements and address the media without delay. Holding statements are short messages prepared in advance; designed to be used immediately after a crisis hits. They are ideal for filling in the media ‘vacuum’, and give the Crisis Committee more time to prepare their full response. A company’s reputation can be an advantage at this time. A good reputation not only supports business growth, it can help deflect or minimise negative events when they occur. A crisis may be perceived as a ‘one-off ’ incident which the public trusts the company will resolve quickly and effectively, however it is still important to be proactive in communications as soon as possible. An example of a basic but effective holding statement is:

After the dust has settled and the media approach is no longer ‘in your face’, it is important for the Crisis Committee to sit down and evaluate their communications approach: what did they do well; what have they learnt; and what will they do better next time? Answering these questions will improve the Crisis Communications Plan and help the organisation to be better prepared in the event of a future crisis. I recommend documenting this round table debrief and filing it along with communications documents such as media logs and holding statements for use at future training sessions. And I can’t stress enough the importance of spokesperson/ media training in benefiting a company’s reputation in times of crisis – an organisation’s public face throughout a crisis must be calm, confident and trusted by both the media and community. In conclusion, it is one thing to anticipate a crisis event; however, it is another to be prepared when the event unfolds. I hope that organisations are getting the message these days that the need for crisis preparation, whether it be crisis communications, disaster response or business continuity, has significantly increased over the past decade. In today’s ever-changing environment of high speed communications through digital and social media platforms, organisations cannot afford to just have a plan in place. The question they must ask themselves is, “are we really ready to act on it?!”

“At 9:30am this morning, we were informed of a power failure to our network. No injuries have been reported at this time. The cause is under investigation and we expect to have more information within the next couple of hours. For updates, please visit our website (web address) or contact our communications department (contact details).” Remember: Human life must always come first. Ensure this message is evident across all communication channels – press conferences, media releases, radio, website and social media.

Concern, Relief and Reassurance All communications should convey “Concern, Relief and Reassurance”. Concern • First, ensure messaging demonstrates concern and consideration as to what has happened. • Be honest and open that a crisis has occurred. • Communicate that the organisation is doing everything in its power to find out exactly what has caused the event. Relief • Express relief by demonstrating some of the company’s safeguards. • Provide information on any positive outcomes regularly (e.g, “all persons have been evacuated from the building without injury”) Reassurance • Provide reassurance that all possible steps are being taken to right the wrong. • Communicate the actions the company is taking to prevent the event from occurring again. • Keep the public and media informed on a regular basis (usually every hour in the initial stages of the crisis).

28 | Asia Pacific Security Magazine

About the Author Eddie has a background in the development of security, emergency / crisis management frameworks and specialises in the convention, exhibition and live event sectors in Australia.


Cyber Security

A Vision of IB Consultancy th



21 -23 March | Marina Bay Sands Asia’s only CBRNe & EOD Conference series is back in Singapore! DSO National Laboratories from Singapore and IB Consultancy are proud to announce that the 2017 editions of SISPAT and NCT will be held in conjunction at the Marina Bay Sands Singapore on 21-23 March 2017. The 8th edition of SISPAT will again be the premier scientific forum in the field of CBRN. The 24th and 25th editions of the NCT CBRNe Asia and eXplosive Asia conferences will continue to be the main forum for CBRN and C-IED/EOD professionals in the Asian region. During the three-day event, the three conferences will have one shared exhibition showcasing the latest equipment from the global CBRN and C-IED/EOD industries. The event will host three separate conferences: the 8th SISPAT, NCT CBRNe Asia and NCT eXplosive Asia, with a shared opening/ closing plenary and exhibition area. NCT Asia will welcome presentations from H.E. Ahmet Uzumcu (DG of the OPCW), Douglas Bryce (JPEO), Dr. Ronald Hann (DTRA), Quek Gim Pew (Singapore Ministry of Defence) and many more. NCT Asia has more CBRNe commanders (civil & military) present than all other (non NCT) CBRNe events worldwide combined! +31 71 744 0174 @ibconsultancy

Asia Pacific Security Magazine | 29


Surviving through sharing: 'The kilted rogue runner' story Raising Awareness of Anxiety, Depression, PTSD and Suicide Prevention. By Jason Nelson

30 | Asia Pacific Security Magazine


am 45 years old, and I live with my family here in Perth Western Australia and this is my journey: I am a Royal Navy veteran and an ex UK and WA Police Officer, I survive Depression, Anxiety, PTSD and associated issues. I'm grateful that I have personally suffered because it has given me the insight into the power of sharing my story to help others. During my life there have been many short stories of trauma that I have been exposed to, and the way I used to deal with them was by locking them away on my sub consciousness bookshelf. Sadly these traumas include being sexually assaulted by a person in a position of trust when I was young, active service in the Royal Navy, the tragic death of a dear friend on my stag night, the devastating loss of my Grandmother, to responding to numerous horrific incidents during a distinguished policing career with Cheshire Police in the UK and here with WA Police. For me, my policing career is from where most of the trauma I have endured still affects me to this day. These include seeing numerous dead bodies, traumatic scenes, delivering death messages, horrific road traffic collisions, observing autopsies and working on covert policing teams in high risk situations. While working on a covert policing team here in Australia my supervising officers, attempted to have me removed from the team for under performing by setting me

up to fail during operations.
 This was happening within two years of moving to Australia and trying to settle my family in to our new life down under. Over a period of 6 months I became severely depressed and as a result I contemplated, planned and attempted suicide.
 On numerous occasions, in the darkest of that time, I placed the barrel of my loaded service Glock 27 pistol in my mouth with my finger on the trigger and gently squeezed. I was a mess. Thankfully with the help and support of my family I found the strength to report what was happening to me and sought the professional help I needed, which, along with distance running helped me become mentally fit again. My roller coaster of a journey continued about 3 years ago I underwent surgery for a routine hernia repair, shortly after surgery I suffered a delayed reaction to the anaesthetic and my heart went from a resting 50bpm in my sleep to over 160bpm, the crash team was called and they worked frantically to reduce my heart rate as they readied the defibrillator to shock my heart back to normal rhythm. Unfortunately for me this was the event as the trigger point to having all of the trauma short stories falling off my sub conscious bookshelf and reappearing in the fore front of my mind once more. I didn't understand the symptoms and struggled to cope with what was happening to me, the flash backs, the


sensitivity to noise, being hyper vigilant, paranoid and severe anxiety. I tried and failed to deal with it on my own and again became severely depressed and 3 months later had another breakdown. Again I sought professional help and 12 months working with my Psychologist, and undergoing cognitive writing therapy I was able to desensitise myself to much of it and become happy again. I still suffer from some associated issues such as OCD, hyper vigilance and the occasional flash back, but now I recognise and understand my symptoms. Sadly, our family felt another blow from mental illness last year when our daughter Holly then 17, who had been suffering from depression and anxiety attempted suicide by overdosing on paracetamol and codeine. I'm so happy to say Holly is much better now, after getting the right balance of help and treatment and in August Holly enjoyed her 18th birthday celebrations and is aiming to follow in her older sisters footsteps by becoming a nurse. Recently Holly showed great outrage and strength when we both spoke about our experiences at a Cross-Fit event raising awareness for mental health and following on from that completed the Perth Half Marathon together. Having been through what I have endured, and survived, I now share my experiences, speak in public and at events about mental illness and help educate others to break down the stigma that surrounds it. It has also inspired me to undertake further studies to educate myself beyond my own experiences and I'm currently studying a CERTIV in Mental Health with WAAMH to gain further knowledge on how to help others. One of my greatest tools that helped me face mental illness head on, is distance running; and to date I have run 22 marathons and countless other events. Running to me is one of my most powerful mindfulness therapies, gives me time to concentrate on my breathing as the sound of my feet strike the ground as I meditate. As a founding member of the Rogue Runners Club Australia and now a committee member for Sirens of Silence Charity. I raise awareness each event I run, by wearing a full weight Napier tartan kilt, with kind permission from my friends at the WA Police Pipe Band. Our Rogue running crew, was established here in Perth in 2011. The club is free to join with an ethos based upon fitness, fun, family, and fundraising. From our 4 founding members we now have over 120 members across Australia, New Zealand, the US and UK and to date we have raised over $75,000 for worthy charities. From 1 July 2016 the club made a permanent ongoing partnership to support the newly formed Sirens of Silence Charity (commonly known as SOS) to raise funds and awareness for our Police, Fire and Paramedics and their families who suffer from the effects of work related mental illness such as PTSD, Depression and Anxiety. The objective of the club is to become the go to running crew, through Sirens of Silence, for serving and ex-emergency service workers and the wider population who wish to gain improvement in mental wellbeing through running, fitness, exercise and nutrition advice.

For further information please visit the links below: The Kilted SOS Rogue Runner: Jason Nelson LinkedIn: Rogue Runners Club Australia: Sirens of Silence :

Sirens of Silence Charity Inc. is a registered charity with the ACNC and the ATO, all donations over .00 being tax deductible.

Asia Pacific Security Magazine | 31

Feature Promotion

Making an industrial difference Unidirectional gateway security blocking cyberattacks against control networks – Editor’s Insight interview with Lior Frenkel CEO, Waterfall Security CONTROL NETWORK ENVIRONMENTS

Lior Frenkel

32 | Asia Pacific Security Magazine

Framing the network environment will help focus your attention when explaining this technology. Waterfall Security is an industrial cyber security company. Industrial being the key term. Waterfall’s unique technology is used to protect the cyber and network perimeter for an Operational Technology, or OT, environment. The controllers of a physical environment, most commonly based on a SCADA (supervisory control and data acquisition) architecture for software application programs and process controls – is the network that controls machinery, plants and processing equipment. The critical infrastructure that gives us energy, power, water, transport and supply chain functionality. The OT networks may go by different names, depending on the different industry, but in essence, they all apply and operate in the same type of OT network environment. Within these critical network environments, there is a fundamental difference to that of any other network. The difference is their purpose. Yes, there are also computer networks, communication networks and in most cases, there is also real-time operating systems, applications and embedded propriety systems or special protocols, along with real time management systems. But in the end, this is not the main difference. In terms of an attacker’s perspective, the difference

remains on the purpose. The purpose of OT is to maintain, above all else, reliability, operability and safety. A power plant, for example, needs to be at peak performance, 24/7. Bad things happening within a power plant is intolerable. Yet, the purpose of an Information Technology, or IT, network, by its very name, is to process information. The management and processing of information, such as for a bank, is about processing financial transactions and customer data. When you put the difference in focus, the OT network manages a physical asset and an IT network manages a virtual asset. With an IT network, we can copy and move the asset (information), but for an OT network, the machinery, plant and equipment does not move and cannot be replaced quickly or cheaply, and cannot be ‘restored from backup’... To highlight the point, with a worst-case scenario, Lior Frenkel, CEO of Waterfall Security, explains it this way, “If I was to bomb a major Bank’s headquarters, however bad that would be, the bank’s network would most likely be up and running again within hours, as they come back online with their off-site back up servers and Disaster Recovery systems. Or like your home computer or smart phone that crashes or is lost. You should be able to recover your data and get back online within a very short time because your information and data is backed up and replicated. However, on a SCADA

Feature Promotion

network, this is not possible. The assets are physical things. the technology that enables the business requirement to be Be it a rotating turbine at the power station which is broken, fulfilled with access to this data, without the need to access there is no backup. I would have to ship in a new turbine the control network. and hardware, or new machines. There is no offsite backup to The technology is built of four parts, all deployed on the restore operations from. Sometimes there are no spare parts industrial site. Two being hardware which is for security and to simply fix and replace. In many cases, it can take months two being software for visibility. The hardware is referred of downtime and sometimes new manufacturing is required. simply as TX & RX, or more simply transmit (T) and receive With each hour of down time, it is costing money with the (R). The TX is connected to the OT Network and has an loss of continued production.” optical port that has a laser “This difference, and it is directed to the RX, which is the essential, core differential 'With any IT system, a focused then connected to the external between OT and IT network network. The RX has only an types. Once this is realised attacker can take a relatively short time optical receiver. The optical and appreciated, you will ports are connected via a single understand why OT security is and with limited funds, sometime as fibre cord which means that different too. In the IT world the only thing that can happen if the worst case happens, I can low as $5,000 on the black market, to between these two modules go to the backup plan. But with is that the laser light can pass an OT environment, there is no acquire the ability to break in.' through from the transmitter backup plan – if it breaks, its to the receiver. There is broken. Therefore, the number nothing to send backwards one priority in a security program for an OT environment is and is physically impossible due to the optical fibre design. the prevention of an attack. The one thing not to have happen This creates such a secure process that it can be put into use is to have an attacker get into the OT network – this is above even at a nuclear power plant. The TX connected to the OT all else.” network and transmitting data to the RX, which is then Firewalls are a good product and used widely. However, connected to the internet. There is no physical way to connect firewalls were designed for IT networks and assume both back into the TX aspect of the network. You could have the sides of the network are IT Networks, so they will abide access codes, credentials and blueprints to the plant, yet there by the same rules and protocols. When one side is an OT is no vulnerability or possibility to get access unless you have network, like a SCADA system, the question is, ‘does it still the required physical access to get in through the gates and fit?’ The answer, according to Lior, is No! “A firewall is a going direct to the on-site hardware. Be it a targeted attack, a router with a rule set and the security is provided by software. virus propagation, malware, nothing can get from the RX to Every software in the world has bugs and vulnerabilities. Any the TX. line of code can be exploited. The security that is provided is considerable but you can put in place a plan to misconfigure it, so it is possible then to acquire access to the network, be it a power station or a pharmaceutical plant. Plus, the firewall configuration is secured by credentials and if I get my hands on those credentials and passwords, then again, I have access to the OT network.” “With any IT system, a focused attacker can take a relatively short time and with limited funds, sometime as low as $5,000 on the black market, to acquire the ability to break in. For a billion-dollar power plant, producing hundreds of millions of dollars of energy every day, it should not be protected by a firewall, that may take a $5,000 hacker to breach.” UNIDIRECTIONAL GATEWAY Waterfall Security has designed their basic technology and flagship product to be called the ‘unidirectional security gateway’, providing the main need requiring remote access for OT networks, which is visibility and access to real time data. With any critical infrastructure and operational environment, there are managers, vendors and customers whom have a valid ‘need to know’ what’s going on in the production cycle, in real time. This need is an important and crucial business requirement. Yet despite this need, one doesn’t want to open up all these platforms to the Internet. Waterfall has designed

Asia Pacific Security Magazine | 33

Feature Promotion

"Most of our deployments are on existing sites and designed to replace the perimeter firewalls that were there before. Deployment is relatively easy, as our Unidirectional Gateway has off-theshelf connectivity to almost every type of control network systems" Rather than trying to solve the need by making a trade-off from the business side, this technology actually facilitates it. The two software components sit on both sides of the TX and RX modules. The software on the TX module runs on the SCADA network and reaches out to every system that is needed or selected to be interfaced and gathers all of the data and which is changing in real time. This data is then transmitted through the unidirectional hardware – the TX to the RX and is received by the RX software to be extracted and populated by the Waterfall software into another copy of the same SCADA system – so the system on the SCADA network is the same on the RX side but is repopulated. The SCADA copy is installed on the external side and the gathered data sent to the outside and copied in real time. A fully functional and fully updated replica copy is now available and functional - but on the outside of the OT network and visible to the business end to see, check and measure. This technological approach is solving a hard and dangerous cybersecurity problem, by exporting data to the outside of the OT network, it is effectively transforming it from an OT issue to be a classic IT issue – so you’re back to dealing with the data integrity and reliability on the outside. Once you deploy the gateway this is the only problem you have. Lior Frenkel confirms the technology has already been widely deployed, “Most of our deployments are on existing sites and designed to replace the perimeter firewalls that were there before. Deployment is relatively easy, as our Unidirectional Gateway has off-the-shelf connectivity to almost every type of control network systems. We have deployments in power, nuclear, chemical, transport, train, water, off-shore platforms, worldwide. The biggest by number is in North America and in Israel, where we’re deployed in the vast majority of Critical Infrastructure. Our next biggest market is in the Asia Pacific, including Singapore, South Korea and Japan. We have established a local presence in Japan and have a number of partners in the region. Our efforts in the APAC region is based on the security concerns being high and customers seeking solutions. Waterfall Security has recently also created another solution based on its unidirectional gateway technology, being the Unidirectional CloudConnect. The CloudConnect is a security appliance and uses specially built software that allows industrial sites to securely and easily connect to cloud based services. It has an internal unidirectional gateway

34 | Asia Pacific Security Magazine

and software on both sides, to allow cloud-based big data analytics of pre-emptive maintenance. This is considered a significant market for industrial sites, but is not getting adopted fast enough due to the security concerns. Cloud service providers going to an industrial site have a pitch on how good the service and opportunities are, along with cost efficiencies but these prospective clients can’t connect because it is too unsafe and insecure. In addition, the cloud, by definition, sees all the sites the same way and wants to connect to everything in the same way. Industrial sites are very different with different protocols, languages, devices, and each deployment becomes a complex integration project. When you deploy the CloudConnect, it connects between the internal network and external network and it knows how to talk to the internal network and converts it to one single unified protocol that the cloud can consume – so when you connect to the CloudConnect you get a secure access to the site and a secure single type of connection to the cloud. Lior Frenkel says, “We are talking to many companies now to sell this as part of their cloud service offering because they see the push back from the customers – based on security concerns and deployment complexity.” Waterfall’s gateway products are provided ‘off-the-shelf ’, with integral support of the market’s widest array of industrial systems, including the OSIsoft PI™ Historian, Schneider Electric’s ClearSCADA, AspenTech IP.21, the GE Proficy™ iHistorian, Siemens SIMATIC™/Spectrum™ solutions, GE OSM™ remote monitoring platforms, as well as OPC, Modbus, DNP3, ICCP and other industrial and IT protocols. The company’s headquarters are in Israel with sales and support offices located in North America, and local representation in Japan and France. Visit for more information.

Cyber Security

Asia Pacific Security Magazine | 35


Operational security management structure for inimical environments By Dr. Bill Bailey

36 | Asia Pacific Security Magazine


apua New Guinea (PNG) is an enigma for most companies wishing to set-up and function safely and securely in the country. Anecdotal evidence is rife, as are the newspaper reports, on all aspects of the impact of crime in PNG. Reports related to urban crime point to the underlying reasons including high levels of poverty, healthcare, education and lack of basic infrastructure. The primary factor is considered to be the failure of law and order to bring civil stability, followed by high levels of corruption. The major urban centres of Port Moresby and Lae are considered the most problematic. The ability to develop an operational security management plan is dependent on accurately assessing the actual threat, risks and capability of adversaries to impact on the working environment. Extensive background information needs to be obtained from a number of sources in order to produce a Security Risk and Threat Assessment (SRVTA) (W J. Bailey & Doleman, 2013, p. 57). To be effective in this task requires an understanding of how grave the problem is, and in which specific areas, before any meaningful action can be taken. PNG is not unique as crime is insidious in most developing countries and its impacts affect all sections of society. Therefore, undertaking a comprehensive security, risk and threat assessment is necessary to fully understand the nature and scope of the problem first. A Security Risk Assessment requires an all-inclusive understanding of the social, economic and political factors before successful and meaningful security managed programmes can be implemented or even suggested.. Based upon these criteria, this paper assesses how this indispensable security management process can be accomplished given the far-reaching restraints that are present in undertaking any such process in PNG. The recent trend from incident reports, newspaper articles and anecdotal evidence indicates a steadily rising level of crime in PNG. Changes in socio-economic expectations and the high price of goods have all contributed to increasing social strains. The completion of the PNG-LNG pipeline has seen a decrease in employment that is believed to be associated with increasing levels of crime. This trend in crime is in both urban and rural areas. Without a major investment in infrastructure by the Government to create more employment or another major oil and gas project, which seems less likely at current prices, growing social unrest will rise as will crime.

Risk Situation Port Moresby was ranked as one of the world’s least liveable cities scoring 138 out of 140 on list prepared by the Economist (Economist Intelliegence Unit, 2016). However, sometimes there is no choice for some who need to live here for work purposes, which is why it is included in the Economist list. Figure 1, indicates that even though the security risk is at 61D, it is not the most severe indicating that is can be managed with sufficient safeguards. Perhaps what is more concerning is the EIU’s rating for Government effectiveness at 68D and Infrastructure, which has fallen from 78 D, in 2015 to 81 E. Both of these high scores show increased concern from analysts regarding the situation in PNG. Creating an operational security management structure It is commonly accepted that operating in PNG presents challenges to companies, but these are not insurmountable, when compared to operations in Iraq, Algeria, or other conflict zones. PNG is not a conflict zone, nor does it have a terrorist or civil war problem. The problems are predominately crime related based upon social inequality and aggressive cultural behaviour. These problems can be managed with sufficient safeguards integrated into the security management structure. However, first there always needs to be a structured, comprehensive risk, threat, vulnerability and criticality assessment conducted in order to develop the necessary safeguards. Understanding what is meant by risk and how to define it is crucial to the process. AS/NZS 31000:2009 considers it to be the “effect of uncertainty on objectives…[when] an effect is a deviation from the expected-positive and/or negative”(Standards Australia, 2009). Kaplan (1981) states “we are not able in life to avoid risk but only to choose between risks” and in order to accomplish this we need to quantify risk by using what Kaplan defines as a set of risk triplets: scenario, probability, and consequences. • What could happen, when and how? (i.e. What can go wrong?) • How likely is it that it will happen? ( i.e. likelihood) • If it does happen, what are the consequences?

International The Risk scenarios and ratings from EIU are b)

Targeted (sabotage, hijacking, assassination, kidnapping, armed incursion, etc); c) Operating environment including local flash points, landowner disputes or grievances; d) Inadequacy of essential services or infrastructure, including police support; e) Natural event (fire, earthquake, flood, storm etc). 3. Vulnerability assessment to determine the extent and appropriateness of loss prevention and protection measures currently being considered or in place.

"It is commonly accepted that operating in PNG presents challenges to companies, but these are not

Figure 1 Risk Scenarios and rankings (Economist Intelliegence Unit, 2016)

When analysing this approach, the important concept to bear in mind is the relationship consequence has in the whole assessment process. Ezell (2007) argues this further where, “vulnerability highlights the notion of susceptibility to a scenario, whereas risk focuses on the severity of consequences within the context of a scenario”; proposing a series of definitions to accommodate this concept . It is important to understand, “vulnerability assessments are not the same as risk assessments”, because “risk assessments are employed to help understand what can go wrong, estimate the likelihood and the consequences, and to develop risk mitigation strategies to counter risk.”(Ezell, Farr, & Wiese, 2000). Consequences are therefore the prime concern for dealing with threats and hazards in relation to the potential damaged caused and how difficult it might be to put right. A security vulnerability assessment is far more comprehensive than many managers appreciate as: Only by taking this more holistic approach can all the risk scenarios be captured and thus dealt with effectively. The starting point is the creation of country security assessment, which is a report to provide a working baseline. This report will include the operating environment, geography, the people, social and economic conditions, government and infrastructure, security, risk, threat and vulnerability assessment. The environment includes access conditions, the roads, water, power, medical facilities, local tribes, community harmony, key figures, in fact anything that can impact on the project and its personnel. There are a number of considerations that can impact on the assessment process (Figure 2) and these will drive the next phase. A single event may have multiple ripple consequences causing a series of knock-on effects. Each of these effects needs to be fully deliberated, understood and mitigation measures built into not only the Security Management Plan, but also the Business Continuity Plan. Therefore, in order to understand the prevailing risk environment, a three-staged approach to a security review should be used: 1. Resource appreciation to identify those assets requiring protection, such as people, property and/or information, as well as criticality analysis in terms of the specific processes, systems and/or activities being undertaken. 2. Threat assessment to determine potential including motivation and capability, which may include; a) Criminal (theft, robbery, assault, vandalism, kidnapping, murder, fraud, etc);

insurmountable, when compared to operations in Iraq, Algeria, or other conflict zones. PNG is not a conflict zone, nor does it have a terrorist or civil war problem." Figure 2 Risk Ripple Considerations (W J. Bailey, 2015)

The ‘Consequence’ should be assessed based upon the criteria above and the: • Comprehensive understanding of current and proposed operations and activities; • Consideration and prioritisation of the most likely worst-case events/consequences affecting the facility, operations, staff, contractors, visitors and the surrounding community; • Characterization of how malevolent acts might occur and assessment of the prevalence of such malevolent acts from defined threat sources, such as criminal, insider, determined vandal, casual vandal and terrorist; • Determination of the most critical assets (targets); identification of their inter-relationships within other assets in the system; identification of the consequences of malevolent acts that could be directed against those assets; and evaluation of the effectiveness of both existing and proposed protection systems. • An appreciation of the limitations of the supply-chainimpact, that is the amount of time needed to replace the damaged assets and the likely cost to the operation. Consequences become the determining factor and are therefore extremely pertinent to the structure employed to manage the security and the safety of the project. Failure to fully address potential negative outcomes could possibly seriously prejudice the project, or worse!

Asia Pacific Security Magazine | 37


Proposed Model A security management model for hostile environments was identified in (W.J. Bailey, 2014) as the ‘Aid and Humanitarian agencies security triangle’ (Figure 3) based upon: acceptance, deterrence and protection. Acceptance being foremost, “to remove or reduce the threat by seeking widespread acceptance for one’s presence and work among the populations and from the official and de facto authorities”. Consequently, the company needs to gain wide approval from the local community imbuing them a vested interest in the project. Only by achieving this objective, can the other two pillars of the triangle function (Humanitarian Policy Group, 2010). The proposed model (Figure 4) has been adapted and incorporates an additional arm, ‘Intelligence’, which is deemed essential to developing a robust and successful security management structure. The Inimical Model (Figure 4), also moves protection more forcefully into structured Security Management System (SMS). Integral to SMS is a comprehensive security, risk and threat assessment in order to create the necessary systems based upon documentation, such as a Security Management Plan (SMP and Standard Operating Procedures (SOPs). Furthermore, there is a need to accept that ‘deterrence’ can only be achieved by incorporating a designed security process aided by community support: accomplished by an integrated intelligence network. Intelligence adopts a much wider meaning in this context, as it must be integrated to allow for a free flow of informed information, which is capable of picking up early warning signals should threats arise for any reason. Only by working directly with the community and supporting local initiatives will this have any chance of success. In addition ‘by design’ stemming from the ‘deterrence ‘segment not only means engineered to incorporate access control, detection and technical solutions, but also to ensure the security personnel employed are ‘fit for purpose’; through dedicated professional training. Furthermore, more local senior security management staff need to be employed and for them to gain tertiary degree qualifications to allow them to supervise, develop and administer the security work force. The benefits of using local staff at senior management levels is their ability to empathise communicate and understand complex local issues. In order to achieve these goals more training, mentoring and local recruitment needs to take place.




Figure 3 Adapted from the Aid Agencies Security Triangle (Martin, 1999, p. 4)

Conclusion To operate safely and securely in PNG requires a steadfast approach to ensure a comprehensive security management

38 | Asia Pacific Security Magazine

approach is put into place. Incorporating a more inclusive structure by engaging the local community more formally, is seen as a more progressive and sustainable long-term model. To strengthen and underpin this approach, it is necessary to utilise more local PNG citizen managers. In order to accomplish this objective requires employing and empowering more talented citizens for senior management roles. However, with the limited educational opportunities available for tertiary qualifications in security management in PNG, this will also require the Security Industries Authority (SIA) and the government to support the creation of tertiary degrees at universities in PNG. Based upon community support

By design & community support

Structured security management





Integrated local network

Figure 4 Proposed Inimical Security Model (W J. Bailey, 2015)

The model proposed in Figure 4 requires a substantial mind set change as it has to be developed with the acceptance of the community. Most large companies in PNG already have a Community Affairs (CA) section, which deals with all aspects associated with the impacts projects have on local communities and ensures structures for contract negotiation and dispute resolution. Security needs to be aligned more formally and closely with CA, sharing intelligence, networks and resources. PNG is changing and acceptance of predominately expatriate personnel is meeting with more local resistance: it is no longer socially acceptable nor is it operationally sustainable or cost effective. The problems associated with this framework are obvious, consequently there needs to be a change in approach to one that recruits and trains security staff locally. There are a number of advantages and multiple benefits that can be harnessed by employing local people from the community. The difficulties of operating in potentially hostile environments such as PNG requires a more integrated security management structure, which is based upon greater local acceptance by the community coupled with more social engagement leading to better intelligence. The role of security is evolving requiring more inclusive structures capable of ensuring the safety and security of all personnel. The purely defensive model is no longer appropriate and needs to be tempered with the additions as outlined in this article.


Corporate Security

Anti fraud and corruption: More of cultivating a culture than prevention & control

I By Prince Lazar Malaysia Country Editor

n today’s world, Fraud is a real serious problem for all organizations to come to grip with, given the fact that regardless of the line of business, employees (and nonemployees also) commit fraud. Technology changes that occur so rapidly have had a cascading effect on Organisations to adapt to the dynamism of this fast paced world. This constant change, whilst good for business in many ways, has also precipitated a steep rise in fraudulent activity, which continues to evolve and requires individuals and businesses to be more prudent in their practices and corporate culture. Fraud can happen anywhere and occurs every day all over the world. While major fraud situations are typically that attract wide media attention and sensations which are disastrous in many ways, especially to the fact that there are huge sums of money lost by all types of businesses as a result of the high number of even smaller frauds that are committed. It is seen that Fraud generally does not occur in a vacuum or isolation; many times it happens within an environment that, while maybe not overtly, is a breeding ground by itself facilitating fraudulent activities. Most frauds are an ongoing work; once it starts it does not stop by itself, and as it

continues, it grows until it gets detected. Fraud is widely prevalent, and more interestingly it’s nearly impossible to identify a potential fraudster with any degree of confidence. The overwhelming majority of people who commit fraud are first-time offenders. It is informed that only 5 percent of fraudsters caught have had a prior fraud conviction. Therefore, no matter how diligently a background check is conducted, the likelihood that it will unmask a person who eventually will steal from the business remains a limitation or challenge. Today, in an increasingly interconnected world, digital technologies that enable business to be conducted in the wink of an eye also help disguise the identities and machinations of the people conducting that business, thereby enabling fraud to become vastly more sophisticated and pervasive. Likewise, fraud’s impact — on businesses, stakeholders and entire economies — has similarly magnified in a profound manner which is a great area of concern. A shaky economy is rife with fraudulent activity which could be internal fraud from employee abuse of purchasing cards to large-scale fraud involving high-value contracts and breaches of controls that could have serious consequences

Asia Pacific Security Magazine | 39


The roots of a fraud rarely can be traced to a single unethical individual operating maliciously in a vacuum. A fraud is perpetrated when that person meets a specific environment to businesses. This is precisely the time to step up fraud prevention and detection measures in organisations and entities which support the economy. Some companies/ organisations are on a self-insulated mode as “nothing could go wrong” or take an “it won’t happen to us” approach; others implement controls to try to keep individuals likely to commit fraud from entering the business; and still others outsource the work of combating fraud to external auditors. These tactics and strategies are helpful but are limited. There is a greater need for companies to create lower risk environments for fraud by implementing an effective conducive corporate culture. To do so, organizations first must understand their own corporate ecology — the interrelations between people and their workplace along with the tailor controls to the nature of those systems. In the case that companies incentivized winning and maintaining business to the extent that it closed eyes at law breaking, nurturing an environment in which corruption could flourish. In fact, it is the environment or culture in which company employees leads them to feel that they were not acting abnormally but rather in the best interests of the business while protecting their colleagues’ jobs. The trend of ‘lacks culture’ prevalent could envelop further to improve the revenue thereby boosting the appearance of profitability, and beyond this there could be a pressure to conceal inventory shrinkage losses which is a fraudulent trend. The evolution of this practice has been blamed on the low staffing levels maintained by the organisation, making accurate inventory management difficult. This establishes an environment of scarcity in which deceptive inventory processes are, at best, gets ignored by managers and, at worst, applauded, thereby discouraging those in charge from coming forward. In essence, the corporate ecology or culture would normalize the financial statement fraud, creating fraudsters where, in a different environment, this might not have happened or detected or approved. Internal controls Most organisations will contend that there are sufficient internal controls in place to deter, or even eliminate, fraudulent actions. But, the fact is that internal controls do not entirely prevent fraud. Also, the internal controls need to be reviewed because existing internal controls may no longer be as effective as when they were developed. Businesses changes, and as they do more/different employees are hired which brings dynamic new changes in the Organisational environment.

40 | Asia Pacific Security Magazine

It is proven that internal controls generally have weaknesses that can be exploited. There is a need to look at one hundred per cent of the transactions and compare data from different applications and systems and look for matches that occur that really shouldn’t be there or look for duplicate entries in the transactions that indicate either fraudulent activity or perhaps inefficiencies in the system. This has to be done regularly, using automation in high-risk areas so the fraud can be detected/ caught as it occurs and before it escalates. Of course, uncovering some sort of fraudulent activity that has been going on for several years is clearly an important win but finding the issue before it becomes material is going to serve the organization better in the long run. The implementation of internal controls is more effective, and obviously more proactive, than external ex post facto audits. These controls should include management reviews, real-time data analysis of transactions (as close as it could be), robust whistle-blower programs, rigorous client and partner vetting, and a wide range of soft compliance strategies, including tipster hotlines, qualitative interviews with employees and a process for continually collecting employee feedback. Not only do these strategies help companies keep their finger on the pulse of the organization, Anti-fraud policies also help deter potential fraudsters who would take advantage of a company’s lack of such oversight. Bribery & Corruption take centre stage Managing bribery and corruption risk is taking centre stage in corporate boardrooms and becoming one of the most critical compliance challenges for employers. A corruption scandal can destroy an organization’s reputation and result in significant fines, penalties, and even imprisonment. With a changing legal landscape and increasingly aggressive enforcement efforts, it is critical that legal, compliance, and human resources professionals understand the laws that impact their organization, institute robust and meaningful compliance programs, and take aggressive steps to ferret out and prevent corruption in their business dealings. It is not enough to have well-articulated standards and comprehensive procedures for an organisation but it should be embedded in the values of each and every employee through continued training and reinforcement which should be evident in the actions. There should be a monitoring mechanism to check, if the executives specifically are condoning the excessive risk-taking and for dodging regulators who have expressed concerns. This is doesn’t imply that companies should neglect conducting due diligence in their hiring processes. Just like internal and external audits, screening processes are among business first lines of defence and should remain a part of the company’s good housekeeping practices. However the fact is that these practices are not as effective as commonly believed and perceived. The question is that with many of the regulations that are in place, are the corporate executives doing a better job of promoting a culture of compliance? Of course it’s a known fact that ‘Compliance really starts at the top, no matter what regulatory regime you put into place’, but there is renowned trouble in measuring tone at the top which is notoriously difficult. Almost every business - including the most talked


after ‘Enron’ had always said the right thing on paper, via a code of conduct or business ethics, regardless of what the ethical train wrecks or integrity dilution might be happening in the real world. Across industries, governance experts say top executives are generally more willing to spend time and money on cultivating a culture of compliance. There is seemingly a concerted effort on the part of companies about how they can better ensure the right tone or culture that is set for the organisation to prevent fraudulent activities and corruption which is a healthy emerging trend. Protect your organization with a strong compliance culture & training program Any organization seeking to do business lawfully and ethically should have in place a compliance program designed to detect and prevent corrupt payments which at the bare minimum should include: •

POLICIES - A policy or code of business ethics that clearly prohibits the use of bribery to obtain business or a business advantage. PROCEDURES - Detailed procedures, standards, internal accounting controls, reporting mechanisms, and guidance that make sense given the nature and extent of organization’s operations. This includes creating clear reporting channels so that affected parties know how to seek guidance and report potential issues internally in the organization. TRAINING - Training programs designed to provide the appropriate education to employees based on their job responsibilities, geographic location, and line of business. Training should communicate the commitment of the organization and its leaders, and provide clear guidance on how to report questions and concerns. COMMITMENT TO DETECT, INVESTIGATE, AND REMEDY SYSTEMS – there should be a program to detect and investigate suspected violations, to monitor the effectiveness of the program, and to remedy violations. BUSINESS DEVELOPMENT STANDARDS - in order to assist in obtaining or retaining business for or with, or directing any business, the bribe need not be authorized or given to obtain business.

Creating a Fraud-Resistant Culture Every organisation has its own unique way of doing business, usually referred to as the organisational or ‘corporate culture’. This includes the shared values, norms, beliefs and ethical practices which make up the character of the organisation. However, in practice, there can be a great deal of difference between the culture which the organisation appears to be promoting as perceived by external stakeholders, and the culture which employees within the organisation actually perceive. Nowadays, shareholders, regulators and other stakeholders expect executives to promote a culture where everyone is aware of, and supports, the message that the organisation will carry out its business in an honest and ethical way. How resistant that organisation will be to fraud

will depend a lot, on the strength of the ethical culture being enforced and practiced. It’s nearly impossible to predict whether any given employee will be inclined to commit fraud. However, the environment in which an employee works can be controlled by a company’s leadership in both formal and informal ways to make fraud more difficult and cast it as an affront to the business’ social norms. Most people wish to act as their colleagues do, and, therefore, if the corporate norm is one of zero tolerance for fraudulent activity, the commission of antisocial acts within the context of the business becomes, ideally, inconceivable or improbable. Companies must strive to make their offices and facilities places fool proof where it is hard for an individual to commit fraud and even harder to imagine that he or she could get away with it. It benefits when the company is able to establish a low-risk environment for fraud and provide incentives for ethical behaviour by its executives, managers and employees.

People commit fraud, and because people are social animals, their actions, in great measure, are governed by the culture and environment in

Conduct periodic Risk Analysis

which they find

To create a fraud-resistant environment and culture, Organisations must begin with a thorough risk analysis that should include a review of existing corporate policies, an analysis of internal compliance systems and processes, and an examination of the organization’s communications strategies and practices keeping in mind the varied regional risk profiles, and organizations operations in multiple jurisdictions. These reviews will enable leadership to assess the company’s risk profile holistically. This risk analysis should not be wholly quantitative since such a confined assessment would neither register nor reflect the ecology of the workplace. Ideally, an independent analyst, whose vision would not be clouded by the current culture, could provide open-minded leadership with an understanding of how people in the company are interacting, how managers are relating to employees and how informal information is shared in the workplace. Such an analysis could reveal where pockets of discontent exist, where dysfunctional behaviour is tolerated and where there are cracks in more formal compliance processes — cracks that breed fraud. Companies can control those environments by defining both formal and informal procedures in place and by constantly reviewing to understand the mostly unseen, unexplored ecology of their organization which is a “must have” culture more importantly.

themselves in

Live the Corporate Culture A positive and ethical work environment prevailing in an organisation can prevent employee fraud and theft. There should be a clear organizational structure, written policies and procedures and fair employment practices which are inculcated and practiced throughout. An open-door policy can also provide a great fraud prevention system as it gives employees open lines of communication with management. It remains that Business owners and senior management should lead by example and hold every employee accountable for their actions, regardless of position and that could set the tone to bring in the required culture.

Asia Pacific Security Magazine | 41

Smart City Series

What it takes to be a 'Smart City'

I By Morry Morgan APAC Sales 'Guru' and Published Author on Sales and IoT

42 | Asia Pacific Security Magazine

t may come at no surprise that this year Singapore was named Global Smart City. The city is a metropolitan marvel that supports 5.4 million inhabitants, within a concrete and actual jungle, and even boasts a reservoir within the CBD; one that incredibly supplies 10% of Singapore's water needs. Singapore was listed ahead of Barcelona, London, San Francisco and Oslo, with 'technology', 'transport', 'energy' and the 'economy' all main themes within the Worldwide Smart Cities white paper, produced by Juniper Research. So too was 'open data'. But then again, 'openness' is easier for some cities than for others. Faith in the government is high in Singapore, where Prime Minister Lee Hsien Loong launched the Smart Nation program in 2014. Since its launch, the small island city-state has deployed an undetermined number of sensors and cameras across the country that has allowed the government to monitor cleanliness of public spaces, the density of crowds, and even in the not so distant future, the precise movement of every locally registered vehicle. Very smart, but a bit too 'Big Brother' perhaps? The upside of such a monitored society is Singapore's low crime rate - ranked 118 out of 119 countries. Smart cities are safer cities. This is certainly the belief driving India's own '100 Smart Cities Initiative'. Within it's 10 core infrastructure elements is included "safety and security of citizens, particularly women, children and the elderly." India is serious about creating smart cities, and this endeavour is being supported by IBM. This year, three Indian cities (Allahabad, Surat and Vizag) were part of 17 international cities selected to benefited from IBM Smarter

Cities Challenge. The program, initiated by IBM in 2010, has since deployed over 800 top experts and has helped more than 130 cities around the world 'do more with less', 'bridge silos of information', 'grow civic engagement with the community' and 'make better investment decisions in infrastructure'. According to IBM, these are the main talking points that make a smart city. And when IBM talks, others listen, because this drive to become smarter is a fantastic business opportunity. One such company that is betting on the smart city trend is HERE. The company, co-owned by German auto giants Audi, BMW and Daimler, includes the consumer app, called Here WeGo, that converts data to provide up-to-the-minute information on current traffic conditions and incidents, much like Google Maps. However, where HERE differs from Google is with its smart city, next generation automotive services. Through the 'Internet of Things' (IoT), data created by one vehicle, for example, by heavy breaking before a pothole in the road, is shared across the vehicle network, warning other drivers of the upcoming road hazard. Modern cars have a myriad of onboard sensors, measuring everything from braking, windshield wiper speed, GPS and even use of hazard lights. HERE takes this assortment of independent data, and combines it through the IoT and data analytics to create, what it refers to as 'cooperative mobility'. The outcome is a smarter car, smarter road network, and ultimately a smarter city that can boast smoother traffic, reduced congestion and accidents, less frustrated drivers, and very soon fully autonomous vehicles.

Smart City Series

Which brings us back to Singapore, and the location of the world's first self-driving taxis that are already picking up passengers. In August this year, selected members of the public were able to hail free taxis via their smartphones, and travel within a two kilometre block. While multiple companies, including Google and Volvo, have been testing self-driving cars on public roads for several years, nuTonomy is the first to offer rides to the public. It even beat Uber by a few weeks, which now offers rides in autonomous cars in Pittsburgh. For now, Singapore's nuTonomy taxis are only operating within a small business and residential district called 'onenorth', beside the National University of Singapore (NUS). Pick-ups and drop-offs are limited to specific locations, and while the car is autonomous, just like Uber's Pittsburgh study, a standby driver is present - for now. By 2019, another player in the autonomous vehicle race, Delphi Automotive, plans to enter the 'shared economy' in Singapore and eliminate drivers completely, as well as steering wheel and pedals. Delphi is already planning for a 100% driverless taxi fleet of 50, which could reduce an average $3-a-mile ride to only 90 cents. This movement from an 'owned' to 'shared' economy, it would appear, is a smart city prerequisite. The Nokiasponsored report, The Smart City Playbook by Machina Research, includes 'shared' within its six 'Ss' for a smart city's success, alongside smart, safe, sustainable, secure, and scalable. The report was based on a study of 22 cities of varying sizes and geographies at different levels of planning, testing and deployment. The challenge of 'shared' is that it requires an open partner

ecosystem allowing for a diverse mix of technology vendors, application developers, service providers, system integrators, utility companies, research institutions and many others. For this reason, smart cities must also have smart leaders. Creating smart cities requires budgeting, planning, negotiating, and of course a deep understanding of human behavior. Technology serves a role, to a point, after which human decision making is necessary. And good decision making is only possible when all the information is 'shared' - meaning intra-agency politics and competitive businessto-business behavior must be minimised. That requires smart leadership. Once shared, however, simple data becomes incredibly powerful, because it can lead to cost savings, increased efficiencies and ultimately a stronger economy. Which is what Singapore needs right now. A slump in oil prices as well as in global seaborne trade has greatly affected the island-nation's exports. Imports remain high, with the tiny nation importing over 90% of the food that its citizens consume. But this isn't why Singapore subscribes to IBM's Smarter City Challenge of 'do more with less'; this has always been Singapore's mantra. It's already investing in high-tech, indoor farming, that is able to produce about 54 tonnes of vegetables a year from as little as 344 square metres. And with vertical gardens, the sky is literally the limit. With most of The Smart City Playbook's 'Ss' ticked off, it's only 'sustainability' that Singapore needs to overcome in order to become the unquestioned Global Smart City. But mark my words, "Grown in Singapore" is coming to a green grocer near you!

Asia Pacific Security Magazine | 43

Cover Feature





Organiser :

OfямБcial Media Partners :

Follow us @ BIGIT Technology

44 | Asia Pacific Security Magazine

+603 2261 4227

Over 8 hours of Networking Opportunities with Leading Airport Emergency Services Experts & Crisis Management Authorities from World’s Busiest Airports!

Cover Feature

Emergency Management for Airports Summit 2017 ■

Main Summmit: 29 & 30 March 2017

Workshops: 28 & 31 March 2017

Venue: Singapore


Wilfried Covent Head of Security, Brussels Airport Company

Dvir Runinshtein Aviation Security Operation Center Manager, Israeli Ministry of Transport

Mitchell Fox Programme Manager – Crisis and Rapid Response, International Civil Aviation Organization

Nick Orwin Emergency Planning Manager, London Luton Airport

John Trew Vice Chariman, International Aviation Fire Prevention Association

Timothy Sampey Assistant Deputy Fire Commissioner, Chicago O’Hare International Airport

Benefits of Attending Emergency Management for Airports Summit 2017 DON’T MISS OUR INTERACTIVE WORKSHOPS! Managing Aircraft Related Emergencies

Systematic and Pragmatic Approach to Manage Crisis Heighten Airport Security and Deter Malicious Criminal Activities

Handling Terrorism Emergencies within Airport



Security: Dealing with airport bombs and/or terrorism related threats

Security: Handling aircraft bomb threats

Crisis Management: Reviewing current threats in aviation industry

Crisis Communication: Internal and external communication during an emergency

Security: Managing airport hijack- ► Resilience Building: Different ing emergencies types of post-accident recovery system ► ARFF: Evaluating an aircraft crash landing emergency ► Emergency Exercises: To design, conduct and evaluate emergency ► ARFF: Effective management of exercises an aircraft evacuation ► Alternative Emergency ► ARFF: Managing an aircraft enPlanning: Coping with deviations gine failure on the runway and discrepancies

Researched & Developed by:

Media Partner: PHONE: 65 6376.0908 EMAIL: WEB:

Asia Pacific Security Magazine | 45

CCTV Feature Series 2017

About pixel densities and what they mean By Vlado Damjanovski CCTV Specialist ViDi Labs Pty Ltd

46 | Asia Pacific Security Magazine


n IP surveillance system may be used to observe and protect people, objects and people’s activity inside and outside the objects, traffic and vehicles, money handling in banks, or games in casino environment. All of these objects of interest may have different clarity when displayed on a workstation screen. The image clarity depends primarily on the camera used, the imaging sensor, its lens and the distance from the object. There is one parameter in IP CCTV that expresses the image clarity in a simple way with just one parameter - Pixel Density. The Pixel Density is usually expressed in pixels per metre (Pix/m), at the object plane, although it can be expressed in pixels per foot. Pixel Density in IP CCTV sense should not be confused with the Display Pixel Density quoted by various LCD display manufacturers which defines the screen density, in Pixels Per Inch (PPI). The advantage of expressing object clarity with its Pixel Density is that it combines the sensor size, pixel count, focal length and distance to the object in just one parameter. This is one of the main functionalities of the ViDi Labs Calc application. When using Pixel Density metrics all variables are included and makes it universally understandable what details you will get on an operator’s workstation screen. When designing a system, or a tender for a system, one can request Pixel Density for a particular image quality. So, instead of asking for a 6 mm lens for your camera in a particular location, for example (which means nothing without knowing the camera sensor it is used on), it would be much more useful if a particular Pixel Density is defined for the view. This will then be used to calculate the required lens for the particular camera used and the distance from the object. This will guarantee the clarity of the image (assuming the lens is focussed optimally and there is sufficient light, of course). This can be done very easily with the ViDiLabs Calc. Pixel Density can be used for any object that IP CCTV user might be interested in: face, licence plate, playing card, money and similar. Let us now explore how many pixels per metre are attributed to various objects. One of the most commonly referred pixel densities is for Face Identification. Face Identification in CCTV means sufficient clarity of the image so that one can positively identify who the person on the screen is. According to Australian Standards AS4806.2, for Face Identification in analogue CCTV, we require 100% person’s height to fit in the monitor screen height. The details of 100% person’s height on a screen have been tested many times and it’s been verified that they are sufficient for such a person to be identified. We know that PAL signal is composed of 576 active TV lines, so, according to AS4806.2, a person’s height would occupy all of the active lines to make it 100%. Head occupies around 15% of a person’s height, which is equivalent

to around 86 lines (576 x 0.15 = 86.4), which is the same when converted to pixels (assuming recording is made full TV frame mode, which is equal to two TV fields). If we agree that an average person height is 170 cm, the head would occupy around 25 cm of that. The Pixel Density at the object, which is required to make a positive Face Identification according to AS 4806.2, can be calculated to be 86 pixels at 25 cm of head height. Since there are 4 times 25 cm in 1 m of height, this becomes 4 x 86 = 344 pix/m. So, one can say that with pixel density of 344 pix/m at the objects plane it should be possible to positively identify a face, according to AS4806.2. Some other standards may require different values, and one such (newer) standard is the IEC 62676-4, which defines 250 pix/m to be sufficient (i.e. suggests that with slightly lesser pixel density than the AS standards one should be able to identify a person). Clearly, this number is not fixed in concrete, and it will depend on the observing ability of the operator, as well as other parameters (lens quality, illumination, compression artefacts, etc…), but the key is to understand that such a Pixel Density can be calculated for any type of camera, irrespective if that is SD, HD, 4k or any other format. Any number for Face Identification Pixel Density can be specified in the ViDiLabs Calc, although the shortcut buttons are designed to show the IEC standard suggestion of 250 pix/m. The next image quality down, as defined by the standards is for Face Recognition. The details of Face Recognition image should be sufficient to recognise the gender of a person, what he/she is wearing and possibly make an assertion of who that person might be, if picked from a bunch of people that have already been identified somewhere else (e.g. passport or drivers licence photo). This is basically an image with half the pixel density to the Face Identification, which according to AS4806.2 should be around 172 pix/m, while IEC62676-4 suggests 125 pix/m. The following examples are from real systems: Similarly, pixel density can be defined for vehicle licence plates visual recognition (not software automatic LPR). In the AS 4806.2, this is defined as 5% characters height on a display screen, which is around 30 TV lines (pixels) (to be very accurate 576 x 0.05 = 28.8). If we assume that a typical Australian number plate has characters of around 90 mm in height, than this equates to 11 x 30 pixels = 330 pix/m. The number 11 is obtained from dividing 1000 mm (1 m) with 90 mm. One may say that for visual licence plates recognition similar pixel density is required as for face identification. When money and playing cards are observed in banks or casinos, many practical tests have shown that at least 50 pixels are required across the notes or cards longer side in order to positively identify the values. Standard playing cards

CCTV Feature Series 2017

dimensions are B8 according to ISO216 standard, which is 62 mm x 88 mm. So, we need the 88 mm card length to be covered with at least 50 pixels for proper identification. This means around 550 pix/m (1000 mm / 88 mm = 11 => 50 pix x 11 = 550 pix/m) should be sufficient for playing cards. We may require slightly better pixel density for identifying money, since notes size is typically larger than playing cards, so if one takes the Face Inspection pixels density of 1000 pix/m, it should attain pretty good identification, although as it can be seen from the real life example below, even 770 pix/m might be sufficient. So the following table can be used as a rough guide for various pixel densities.

Minimum required pixel density (Pix/m)

Object Inspect (IEC-62676-4)


Face Identification (AS-4806.2)


Face Identification (IEC-62676-4)


Face Recognition (AS-4806.2)


Face Recognition (IEC-62676-4)


Observe (IEC-62676-4)


Intrusion Detection (AS-4806.2)


Detect (IEC-62676-4)


Licence Plates visual identification (AS-4806.2)


Playing cards


Casino chips (39mm)


Money (notes)


Money (coins)


About the pixel blur effect of moving object Most objects that we observe in IP CCTV, such as people and vehicles, are not static, but moving. When objects are moving their image will never be sharp and clear like static objects. The faster the objects moves the more blurry it will appear. The closer the moving object is to the camera, the more blurry it will appear. The longer the camera exposure is the more blurry the object will appear. The camera sensor size and focal length of the lens play also a role in how blurry the image will appear. And finally, the angle under which such an object moves relative to the camera viewing direction also plays a role. So, there is a very complex correlation between all the parameters mentioned above. The ViDiLabs Calc has been designed to calculate the effects of such a motion in the recorded video, and show it as pixel blur. To put it simply, this calculation shows how smudged a moving object image is.

Face Identification as per AS4806.2

Face Recognition as per AS4806.2

This blurriness is an unwanted effect, as it makes it difficult to recognise the details of the moving object even if the camera is in focus at that point. By knowing how many “blurry pixels” will appear for a given object speed and the camera exposure setting, using the ViDiLabs calc it is possible to find the camera Exposure setting which will produce lesser or acceptable sensor blur. To produce “live” video in CCTV, we require at least 25 fps (or 30fps). Each of the TV frames are therefore typically exposed at 1/25s = 40ms (in analogue 1/50s for TV Fields). In the bright daylight, the auto iris lens closes to reduce the amount of light for a correct exposure. If it is very bright, then the sensor electronic exposure kicks in. In low light, the auto iris lens opens up fully, and if this is not sufficient, the sensor electronic exposure increases further (this is usually called “integration”). Here are some practical examples. If the object is moving at an angle relative to the camera optical axis, the same rules apply, but this time the projected speed “v” has to be used as a “real speed” of the moving object. The projected speed can be found as a “cosine” of the speed “v” relative to the angle alpha that is between the moving object direction and the perpendicular direction to the optical axis. For example, if a bicycle rider moves with 40 km/h at an angle of 30˚ relative to the optical axis, this would produce an angle of 60˚ between the direction of movement of the bicycle rider and the perpendicular plane to the optical axis. Then, the cos 60˚ = 0.5, which means the projected speed of 40 km/h will be 20 km/h for the purpose of calculating the pixel shift. To continue with the same example, let’s assume the bicycle rider is passing at 100 m away from the camera, and riding at the mentioned angle above. Let’s also assume we have an HD camera, with 1/3” sensor and have 8 mm lens installed. If we use the normal camera shutter of 1/25 s to produce live video, the resulting object motion blur from such movement will be 7.1 pixels. Over 7 pixels of smudged moving image might be just too much to be able to recognise the rider. So, we need to reduce the shutter speed so that there are much less blurred pixels. Using 1/250s shutter exposure will bring the blurriness to less than 1 pixels (0.7 in our example) which is much more acceptable.

To produce “live” video in CCTV, we require at least 25 fps (or 30fps). Each of the TV frames are therefore typically exposed at 1/25s = 40ms (in analogue 1/50s for TV Fields).

Money and play cards shown above with 770 pix/m

Asia Pacific Security Magazine | 47

Cyber Security Cover Feature

Russia's Cyber War: Options before the US

U By Sarosh Bana APSM Corespondent

S intelligence’s findings holding Russian President Vladimir Putin directly responsible for a cyber campaign that ensured Republican Donald Trump’s victory in the 2016 presidential election betrays Washington’s weakness as much as Moscow’s deceit. After initially discounting Russia’s manipulation, President-elect Trump accepted the findings and spoke of possible action in response, his incoming chief of staff Reince Priebus said on January 8. Priebus, however, did not clarify the line of response contemplated or whether Trump agreed specifically on Putin’s role in this regard. In the 20-page declassified version of its report: Assessing Russian Activities and Intentions in Recent US Elections, released on January 6, the US Intelligence Community - comprising the Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI) and National Security Agency (NSA) - details how Putin ordered an influence campaign aimed at the 2016 US presidential election. The report discloses Putin and his government’s “clear preference” for Trump that motivated the denigration of his Democrat rival, Secretary Hillary Clinton, and ultimately harmed her electability and potential presidency. The most alarming assessment, however, concerned “Russia’s goals” to undermine public faith in the US democratic process. The report cited Moscow’s cyber onslaught as not only the most recent expression of its longstanding desire to undermine the US-led liberal democratic order, but also demonstrative of “a significant escalation in directness, level of activity, and scope of effort compared to previous operations”. Such an evaluation unequivocally signifies a direct Russian attack on the US and its interests. After all, universal suffrage is the underpinning of the democracy the US is, and its concerted subversion was aimed at advancing a sort of ‘regime change’, no less. If Moscow can install a US President it desires with such alacrity, Washington stands completely vulnerable to such excesses. Russia has simultaneously proved it can subjugate its most powerful adversary without firing a single shot or launching a single missile. “Putin’s public views of the disclosures suggest the Kremlin and the intelligence services will continue to consider using cyber-enabled disclosure operations because of their belief that these can accomplish Russian goals relatively easily without significant damage to Russian interests,” the report notes. American intelligence determined that its Russian

48 | Asia Pacific Security Magazine

counterpart researched US electoral processes and related technology and equipment since early 2014, gaining access to Democratic National Committee (DNC) networks as early as in July 2015 and maintaining that access until at least June 2016. It also found some Russian paid social media users or ‘trolls’ starting to advocate for Trump by December 2015. It besides established that Russia’s General Staff Main Intelligence Directorate (GRU) targeted cyber operations at the US election from March 2016, collecting against primary campaigns, think tanks, and lobbying groups it viewed as likely to shape future US policies. The US intelligence report makes no mention of when the Obama administration was made aware of the Russian campaign, though President Obama likely knew this early enough through the intelligence-focused Presidential Briefs scheduled for him daily at the White House. Yet, ‘retaliation’ came only on December 9 when he ordered a full review into the malicious cyber activity. Twenty days later, once the intelligence report was out, he issued an executive order providing additional authoritative response to cyber activity aimed at interfering with or undermining the US’s election processes and institutions, or those of its allies or partners. By that new authority, the President sanctioned

Cyber Security Cover Feature

'if Congress were to pass a Constitutional amendment for ratification by 38, or threefourths, of the 50 States. The US’s Supreme Court too could order a re-vote if it ascertained massive fraud in the electoral process.'

GRU, Russia’s military intelligence, and FSB, the civilian security service, four GRU officers and three companies that provided material support to GRU’s cyber operations. Obama also ordered the expulsion of 35 Russian diplomats and the closure of two “recreational facilities” in New York and Maryland that were allegedly used for Russian intelligence activities, pledging further actions, “some of which will not be publicized”. It is curious why this reprisal was so late in coming. It raises questions whether US intelligence had failed to adequately gauge the Russian campaign early enough, or it had the knowledge but failed to inform the Obama administration in time, or if it did inform in time, Washington had been unable to counter, or incapable of countering, the cyber intrusion or even control the damage it was causing. If the Obama administration now concludes that the election result has been completely stage-managed by a hostile external power, it must redress this fraud on its nationhood by using the option of declaring the 2016 elections null and void and seeking a re-election. After all, the winning candidate, Trump, too has acknowledged Russian meddling. As Moscow has denied any intervention and

called for evidence of its involvement, Obama must heed the call by all Democratic senators on the Senate Intelligence Committee to declassify the full intelligence report. While the US Constitution provides no scope for re-election, it can be allowed if Congress were to pass a Constitutional amendment for ratification by 38, or three-fourths, of the 50 States. The US’s Supreme Court too could order a re-vote if it ascertained massive fraud in the electoral process. Washington can also well approach the United Nations and its International Court of Justice under Article 2(4) of the UN Charter. The Article proscribes the threat or use of force by all UN members against the territorial integrity or political independence of any state. The UN Security Council can take or authorize measures of collective enforcement against the aggressor, the International Court identifying ‘force’ as regardless of the weapons employed. This would include cyber operations, once their effects are deemed comparable to armed aggression. The Security Council’s responsibility extends to maintaining international peace and security in cyberspace. Any further inaction on this cyber war will only embolden the assailant and render the US vulnerable to greater hostility in future.

Asia Pacific Security Magazine | 49

Cyber Security

The Chinese New Year heist

A By Jane Lo Singapore Correspondent

traditional Chinese New Year celebration with volumes of ‘prosperity and good luck’ money gifts, asynchronous working days across 2 time zones, procedural and regulatory vulnerabilities, straight-through automated processing – these were among the elements that contributed to delays in detecting and responding to the Bangladesh Central Bank cyber break-in, and allowed sophisticated well-organized criminals to successfully launch their attacks on the payment system linking the Bangladesh Central Bank, The Federal Reserve Bank of New York and a network of commercial and correspondent banks, and almost carried off a haul of US$1billion - had not 2 words raised red flags and stopped 31 out of the 35 fraudulent transactions, but not before US$81million made their way into the casino industry in Philippines. What do we know so far? The attack combined the modern technique of hacking into computers with malware and old-fashion money laundering skills. Investigations by the authorities suggested that preparatory work may have begun as long as a year ago in May 2015 with the opening of bank accounts in the Philippines bank (Rizal Commercial Banking Corporation), after which the bank accounts were left dormant without any transactional activity till the attack in February 2016. The introduction of the malware into the Bangladesh Central Bank was likely to have taken place at least a month prior to the attack. Audit trails suggested the possibility of

50 | Asia Pacific Security Magazine

trial runs being conducted beforehand. According to the Bangladesh Police Criminal Investigation Department, the computer network at the Bangladesh Central Bank was not adequately secured – an unprotected firewall combined with weak password, and unused ports and remote access channel which were not adequately hardened - opened up entry points and allowed the criminals to penetrate the network perimeter. Procedural vulnerabilities where contingency plans in an event of breakdown of equipment (in this case the cross-border payment SWIFT software and the printer which would have listed payment instructions) and alternate communication channels failed to kick-in, and prevented the rapid detection and response to the breach. Additionally, timeliness of response was complicated not only by time zone differences but also asynchronous workweeks between Bangladesh and New York. Extra layer of protection from anomalous patterns detection - the materiality and frequency of the payment instructions from the Bangladesh Central Bank which appeared out of norm, a misspelled word, and a name under United States' sanctions list against Iran – raised red flags but by then $81million was already cleared and paid out. And, the heist perfectly timed during a holiday period when significant fund flows into the casino accounts were not unexpected and so failed to disrupt the attack at the end of the chain. Crucially, the CCTV cameras in the Philippines bank were disabled during this period, highlighting the organized nature of the attack. Timeline of key events during the attack - 35 fake transactions from the Bangladesh Central Bank was sent

Cyber Security

"Two attacks have come to light since the Bangladesh Central Bank heist – $12 million stolen from Ecuador's Banco del Austro in 2015, and a foiled attempt at Vietnam's Tien Phong Bank in May 2016. " on 4th February 2016 Thursday over a span of a few hours. Detection and response stretched over the next few days, including the following Monday 8th February 2016, the first day of Chinese New Year in Philippines. Mitigating the Threats and Vulnerabilities Two attacks have come to light since the Bangladesh Central Bank heist – $12 million stolen from Ecuador's Banco del Austro in 2015, and a foiled attempt at Vietnam's Tien Phong Bank in May 2016. To address the vulnerabilities and update elements that contributed to the weakened defenses, including areas where there are legal and regulatory arbitrage opportunities making funds stolen from one country and transferred to another difficult to recover, SWIFT (Belgium-based co-operative owned by its user banks) and the Philippines government have introduced several initiatives. SWIFT announced that from December, a 'Daily Validation Reports' listing the messages sent from the client's SWIFT terminal to allow a bank to better spot fraudulent payment instructions, and also show anomalies in the transfer instructions – deviations from the client's typical payment patterns. As an added safety measure, these would be sent to clients’ payments and compliance teams through a separate channel from the SWIFT terminal, minimizing the exposure to a single point of failure. At the Black Hat USA Conference in 2016, Alain Desausoi, SWIFT’s CISO, emphasized the need for greater levels of intelligence sharing across the global financial community. Highlighting the work of the cooperative’s Customer Security Program, he underscored SWIFT’s commitment to exchange threat intelligence with its community: “Having accurate, up to date information on relevant cyber threats is critical. We are committed to driving greater levels of intelligence sharing across the global community through our Customer Security Program.” The Philippines Casino Anti-Money Laundering and Combating Financing of Terrorism Act Bill (House Bill 14), introduced by Quezon City Representative Feliciano Belmonte Jr, aims to tighten money laundering regulations and make it mandatory for casinos to report all financial transactions that are suspicious irrespective of the amount of the transaction. The proposed bill requires casinos that are regulated by the Philippine Amusement and Gaming Corporation (PAGCOR), the Cagayan Economic Zone Authority or any other regulatory body to mandatorily report all suspicious transactions to the Anti-Money Laundering Council (AMLC). In the explanatory note to the proposed bill, Belmonte said “The significance of including the casino sector under

the coverage of the Anti-Money Laundering Law was underscored by the Bangladesh Bank heist. Attempts to trace and recover the money encountered several setbacks, as casinos are excluded from the coverage of the country’s present anti-money laundering laws. This bill seeks to address this deficiency by putting the necessary amendments to discourage the use of the casinos as avenues of illicit activity. The provisions of this bill will help ensure the integrity of financial and banking institutions in the country, and is a crucial step in making the Philippines compliant with international standards.” “The work of the compliance department is more important now, and bank management appreciates that,” noted by the Association of Bank Compliance Officers president, and the Association of Certified Fraud ExaminersPhilippines Chapter, president, Dante Fuentes. The Philippines National CyberSecurity Plan 2022 The Department of Information and Communications Technology (DICT) launched on 8th December the initiative known as the National Cybersecurity Plan 2022, crafted by the Cybercrime and Cybercrime Investigation and Coordination Center (CICC), an attached agency of the DICT. The framework aims to ensure the continuous operation of critical “infrastructures”, public and military networks, businesses and supply chains and to launch a public awareness campaign. It intends to establish a National Computer Emergency Response Team (NCERT) to build the capability and capacity of the government for quick response and recovery during hacking incidents and other cyberattacks. “A capability building program of international standard must be set in place in accordance to the demands of digital forensics, network analytics and defense conceptualization, among others,” said Allan Cabanlong, DICT assistant secretary and CICC executive director. “Included in the cooperation are detection and mitigation approaches, frameworks for coordination of international originators of attacks, and co-design of stakeholder engagement strategies.” Under the cybersecurity governance framework, the DICT will be in charge of coordinating national protection, prevention and mitigation and recovery from cyber incidents, dissemination of domestic cyber threat and vulnerability analysis, security of government and civilian infrastructure and investigation of cybercrimes under its jurisdiction. The Department of Justice (DOJ), Philippine National Police (PNP) and the National Bureau of Investigation (NBI) will be the lead agencies for the investigation and prosecution of cybercrimes, as well as the enforcement of cybersecurity laws. The Department of National Defense (DND) will be in charge of defending the country from cyber-attacks, intelligence gathering of foreign cyber threats, securing

Asia Pacific Security Magazine | 51

Cyber Security

Sources: Reuters, Bloomberg, Financial Times, PhilStar, New York Times, BAE Systems, Wall Street Journal

national security and military systems, and investigation of cybercrimes under military jurisdiction. The CICC, mandated to establish cybersecurity measures to guard against cyberthreats, is expected to enforce, evaluate, and monitor the cybersecurity policies through regular assessment and compliance activities, conduct of annual cyber drills and exercises and cybersecurity education and awareness program. “Rest assured that the DICT is in the frontline of cybersecurity protection for the Filipino people,” DICT secretary Rodoflo Salalima said at the press briefing. What to expect next? According to recent updates announced in December, the Head of the Forensic Training Institute of the Bangladesh Police's Criminal Investigation Department, Mohammad Shah Alam, mentioned that arrests are likely soon. With Chinese New Year fast approaching, the authorities will likely be extra vigilant and watch out for modus operandi of an impending attack by the same or another criminal syndicate. That last year, Chinese New Year fell on Monday 7th Feb and was a declared public holiday in Philippines would have formed part of the calculations when the criminals timed their attack. As the Chinese Year of Rooster is ushered in on 28th January this year – a Saturday with no extended long weekend to evade and delay detection - it would be a knee-jerk reaction in the extreme to suggest this denies the attackers the perfect window of opportunity to perpetuate the same crime. After all, it is not unrealistic to believe that the attackers

52 | Asia Pacific Security Magazine

have grown more resourceful, sophisticated and adaptive in the past year, and they very well have the skills, determination, boldness, ingenuity and the nerves to strike again. About the Author Jane Lo has more than 15 years of experience in enterprisewide risk management and writes on risk themes relevant in the financial services sector. She started her career in Canada after graduating from Electrical and Computer Engineering studies, and worked in the City of London for 10 years consulting for Corporates and Banks, before relocating back to Singapore 6 years ago. Outside of work, she is a marathon runner and enjoys spending time with friends and family.

Cyber Security

Public Venue Security & Safety Summit Developing effective security and safety strategies to ensure operational continuity of public venues, events and facilities

28 -30 March 2017


Radisson Blu, Sydney

th th Public events attracting large crowds are vulnerable to deliberate and accidental threats that could disrupt event continuity with serious physical and financial consequences. Public event operators, governments, infrastructure owners, emergency OVERVIEW services and all other security and safety stakeholders need to find the right balance between infrastructure, technology, operations and manpower to ensure public venue security and safety.

FROMSecurity OVER and 30+Safety SECURITY, SAFETY ATTEND FORUM The HEAR Public Venue Summit, being held in Sydney on 28th – 30th March 2017 THIS brings together leading security professionals to explore how the implementation of effective and practical strategies of prevention, preparation, & EVENT RISK EXPERTS: AND LEARN HOW TO: response and recovery can ensure operational continuity and sustainability. • Identify and protect against internal and external threats

Ziad Khoury Wilfried Covent Head of Safety and Security Security Expert UEFA EURO 2016, Brussels International Airport France Vice-Chair Security Committee Europe Airports Council International Belgium

Peter White General Manager Australian Office of Transport Security

Platinum Sponsor:

Murray Hodges General Manager NSW Events V8 Supercars Australia

Danny Baade Head of Security Gold Coast 2018 Commonwealth Games

Craig Sheridan APM Lead Security and Risk Advisor Sydney New Year’s Eve Event 2016 NSW Department of Premier and Cabinet Lead Security and Risk Advisor Vivid Sydney 2017 Destination NSW

Gold Sponsor:

Partnered with:

• Develop smarter approaches to counter violent extremism • Improve current public event security, safety and risk strategies and capabilities to face the current threat environment and to ensure operational continuity • Benefit from new collaboration, communication and engagement methods between all different safety stakeholders • Optimise crowd management operations and outcomes

Silver Sponsors:

Media Partners:

Asia Pacific Security Magazine’s readers 10% discount! Quote VIP Code AFXD1 Visit for full agenda and early bird discounts FIND OUT MORE 54 | Asia Pacific Security Magazine



Cyber Security




Network. Learn. Explore. Asia’s most encompassing trade show for the ICT industry will connect to more than 1,100 international exhibitors! On the show floor, establish valuable new relationships with industry players and learn from experts at the specially curated seminars and workshops.

Pre-Register Now

@ Entry to the exhibition is free!




A Part of:





Hop onto the free shuttle service to also visit BroadcastAsia at Suntec Singapore

#CommunicAsia2017 Organised by:


Worldwide Associate:

Hosted by:


Held concurrently with: @ Marina Bay Sands, Singapore

In support of:

Endorsed: @ Suntec Singapore

Supported by:

Held in:

Asia Pacific Security Magazine | 55

Women in Security

From law to cyber security With Rachael Falk Director of Technology, Security & Strategy at .au Domain Administration Ltd Rachael practiced as a lawyer in Australian and overseas law firms before commencing with Telstra. Moving from legal to cyber security, Rachael had several roles in Telstra Security Operations, including National Security Advisor. Now in a new executive position, Rachael has a clear remit to shape auDA's role in the cyber security ecosystem both with Australia and internationally. ASM: How did you get into the security Industry? I have always liked solving problems and challenges and when I was at Telstra, I became more involved in data breach issues and it became clear to me that cyber security was regarded everywhere as more of an IT problem. I saw an opportunity to change this and help the business understand that cyber security was a risk that everyone from the board down should understand and manage. So, I was offered a one year secondment from Telstra Legal to Telstra Security Operations and it was a great move. Telstra hired a new CISO in 2013 who had a very strategic approach to cyber security and approached it as a business risk. Since then, I have never looked back. ASM: How did your current position come about? The .au Domain Authority (known as auDA) is both the regulator of and manages the .au domain zone and it has gone through a period of transition over the last 12 months. They wanted an innovative approach to security and to play their role in Australia’s cyber security eco system. I had left Telstra and was enjoying a long break but the opportunity to help shape a different cyber security narrative was too hard to refuse. ASM: What are some of the key challenges you think the industry is faced with and what difference do woman in leadership roles make to meeting these challenges? The key challenge is for leaders to understand that cyber security is a risk that can be effectively managed but the tone is set from the top. Leaders who demonstrate that they care about customer data, they invest in effective security outcomes and that they have thought about how they can recover from an incident is critical. I still think there is far too much reliance on a magical technology solution or for compliance frameworks to solve this issue. Compliance does not equal security and putting a whole bunch of tech toys in your SOC (Security Operations Centre) does not equal effective security. It has to be a combination of leadership, culture, good tech and awareness. I think women, no matter which industry they are in, bring diversity of thought. I see my key strength as not necessarily being female but being a former lawyer, who can think critically and can write in accessible English. So, I think we bring our backgrounds and a different perspective.

56 | Asia Pacific Security Magazine

ASM: Where do you see the industry heading and are women sufficiently or increasingly being recognised and respected? I see it heading towards hopefully a greater understanding that cyber security is a business risk. I think recent events have shown us that Australians are becoming more cyber aware and that they in turn should demand that anyone wanting to use and store their valuable data need to be accountable should it be lost or stolen. All of us (me included!) want to know that our valuable data is being protected at all times. And I want to know that the boards and Leadership Teams of all organisations that handle valuable data care about that data and build security into all that they do. I still see far too many conference flyers with all men in the photos and the fact that this seems to not be noticed by those conference organisers astounds me. But thankfully there are great men in the industry who share these views and go out of their way to promote women into leadership roles, recognize their talent and not attend those conferences. I think women to need to be confident and put themselves forward for events. ASM: Are you an active mentor or being mentored and how important has a mentoring framework been to you? I am a strong believer in mentoring both for me and for what I can give to others. There is nothing better than being able to bounce an issue or problem around with someone else. It is great therapy but also broadens your perspective. There are a range of very talented women I talk to within the industry. Some are still students right through to working in cyber security. I see my role as bringing others through with me and where I can connect them with other people in the industry or help create opportunities for them. I also like sharing information or ideas with them. As for me being mentored, I have a panel of advisors (not sure they all know they are on my panel!) because I do often ask for advice on a particular issue or situation but I am a strong believer in being open to different perspectives. I am very fortunate to have a wide range of people I can call on should I have an issue or question. ASM: Do you have a particular agenda or focus that you would like to highlight? I see great opportunity and challenges in cyber security. It is a great area to work in although when I was admitted to practice law 20 years ago, this role didn't even exist. The importance of cyber security is a leadership issue that needs to be addressed at a board level but also filter down an organisation. I also don't mean that boards should be bombarded with what I call ‘packs & stats’ which traditionally involve lots of ‘attack’ and ‘threats’ numbers in large packs. Do that with a board or leadership team and you are in eye glazing over territory. Engage all leaders with stories about the impact of losing valuable data both at a customer level and at a reputational level. You need to engage the hearts and minds so that the organisation understands that cyber security is a business essential and not an optional extra. My second point would be that diversity within the industry is key and we need to involve key men in the industry because those with strong voices pave the way for others as well. ASM: What do you do when you're not working? I work full time so far too much cleaning!! I enjoy cooking, reading, being with my kids (when I can get them off devices) and planning our next holiday (where no one seems to agree on any destination). I am afraid I'm not a good example of work life balance but having a good long break last year really made me appreciate the little things.

THE FUTURE TECH WORKFORCE IS HERE Women continue to be vastly underrepresented in the global technology workforce. This is both a societal concern and a major workforce problem, given the critical shortage of skilled technology professionals faced by many enterprises. From a persistent gender bias in the workplace to continued pay gaps and a lack of female mentors, many challenges still need to be addressed to solve this problem, according to ISACA’s 2017 Women in Technology Study. To view the full survey report, learn about ISACA’s Connecting Women Leaders in Technology program, and get guidance on the path to a more equal technology workforce, visit


8 in 10

women report their supervisors are male

9 in 10

women are concerned about the number of women in the tech field

33% 22% 14% 14%

Tech leaders/role models are largely males

IT is perceived as a male-dominated field

There is a lack of work/life balance

Educational institutions do not encourage girls to pursue tech careers

1 in 5

organizations very committed to hiring and advancing women in tech roles

1 in 5

organizations not at all committed to hiring and advancing women in tech roles


Lack of mentors


Lack of female role models in the field


Gender bias in the workplace


Unequal growth opportunities compared to men


Unequal pay for the same skills



27 % say they often or always experience gender bias

43% report male

colleagues are paid more without reason

23% report men and

women are compensated based on merit

Source: The Future Tech Workforce: Breaking Gender Barriers, ISACA, 2017 Asia Australian Pacific Security Magazine | 57


// CANALYS CHANNELS FORUM – MACAU MySecurity Media attended the Canalys Channels Partner ‘Digital First’ Forum in Macau in late October for the always insightful annual briefing from CEO Steve Brazier on how the APAC region is fairing both politically, economically and technologically. As Brazier highlighted to a sold-out delegation of over 1,000 delegates, from over 530 channel partners, China is increasingly separating itself with far different dynamics than the rest of the Asia Pacific (APAC). The South China Sea is a key risk and “you can't emphasise how important the South China Sea is… issues of security are going up and up and up.” With this in mind, Asia has been late to discover the importance of security and as an example, in IT Security, according to Fireeye, the average time taken between a data breach and its detection in Asia is 520 days, whilst the world average is 146 days. With a host of mergers and acquisitions forming a convergent technology industry amidst ever increasing security challenges, two of the biggest, Hewlett Packard Enterprises and DellEMC had a busy 2016 – one was planning a new business structure having de-merged and the other planning around a major merger – here’s a snap shot into their story.

// THRIVING IN AN AGE OF DIGITAL DISRUPTION Briefing by Peter Ryan, Chief Sales Officer, Enterprise Group, Hewlett Packard Enterprise When you look around the world, every industry, every customer, every size, every government and taste of consumers in every part of the world is changing dramatically. Digital transformation is happening everywhere and you have a choice – either disrupt or be disrupted. It is not an option to just sit still. What you would have seen from HPE in the

58 | Asia Pacific Security Magazine

last 12 months is to be very decisive about the choices we’ve made, to be competitive and to be successful in helping our partners and customers as they go through these transformations. After the separation with HP Inc in our spin out and merging the Enterprise Services Business with CSC and the spin out of the software business with Britain’s Micro Focus International – what that leaves us with is a very focused strategy around secure hybrid IT, around the intelligence edge and around the transformation services that our customers need. We view ourselves as a critical player in the eco-system that will drive transformation going forward. HPE still have over 22,000 services people within the company, still a reasonably sized workforce. But our strategy has always, unashamedly, been to partner. We’re part of the open eco-system so we’re bringing our services to bear to help drive transformation but also encompass all the services from our partners, whatever size and shape of business that they are.

Hybrid IT will win! HPE has a few basic beliefs. We have a strong belief that hybrid IT will win. The way IT will be delivered will be a combination of public, private and traditional. Some people will run it themselves, some will get other people to manage it for them. Our aim there is to make hybrid IT simple.

The second belief is that there will be explosive growth at the edge. The edge for us will mean mobility and industrial IoT. We will see a lot of applications emerge there. We will power the intelligence edge. And the third platform for the strategy is that we have the ability and competence to execute the transformation required. That comes back to our service capability and the partnership eco-system. If you look at HPE going forward it is a $28 billion company. In terms of relevance, we’re a strong global player. If we look to Asia, 80 per cent of our business goes through our channel partners. We’re number 1 or number 2 in every category that we operate in across the piece. The core software assets that we have kept are around hybrid, around the edge, around Aruba, around our server compute, hyper converge and this creates incredible opportunity for our channel partners. The addressable market we have between us is more than US$250 billion and we’re a US$28 billion company. So the question of relevance and opportunity is do we have room to grow? The answer is surely we all do. From a business perspective, there is fantastic opportunity and everyone should be energised by it. The guidance we have given securities analysts is that we will have GDP like growth and within that there is some pressure on traditional aspects of the business and then there is massively growing aspects of the business. On a worldwide basis, our Flash business grew last quarter 44% and we’re the only one of the top venders to have grown Flash year on year over

CANALYS | FEATURE REVIEW the last 10 consecutive quarters. Here in Asia we’re growing 3-4 times the market. For hybrid performance computing we’re still the leaders in this area, which is an US$11 billion addressable market and growing 7-8% and have cemented our position with the acquisition of SGI (Silicon Graphics International) and we’ve had pockets of great growth, such as in hyper-converged and cloud computing. All of these pockets of growth give us a chance, together with our channel partners, to continue to execute real revenue, grow profits, improve cash flow but also make revenues more sticky. One of the things we’re seeing with growth is as consumption models change around hybrid IT, people want to pay as they go, everything as a service, as a utility. So, we’re finding our HPE financial services business is giving our channel partners a great new stream of income and margin. But also, critically, the ability to manage the install base in a better way. In our acquisitions, we’ve clearly said we will be looking at organic and in-organic roots. Our acquisition of Aruba, in many ways, has been a gift from the gods. It has been a fantastic driver of growth and the areas of business it is opening up for us has been phenomenal. The sales energy from the Aruba team has been fantastic and we also like the recent SGI and Docker acquisitions in similar ways. We are one of the few companies that can explore all options because we have that strong financial grounding to do it.

// EDITOR’S INTERVIEW With Steve Wood, Vice President Asia Pacific, Aruba, A Hewlett Packard Enterprise Company. Steve is the former President of Nortel in Australia, with a long history in the networking and telecommunications space and now head’s up Aruba in the APAC region. “I’ve been in the networking business for the best part of 30 years and have been with Aruba since the time of the acquisition by HP and then which became HPE. We’ve seen great opportunity off the back of being a 13 year start up, with the charter to bring secure mobility to life, which has been what has driven our business over the years". With the merger into HPE, it has been

great for us and allowed us to showcase our technology into many of the world’s largest accounts, which previously we were unable to access. Over the last year we’ve been operating as two entities and as of November 2016 we have been able to pull it all together, with a single operating model and a new partner ready program, which has picked the best of both worlds out of Aruba and the HP switching side and bringing a new channel, as part of the Enterprise Group, with the partners and distributors. It has been very exciting. Our Partner Ready for Network Program is the core of our ‘go to market’ business. This means a single price list in local dollars, partners have been trained in stock keeping units for switch and wireless devices and the businesses have been fully rationalised. So with what Aruba, now with HPE, can offer into the market, means we’re getting a lot of phone calls from people who want to check out what’s on offer. We’re very strong in defence, tertiary education, retail, such as Westfield malls and hospitality industries. Westfield use our Aruba mobility solutions and allows the landlords to track foot traffic, right down to the half metre and then use analytics to send messages to customers and potential customers as they use the strong Wi-Fi in the mall - these concepts are creating new business models. Another example would be the Levi Stadium which hosts the Super Bowl. Through an App, we can deliver food and beverage right to the seat. This also allows targeted merchandise offers, such as if they are sitting in the sun they get a cold beer offer. So it is creating lots of new ways you can interact with your customers and this is driving the growth and in some cases it is the marketing department that is buying the network. In hospitality, we have recently won the contact for the MGM Casino in Macau, and now four of the six largest casinos are standardised on Aruba. We have found the Aruba brand a real differentiator for setting apart the business networking unit, which I’m in charge of for the Asia Pacific. Having joined with HPE we have gone on to win the Home Depot in North America which is a US$120 million order, the single biggest order in the history of HP networking, formerly a premium Cisco account. We also won BestBuy, United Airlines, Department of Defence in Australia. Defence is probably our biggest single customer in the world on the Aruba side because of the Class B security that we can bring and encrypt in the air which is a feature defence find very attractive

and that has made us very strong across the defence industry around the world. With our Clear Pass product, it is our leading product because it securitises the perimeter of the network, and the network edge is now mobile. So the way in which you once provided security to your switch and branch office network by putting in firewalls and locking down each user at a desk, those rules don’t apply anymore. Our secure mobility product Clear Pass allows CIOs to get security around a perimeter they can no longer see and if they can see it, provides them the context. Aruba is also responsible for the IoT strategy of HPE and our compute platforms Edgeline and Moonshot are sitting right at the very edge of the network. The Moonshot cartridge sits inside the edge of the network and Edge Line is a compute engine that can pick up a lot of data, analyse it and shoot it back to the IoT device rather going all the way through to the branch and into the datacentre and then back out again. This reduces the latency, so you don’t have to wait for the instruction to turn the switch off, be it a controller such as for air-conditioning or lighting. As these formerly analogue systems are becoming connected IoT devices and sitting at the edge of networks, the way the instructions are being transported is over wireless and Wi-Fi networks, so we have a number of solutions in this space.

// HPE ARUBA EXECUTIVE PROFILE | STEVE WOOD Steve Wood is responsible for leading the networking business unit for Hewlett Packard Enterprise across the Asia Pacific region. Prior to this role, he served as a Chairman of Aruba

Asia Pacific Security Magazine | 59

| FEATURE REVIEW Networks Advisory Board in Australia. An accomplished Chief Executive in the technology, sports and media sectors, Steve has led the Asia Pacific operations of numerous high growth technology businesses. He was most recently Chief Executive Officer of Tennis Australia where he was responsible for the Australian Open Grand Slam and the National tennis industry. He has also served as President of Australia & New Zealand for Nortel Networks, Vice President of Asia Pacific for Alteon Websystems and has previously held leadership positions at Bay Networks, SynOptics Communications Inc. and MPA International. Steve currently serves as the Chairman of the Board for the University of Melbourne Networked Society Institute, Australia's premier research institute in broadband technologies. Steve holds a Bachelor of Business Administration from Louisiana State University.

// HEWLETT PACKARD ENTERPRISE REPORT REVEALS TRIALS AND ERRORS OF SECURITY OPERATIONS SOCs forgo security basics, leaving 82 percent of organisations below target maturity levels and vulnerable The fourth annual State of Security Operations Report 2017, provides an insight and analysis of the effectiveness of security operations centres (SOCs), and best practices for mitigating risk in an evolving cybersecurity landscape. With increased pressure to align security initiatives with business goals, an organisation’s SOC provides the foundation for how to protect the most sensitive assets, and detect and respond to threats. This report’s findings show that the majority of SOCs are falling below target maturity levels, leaving organisations vulnerable in the event of an attack. Nearly 140 SOCs in more than 180

60 | Asia Pacific Security Magazine

assessments around the globe were examined and measured on the HPE Security Operations Maturity Model (SOMM) scale that evaluates the people, processes, technology and business capabilities. A SOC that is welldefined, subjectively evaluated and flexible is recommended for any modern enterprise; however, 82 percent of SOCs were found to be failing to meet this criteria and falling below the optimal maturity level. 1

Key Observations •

SOC maturity decreases with hunt-only programs. The implementation of hunt teams to search for unknown threats has become a major trend in the security industry. While organisations that added hunt teams to their existing real-time monitoring capabilities increased their maturity levels, programs that focused solely on hunt teams had an adverse effect.1 Complete automation is an unrealistic goal. A shortage of security talent remains

the number one concern for security operations, making automation a critical component for any successful SOC. However, advanced threats still require human investigation and risk assessments need human reasoning, making it imperative that organisations strike a balance between automation and staffing.1 Focus and goals are more important than size of organisation. There is no link between the size of a business and maturity of its cyber defense centre. Instead, organisations that use security as a competitive differentiator, for market leadership, or to create alignment with their industry are better predictors of mature SOCs.1 Hybrid solutions and staffing models provide increased capabilities. Organisations that keep risk management in-house, and scale with external resources, such as leveraging managed security services providers (MSSPs) for co-staffing or in-sourcing, can boost their maturity and address the skills gap.1


// DELLEMC MERGER: GLOBAL CHANNEL PARTNER PROGRAM LAUNCHES FEBRUARY 1ST Having merged early in September, DellEMC’s John Byrne, President Global Channel was in Macau seven week’s later briefing APAC Channel Partners on the newly formed company’s revised channel leadership team and channel partner programme. At the time of the merger, EMC had 800 channel partners and Dell had 3,000, with the combined channel market sitting at US$35 billion and growing 3-4 times faster than the rest of the market. Global numbers had 53% of the business selling through channel partners but across APJ (Asia Pacific & Japan) the rate

was much higher, sitting at 69%. India and China being in the top three countries in terms of sales and the region growing 6 times the rest of the market. Throughout the merger process there were partner advisory boards, partner councils and a global partner webcast with 2,000 partners to discuss how a new growth engine would work. John Byrne highlighted “we want to grow from the top lines as well as to the bottom lines”. Even at US$35 billion, DellEMC considers itself a ‘dark horse’ because they still see so much upside. Within the new Dell EMC structure is the PC Organisation, or the Client organisation, the Infrastructure Solutions Group (ISG), and Services. Within these areas there are three sales segments, Enterprise, Commercial and Consumer Small Business (CSB). The global channel sales organisation has been centralised and launches the DellEMC Partner Program as a new Channel Program. The program will be based on three key elements, simplicity, predicable and profitability. Channel partners will be allocated based on Tiers, Tracks and were awaiting the final criteria,

announced in December which will define where the partners sit. The new program will be effective as of February 1, 2017. The DELL and EMC channel programs have been working separately until the February launch but both DELL and EMC had made significant progress in selling through the channel and John Byrne acknowledges the channel community is changing significantly, “they do not want to be treated like resellers.” Channel tiers include Gold, Platinum, Titanium, and despite only three tiers – there remains a special extra tier - Titanium Black. The tracks represent channel profiles being SP (Solution Providers), OEM (Original Equipment Manufacturers), CSPs (Cloud Solution Providers) , MSPs (Managed Service Providers), RSA, remaining the security division, and VirtueStream. Pivotal, Secureworks and VMware are all remaining separate as part of Dell Technologies. John Byrne asserted confidently, “the advantage is that we can now offer the end to end solutions, from the PC to the cloud, services and the widest portfolio on products. DellEMC spent $4.5 billion on research and development and that is double that of the competition – and we remain dominant in 20 of Gartner’s magic quadrants. We’re number one on several fronts. DellEMC is the fastest growing PC company and number one in servers, number one in workstations and fastest growing in storage. We want to be number one of everything.” IoT is naturally seen as a big market. An example of a DellEMC smart city partner project involves a 100,000 vehicles equipped with GPS devices, tracking the movement of the cars and using DELL solutions to analyse the car movements to design traffic management policies. Another in a Thailand province is working with the aging population and seniors are tracked with wearable devices and these are connected to hospitals, with data being analysed for health benefits and early medical response. Also in late October, LogRythym announced that it had formed a worldwide resale partnership with Dell EMC, with LogRhythm being one of Dell EMC’s largest OEM customers. LogRhythm uses Dell servers and storage to build security appliances for rapid threat detection and response solutions, which Gartner expects to reach US$23 billion by 2020. LogRhythm’s Security Intelligence and Analytics Platform unifies next-generation SIEM, log management, network monitoring, endpoint monitoring, and advanced security

Asia Pacific Security Magazine | 61

| FEATURE REVIEW analytics. It also helps organisations meet compliance requirements and respond to IT operations and events. “Demand for solutions that can detect and neutralise cyber adversaries before they can cause a material breach has never been greater,” said Mike Reagan, chief marketing officer at LogRhythm. “This partnership with Dell EMC bolsters our ability to capitalise on this burgeoning market by bringing our awardwinning security intelligence and analytics solutions to more enterprises around the world.”

// PRIVACY AND NATIONAL SECURITY Briefing by Rachel Lachford, Vice President Marketing, Canalys European Union General Data Protection Regulations (GDPR) will be entering into application on the 25 May 2018 after a two year transition period. The wider implications of the GDPR are focused on data privacy controls without country or regional boundaries. This is reflecting the nature of the data flows and that’s being enable to the new technologies and the creative and disruptive business models emerging in new digital economies. Over half the countries in the world now have some form of data protection or privacy laws and many of those are strongly influenced by the EU approach. What we are now starting to see is a trend towards global ubiquity of data privacy emerging. The EU GDPR is probably the most ambitious endeavour so far in terms of securing the rights of the individual in the digital realm. This is probably the case for this generation as they were last created in 1995 and so finally we have this huge refresh that adopts technological advancements over the last twenty years. The requirement to confirm to the GDPR will prevail, not only within the EU but across a majority of countries and will have significant impact on a global level. This will start to create a new standard for all data processes and transfers across the global. This will most initially impact those companies that are operating internationally but will also see a ripple down affect into country level business operations. 2017 will see more conversations within the business communities, of all sizes, around data

62 | Asia Pacific Security Magazine

privacy regulations and will be a critical year in Europe for implementation with compliance required by 2018. This is not just a ‘large’ company issue, even for the SMB market, they will need to be thinking about how they are going to comply and combat the myriad of threats and emerging threats across the global supply chain. SMBs take up a majority of supply chains and though they may tend to operate on a small local scale if they are linked to a global supply chain then they will be impacted. Data transfers know no boundaries. As we move to 2020 the numbers suggest the proliferation of IoT devices and there will be an overwhelming bulk of industrial devices that are transferring digital information and will fall into the realm of privacy and data transfer regulations. Japan, as an example, is looking to reform and implement their own regulations and will be a certified country approved to deal with EU countries. This will be a global issue around privacy and data encryption. Cloud is also a major factor in the reason this becomes relevant

In the last 18 months Hong Kong has seen three convictions under its direct marketing legislation with fines of HK$10,000 and HK$30,000 issued. to everybody. If you are hosting applications, finance, CRM or any business process, where is the data being hosted from and transferred too. Cloud providers are bringing in new requirements into their contracts, such as wording similar to, “it is your responsibility to encrypt the data that is being sent to your customers’. The primary responsibilities will be to encrypt data when sending to customers and notify of any breaches within 72 hours. Sanctions will be a big incentiviser for

Cyber Security

CANALYS | FEATURE REVIEW businesses to protect themselves. We’re seeing implementation of large fines in EU, US and South Korea has introduced punitive damages to some stringent privacy laws. In the last 18 months Hong Kong has seen three convictions under its direct marketing legislation with fines of HK$10,000 and HK$30,000 issued. This is more about ‘big data’ but more focused on ‘big personal data’ and working out what is personal and what is not and developing a trust system of data protection with accountability, privacy by design, clarity and understanding what sanctions will be applied. Companies are encouraged to get back to basics, have data discovery processes, data privacy and risk assessment processes, provide staff training, develop user awareness and training, and historically, user awareness is a key to success.

// COMMISSION PROPOSES HIGH LEVEL OF PRIVACY RULES FOR ALL ELECTRONIC COMMUNICATIONS AND UPDATES DATA PROTECTION RULES FOR EU The Proposal for a Regulation on Privacy and Electronic Communications aim to update current rules, extending their scope to all electronic communication providers. They also aim to create new possibilities to process communication data and reinforce trust and security in the Digital Single Market – a key objective of the Digital Single Market strategy. At the same time, the proposal aligns the rules for electronic communications with the new world-class standards of the EU's General Data Protection Regulation. First Vice-President Timmermans said: "Our proposals will complete the EU data protection framework. They will ensure that the privacy of electronic communications is protected by up to date and effective rules, and that European institutions will apply the same high standards that we expect from our Member States." Věra

Jourová, Commissioner for Justice, Consumers and Gender Equality said: "We are also setting out our strategy to facilitate international data exchanges in the global digital economy and promote high data protection standards worldwide." • Better online protection and new business opportunities The proposed Regulation on Privacy and Electronic Communications will increase the protection of people's private life and open up new opportunities for business: • New players: 92% of Europeans say it is important that their emails and online messages remain confidential. However, the current ePrivacy Directive only applies to traditional telecoms operators. Privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber. • Stronger rules: By updating the current Directive with a directly applicable Regulation, all people and businesses in the EU will enjoy the same level of protection for their electronic communications. Businesses will also benefit from one single set of rules across the EU. • Communications content and metadata: Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location). Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes. • New business opportunities: Once consent is given for communications data, both content and/or metadata, to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services. For example, they could produce heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects. • Simpler rules on cookies: The so called "cookie provision", which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed

for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent. Protection against spam: Today's proposal bans unsolicited electronic communication by any means, e.g. by emails, SMS and in principle also by phone calls if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voiceto-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call. More effective enforcement: The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.

International data protection A strategic approach is being taken to the issue of international personal data transfers, with the aim to facilitate commercial exchanges and promote better law enforcement cooperation, while ensuring a high level of data protection. The Commission plans to engage in discussions on reaching "adequacy decisions" (allowing for the free flow of personal data to countries with "essentially equivalent" data protection rules to those in the EU) with key trading partners in East and South-East Asia, starting with Japan and Korea in 2017. In addition, the Commission will also make full use of other alternative mechanisms provided by the new EU data protection rules to facilitate the exchange of personal data with other third countries with which adequacy decisions cannot be reached. Next steps With the presentation of the proposals in early January 2017, the Commission is calling on the European Parliament and the Council to work swiftly and to ensure their smooth adoption by 25 May 2018, when the General Data Protection Regulation will enter into application. The intention is to provide citizens and businesses with a fully-fledged and complete legal framework for privacy and data protection in Europe by this date.

Asia Pacific Security Magazine | 63

Cyber Security



INTENSIVE ESCAPE TR AINING Anti-Kidnapping & CounterAmbush This full-day training drill tests your mettle against life-or-death situations your VIPs, Chief-suite Executives and other personnel may face in the fulfilment of their duties. Deploy with unerring confidence in demonstrable response techniques with this precision-training masterclass: 1. Risk Elimination Practices 2. Anti-Kidnapping Measures 3. Counter-Ambush Survival Techniques International Trainer: Nathan Hughes Training Director CSEC4, UNITED KINGDOM Former Firearms Instructor, Specialist Firearms Officer and Advanced Driver DEVON AND CORNWALL POLICE, UNITED KINGDOM

SHOWCASING PRESENTATIONS AND CASE STUDIES BY KEY DISTINGUISHED SPEAKERS Yang Yu Regional Security Director – Asia Pacific MICROSOFT, CHINA Dean Fitzmaurice Regional Security Director Middle East, India & Sub-Saharan Africa SNC LAVALIN, UNITED ARAB EMIRATES Li Hongliang Deputy Director of Security Management BGP INC., CHINA NATIONAL PETROLEUM COMPANY, CHINA Stanley Aloysius Director, Asia Pacific Safety & Security PAYPAL, SINGAPORE Patrick Wang Head of Security BEKAERT ASIA, CHINA Founder & Chairman SECURITY PROFESSIONALS ALLIANCE OF CHINA (SPAC), CHINA

Julius Badillo Security Cluster Lead – Philippines, Vietnam, Thailand DHL, PHILIPPINES Ruben Morales General Manager, Corporate Safety HONG KONG AIRLINES, HONG KONG Mark Niblett Vice President & Global Head of Security HALLIBURTON, UNITED ARAB EMIRATES Mark Sharp Director of Corporate Security SHANGRI-LA, HONG KONG Wynnford Medrano Director – Procurement, Property, Information Security and Business Continuity Management AXA, PHILIPPINES Nick Crouch Director, Global Safety & Security (EMEA, India and APAC) YAHOO! INC, SINGAPORE


• •

Protecting people, profit and brand Unlocking investment opportunities in high risk destinations Defending high value products and corporate assets from theft and damage Perfecting emergency response planning for your company Guarding valuable executives against threats in vital business destinations

Vice Presidents, Directors, Managers and Heads of: Corporate Security Business Resilience Physical Security Business Continuity Asset Protection Brand Protection Loss Prevention Cold Chain Investigations Sites & Facilities Risk Corporate Campus Security Contingency Intellectual Property Emergency Response Planning Business Travel Risk Crisis Management

High-value business interests can only be properly safeguarded with investment into the right corporate security, asset protection and travel risk programmes. marcusevans

large scale events 64 | Asia Pacific Security Magazine


THE PROGRAMME - DAY ONE monday 17th july 2017 0800

Registration and Morning Coffee


Opening Remarks by Chair



Delegates and speakers are encouraged to get to know their peers and exchange business cards CORPORATE EMERGENCY PREPAREDNESS






Coffee and Networking Break






Networking Luncheon

Preparing Your Company Crisis Response Plan for High-Calibre Active Threat Management As business opportunities grow so does the security risk your company faces. Evolving operational threats such as terrorism, kidnapping, theft, piracy and blackmail mean that a robust crisis response plan is critical to defending and protecting your business. In this session the keynote speaker will detail top-of-the-line anticipatory and preparative measures you can use to ensure you are ready for the worst before it happens. Ensuring Resilience with Stress-Tested Business Continuity Planning and Disaster Recovery Procedures Eventually something will happen. Your company is a target and corporate security is the crucial line of defence, but you are also the guardian of the company post-incident. This session will define and design a Business Continuity and Disaster Recovery system that allows corporate objectives to be met, and products to be delivered even as the corporate security and crisis response teams are still in action.

Staving Off Business Damage from Fires, Flooding, Earthquakes, Typhoons and More: Mitigation and Resolution Disasters can strike at any time. From typhoons, floods, fires and explosions, to any weather situation that shuts down operations, delays transportation and short-circuits your immediate business plan, what is the disaster management planning in place? Whether monitoring the weather or ensuring security for personnel post-disaster, our panellists have the critical intelligence to help you deploy with confidence. Mass Communication Tools and Global Tracking Methods for Instant Monitoring of Employee Welfare Whether you are operating in a constellation of global locations with executives positioned worldwide, coordinating staff safety across a nation’s worth of outlets, or keeping tabs on heavy duty and high risk facilities or NGO bases, crisis communication and instant tracking ability is paramount to your corporate security responsiveness. This session provides a keen line of sight to your new communication and tracking plan and hardware setup.




Protecting Company Supply Chains Against Clear and Present Threat Trends to Guard Your Products • Effective process controls to buttress logistics and transport security against fraud, theft and disasters • Layered defences and security posture options for the door-to-door, stop-bystop security of goods in movement • Fleet security and detection enhancement in coordination for end-to-end security in a sequence of different operational environments Following a 25-minute presentation our expert will give an example supply chain process and delegates are challenged to assess the potential threats at each point along it.




Forging Concrete Anti-Counterfeiting Process Control to Secure and Protect your Company’s Brand • Loss control for tangible and intangible assets in trucking and railroad supply chain situations • Coordinating anti-counterfeiting and anti-fraud efforts with security support to prevent potential disasters and loss of reputation • Availing opportunities to leverage consumer service support to perform root cause analysis on historical counterfeiting and fraud activity Following a 25-minute presentation our expert will present the audience with a range of product examples for comparison to test your observation and retention skills. Can you find the fake?


Shielding Overseas Employees With a Provable Corporate Travel Planning Duty of Care Programme • Prevailing legal and moral frameworks for travel risk policy assessment • Ascertaining infrastructure for emergency contact methods and support in place for medical emergencies, evacuation planning and travel disruption mitigation • Flexing for ad hoc inclusions in response to pandemics and changing natural disaster landscapes Following a 25-minute presentation our expert will moderate as audience members contribute their suggestions for the ultimate corporate travel safety checklist. A show of hands decides what stays in!


Instilling Heightened Situational Awareness into Executives in HighRisk Locations • Identifying travellers, calendaring travel and establishing training for Emergency Response, Emergency Medical Technician, tactical driving, antiambush and counter-kidnap • Dynamics of executive responsibility for personal wellbeing and insurance needs in various situations • Preparing codes for conduct and integrity and communicating expectations for overseas-stationed executives Following a 25-minute presentation volunteers from the audience will be brought to the stage and wear a blindfold while they are quizzed about their surroundings during the conference. Find out how good your situational awareness is!


Coffee and Networking Break


Coffee and Networking Break






Running a Best Practice Security Operations Centre to Ensure Corporate Safety and Asset Protection • Garrisoning customized security services and infrastructure needed to support the SOC and maintain SOC integrity • Entrenching full-capability disaster recovery hot sites, redundant communications arrays and backup power supplies • Securing resources and synchronization for everything from one-man SOCs to worldwide security coordination



Each table will have an expert moderator to run through detailed best practices for crucial aspects of corporate security in an engaging delegate discussion.

Each table will have an expert moderator to run through detailed best practices for crucial aspects of corporate security in an engaging delegate discussion. Table One: Implementing Thoroughly Planned Options for Timely Executive Evacuation from a Foreign Business Location

Table One: Discovering and Deterring Corporate Espionage to Maintain Site and Product Security

Table Two: Executing Detailed Preparations for Company Medical Emergencies Abroad

Table Two: Developing Physical Security Infrastructure to Protect Company Intellectual Property



Delegates will have the opportunity to select from one of the following scenarios:

Delegates will have the opportunity to select from one of the following:

Participants will get the chance to summarise their discussions and wrap up their practical takeaways.

Protecting Business Interests with Unassailable Security Measures for Sites in High Risk Locations • Obtaining available local assistance and cooperation in the operational host country • Tracking information and area surveys for an overseas network of facilities and assessing threat levels at posts • Allaying vulnerabilities to aged, acquired, and temporary corporate bases

Participants will get the chance to summarise their discussions and wrap up their practical takeaways. 1730

Closing Remarks from the Chair and End of Day One

Closing Remarks from the Chair and End of Day One

large scale events

PAG E 2 Asia Pacific Security Magazine | 65

THE PROGRAMME - DAY TWO tuesday 18th july 2017 0800

Registration and Morning Coffee


Opening Remarks by Chair






Coffee and Networking Break






Networking Luncheon

GLOBAL PHYSICAL SECURITY Discretely Emplacing Scrupulous Counter-Surveillance Processes to Protect Company Sites and Staff The key to forewarning and forearming against tangible threats to security or emergent crises is surveillance. How do you perform counter-surveillance and mobile surveillance on your surroundings whether in a crowded place or empty area, without drawing attention to yourself, your executives and your company assets? What equipment can you leverage? This session arms you for the daily needs of scrutinising operations, travel and movements. Preventing Loss of Life and Business with Systematic Approaches to Close Executive Protection What new risks and threats does your principal face in a climate of slowed economies and multiplying threat factors? What resources and strategies do you have at hand to provide consistently rigorous close personal protection? This keynote is the compact and comprehensive readiness plan you need.

Mastering and Implementing the Operating Standards and Requirements for a Vigilant Corporate Security Corps Increasingly global corporate activity worldwide needs highly standardised security operations, which should meet consummate international standards wherever possible. This session outlines the A through Z that the corporate security function must fulfill and fortifies you for the hurdles and rigorous needs of booming business and ever-changing global threat scenarios. Building on Measures Taken to Enhance the Relationship and Collaboration Between Public and Private Security Teams Corporate security functions work closely with governments and public agencies for a reason – we are stronger together! Whether liaising with your national security bureau or operating in tandem with foreign police, this session highlights ideal collaborative scenarios and how to reach them.









Coffee and Networking Break


Coffee and Networking Break






Comprehensively Ensuring Access Control and Break-In Prevention • Bolstering the guard force’s detection and monitoring best practices with CCTV surveillance, X-ray and alarm system systems • Developing security programmes and procedures, preventing intruders and safeguarding company assets and critical infrastructure • Equalizing and ossifying accreditation, auditing, reporting and recording across your corporate security footprint Enforcing an Exhaustive and Fruitful Investigations Process for Incident Management and Corporate Crisis Response • Root cause analyses on incidents, breaches and threats and analysing various production pressures versus external forces • Working in league with an external investigations corps towards provable results • Consolidating the clear facts needed for effective incident management and followup

Each table will have an expert moderator to run through detailed best practices for crucial aspects of corporate security in an engaging delegate discussion.


Strengthening Global Security with a Sure-fire Reassignment Risk and Expatriate Protection Scheme • Reconciling business gains with the risk scenario presented to the employee • Bracing top-level corporate security with confirmable intelligence on risks to the company via the employee’s overseas assignment • Steeling company operations against international risk frontiers by mapping out and mitigating bribery and extortion potential

Each table will have an expert moderator to run through detailed best practices for crucial aspects of corporate security in an engaging delegate discussion.

Delegates will have the opportunity to select from one of the following

Delegates will have the opportunity to select from one of the following

Table One: Countering the Threat of Terrorism Toward Company People and Property

Table One: Comparing and Analysing the Security Situation in Different Countries

Table Two: Hardening Corporate Security Planning Against Known and Potential Criminal Damage and Incursion

Table Two: Safely Managing Corporate Hospitality and Event Security in Unfamiliar or Volatile Destinations

Participants will get the chance to summarise their discussions and wrap up their practical takeaways.

Participants will get the chance to summarise their discussions and wrap up their practical takeaways.

Final Countdown! Wrap Up Time Still have burning questions? Are there problems unsolved? Let the chairperson field your questions or field it back to your fellow delegates for their input. Use this session to take advantage of the amazing expertise in the room.


For missed connections and specific questions, write to to help set up meetings and introductions at the next event! 1730


Establishing a Community of Defenders: Leveraging Local Connections for a Security Footprint in Business Destinations • Deconflicting security structures to consolidate protocols and guard forces • Insights into personnel selection, technical teams and staffing structures that build toward mutual trust equity and sound collaboration • Supporting business continuity planning with local liaisons and strengthened government relationships

Closing Remarks from the Chair and End of Day Two

BUSINESS DEVELOPMENT OPPORTUNITIES Does your company have services, solutions or technologies that the conference delegates would benefit from knowing about? If so, you can find out more about the exhibiting, networking and branding opportunities available by contacting: Ellyna Merican, Media & PR Coordinator, marcusevans Malaysia Tel: +603 2723 6662, E-Mail:

Final Countdown! Wrap Up Time Still have burning questions? Are there problems unsolved? Let the chairperson field your questions or field it back to your fellow delegates for their input. Use this session to take advantage of the amazing expertise in the room. For missed connections and specific questions, write to to help set up meetings and introductions at the next event!


Closing Remarks from the Chair and End of Day Two

marcusevans would like to thank all the world-leading visionaries, solution providers, associations, operators, end-users and delegates who have contributed to and supported the marcusevans Corporate Security Asia Large Scale Event. We would particularly like to mention our speakers for their help in the research behind the event and also our sponsors for their continued support and commitment. On behalf of marcusevans we hope you have a rewarding, enjoyable and productive time. We personally look forward to meeting you all and working with you at our future Large Scale Events planned in 2017. See you in July!

REG IST ER NOW large scale events 66 | Asia Pacific Security Magazine

Tel.: +603 2723 6662 Fax: + 603 2723 6699 Email: PAG E 3

W INTENSIVE ESCAPE TRAINING - DAY THREE wednesday 19th july 2017 PREVENT AND PROTECT: Frontline company personnel on deployment in hostile, volatile or simply unfamiliar environments can be profiled as targets as can their families and residences. Kidnapping, ambush and ransom are very serious security issues for companies operating in or traveling to high risk destinations. You know the risks. Business lost, financial damage, reputational uproar and worst of all a threat to your colleagues’ lives. Insurers have estimated up to 40,000 kidnapping cases per year involving business travelers. Can this happen to your company? What can you do? Understanding the motivation for kidnapping in the context of financial gain and opportunism, and enhancing your situational awareness are just the first steps to mitigating and managing these threats.

INTERNATIONAL TRAINER Nathan Hughes, Training Director, CSEC4, UNITED KINGDOM Former Firearms Instructor, Specialist Firearms Officer and Advanced Driver, DEVON AND CORNWALL POLICE, UNITED KINGDOM Within the police Nathan worked on a team responsible for conflict/crisis resolution and counter terrorism operations. He provided armed venue and residential security for members of the Royal Family, Foreign Royalty, British Prime Minister, MP’s and VIP’s. He was an Advanced Police TPAC (Tactical Pursuit and Containment) Driver and Integrated Firearms Surveillance officer (foot and mobile). He is a licensed National Police Firearms Instructor. His other duties during more than 14 years of police work included police search team, extradition and public order engagements, warrant executions and major incidents covering the whole of the force area.

This full-day training drill tests your mettle against life-or-death situations your VIPs, Chief-suite Executives and other personnel may face in the fulfilment of their duties.

His five years in the 42 Commando Royal Marines of H.M. Royal Marines provided him with heavy weapons (anti-tank), sustained fire (SF), beach landings and assaults, arctic and jungle warfare experience as well as disaster relief in Montserrat and Anguilla following volcano and hurricane damage.

Deploy with unerring confidence in demonstrable response techniques with this precision-training masterclass:

Nathan is certificated for First Person on Scene and Close Protection among many other industry relevant qualifications.


CSEC4 is involved in the training and development of International Police Departments, Military Units and Security Organisations with the intention of providing international best practice.

• Minimising risks and opportunities for abduction and ambush • Clear motivations (wealthy appearance, company affiliation) versus leaked and known motivators (remuneration details, connections, other criminal intelligence) and how to reduce them • Even top-shelf provision of secure housing and transport can leave opportunities for criminal interference: contending with opportunists


ANTI-KIDNAPPING MEASURES • How to know if your principal is being targeted or profiled for criminal intervention • Paranoia vs. obliviousness: building appropriate expectations, behaviours and dynamics in the destination • Low-profile training and counter-surveillance techniques COUNTER-AMBUSH SURVIVAL TECHNIQUES • The first minute: what should you do when you realise a kidnapping or ambush is underway? • The essentials of how to behave and what to say (if anything) • Survival options: weighing your various escape routes, potential extraction plans and safe houses • The long arm of the law: leveraging your connections with local authorities and knowing their parameters for involvement The Intensive Escape Training Drill is suitable for all personnel charged with ensuring the security of company executives in all situations, as well as those tasked with maintaining the impermeability of sites and supply chains to intrusion and unwanted surveillance and profiling.

Your company is a target. There are high levels of security risk to increasingly global and high profile corporations based in Asia, and Corporate Security is the critical support department. Gain best practice insights into protecting people, profit and brand at Corporate Security Asia in Shanghai. Unrest and criminality affect crucial business destinations in parts of Asia and Africa. Meanwhile cost-cutting measures and third party operations are presenting criminals with alarmingly rich opportunities for interference and wilful damage. Protect company products, sites and executives and secure your company against emergencies and crises by joining brand new conference formats. The exclusive Situational Awareness Trial is where your observational skills and surveillance abilities will be tested in a blindfolded trial, while in the Counterfeit Investigations Session you will be tested to catch out tampered products with comparison and analysis exercises. Travel Risk Policy Checklisting is a heads-together delegate-led exercise letting you contribute important considerations for corporate travel planning and take a copy of the checklist home with you after while the Supply Chain Observational Testing lets you assess potential threats along example supply chains. Invest in our upcoming 3-day conference ‘Corporate Security Asia’, which provides you with access to the latest intelligence, preventative security management and emergency response planning. Plug in for ‘Preparing Your Company Crisis Response Plan’, ‘Ensuring Resilience with Stress-Tested Business Continuity’, ‘Counter-Surveillance Processes to Protect Company Sites and Staff’ and ‘Systematic Approaches to Close Executive Protection’ in our sunrise plenary sessions. During our post-conference Intensive Escape Training, get hands-on experience with Anti-Kidnapping and CounterAmbush to pre-emptively prevent and protect your executives from being profiled and targeted in high-risk operations and locations. Follow your own plan with a choice of two exclusive breakout streams: Assets, Sites, Stores, Facilities & Supply Chains: Preventing break-ins, ensuring access control, incident management, anticounterfeiting and layered defences to goods in movement are essential to companies dealing with high-value production and items, as well as those with supply chains extending through multiple jurisdictions with vacillating risk profiles. Join this stream to benefit from detailed security setups for your assets and sites.

SCHEDULE 0830 0900 1045 1245 1400 1545 1700

Registration and morning coffee Training commences Morning refreshments Networking lunch Training commences Afternoon refreshments End of training

large scale events

Corporate Travel & Overseas Assignments: Readiness and planning for situational awareness and duty of care programmes are critical to executive safety and avoiding travel disruption and business damage. Join this stream to benefit from insights into establishing a security footprint in the destination via local contacts and well-protected corporate sites, evacuation preparedness and proper medical planning. This event will give you access to the latest anti criminal intelligence and product security techniques, case studies on successful theft prevention, Emergency Response Planning (ERP) techniques and more. PAG E 4 Asia Pacific Security Magazine | 67

Available online!





















ed PP2


See our website for details ma








.a www





nal natio ar, in Inter ASIS nual Sem, USA An aheim An

d PP1





te A Sta ISAC , Perth e rinngferenc e e in o l eng attCacks Socia





ep 20









ov 20



s utive ch E u AZIN exec MAG ITY Why to be m CUR d E SE e e n hier ORAT ORP C c ND mu NT A THE



rity in Secu ment, rn Gove anberra C

of cult The ware the a




FEAT RISIS t LS C men SKIL le an e hum ation e h T form in in ction prote



S P UP w.a WRA ww al ENT ation e, L EV N IA A C AIS nferenc e SPE Co ourn Melb ra ust




ess a busin -high y strakliing ill Au Ta curity sk w How up? se keep

ption dece s of Sign $8.95


ren n child s satio cting bullie adicali art III R s – P ria Prote cyber y s m S e fro Proc is over lys para The Time Tech




Time Tech

erl Cyb


city Safe The need for ity Its and roperabil inte

reat ted a er Th Insid be elimintive c n a a o C a pr with oach appr


Get each print issue per year for only $88.00



A, k Q& , Quicrity and . Time u Tech ber Sec h more.. Cy muc




SUBSCRIBE TODAY... DON’T MISS AN ISSUE Yes! I wish to subscribe to the Australian Security Magazine, (1 year). ☐




(inc GST)





(inc GST)


Yes! As an additional bonus I wish to receive direct to my inbox the Asia Pacific Security Magazine (emag)

No business or government organisation survives in a vacuum. Sharing knowledge is fundamental to the development of successful security planning and implementation. That is the role of our magazine: sharing knowledge of developments in security management for public and private sector organisations, both for internal management and for external obligations in public safety and security.

Go to and fill in our subscription form online. Dont miss an issue! Phone: +61 (8) 6465 4732 during business hours AWST (Australia Only)

68 | Asia Pacific Security Magazine

PRIORITY FAX Credit Card Details Australia +61 (8) 9467 9155

FREE POST My Security Media 286 Alexander Drive, Dianella. W.A. 6059


GST This document will become a TAX INVOICE for GST when payment is made. My Security Media Pty Ltd ABN 54 145 849 056

Within TechTime you will find the very latest information, news and products from a wide variety of security industries, ranging from cameras, computers, software and hardware.

Spotter RF: A2000

To have your company news or latest products featured in our TechTime section, please email

Latest News and Products Asia Pacific Security Magazine | 69

TechTime - latest news and products

Multitone launches 'EkoSecure' for campus worker protection Multitone Electronics has announced the launch of its EkoSecure solution, for the campus or site wide protection of workers. EkoSecure builds upon the company’s EkoTek staff protection system, featuring a wider coverage area which is ideal for outdoor and remote locations around any workplace facility. Husam Al-karnaz, Solutions Architect at Multitone, commented “EkoSecure is a development of our highly successful EkoTek solution. It widens the coverage area using a mesh network of repeater units, which can be up to 60 metres apart, that extends the protection quickly and efficiently, reducing installation and operational costs.” Using the mesh network system also adds significant redundancy mitigation to the solution, as Husam continued, “Using this approach, if there is any failure in the network it can be instantly compensated for, the alarm raised and assistance called for, when a worker is in trouble. Additionally, the handheld EkoSecure device uses a loud audio alarm to direct a response team directly to the incident, which is vital in large areas where pinpointing a precise location can be a challenge.”

Multitone: EkoSecure

User pager EkoSecure pagers offer four types of alarm, ensuring users are fully protected and that the assistance team is informed what type of emergency it is. These consist of: •

• • •

Red Button Alarm – A single or double press of the button will call for immediate assistance. Man Down Alarm – If the user falls the alarm is raised after a short period. Snatch Alarm – Should the alarm be forcibly taken from the user. Deadman Alarm – The user is polled at predefined intervals and prompted to respond.

Interaction with EkoTek As well as operating as a stand-alone solution, EkoSecure is also able to operate with Multitone’s EkoTek indoor staff protection system, for even greater flexibility and location accuracy. The new EkoSecure pager can be used to roam within the EkoTek mesh network and uses the repeaters for alarms and location in the just the same way. Husam added, “EkoSecure is the perfect

70 | Asia Pacific Security Magazine

extension of the EkoTek system, allowing a user to roam an entire site or campus buildings, safe in the knowledge they are protected wherever they are. This is particularly useful around a large site such as a hospital, prison or university, with a broad mixture of different buildings and large outdoor spaces, where it would be very easy to go unnoticed if there were a problem.” Alarm Escalation Once an alarm has been triggered, the alert can be escalated to a rescue team via a choice of communications platforms, including mobile devices, DECT/Wi-Fi enabled phones or by email/IM. This can also be automatically routed to different devices at different times to ensure the right person or team is alerted immediately. EkoSecure also logs all events for audit purposes. Husam concluded, “EkoSecure is a potentially life-saving solution which is perfect for lone worker protection, offering wide area coverage and reliability at a highly scalable and affordable price. It requires minimal training for use and can be installed rapidly, with additional capacity being simple to add, especially for

customers that already use EkoTek for indoors emergency alerts.” To find out more about EkoSecure please visit the Multitone website: or telephone 01506 418198 About Multitone As a pioneer of wireless messaging, Multitone Electronics plc is a specialist developer of integrated communication systems for on-site and global use. The organisation; which is best known for its supply of critical communications, continues to explore and develop reliable communications and controls, whilst offering robust, targeted systems that effectively and reliably integrate with customers’ existing systems and technologies. The product offering combines the best in wireless telephony, radio-paging systems and personal security systems with professional services and tailored software to create a truly cohesive communication platform. Multitone is part of Kantone Holdings, with a turnover in 2015 in excess of £224 million.

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

TechTime - latest news and products

SpotterRF Awards pile up for drone detecting A2000 radar SpotterRF caps off the year with worldwide praise for its new industry leading A2000. This winning technology is the first CSR to provide cost-effective wide area deterrence against the growing threat of low flying UAV (drones) proliferating worldwide. SpotterRF also leads industry efforts to improve FAA rule changes allowing electrical utilities and other critical infrastructure to rapidly respond to incoming drones intent on destruction of people and property. “The FAA estimates the number of commercial drones will explode from less than 20,000 to 600,000 in the coming year,” states Logan Harris, CEO for SpotterRF. “This increases risk of drone misuse against our critical infrastructure. We are pleased to provide immediate relief to power substations and others that have become targets due to the ability of low-cost drones that can carry dangerous payloads.” The Spotter A2000 has garnered the 2016 Platinum Homeland Security Award, Best Drone Detection Perimeter Protection from American Security Today; been named 2016 ASIS International Accolades Winner; and most recently won Best Alarm & Detection Product 2016 from Detektor International—the only U.S. company so recognized by this Europeanbased program. SpotterRF competed and was named winner among such industry goliaths like Axis, FLIR, Bosche, and Milestone Systems. As a leader in drone detection technology, SpotterRF has shared its expertise on the topic during a recent Security Industry Association (SIA) webinar and in a SIA Technology Insights article. “We are pleased to work with SpotterRF to increase awareness of the unique dangers that can be created by drones,” SIA Director of Industry Relations Ron Hawkins said. “Their understanding of the nature of the threat and the countermeasures that are required can help security professionals to manage this new risk and keep people and property safe.” SpotterRF is rapidly becoming the de facto standard for affordable wide area perimeter protection across the globe. Five of the top ten U.S. utility companies now us SpotterRF radar as a key component in protecting the nation’s electrical grid. SpotterRF delivers its award-winning compact surveillance radar (CSR) systems through more than 60 strategic integrators to a global marketplace in 24 countries on six

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

continents. SpotterRF will be displayed along with IndustrialENET at the upcoming show, Distributech, held in San Diego on January 31February 2 at booth 4003. About SpotterRF SpotterRF provides protection beyond fences with the world’s most advanced Compact

Surveillance Radar (CSR) system for perimeter security and force protection. Made in the USA and engineered for extreme conditions, SpotterRF technology is the most compact, lightweight, energy efficient, and costeffective radar for elite warfighters and critical infrastructure requirements, such as electrical utilities. For a more information visit https:// .

Asia Pacific Security Magazine | 71

TechTime - latest news and products

City living under the microscope A new CSIRO research initiative has launched will lead the way for the transformation of liveable urban spaces and sustainable cities of the future. In partnership with property developers Celestino, CSIRO has established its first operational Urban Living Lab at the Sydney Science Park in western Sydney – a place where researchers, industry, government and communities can get together and create, design and test innovative urban development concepts, moving beyond the lab into the real world. Within the Urban Living Lab’s test environment, researchers will examine the connections between issues such as urban greening, energy efficiency, demands for water, community well-being and health and the impacts of technological advancements, all within a real urban environment. The research will be critical for developing and renewing our cities and urban spaces to be sustainable in the face of pressures such as population changes and climate change. Examples of the research topics already under consideration include: The impact of increased urban greening on local temperatures and ecology, changes in energy and water demand and consumption, and the influence on community well-being and health; Smart water systems that can efficiently provide different classes of water for different uses on demand; The influence of digital disruptions and information technology advances on urban structure, industry development and community connectivity. Assistant Minister for Science Craig Laundy said the new initiative was set to deliver significant urban, environmental and innovative outcomes for the region and beyond. “The Urban Living Lab initiative offers a new way for researchers, industry, community and government to co-innovate and provide a place

to address a range of challenges facing the urban sector,” Minister Laundy said. “It’s great to see CSIRO engaging in this public-private collaboration which will not only tackle important issues for our cities, but also provide a boost to the local economy with jobs and opportunities for STEM students.” CSIRO Land and Water Acting Director Paul Bertsch said collaborative science initiatives like the Urban Living Lab would enable our cities to move towards a more sustainable future. “By working with government and industry, our research will enable Australia’s cities to become more economically, environmentally and socially resilient,” he said. Celestino CEO John Vassallo Celestino said he wasthrilled to be partnering with CSIRO on the project. “We could see people creating new ways to harness solar energy in the workplace and developing novel ideas to store heat and keep homes cool,” Mr Celestino said. “New sustainable transport solutions will also be encouraged as well as inventions that conserve water and energy and drive down utility bills. The possibilities are endless. “Once developed, all of these technologies

will be tested on the homes, businesses, shops, roads and parks of Sydney Science Park. “Just like you test new medical technologies in a lab, you need to test new urban-living technologies in a real urban environment. Sydney Science Park is the perfect testing ground for these inventions of tomorrow.” Mr Vassallo said the Urban Living Lab would connect inventors to mentors, scientific expertise and importantly, venture capital. “We don’t just want inventions, we want new prototypes commercialized and rolled out to the market,” he said. Mayor of Penrith John Thain welcomed the new development. “The creation of the CSIRO Urban Living Lab embodies the innovative and progressive direction Celestino have set for the Sydney Science Park – located within the Penrith LGA,” Mr Thain said. “The partnership is a very welcome announcement. The Urban Living Lab fits with Council’s vision to not just build Penrith as a city of the future, but to reap benefits for communities well beyond our own boundaries.”

Four reasons the security tide will rise in 2017 Almost a quarter of Australian organisations deal with security breaches that interrupt their business on a monthly basis. This is according to Telstra’s 2016 Cyber Security Report, which also revealed this unnerving figure has more than doubled since 2014. As the fourth industrial revolution creates a new wave of data to be gathered and stored, Australia’s threat landscape is also rapidly

72 | Asia Pacific Security Magazine

expanding. Phishing email scams, critical breaches and data leaks are becoming the new norm. Today, companies, government agencies and individuals are in a race against the clock to find ways to outsmart their online adversaries. With this in mind, it’s time to look beyond traditional security solutions, to data protection and recovery. Here are our top four predictions

on what will create this year’s biggest waves in cyber security: 1. Internet is a Critical Infrastructure DDoS attacks like the Australian Census outage and the Mirai botnet powered on Dyn have proven that the Internet is more vulnerable than we dare to think.

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

TechTime - latest news and products

To ensure systems stay online at all times, we’ll see more organisations focusing on detection over prevention. A good example is the University of Adelaide. Looking for a way to more quickly recognise and respond to attacks, the university deployed a data-driven, enterprise security solution. This saves their IT team hundreds of hours per year in security analyst time, by automating log search and providing faster insight into potential threats. In addition to identifying the initial problem, the solution correlates the associated data and remediates the issue before it becomes a significant threat. This shift in mentality – understanding what you need to detect, not only preventing attacks – has been in the works for years, but 2017 is the year the industry will start to turn over a new leaf.

multi-vendor environments. In 2017, we expect to see a rapid increase in the adoption of both. Machine learning based solutions will become more mainstream in 2017 as organisations become quicker and smarter at responding to threats. An example of this is behavioural analytics. This allows security teams to apply more data and automation techniques to monitor and verify identities, API requests, machine-to-machine interactions and signal anomalies that could be a threat. 3. Internet of Things (IoT) will be the Favoured Vector of Cyberattacks

2. More Focus on Machine Learning, Behavioural Analytics and Adaptive Response

Telsyte expects the Australian ‘IoT at home’ market to climb to $3.2 billion in 2019 when an average household will have 24 Internetconnected devices compared to nine in 2015. As ‘IoT at home’ is only a section of the rapidly expanding IoT market, it’s crucial to

The aforementioned attacks prove that hackers have refined their art, and are outpacing security defenses. To combat this, more organisations are adopting an analytics-driven approach to security, leveraging machine learning and enabling adaptive response. This encourages automating retrieval, sharing and response in

note the security pitfalls these devices can pose not only to their owners but to external organisations as well. Backdoors in IoT systems may provide hackers a gift – millions of unprotected gateways into IT infrastructure. Large enterprises are facing hundreds of millions of automated attacks per day, and IoT growth

is likely to increase this figure exponentially. The proliferation of IoT devices and its lack of maturity in security design will demand better strategy in enterprise topology, network zoning and operational intelligence. 4. A Ransomware Marketplace is Emerging This year we’ll see ransomware being commoditised in dark web marketplaces, as cybercrime syndicates around the world cooperate to establish structure and a value chain for ransomware tools. In effect, this marks a fast growing underground industry on the dark web in which the makings of cyberattacks can be bought and sold, and profit reinvested to better the tools to generate even bigger returns. To combat this, enterprises are seeking dynamic resources for real-time intelligence that help detect ransomware threats. But it’s also crucial companies identify their risk tolerance to place the highest security around their most valuable assets. This will increasingly help prevent the propagation of ransomware and enable companies to put ‘bodyguards’ around the most critical assets.

Department 13 launches MESMER Version 1.0 counter - drone solution Revolutionary Patented Technology Enables Control of Airspace Through Non-Kinetic Mitigation department13_logoDepartment 13 commercially launched its flagship counterdrone product, MESMER Version 1.0 (“MESMER”), a unique patented, low power, non-jamming, non-line of sight, non-kinetic drone mitigation solution, enabling an effective and safe method of protecting personnel and infrastructure from dangerous drones. With customer demonstrations and trials of MESMER currently underway, the company has secured global distributor agreements to support the launch. Jonathan Hunter, CEO of Department 13, said: “MESMER is designed to secure commercial, public or government airspace from the increasing threat of drones. It utilizes unrivalled protocol manipulation technology, enabling it to take control of drones and land them safely in a defined exclusion zone. Our solution is superior to other technologies available in the market that jam or shoot

Information presented in TechTime is provided by the relevant advertiser and are not necessarily the views of My Security Media

drones down and pose significant risk for the personnel and infrastructure they are designed to protect. Having delivered MESMER on time and on budget, Department 13’s focus is now to drive sales, both directly and through our partner channels, and to establish the product as the global market leader in counter-drone technology.” MESMERThe MESMER technology was highlighted on January 19 in a segment on The Today Show in the USA. To view the segment, please visit the following link: http://www. onnbcs-today-show/ The MESMER platform uses sophisticated automated detection and mitigation strategies to stop, redirect, land or take control of drones across a range of national security, defense and commercial scenarios. MESMER’s key differentiator is its ability to manipulate weaknesses in all digital radio protocols and take control of a drone’s computer, allowing it to land drones safely by flying them into a defined exclusion zone.

The patented technology is built on open source software architecture ensuring it can seamlessly integrate into existing security and surveillance systems, making it attractive to a range of government and commercial partners, including military bases, prisons, stadiums, airports and other critical infrastructure. The vast range of applications support forecasts for the counter-drone market to reach US$1.14 billion by 2022, according to Markets and Markets Anti-Drone market report. A number of tier one customers have commenced commercial trials and scheduled demonstrations of MESMER, which follow a series of successful validation exercises conducted last year including Black Dart and the MITRE Challenge. Department 13’s global distribution network enables MESMER to be marketed to an initial 37 countries. The sales channel comprises strategic partners Booz Allen Hamilton in the United States, EPE in Australasia, Phoenix Group in Latin America and ISM in the UK and Europe.

Asia Pacific Security Magazine | 73


Data & Goliath by Bruce Schneier


s Bruce Schneier acknowledges, he doesn’t write a book from beginning to end but rather from bottom to top – working on the entire book at once. Bruce’s latest book, Data & Goliath, is about the biggest question of our time – how do we design systems that make use of our data collectively to benefit society as a whole, while at the same time protecting people individually? Schneier gives great credos to Edward Snowden and his ‘legacy’ of being the beginning of a worldwide movement that recognises privacy as a fundamental human right, which is applied in a

74 | Asia Pacific Security Magazine

“meaningful and enforceable way’. Yet despite a perceived ‘worldwide movement for privacy’, Bruce takes the reader through the ominous extent of mass digital surveillance, by both government and corporations. Digital and electronic surveillance has developed to become capable of a rapidly progressive erosion of personal privacy, to the near fulfilment of ubiquitous surveillance, as effective in practice known as the ‘panopticon’, conceptualised by Philosopher Jeremy Bentham in the 1700’s – being a prison where every inmate can be surveilled at any time, unawares, and on this assumption the inmate has no choice but to conform. With our personal and daily data behaviours being stored, potentially forever, Schneier notes that an informationage surveillance state would go beyond even Bentham’s “wildest dreams”. The first two chapters should be enough to raise the eyebrows of even the average ‘aware’ reader. As a former national law enforcement officer, where relationships and criminal contacts are reviewed across organised crime groups and across state and federal databases, the extent of how metadata can be used to create not only organisational patterns of behaviour but individual patterns, are as effective in detail as a telephone intercept. Schneier highlights a Stanford University experiment that examined the phone metadata of 500 volunteers for several months – the deduction made from just metadata included being able to identify an automatic weapons owner, home marijuana grower and personal health matters including someone having an abortion, suffering a heart attack and someone diagnosed with multiple sclerosis. Schneier cites former NSA general counsel Stewart Baker, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata you don’t really need content.” Worse still, the former NSA and CIA Director Michael Hayden is quoted, in 2014, “We kill people based on Metadata.” Yet despite this capability, public security is not necessarily enhanced with mass capture of metadata, as being attempted with Australia’s data retention laws. Schneier asserts… “there is no scientific rationale for believing that adding irrelevant data about innocent people makes it easier to find a terrorist attack, and lots of evidence that it does not. You might be adding slightly more signal but you’re also adding much more noise. And despite the NSA’s ‘collect it all’ mentality, its own documents bear this out. The military intelligence community even talks about this problem of “drinking from the fire hose”: having so much irrelevant data that it’s impossible to find the important bits.”

Yet the public is told that more mass surveillance is required to make us safer? The 9/11 Commission Report described a failure to ‘connect the dots’, which Schneier highlights… “the proponents of mass surveillance claim requires collection of more data. But what the report actually said was that the intelligence community had all the information about the plot without mass surveillance, and that the failures were the result of inadequate analysis….Whenever we learn about an NSA success, it invariably comes from targeted surveillance rather than from mass surveillance.” I would argue even this relates to Australian examples also. Schneier asks the right questions and presents a comprehensive and factual account of international data and digital surveillance activities which puts the ‘freedom’ of any western public at risk to future ‘unknown’ government policies. Schneier says, “The harms from mass surveillance are many, and the costs to individuals and society as a whole disproportionately outweigh the benefits. We can and must do something to rein it in.” I will leave it to you, the reader, to get this New York Times best seller and make your own mind up. Having heard Schneier speak publicly a number of times and during my interview with him in Sydney last October, I’m convinced he has written a book every high school student should read and why I’m concerned that Australia’s Federal Attorney General, George Brandis introduced mass data surveillance laws and then famously was unable to even define what metadata was when being interviewed on national television. When law makers take away individual freedoms in a misguided belief they are doing good for the whole, then it’s indicative of the time when the system as a whole is fundamentally and irrevocably broken – and at our peril when faced with an unknown future. Bruce Schneier, aged 53 years, is an American cryptographer, computer security, privacy specialist, and author. Having written several books on general security topics, computer security and cryptography his latest book, ‘Data & Goliath’ is not only a best seller but a MUST read! Get your copy at books/data_and_goliath/

Have you recently published a security related book? Or have you just read a new, great security book? Please email us at

AUSTRALIAN & NEW ZEALAND DELEGATION TO INTERPOL WORLD 2017 INTERPOL World 2017 is a biennial exhibition and congress event that connects

law enforcement, government bodies, academia, international security professionals and buyers with security solution providers and manufacturers. This event provides a strategic platform for the public and private sectors to discuss and showcase solutions to evolving global security challenges.

ABOUT INTERPOL WORLD 2017 “We came to meet senior police leaders from other countries with a view to exchange criminal records, biometrics and fingerprints. We achieved ten new partners.” - Ian Readhead National Police Chiefs’ Council, UK

The mandate of INTERPOL World, a global exhibition and congress platform, encapsulates the vision of a safer world through using innovations and engaging government, organizations, and strategic think tanks in a multi-stakeholder approach. INTERPOL World 2017 showcases innovations and solutions from 300 international suppliers and manufacturers. More than 10,000 public security professionals and commercial buyers from around the world will convene in Singapore to find and forge mutually beneficial alliances leading to faster and more accurate responses to global security threats. INTERPOL World is an event owned by INTERPOL, supported by Singapore’s Ministry of Home Affairs, World Economic Forum and Singapore Exhibition and Convention Bureau.

CONGRESS TOPICS 4 July 2017 - Shedding light on the “Dark side”– Cyberspace and the future of security. Managing cyber threats to society from the “hidden” Internet.

6 July 2017 - Identity management and detection in a borderless world. Law enforcement, migration and border management in an age of globalization.

5 July 2017 - Prevention – Getting smarter, faster and more precise. Preparing policing strategies, approach and tactics for managing urban centers and global cities of the future.

Please visit for more information about the Congress and Exhibition in Singapore, including the current Congress agenda.



Dates Suntec Singapore Congress 4 – 6 July 2017 Exhibition 5 – 7 July 2017

Location Suntec Convention & Exhibition Centre, 2017SINGAPORE

Convention & Exhibition Centre Apply by 31 May, 2017



Chiefs, Heads, Directors, Officers, Security Professionals, Security Consultants, System Integrators from: • • • •

Homeland Security Departments Law Enforcement Agencies Regulators and Policy-makers Critical Infrastructure, including Telecommunications Airports/Ports/Harbours Public Transportation Public Utilities

• • • •

Sports Stadiums Commercial Sectors Including: Banks & Financial Institutions E- and M-commerce Data Centres Hotel Chains Pharmaceutical Oil and Gas Brand owners Commercial, Residential & Industrial Property Developers R&D Institutions Academia Media

WHY YOU SHOULD PARTICIPATE Sourcing Platform - Source for the latest

Networking Platform - Industry networking

information communication technologies,

receptions allows you plenty of opportunities to

public safety and security products, vehicles,

expand your business contacts.

robotics and unmanned systems and gears and accessories and many other innovative solutions

Business Platform - Look out for our Online

that will address your security challenges.

Business Matching to schedule meetings with exhibitors, delegates and speakers prior to

Knowledge Platform - Learn from security think-

your visit.

tank and best practices from various government agencies and commercial companies at the


INTERPOL World Congress.

CONGRESS FEES MySecurity Media will coordinate your participation in the program as a member of the official Australian and New Zealand delegation. Participants are required to arrange their own flights.

PRIVATE SECTOR PARTICIPATION Group of 5 and more up to 31 May 2017

Early bird up to 31 May 2017

3-day pass



2-day pass



1-day pass





2-day pass


1-day pass



Est time to exhibition & venue

Room rates (Single)

Room rates (Double)

Internet access

12 min walk

SGD 310++

SGD 340++


9 min walk

SGD 275++

SGD 305++


12 min walk

SGD 260++

SGD 290++


15 min walk

SGD 190++

SGD 210++


15 min walk


SGD 170++


*List of Hotels available on request REGISTER NOW AT IMPORTANT INFORMATION If you are considering this delegation, MySecurity Media recommends that you consult ‘Smartraveller’, the Australian Government's travel advisory service, which is available at Travel advice is updated regularly on this site.

KEY CONTACT To discuss your participation options further, please contact: Chris Cubbage Director, MySecurity Media ph | +61 (0)432 743 261 e |

16 – 18 May 2017 Asia World Expo, Hong Kong









Mission Systems 78 | Asia Pacific Security Magazine


Asia Pacific Security Magazine, Mar/Apr 2017  

The Asia Pacific Security Magazine is published bi-monthly and features news, articles and promotes partner events from across the region. S...

Asia Pacific Security Magazine, Mar/Apr 2017  

The Asia Pacific Security Magazine is published bi-monthly and features news, articles and promotes partner events from across the region. S...