Omodele Adigun
The socio-economic disruptions caused by the Coronavirus pandemic have triggered paradigm shift in security risk management, According to Mr. Wale Olaoye, the Group Managing Director/CEO of Halogen Group, these have instigated a deeper understanding across the business and public governance landscape of the urgent need for a real paradigm shift in security risk management from mere physicality and brick and mortar solutioning. In this interview, he canvassed a more intensive, holistic and digitally compliant approach that integrates knowledge, technology, and people.
“Now all companies must begin to understand what it means,” he stated.
Excerpts:
What is your insight on business instability and the security risks which organizations may face after this coronavirus pandemic?
Personally, I think society has been ill-prepared. Nobody was prepared for the pandemic, but at the same time, having followed the trend in the last four months, what is confronting most nations now is that there are a lot of debates, and there is no single agreement among nations on the parameters or basics of returning to work. But there is a basic scientific requirement or framework that is incumbent upon any organization that wishes to return to work under this circumstance and context such that for an organization to resume operations as it were, there are some imperatives that are required and indeed demanded to ensure the safety of operations. These requirements are now fundamental as COVID 19 has now placed heavier demand on businesses’ enterprise risk management. Focused enforcement of enterprise security risk management strategy, practices, and infrastructure has become critical to ensuring business preservation, resilience, and sustainability. Most importantly, the coronavirus pandemic has also tested the hearts of who we are as humanity because this has taught us that the most important thing in life is actually the air that we breathe like human beings.
It has been established that most countries did not envisage the possibility of a global risk like coronavirus? Would you say security organizations like Halogen Group had any contingency plans that might help to provide some mitigation?
All governments across the globe have been ill-prepared for this pandemic. It is no longer news that our world has changed; our world is no longer what it is; nobody is mixing freely, people are not traveling out there, which is the new normal. This has made people to now understand the depth and the seriousness of what is confronting us. Interestingly, a core element of our transformation programme at Halogen Group has been the recognition that the world is becoming more and more open and borderless and volatile and that human interaction and myriads of work and business processes are bound to migrate more and more from the tangible, physical plane to the virtual plane, thereby redefining security risks and placing emerging technologies at the heart of everyday life and security risk solutions.
This comprehensive transformation journey which started about 4 years ago and which had seen us embark on significant investment in building cutting edge digital infrastructure and in-depth redesigning our security risk management approaches, seem to have preemptively prepared us at the Halogen Group for stronger and quicker response to exigencies of COVID 19 disruptions. Similarly, and importantly, it has placed us in a very strong position to assist our diverse clientele to tackle enterprise security risk management compliant with the new demands of COVID 19 disruptions. What we have basically done at Halogen Group is that we have developed a business segment assessment framework that is comprehensive; we are confident that it fits any best practice anywhere in the world. It looks at everything, that confronts our health, security, and safety, and the issues that COVID 19 has thrown up into seven clear headings.
Are there regulatory frameworks which can help organizations to mitigate possible health, security, and safety risks of COVID-19 as many are ready to return to their offices?
For any organization that wants to go back (to work) now, there has to be a solid understanding of what regulatory requirements of compliance for any executive that wants to go back to work. So what are the regulatory considerations? There are several Acts: The Nigeria Data Protection and Services Regulations Law. There are some provisions there that will compel organizations to do certain things. Business leaders, especially their Security Risk Responsibility Officers need to understand what that Act says; and, of course, the NCDC guidelines that are also given. But beyond that, there is a lot in relation to what the professionals need to understand. Secondly, in that same framework, there is a change of what we used to know as Health, Safety, and Environment; HSE. In the new order, there is a C advantage to that: that is why at Halogen, we have come up with what we call HSE plus C – the C standing for COVID 19 compliance. Thus, within the new Halogen framework, Health, Safety, Environment and COVID Imperatives are rigorously examined. So, there is a lot of activities within that framework; under that heading that organizations must understand and comply with and change when they deal with those things. Of course, the facility itself, there is several things that impact your facility that must be robustly interrogated. So, professionals have quite a lot to do in the area of strengthening institutional protection and resilience. These are the elements we comprehensively addressed within the new Halogen business resilience and sustainability framework to aid security risk analytics and Solutioning decisions for enterprises and organizations across the public and private sectors. Fourthly, the notion of security risk management itself has moved. Now; there are imperatives upon the way you acted on some facilities and the way you change the arrangement around the facilities.
Five, the people. So managing people’s risks has got to come to the fore. Without people, no business or company can exist. Most organizations are underestimating the imperatives around the risks, health, and safety of their human capital assets and what it means for their people as they return to work.
Let me say this to you. If your organization wishes to return to work and ensure its survival and build sustainability into the business and continue to be in the business that cannot happen if you (the employee) are not in the right state of mind or health to return to work. So the biggest resources for your media house are the gentlemen of the press: the journalists, the editors, and other people that work in that place. If they don’t get there to do it, now what will the company aspire to be? Nothing! So without the people, there is no Daily Sun! So there are a lot of headings; a lot of parameters that we put under that heading where we focus on people’s safety and what it means within the context of health safety parameters. Similarly, there is the matter of school work. How do we, government, educational institutions, teachers, and students bring sustainability to learning in a disrupted environment where physical contiguity and mass gathering is no longer feasible?
And, further, on returning back to work, how can the people travel to work? Must they begin to trek to that organization? How does he travel to work from home to the office? How is the individual employee’s home condition? Is there a risk that careless individuals can get exposed even at home, making the newly reopened workplace an endangered zone brimming with deadly contagion? These are the few dynamics that we build a lot of parameters around for that organization to understand what it is. What they need to do to return to work.
Number six is mobility. How the organization now ensures the people move. The other day, I was going to work. On the first day of the lockdown relaxation on Monday, I was in my vehicle and each bus that I saw in Ikeja had a full load of people. And at the bus stops you see people disregard (lockdown relaxation guidelines). What it means, is that any of our staff or yours could have been there. And it has implications for other people when they come to work.
What’s your perspective on the level of compliance of the people following the government’s decision to relax the lockdown in parts of Nigeria?
There are quite a lot of things we have taken for granted. Look at what happened at the banks on Monday and Tuesday (last week)! So there are quite a lot of imperatives that are critical to a sustainable and safe return to work. It is far more complex than the government just asking people to return to work at 50 percent capacity. Social distancing and streamlined workplace density as prescribed is just the beginning. The government can only give the basic framework. Enterprises, relying, where possible on professional counsel from security risk management experts, need to marshal a comprehensive safety regime that will help them optimize protection through and beyond COVID 19. So what does 50 percent mean for a Danfo driver or Danfo union where there may not have been solid enlightenment? You have not told them how a Danfo bus looks like; how they sit in those buses or that this is what 50 percent means in their own specific context. Assigned agencies must visualize these things; go to the unions; let the union have an understanding; have an agreement with them because fundamentally, a Danfo driver is in business. He doesn’t have a full load. But with a full load, he knows how much he used to make. So these are the things that, once you have confronted and face the union, by the time people return to work, there will be an understanding, whether they want to increase the fare to make up for the number or they want to be supported to make up the number. Take for instance offices that have just 20 people; or some offices that have just five or six people. What does the 50 percent stipulation mean for them? How will it happen? In some of these things, how will you drive compliance? Do we have a compliance enforcement plan primed for optimal results? How do you drive it, even though you expect people to be self-accounting and self-regulating? But that is what we are; we have seen that already. How do we organize where enlightenment and information have been deficient? These are the reasons why Halogen helped to develop a business readiness and resilience framework to assist more structured organizations in processing their thoughts for effective risk mitigation through and beyond this pandemic.
The last one is technology. We have to now understand that technology has come to be. And thankfully it is an affirmation of the messages which Halogen has been preaching in the last few years. If you remember, sometimes, last year, in June, when we unveiled our new brands and our new operating companies, we did say that operations of some of our businesses have changed because it is now a digitally connected and open world that is daily becoming more volatile. The world is open; the world is borderless. Technology has come to the centre. And technology will drive the way the world goes now. This pandemic has come to underscore that. So we keep on looking up to technology. But we have to come to understand that technology itself is a risk on its own, but there are ways we now understand and build technology and plan and mitigate risks around that. So those seven domains represent the assessment framework we have developed, and it is a huge process that we also automated to help clients that want to return to work, understand what the imperatives are. And it is quite robust and very compelling for this task
More than ever before cyber-attacks are reported to be on the increase. As a security risk expert, we would like you to explain in detail what are the causative factors behind the seeming increase in cyber-attacks?
In those days, when you talked of crime, we talked of the crime triangle. They are those things that make the criminals commit the offence. Number one is the desire of the criminals to commit the offence. But the desire will not come until he has a target; the target of the criminal desire. That is something that is there. Then thirdly is the opportunity. Opportunity means that there is a value that he needs, and there is a soft point, the vulnerability that he can easily access. You have a desire, you have a target and you then seize the opportunity. A few years ago, in the early days of our business, thieves would go and rob offices when it was month-end because the paymaster paid salaries by cash in some offices. People that moved bullion vans cash from the banks to the offices. We used to have armed robberies in those days. They would waylay and go and take the money in transit at month ends. There used to be a spike in crimes in those days. They would waylay the bullion vans or they would attack the bank itself or they would steal your money towards month-end; there used to be robberies in buses more of people that received salaries in cash; they would waylay and robbed them. That was the case then. When last did you hear of people going to anybody’s house to go and rob him at home? This is because the value has moved from physical to virtual space. And therefore, cybercrime is going to increase significantly. So there is a desire for criminally minded people to come to that domain because there would be an easy target there. As recent as even yesterday, we have clients that talked to us of an attempt to break into their systems. Thirdly, in the crime triangle is the opportunity. Once the opportunity is there, and riches are stored, they can look for ways and penetrate. So you can break the crime triangle by not giving the criminals an opportunity. So we need to look at investment in cybersecurity. That has to come to be the norm. it is no longer for big operators that are driven by regulators, no longer just for the banks and the Telco’s but small and medium businesses, SMEs, faith organizations, and public agencies must now begin to focus on cyber-security. We put this to most of our clients in the last 15 months. Sad as it is, the unexpected COVID 19 challenge has validated our technology-centric transformation and our complete overhaul of security risk management practice. Importantly, the severe disruptions attendant to the pandemic has instigated a deeper understanding across the business and public governance landscape of the urgent need for a real paradigm shift in security risk management, from mere physicality and brick and mortar solutioning focus to a more intensive, holistic and digitally compliant approach that integrates knowledge, technology, and people. Now all companies must begin to understand what it means. Most criminals connect to your server with foreign devices from home. You are not able to control the devices. In most cases, they look for the soft belly which is the vulnerability that those rogue staffs require. That is the point of vulnerability. So there is a hugely significant shift around cyber-crime consideration and how it applies. So these are the things that organizations should accelerate and take advantage of in this new order. So we must recognize that it is a new order; it is a new day; the world is open; the world is vulnerable; the world is volatile; nobody is safe anymore; the boundaries are down; it is a borderless world.
Despite heavy investments made by Nigerian banks in cyber-security, cyber-crimes seem to be on the increase. Our country Nigeria seems to be particularly notorious as a major centre for this crime. What do you think should be the solution?
If you look at the various sectors in Nigeria, the cost, the Acts, and the CBN specifically put a lot of pressure on the conditionalities for universal banking, there are conditionalities for mobile banking and internet banking. All these provide that you must address the risk elements and also what the Cyber Crime Commission Act provides. Most of the banks have invested in cyber security, though it is not at an equal level, some more than the others. But there are minimum standards. But is it adequate? It may not be adequate for most of them in the new post-COVID 19 dispensations. But the key thing in the crime triangle is that it is still the man that is at the other end to ensure that what to be done is being done. So man is still at the heart of mitigating; man is part of the equation. Let me explain: If you look at a cybercrime like when they do a SIM swap; it is so easy. Maybe you have your SIM card, suddenly you see that the phone is not working for a few hours or a few days and you are wondering. Somebody has swapped your SIM.SIM swap is not easy without the connivance of somebody inside. So within the hours or days that the phone did not work, any information that comes to you from your banks is received by those guys. The bank has done what it should do, so it is not the bank’s problem. So at the other end, maybe there is one insider that has given one or two pieces of information. Maybe you have been careless the way you keep your card; maybe you keep your phone on the table and they stole your SIM. By the time you realize, they have taken some money out. Now is it the banks that have not invested in cyber-security? Yes, they have. But somebody is not careful enough somewhere or somebody somewhere somehow finds a way to circumvent the security of your system. So a lot still needs to be done on enhancement scale. Do we have constant data on various ways that people have been breached? The banks need to invest more in enhancement in exposing ways and means at which people are coming to make attempts to access people’s accounts.