• News
  • Columns
  • Interviews
  • BW Communities
  • Events
  • BW TV
  • Subscribe to Print
  • Editorial Calendar 19-20
BW Businessworld

Case Study: The Risk of Unpreparedness

“Technology gives us power, but it does not and cannot tell us how to use that power. Thanks to technology, we can instantly communicate across the world, but it still doesn’t help us know what to say” — Jonathan Sacks

Photo Credit : Shutterstock

“Technology gives us power, but it does not and cannot tell us how to use that power. Thanks to technology, we can instantly communicate across the world, but it still doesn’t help us know what to say” — Jonathan Sacks

Suvrat Bhardwaj walked into the office of Jaidev Rana, Head, Customer Operations to find him sitting head bent, intently listening to a complaint track.

Customer Madhur: I am very angry that your site has been retaining my card information without my permission and now my card has been used by someone in Luxembourg!”

Voice of Atul Bali (Prescott’s agent): But how is Prescott responsible?

Madhur: Because only you are retaining my card details. Yours is the only site I use – for books, for furniture, for electronics, to buy gifts, everything!

Atul Bali: I am sorry you are distressed but Prescott has nothing to do with the theft of your card.

Madhur: You are deliberately skirting the issue. My card has not been stolen, my data has been breached. I had a long chat with your CS agent, Jyoti…. How dare you keep my card online with yourself? And now don’t bother to reply to me. My lawyer will make that easy for you…

Jaidev looked up and seeing Suvrat, greeted him and switched off the audio clip. “Every day some new problem!” said Jaidev laughing. He is alleging that his card data was breached through our website, How do they make such allegations? Seriously….”

Suvrat: Did he call you?

Jaidev: Not me, but my colleague Bali.

Suvrat: Maybe you should report this to the Risk & Compliance team? Only they are properly equipped to examine the veracity of a complaint. And I would not take the complaint lightly. Once I know somebody is complaining, then the matter should be cascaded to the CEO and then, it reaches all the right levels. But things don’t always boil over. Many times they simmer and fester. So, if I were you, I won’t wait to see if that fellow will really file a suit or call the chairman. What he is alleging should be checked. He has indicated that he has spoken to a customer service agent, why don’t you call for the customer call record and verify, establish the precise nature of his angst?

Jaidev: This happens all the time

Mr Bhardwaj, who all to listen to?

Suvrat: How long has it been since you are hearing these complaints?

Jaidev: This is the 10th complaint I have received in the last three months.

Suvrat: Really! Did you mention at least once to the Risk & Compliance team?

Jaidev: Not formally but we chat over lunch, so some things have been tossed over.

After his scheduled 11 a.m. meeting with the security audit head over an old issue, Suvrat sought out Narayan Iyer, head of Risk & Compliance. In his room, he said, “Narayan, you heard what the top findings at the internal security meeting were. They are suspecting data pilferage... as the outcomes are reported, keep me in the loop, please. I need to examine our processes to ensure we have proper checks in place.

Narayan: Sure, I will. It is yet just a suspicion, not yet verifiable. So we will wait for them to establish… Why, something on your mind?
Suvrat: Now, this morning I was talking to Jaidev and he was mentioning some data breach that a customer was alleging. Jaidev, of course, felt it was not serious. Both these coming at the same time is worrisome.

Narayan: I am surprised, he has not told me anything.

Suvrat: Maybe he too is waiting to establish veracity. Data breach is not something that will present clear symptoms. You need to be continuously auditing your security measures and stay watchful. Why don’t you do this, check the last three months’ logs and see what are the kinds of complaints you are getting. If somebody is saying that a breach has happened, you know and I know that this level of breach must be reported to the Board. If Jaidev has not reported, then you can inquire — that is a different matter. But we can go over the complaints and, in parallel, support the Internal Security Team’s work — especially now that we are looking at internal security systems.

Narayan: Even the CEO has not said anything, Suvrat! In the last three meetings that I attended, nobody mentioned anything like this. Going by the nature of the breach that Jaidev mentions, if it is what you see, then it cannot be a one-off. It appears to me that there has to be a whole stack of such complaints.

Suvrat: Your boss, the CFO must have hinted at something by now? CFOs usually do not brook any risk or treat it lightly. Narayan…. Think please. Something is going on. Why did the security head want to do an audit when he was resisting audits all these months? Is something going on that you are being shy to mention? Do you know that stuff is happening? If you don’t, then you are in trouble. If you do, and I think that is possible, then tell me what you are doing about it. Your risk, your troubles have my sympathy of course; but I am not an auditor to demand explanation. If I press to know, it is because I have been warning about security lapses and asking for plugs to be put in place. Your confirmation of knowledge will help my work. I am accountable for your IT strategy; I too will be asked if I asked all the right questions and if I made sure that I obtained answers in full. Keeping your environment safe and secure is my mandate, I hope you understand that this is why I ask so many times.

Suvrat had been pushing for an entire holistic environment at Prescott. Only last week, he was talking to his partner at Westing Brothers, Alex Rajan and expressing anxiety over Prescott’s technology-unreadiness. A retailer traditionally, Prescott had stepped into e-tailing some years ago and wading it gingerly. But as he was to find, the engagement with e-tailing began as a challenge to do what everyone else was doing and then led to examining consumer interest and then to expansion. Nowhere in all this had Prescott wondered about the substratum of e-tailing: Information Technology.

Prescott attended to e-tailing with the same attitude it had given Purchess, its brick and mortar traditional business. The fact that business circulated and flowed through the wires of technology, was not apparent to operations.

The more Suvrat had looked at internal security, the less of it he had found. Recently, he had mentioned to Alex Rajan, his partner at Westing, that he wanted high security at Prescott.

Restless by now, Suvrat told Narayan, “I think the issue is bigger. I would urge you to talk to me about this. Risk & Compliance is the stuff of my work. Come let’s brainstorm and figure what is going on.”

Narayan was uneasy. He said, let’s meet tomorrow. I need time.

Next day at 9 a.m., Suvrat was taken aback to see five people in the conference room, including the chairman Ram Arya.

Ravindra Singh (Director, Ops): I will come straight to the point. We have come to know that there has been a significant amount of data theft and, truth is, we ourselves are confused and don’t know how it happened.... But we will sort it out among ourselves.

Suvrat: You cannot ‘sort it out among ourselves’, Mr Arya! This is deeper and murkier than you can even imagine, and puts the business at untold risk. And needs to be plugged at various levels. You do need IT to get involved. You need a security guard, as it were, posted everywhere in your system, so that wherever there is a point where data is exposed, the data cannot leak. And this, only technology can create for you. Add to this, security audit where you actually do a transaction audit of the document flow and examine if the security posts are void of control weaknesses…. How long since you have been of the view that data is being breached?

Ravindra: Some six months.

Suvrat (alarmed): Why didn’t you alert me? How do you say six months? Surely something may have happened to give you this feeling? I don’t think you understand the different dimensions of IT risk. If you have the right processes defined, then some access has to be restricted only to specific people only! You have not put those accesses in place today. You have to define the right level of policy and control which has to be done at a different level. I am seeing this all the time…

Imran Masood (Head of HR): What levels are you referring to?

Suvrat: Risk can be in hardware and software. When we say hardware, then we are talking of infrastructure and when we say software we mean applications. Infrastructure risk lies across multiple points: server, storage, network and data points, that is, end user points — laptops, mobile phones and computers. So, infrastructure alone as you can see has five parts. If I am a hacker, I can attack from anywhere and afflict any of these end points. That means so many more vulnerability points.

Ravindra: How do you mean, even mobile phones?

Suvrat: All are vulnerable because all are being served through the same server, part of the same server. So for example, a house has a window, door, garden, and terrace. A thief can come from any of these vulnerability points. That was just infrastructure. Now, take applications. They also need their security. Applications security will be at multiple levels, at the database level, at the level of different applications that Prescott uses, both on the server side and the client side and the Web applications, which is what most of the estate is. All the mobile apps that we have developed, have their own vulnerabilities. Every area has to be approached differently. Today any IT set up has so many vulnerabilities, which has evolved over last 5-10 years. A mature person in business will deal with this at a policy level, control level, he will invest in systems of appropriate complexity to monitor in real time.

Suvrat was already looking harassed. All that he was saying assumed that the men around that table had a deep understanding of their business environment. He realised he did not make sense to the people present. At least, not entirely. The CIO at Prescott, Amit Dalal (who uniquely was not present at this meeting) was in his 50s and had spent most of his years in manufacturing IT, which was a different world. He also came more from the application world. He had no expertise in the infrastructure side of IT. He depended on someone else for this understanding and that man — Janak Patel’s view of security was only focused on end points and he neglected the data centre, the hottest place where servers and storage were at Prescott. What was more, Janak directed the thought for Prescott exactly as he did for Purchess.

Suvrat: Janak is from the infrastructure side of the business, and he focuses more on end points but neglects the servers and storage. It’s like I am paranoid about my terrace so I want to protect only my terrace. But I leave my back door open… so a thief can come through the back door, no?

Point is, because there is no management school that trains you to become a CIO, anyone who is a CIO today has necessarily come up from a specific side — either infrastructure or applications. He knows his area well, but he is not fully aware of the vulnerability of the other web areas. He thinks I am doing everything properly. But he does not give percentage to the vulnerability creeping in from applications.

Ravindra: And that would be like?

Suvrat: Like being able to steal data...

Now facing the panel of five, Suvrat said, “There are these 10 things that can go wrong, but can you know which of the 10 have gone wrong? Each one has its own network of ramifications. All 10 could have gone wrong or 2 of 10 or 5 of 10… do you have a mechanism to find out what is going wrong where and when?

You don’t have a mechanism to tell you that something has gone wrong. You figured the wrong when multiple complaints came in. You are dating the risk or the security breach to the first complaint. But you do not know when the breach did in fact take place.

But Suvrat needed to get to the root of the breach. The panel, now sufficiently mollified, permitted him to check the encrypted records for all the card transactions.

On checking, Suvrat was stunned. Customer data was being stored!

Suvrat was quite confused by the turn of events. On one hand, the head of Business, Asim Datar, was vehement that at no stage had he defined business needs around customer data. Yet there before him, he could see 4,800 customer data sheets had credit card details saved.

The situation seemed to grow curiouser and curiouser as Asim called the operations manager Bibek Basu and discussed the anomaly. So, even operations had no idea! As they all sat around the table wondering, whispering, completely bewildered by the expressions that Suvrat was using, Basu began to look very disturbed. Slowly he confessed that he had known of the fact that customer data was being saved and had let it remain in the system as he felt that, ‘…some day we will need customer trends’.

Asim: Meaning? I don’t understand! Who asked you to store this data? And first of all, you need to be facilitated by the system to capture the data! So it seems more than just deliberate to me! How come the system is capturing?

Suvrat (taking over gently): Bibek, for how long have you known that data is being stored?

Bibek: It has always been there, as a facility. I knew of it. But I began storing it when once the system provoked by some error asked me if I wanted to store data and I thought I would be able to impress my boss with trend analysis....

I did not give any serious thought to its larger significance. I promise you. I only felt no one had likely explored this facility, that I would use this to advantage and show the company....

Suvrat: How did you come by this facility?

Bibek: It was in the design. When Elexa, the firm that customised the G-212 package for us, was customising the package, they asked me if we wanted this facility.

I was clearing the system at every stage, checking fitment, completeness, accuracy and so on along with Jaidev (from IT). When Elexa showed me this module, I thought it was cool. So, I said let it be there if it won’t cost us extra. They said they were OK with us keeping the module...

Over the next two days, Suvrat spoke to more and more of the team and learnt so much about how a system that is not secure can have features like this that lead to trouble.

The person who “revived” this feature at Elexa was a young business analyst who thought this was a cool idea. He included this in the final release of implementation. It was not done earlier because the seniors in operations were always aware that regulatory and compliance restrictions of Indian Laws did not allow you to do this. But when Bibek asked to keep it, the analyst at Elexa didn’t mind. And Bibek being unaware of legalities, enabled it.

The senior person at the implementation firm had left and there was a gap. When the analyst explained this to Bibek, both missed the fact that the feature had been lying “unused” not because no one knew it, but because seniors knew using it was against law. Then the audit that was supposed to happen never happened and they lost the opportunity to discover the mistake.

So on and so forth, it was a labyrinth of bugs and more bugs — operational, design, understanding and knowledge.

When all that had to be said had been said, Suvrat told Alex, “The three independent but interrelated areas: Risk, Compliance and Security, require approach at the levels of process, policy and technology.

Straightaway that means, investment in the right people, at right levels to ensure this is adequately covered. Had Prescott invested in process and security, then it would have appointed the right people who would have ensured that the feature to store customer data, even if enabled by business, is disabled because legally Prescott is not supposed to do it. Right folks in R&C would have identified this in a risk register to be maintained and flagged off that they are at risk but because those people were not there, no one bothered. Narayan in Risk does not seem to have the alertness to technological risks. The Risk manager should be able to smell risk!

Alex: This could have got captured in mandatory annual audits but the audit was skipped because it would have been an extra cost. And Prescott has been bypassing audits to save costs.

Suvrat: Not just people costs, but Prescott has been shying away from investing in monitoring and alert systems. Had they invested in these, data theft would have got flagged off the moment it happened! Someone decided not to approve the investment because the importance of that was not understood.

Alex: See, I can subscribe The Economist. But what to do with it when it comes are varied. I can paper my windows, I can leave it on my table to look good, I can read it,…. But that The Economist does not tell me. I guess it expects that I will read it for it is natural that when you subscribe you will read. I think technology is like that. Once you invest in it, you are expected to know that you must apply it and how to apply it.

Suvrat: Precisely. Precisely! And this is what I mean when I say Prescott is technologically unready. Readiness is a function of being able to tell control weaknesses from time to time; being aware of what can go wrong and why something can go wrong. Such readiness will manifest in investments in security alerts, so that breach or theft when it happens sets off the alarms.

So, the lack of controls and technology investments at Prescott is verily a function of lack of technology readiness, awareness… resulting in underinvestment, resulting in bigger risk and eventual business loss.

Alex: That we don’t know yet ….

Suvrat: That we will know soon.

Also read: Sanchit Jain | Anirudh Joshi | Ashutosh Tiwari

[email protected]