Information security is not a priority for many domestic firms and organisations, so it is a tough task convincing them to take it seriously, says Bernard Alphonso. As the director of what he claims is the Kingdom’s only firm specialising in the field, he would know.
Alphonso – a self-professed “security evangelist” – says that many of the calls he receives come after a problem has already arisen and the damage is done. He advocates a proactive approach to information security, claiming it should be the domain of the decision makers rather than IT managers.
“It’s high time Cambodia became serious about information security,” he says. “Based on my own experience, but this is me, typically very few things are being done.”
Alphonso started Alphonso Security Consulting in France in 2003, before moving it to Cambodia in 2005.
“As far as I know I don’t have any direct competitors in Cambodia,” he says. “What characterises my firm is that it is 100 percent specialised in information security management.”
The recent WikiLeaks situation showed that often the main threat to security was not purely online hackers, but was often as simple as individuals stealing information. In the case of WikiLeaks, security had allegedly been breached from Bradley Manning, a 22-year-old US Army soldier.
Alphonso says stealing digitised information is generally easier than taking physical items.
“People often don’t have a perception [that] they are committing a crime,” he says. “CEOs, for example, are gold mines of information.
“Let’s not wait for the big data breach to happen.”
Although Cambodia’s economy is benefiting from the advent of its communications networks, this also opens up companies and organisations to more possible breaches.
Alphonso says it would be far easier for clients to act proactively, but generally he’s called into action after the system is already down or the data is already gone.
Too much money is often spent on security, when many problems could be prevented by applying simple common sense, he says.
For example, he has seen money wasted on sprinklers in server rooms and hiring guards that spend their time on duty asleep, along with other dubious expenditures.
While technology plays a large role in information security, software alone is no good if not updated, he says.
“Security training is far and between although human beings have always been the proven weakest link in a security chain.”
When working with clients, he first advocates an assessment to look at possible vulnerabilities.
He is the only employee at the firm, but says he works in tandem with other consultants, including for clients based in Malaysia and Singapore.
Still, Alphonso says he has had a tough time selling his mission in Cambodia.
“All too often I have encountered skepticism and resistance,” he says. “Security is like insurance and you know that when insurance policies are not legally mandatory people tend to be negligent and risk prone.”