AltoVita's Spotlight Series
AltoVita's Spotlight Series: 5 Minutes with Ibraheem Khan
We are delighted to share this new entry in our Spotlight Series, featuring our brilliant Chief Information Security Officer, Ibraheem Khan, a conscientious and diligent member of the AltoVita team.
Known for his extensive knowledge, strategic mind, and energetic personality, Ibraheem has been working in information security for more than 10 years, developing a real talent for identifying complex problems and implementing innovative solutions along the way.
With a host of evolving cybersecurity threats on the rise, we’ve been fortunate to have his wisdom guide us in the right direction, so that AltoVita can stay at the forefront of best practices for digital technology in the flexible rentals sector.
Read on to get to know Ibraheem even better, as he shares a few fun facts and advice on how we can all stay safe online.
You’ve previously written about the vulnerabilities of working from home when it comes to cybersecurity, but what two benefits does this model offer employers and employees?
Ibraheem says: For employees, working from home offers two benefits, especially from my perspective (having a young family). The first is being able to stay home, spend more time with my family and watch my kids grow. Before COVID, I would travel a lot and would be away from home for most of the week. To be grounded for a lengthy period of time has been great, as I get to do what I love (my work) and also be with the people I love (my family). The second is having more of a balance between home and work life. Over the last couple of years, I know a lot of people have struggled with their home and work life balance, but for myself I feel like I now have the perfect balance. As I am no longer travelling all the time, it means I can have a routine at home, from taking the kids to nursery, making dinner for the family, or even going to the gym on a regular basis. These are the little things that used to be a luxury for me. Also, I did not realise how much of my day was spent in traffic or waiting for public transport. On a daily (Monday to Friday) basis, I am probably saving an average of 2.5 hours a day travelling to/from an office. Whether it is waiting for a flight or a train, or being stuck in traffic, I am now able to use that time for my own personal good.
From an employer’s perspective, it has to be the ability to have an increased talent search radius. As companies were attached to an office location, it meant they had a small search radius to find talent, or to attract talent who would be willing to relocate. As times have changed and modern companies have readily adapted to the use of technology in conjunction with operating from a “virtual” office, it has allowed more companies to search practically the full globe. I think it’s great because companies are able to find the best candidate for the role, and depending on what the role is, it may require a specialist who has the right experience but is 100+ miles away.
The UK government recently introduced new legislation to help protect consumers’ IoT devices from hackers. What would you say are the top takeaways from this?
Ibraheem says: I would say the top takeaways are the three main elements of the Bill, which I believe are also necessary for all organisations using any form of software or cloud application solution, not only for those who are creating or reselling IoT devices.
- Ensure all generic/default passwords are changed at the first opportunity. Changing a password from something obvious to something secure is, in my opinion, basic information security 101. If the password of your device/application is something like “admin”, then I am sure that the majority of the time a replica of that device or application is going to have the same password.
- Making consumers aware that they should update their device, and how long it will be in support for, is another basic information security requirement. Patching and updating the software of anything is important. Using something that is no longer in support from the manufacturer/supplier is always nervy, as it means that once the device/application is broken, it is going to be costly to purchase a new one. Or it might be that you love the device/application so much and have an attachment to it that once it breaks and you have to get a new one, you lose the sentimental value of that device/application. Whilst I get and respect that, anything that is connected to the internet should be updated on a regular basis. There are many smart people who on a daily basis try to hack into various devices and operating systems just for kicks (and some for financial or reputational gain), and without updating your devices you are allowing your information to be accessed or tampered with. From a consumer perspective, knowing that the device/application you have purchased is going to be updated and fixed for bugs or security issues should grant you peace of mind that it is going to keep you and your information safe for as long as possible… until it is out of support. If, however, you purchase a device/application that is connected to the internet and it is not clear how often the company will fix their issues (bugs or security vulnerabilities), it is always worth exploring how secure that product actually is.
- The third main takeaway, which follows nicely from the second, is the ability to have a point of contact to report security vulnerabilities or bugs found within the device/application. This is key for two main reasons for a consumer. The first is that if a security vulnerability has been reported, it is the responsibility of the manufacturer/supplier of the device to ensure the security vulnerability has been remediated, and if not, the manufacturer/supplier could be fined, so there is a high possibility that the device/application will get updated rather than left and forgotten about. The second is knowing that the device/application you use on a daily basis is still your number one go-to device/application until you or the manufacturer/supplier (whichever comes first) has decided to part ways and move on to new pastures.
There are other takeaways from this Bill, such as the manufacturer/supplier getting fined for non-compliance, which I touched on briefly, as well as knowing that the vast number of IoT devices that are produced and used on a daily basis are finally going to get the security attention they actually need and deserve, plus a few others. But I felt the three main ones above are key, as they are the takeaways that can be applied to any device/application, including mobile apps found in Apple’s App Store or Google Play, or even on the PlayStation, Xbox or Microsoft applications. Any application or device that is connected to the internet should follow them.
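The first takeaway, enforced on the device side, as an added example that is not part of the interview or of AltoVita's own code: each unit is provisioned with a unique factory password rather than a universal one such as “admin”, and the account cannot be used for anything except changing that password until it has been replaced. The class and function names and the short blocklist of common defaults are illustrative assumptions, not any vendor's API.

```python
"""Added example: per-unit factory password plus forced change on first login.

Illustrates the "no universal default passwords" takeaway from the device
side. Names here (DeviceAccount, COMMON_DEFAULTS, first_boot_flow) are
illustrative, not any vendor's API; the blocklist is a constructed sample.
"""
import hashlib
import hmac
import secrets

# Constructed sample of universal defaults that must never be accepted as a
# new password; a real deployment would load a much larger list.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345678", "root", "default"}
MIN_PASSWORD_LENGTH = 12


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked credential store is not trivially reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class DeviceAccount:
    """Administrative account as provisioned at the factory."""

    def __init__(self, username: str = "admin") -> None:
        self.username = username
        # Unique per unit, generated at provisioning and printed on the label;
        # no two devices share it, so leaking one does not expose the fleet.
        self.factory_password = secrets.token_urlsafe(12)
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(self.factory_password, self.salt)
        # Until cleared, the only permitted action is changing the password.
        self.must_change = True

    def verify(self, password: str) -> bool:
        """Constant-time comparison against the stored hash."""
        candidate = _hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)

    def login(self, password: str) -> str:
        """Return 'denied', 'must_change' (correct but still factory) or 'ok'."""
        if not self.verify(password):
            return "denied"
        return "must_change" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> bool:
        """Replace the credential; reject defaults, the factory value and short values."""
        if not self.verify(current):
            return False
        if new.lower() in COMMON_DEFAULTS or new == self.factory_password:
            return False
        if len(new) < MIN_PASSWORD_LENGTH:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(new, self.salt)
        self.must_change = False
        return True


def first_boot_flow(dev: DeviceAccount, new_password: str) -> list:
    """Walk one unit through first login and the forced change; return each outcome."""
    return [
        dev.login("admin"),                                     # universal guess: denied
        dev.login(dev.factory_password),                        # label password works, but only to change it
        dev.change_password(dev.factory_password, "password"),  # blocklisted: rejected
        dev.change_password(dev.factory_password, new_password),
        dev.login(new_password),
        dev.login(dev.factory_password),                        # factory value is dead after the change
    ]


if __name__ == "__main__":
    # → ['denied', 'must_change', False, True, 'ok', 'denied']
    print(first_boot_flow(DeviceAccount(), "correct-horse-battery-staple"))
```

The point of the `must_change` flag is that a device shipped with even a unique label password still gives an attacker a window if the owner never logs in; refusing every other action until the password is replaced closes that window without relying on the consumer remembering to do it.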
What advice would you give employers who are embracing the Work From Anywhere (WFA) model in order to help keep their business and staff safe online?
Ibraheem says: As companies are allowing staff to work from anywhere, it is the responsibility of a company to ensure that their staff still adhere to the regulatory requirements of data protection laws. If an employee is situated in a country that is not seen as accepted or approved by the law, then the company must ensure that they do everything to meet the regulatory requirements. Exceptions cannot be granted ‘just because’, as that does not work when it comes to law. Everything must be followed, otherwise a company can receive a financial penalty or worse (i.e., potential loss of business, depending on the reputational damage that may come from a data breach).
As companies allow staff to work from anywhere, they also generally allow staff to use their own devices, and companies also have a responsibility to ensure that the device used is appropriate (i.e., up to date with all the latest software and security updates), with appropriate encryption in place, appropriate access controls on the device, and appropriate anti-virus software installed, with notifications being sent to the company’s Information Security contact or the appropriate person/team to investigate. Teams working in silos can present many risks to a company, but the same also applies to devices working in silos for an organisation. Personal devices are easy to distribute, but they are also an easy and great target for hackers or unauthorised users to access confidential and sensitive information.
Should a company adopt the work from anywhere methodology, then they must ensure an information security risk assessment is carried out on a regular basis to identify all of the risks that are present to the company and identify appropriate ways to mitigate them. Without conducting this exercise, it will be difficult to understand what threats the company is facing and how to combat them. Information security risk assessments are key to a secure organisation.
With the new year approaching, what predictions do you have for information security in 2022?
Ibraheem says: I think we will still see a rise in ransomware attacks and companies being compromised due to vulnerabilities. I don’t think those types of attacks will go away soon, but I also feel there has been a slack attitude toward operational resilience, with business continuity playing a massive factor over the last few years. Unfortunately, it is not unheard of for companies to be unaware of the types of applications, systems and devices used within the company that help make the cogs turn, but there are many risks to such apathy: for example, in the event of an incident or disaster, it might be difficult for a company to know which critical components need to be recovered or brought back into business as usual first without having conducted appropriate assessments. A lot of organisations believe that, because everything is in the cloud, the ownership is on the cloud provider, and as such backing up data and information is not something they need to do, as the data is stored ‘in the cloud’. This isn’t always the case, as there is a risk that the cloud environment a company uses could face an incident or disaster resulting in potential data loss or corruption. For 2022, it would be great to see organisations take more initiative in securing their data, but also conduct appropriate due diligence and regular health checks to ensure the survival of the company will still be intact in the event of a disaster or incident.
What are your favourite weekend activities, or hidden talents that may surprise our readers?
Ibraheem says: Ooooh, hidden talents… Is eating a full 14″ pizza by myself a hidden talent, or is that gluttony? I do not think I have any hidden talents, but I do have a love for Gracie Barra Brazilian Jiu Jitsu (GB BJJ). I train on average 3 – 4 times a week, for two hours a session. I started in August 2021 and fell in love with the sport/martial art. I used to train in Muay Thai for about 5 years when I was younger, but I gave up due to travelling for work. Now that I am grounded more (thanks to COVID… never thought I would actually say that), I am able to dedicate more time to focus on myself and my wellbeing. It is a dangerous world in infosec and data privacy… haha! In all fairness, the work I do is very sedentary, constantly stuck to a desk or a device trying to keep up to date with the latest news, so I had to do something that was active and allowed me to use my brain outside of work, rather than doing something active that was repetitive, such as working out in the gym. The best thing about GB BJJ is that it is a great metaphor for human chess. When you think you have got someone in check, they can put you in checkmate with one move that you didn’t predict or see. I am hoping to attend my first competition in April 2022. Who knows, in a few years I may say GB BJJ is my hidden talent, but for now it is definitely my go-to activity.