With a market cap of R140 billion and covering over 42 million lives, Discovery has a lot to protect. The man in charge of overseeing the safekeeping of all that data is Zaid Parak, group chief information security officer at Discovery.
In an interview with ITWeb TV, Parak outlines the top cyber risks the group is facing and offers some insight into the strategic approach taken.
He says the number of attacks the group faces is “almost unquantifiable” and increasing exponentially.
Discovery is a financial services group that offers a range of solutions, from medical aid to life insurance, from savings and investments to short-term insurance, and, more recently, banking. Most of these offerings are underpinned by its behaviour-based wellness rewards programme Vitality.
The group is a South African success story, with a presence in the UK and US and, through Vitality, in 40 territories worldwide.
Discovery says it prides itself on innovation, its “shared value” model and on using technology in engaging ways to drive certain behaviours among its customers. With all of that, however, comes an incredible amount of sensitive data.
The biggest cyber threat to the business in South Africa currently, Parak says, is mass credential stuffing attacks.
“With the number of breaches globally and the databases of credentials available on the dark web, we're seeing massive credential stuffing attacks. That's probably the highest vector hitting our perimeter every single day.”
He adds that social engineering, through phishing and smishing, is also a top concern due to its prevalence across the South African financial services environment. He attributes these campaigns to well-organised syndicates, likely operating from within South Africa or Africa.
“As soon as you click on the link – and unfortunately, we’ve had a few customers go through that motion, going to a fake site that’s looking for credentials – within minutes, there's the phone call and it’s very professional. As we take down these sites, and so too do other banks, within hours there are a few more sites springing up.”
Evolving cyber training
As with any modern organisation, Discovery runs cyber awareness and training for its employees, but, Parak says, the levels of maturity around training are evolving.
“We've shifted away from the traditional ‘watch a video and answer some questions, now you're cyber aware’, that doesn't help. Our engagement is shifting towards ‘just in time’ training.”
He explains this is a targeted approach to awareness that, as the name suggests, is delivered in a timely fashion; the key is that it is contextually relevant. “The shift needs to be what is relevant to me as an administrator, or as a developer, or as an actuary or a financial officer. What attacks would I be susceptible to?”
But, with all the training in the world, insider threats can still exist, whether they are driven by an individual’s personal greed, or a compromised employee under duress from criminals. In the economic environment of South Africa, collusion is unfortunately rife, says Parak. As such, this is an area he is paying specific attention to and will drive the group’s activities in the upcoming financial year.
“We're starting to move towards behavioural analytics or behavioural monitoring mode, where we can look at how AI can help us.”
Outlining that the analytics will need to operate within boundaries, Parak admits that Discovery isn’t quite at the stage of launching the behaviour monitoring yet. When it does, he says, the monitoring will trigger when a user’s digital behaviour deviates from normal patterns. This, combined with contextually relevant training, he hopes, will reduce the internal threat.
Another common cyber threat faced by organisations is the potential for supply chain attacks. For Discovery, with its Vitality offering, which is licensed to international insurance providers, the potential for third-party breach is significant.
“We have a massive partner network, where we share information and vice versa. From our side we quickly realised criminals are going to attack your suppliers, and that's exactly what we're seeing.”
Parak says Discovery does due diligence on its Vitality Network partners, classifying them based on data and information shared. The level of diligence varies, he says, based on the assessments. For the highest classification, Discovery conducts a full data privacy impact assessment, a security assessment, physical site visits and annual checks, including penetration testing. “And within our contracts, we stipulate the requirements on the protection of our member data within those environments, if it is being processed or stored there.”
Agentic AI and quantum
Regarding emerging threats, Parak says Discovery is starting to experiment with and adopt agentic AI within the organisation. “My primary concern is the access to information those agents would have and the management of those agents. If you look at Copilot, any staff member or user can quickly spin up an agent, which is great in terms of productivity and something we encourage, but what access does it have? And how do we start managing those agents? It’s something I don't have a solution for yet, but something we’re looking into.”
As for the threat posed by quantum computing – its potential to crack existing cryptography – Parak says the time to start taking the threat seriously is fast approaching. He says it’s definitely on Discovery’s radar, but admits it will only become an active focus in the new financial year.
“I think all organisations need to start doing something actively, because these years creep up and then before you know it, it's there and then you're scrambling to make massive changes that will have far-reaching impacts.
“The first part of it is discovering and understanding where we are using all these algorithms (cryptography). The known is known – your certificates, SWIFT transactions – but where else in the organisation are these hidden cryptos?
“The biggest concern I have currently though is ‘harvest now and break later’.”
On the subject of cyber culture within Discovery, he notes that the launch of the bank (in 2019) played a big part in raising awareness across the group.
“The insurance industry wasn't as heavily regulated as the banking industry. With the launch of the bank, we started beginning an understanding of the importance of security and I think that's when our executives and our business started saying this is the right thing to do.
“A big part of the strategy I brought into the company is around how to elevate the security posture of the entire organisation to the level traditionally known at banks, which have the best security, and that's what we've done over the years.
“We're no longer ‘the police’, but we’re now the business partner and enabler, and I think that is crucial for any security executive or CISO; not to be seen as that roadblock and saying no, constantly saying the sky is falling, because of the risks but embed that into how to use security and privacy and mindfulness in enabling the business.
“We’re in a phase now, over the past few years, where we don't bolt on security any longer, we actually build it into everything we do.”