Cyber Insurance is a crutch; the best insurance is staff education

CISO Interview Series: Richard Jones, CTO, Jones Lang Lasalle

Richard, as CTO for JLL where does Cyber Security fit in your priorities?

JLL take the threat of Cyber Security very seriously, and over the past 18 months JLL has placed an increased level of importance on Cyber Security, to the level where we have formed a regional CISO (matrix managed to both our Global CISO and myself).

As a result of the increased risk of Cyber threats across the globe, JLL have significantly invested in skilled resources, 3rd party services, education and tools to better enhance our environment.

I was impressed to see that earlier this year, there was a JLL article – Defining Cyber Security – the impact on commercial real estate portfolio. I’ve not seen this kind of broad analysis before, can you comment on this?

This document has been produced to assist and provide a level of re-assurance to our clients (who include Government agencies and leading Financial Services institutions) that JLL understands the threats and associated risks with Cyber Security. We outline guidelines for implementing a robust program, both physical and logical, to protect against such security threats.

Working across a number of markets in Asia Pacific, where does your business face the greatest threats?

What we are seeing across the region is that it is not one specific country being "hacked" more than another, but that the cyber criminals are looking for general weaknesses in our environment.

Given this, our biggest exposure is our staff, and how many of them still do not believe security is their responsibility. We continue to educate them, but often it's not until they are personally impacted by an attack that they take security and the risk of cyber threats seriously.

What’s your view on the gap that Boards have around Cyber Security? Are there specific areas that they need to focus on?

I personally believe that, due to the recent highly publicised cyber breaches around the world and resulting CEO resignations, we have definitely seen an increased interest by the JLL board with respect to Cyber Security, with additional funding and headcount being approved and regular updates and compliance reports being submitted to the board for their review and action.

On the flip side, and while improving, we still have work to do in instilling that same level of vigilance in many of our staff.

We are seeing more enterprises move into the cloud, what’s your view on managing these threats?

JLL is committed to, and today actively managing, a hybrid cloud strategy. In addressing the security concerns, there is a general feeling that our data may in fact be safer in the cloud.

The Cloud vendors understand that security is one of the biggest concerns their clients have in moving to the cloud, and to address this they have invested heavily (more than I could ever do) in ensuring that they have the best people, process and technology to protect, detect and respond against possible attacks.

Actually, one of the biggest concerns that needs to be addressed is not so much about cyber attacks but about privacy laws and where the data is being held, and the rights governments have to access that data, whether through legal or illegal means. Given this, I see most Companies still prefer to keep their highly sensitive data (IP etc.) in a secured on-premise environment.

Have you been tracking the new advanced attacks, Business Email Compromise (BEC)?

Yes, we have been watching, and are seeing an increase in BEC attacks at JLL.

While the Technology team is doing its best to detect and block such email requests before they enter the JLL network, we still do see such requests infiltrating our environment: emails supposedly sent by our CEO, COO and CFOs to Finance and Account Mgt staff requesting urgent release of funds etc.

Fortunately, JLL has a strict financial approval process and staff all know that such requests would never be made outside the process, but it certainly doesn’t stop the criminals from trying.

We have seen a significant increase in these types of attacks over the past six months and we continue to educate our staff to stay vigilant against such requests.

I’m interested to understand your view on Cyber Security Insurance. Is it critical or is this just a crutch?

My personal view: it is a crutch. It is my personal view that the best "insurance" a Company can take to protect against Cyber crime is to invest in educating all staff that they have personal responsibility in protecting themselves and the Company against cyber crime.

By educating them to be alert to scams and possible attacks, and not to do things (visiting "risky" websites, not securing their devices etc.) that expose them to possible attacks.

What’s the best coaching that you ever received?

Of interest, JLL Technologies is working together with HR and has jointly developed an on-line Cyber Security education module. This includes a number of secret "on line test attacks" after graduation to ensure that the end-user is remaining vigilant. Should the users "fail" the test, they are required to take follow-up courses and their management is also made aware.

When you are hiring new staff, are there any qualifications that you believe are important to look for?

When hiring new staff, naturally we look to confirm that they have the specific technical skills and experience required to perform the role and secondly, and often more importantly, the personality that ensures cohesiveness with the existing team structure. Balancing a team that continues to ensure a smooth steady state with staff that are willing to "shake up the norm" and disrupt the way we do business.

One of the biggest challenges with a number of our "disruption" hires is that the excitement to get new products out the doors often comes at the expense of ensuring adequate security is in place. Managing and balancing this risk is a key task that I work on now.

You are given an opportunity to provide some words of sage advice for the Australian Government around Cyber Security – what would you say?

Cyber threats are real and will be the next front in which wars are waged. Take this seriously. Please invest and ensure that our Infrastructure is secure and personal data safe from any possible cyber attack. We don’t want to be Estonia.

Lastly, invest in your people: educate the public so they are aware and share the ownership against cyber attacks. Teach them to be vigilant and to be aware of the threats and risks. The damage such attacks can have, both physically and materially, is both real and substantial.
