Insights into SOCAR’s cybersecurity policies and strategy
SOCAR, Malaysia’s app-based car-sharing service, doesn’t have a big team, but that hasn’t stopped the company from expanding to more than 530 locations and forging a partnership with KFC to move into their parking lots.
“We’re a small team but we make sure we deliver a great customer experience along with the convenience we promise,” said SOCAR CEO Leon Foong, in an exclusive interview with Tech Wire Asia.
Quite similar to Getaround, Zipcar, and Turo in the US, SOCAR allows users in Malaysia to book a car from a parking lot nearby, for any number of hours they prefer, and lets them drop it off at a location convenient to them.
Registration too is done via the mobile app, using a selfie alongside a photo ID of the intended driver. Most interestingly, the app is what the driver uses to gain access to the car.
By design, SOCAR’s users don’t directly interact with company executives at any point of the customer journey.
Everything is managed via electronic systems — and that’s what makes the company most vulnerable to cyber attacks.
Protecting users and SOCAR’s assets
Vulnerability isn’t something Foong is concerned about. “Pre-empt, stay ahead of the time, focus on preventing the most common types of attacks, and partner with the right people” is the strategy the company follows in order to ensure security doesn’t become an obstacle to assuring users of their safety.
“We’re aware of a lot of the potential risks that modern vehicles pose. While many of the standard Malaysian vehicles in our fleet, such as the Perodua Axia, aren’t connected to the cloud, others such as the BMW 330E, the MINI, and the Volkswagen Passat are. Hence, we think long and hard about the security needed for our vehicles.”
Foong refers to the recent man-in-the-middle (MITM) attacks in the US and the EU, which are becoming more common every day and make it easy to steal vehicles as well as cause accidents that could potentially lead to death.
“We make sure we keep ahead of the times. Our software is built to prevent MITM attacks. It’s quite an important capability for us because if we don’t prevent it, not only does it make our vehicles susceptible to theft, but also puts the customer at risk.”
But that’s not all that the company is doing to safeguard its users. A vital part of its cybersecurity strategy is to find the right partners to help defend its systems.
Foong reveals that the company is in talks with Upstream — a firm specializing in automotive cybersecurity with a focus on securing the connected car ecosystem — to help ramp up security at SOCAR as the company focuses on becoming a part of the average Malaysian’s daily commute.
Culture is the key to cybersecurity
Often, businesses look at the cybersecurity gaps in their products and services but ignore the risks that internal policies (or lack thereof) can raise for the company.
SOCAR, however, is mindful that one part of ensuring its business offers the right protections is designing systems and policies that support its customer- and product-facing cybersecurity measures.
“Not everyone in the company has access to customer data. We provision who has access to customer data. Employees who have access to personally identifiable customer data, we track their systems and log their use of that data.”
But that’s not all. Foong reveals that they work hard at earning the customer’s trust and hence, they’re very careful about which employees have access to customer data. It’s not just determined by the role they play — employees face a rigorous background verification prior to being granted the privilege.
“Having a data-driven culture, we appreciate the operational leverage and flexibility that data gives us, and we appreciate that we also need to respect that data.
“We understand that we can only survive as a business if customers trust us — not just with their safety but also with their data.”
However, Foong is very clear about the fact that it’s not just the systems and policies that the company puts in place, it’s the company’s culture that makes the company strong or weak when it comes to protecting the company’s data.
“No matter what systems you have, if you have the wrong culture, data will always get leaked.”