Gojek CISO on fighting social engineering, and other cybersecurity tips
The past year-plus has been rife with cybersecurity breaches and other online vulnerabilities, the likes of which have rarely been seen on this scale. Ever since the onset of the pandemic last year, bad actors have been more creative than ever, inundating local servers and email accounts with phishing attempts, malware, ransomware, and a host of newer threats that are endangering both the enterprise and the individual.
Then the SolarWinds attack was discovered, which had apparently been going on for months and had managed to infect the systems of thousands of firms that relied on its software. And early this year, the Microsoft Exchange Server breach appeared to signal another cyberattack backed by state-sponsored groups, with similarities to SolarWinds.
And last month, it came to light that international venture capital firm Sequoia Capital had been penetrated by a third party after one of its employees fell victim to a phishing attack. The VC has raised billions for startups, including those in India and Southeast Asia, where it is backing some of the top Indonesian startups, including ride-hailing-turned-super-app Gojek and e-commerce stalwart Tokopedia.
These two firms are two of the biggest unicorns in Southeast Asia, so much so that they have been repeatedly rumored to be merging into one giant entity. While nothing has been confirmed, Gojek continues to expand its roster of services, which besides rides also includes a wide variety of last-mile delivery options in Indonesia, as well as e-commerce and payment facilities, and it is looking to expand its transportation services into other Southeast Asian territories.
George Do, Gojek’s Chief Information Security Officer, joined Gojek after realizing that the mission of its leaders aligned with his own: to remove life’s daily frictions. But as the CISO of a fast-growing startup spread across several countries and with a sprawling service portfolio, George has to actively work with both technical teams like IT and Data Science and business units like Finance and Corporate Affairs, to ensure that the company’s strategy for governance, risk, and compliance is being thoroughly applied by all stakeholders.
“As a company, we have grown and matured tremendously since our founding. This success means we have a large and complex infrastructure and user base. The challenge is to keep cybersecurity on pace with the level of growth, but at the same time allowing the business to move as fast as it needs to,” Do told Tech Wire Asia.
In Gojek’s home base of Indonesia, social engineering is a rampant scam, in which a fake virtual identity is created to take advantage of users who are less digitally literate. George says Gojek has made significant strides in raising public awareness of the various types of online fraud, including social engineering.
“For example, we regularly send out security tips via our app to educate users on the common tactics of social engineering,” said George. “We [also] implemented number masking, which conceals contact information between our merchants and users, hence reducing social engineering attacks on phone numbers. We also enforce facial recognition for our driver-partners, which has helped to protect against account takeovers and reduce the number of fraudulent activities against drivers.”
And just as Gojek takes an omnichannel approach to its service lineup, the ride-hailing bigwig has taken a similar multi-pronged approach to educating its entire ecosystem on cybersecurity awareness, including users, drivers, and merchant partners.
“At the end of the day, there are limits to what we can do with cybersecurity technology to defend against fraud and account takeovers,” said the CISO, who counts NASA as among his pre-Gojek appointments. “A security-aware user is the best defense against fraud and bad actors, and we’ll continue to work hard to educate everyone in our ecosystem on the tactics that bad actors can use to target them.”
As such, cyber-protection awareness campaigns in the less digitally advanced areas are a must. “Tactics used by scammers and bad actors are generally consistent across the region. We focus on making the message as simple as possible without overcomplicating things.”
As a digitally native player, the company also has a dedicated fraud team that focuses solely on reducing incidents of fraud on its platform. But that is not the biggest issue for a company that has to maintain PCI (Payment Card Industry) compliance; payments are. “Payments present unique challenges from a security perspective. This is because whenever there is money transacting through a platform, bad actors will target it for profit,” Do affirmed.
“We operate our payment app and infrastructure with very high levels of security, and we continuously innovate to enhance security across our entire ecosystem,” he continued. “This ensures that our users have trust and confidence in using our apps. At the end of the day, we are custodians of our users’ information and we take this responsibility very seriously.”