Interview with Mr. Milan Raj Nepali, Founding Board Member and Treasurer, Centre for Cyber Security Research and Innovation (CSRI); Head of IT, Beema Samiti (Insurance Board: Insurance Regulatory Authority of Nepal) Ministry of Finance, Government of Nepal.
Q.1) Tell us something about your journey till date? How you started and something about your initial struggle days?
Coming from a remote rural village of Mustang to the capital city, Kathmandu, Nepal, for higher education and in search of better dreams was one of the most memorable struggles I have ever experienced. Those were the days when parents forced us to go abroad after passing the SLC, and the trend among the youth in our villages in those days was not the same as it is these days, of going abroad for higher education. There were two choices for me: either get involved in agriculture/farming or go abroad to the Gulf or Middle East countries to work as a migrant worker/laborer.
But I skipped both of those choices. And luckily, I met up with one of the landlords who owned a star hotel in Kathmandu. He proposed that I work at his hotel in Kathmandu. And then the stairway to Kathmandu began. I finally came to Kathmandu in 2006 and worked in a hotel part-time, and also got a chance to continue my higher education, i.e. I joined fine art education at first and then shifted to technology education, which was far more adventurous than I ever thought. None of my ancestors nor my community has been in this IT field to date. Proudly, I can say that I am the only person in Kathmandu from Mustang who is a full-time IT professional.
Q.2) Tell us more about your work in the organizations which you have involved like npCERT and CSRI Nepal.
Back in 2018, I heard the term “Cyber Security” a lot; it was a hot topic at that time. That’s how my journey began with Nepal’s first cyber security community organization, called “Information Security Response Team Nepal (npCERT)”. At that time, npCERT was going to host Nepal’s first “Global Cyber Security Summit 2018”. I was the technical member and an organizing member as well. That was the most successful summit of npCERT, and history was made. So, from that time to date, I have been in the cyber security domain, and I am also one of the active members of npCERT. We have hosted many programs afterwards.
In August 2018, we came up with the idea of introducing a research centre for cyber security in Nepal. We, the cybersecurity enthusiasts and IT professionals from various sectors like ISPs, banks, software companies, and others, gathered together for a meeting, and after a month, in September 2018, we established the “Centre for Cyber Security Research and Innovation” with 7 founding Board Members.
I am also one of the founding board members of CSRI and am currently working as the Treasurer of the same institution. Both of our organizations work with the same motto, i.e. “Let’s Build Secure Nepal”.
Q.3) You are also the president of ICT Professionals Association of Nepal? Why do you think such type of organization is needed?
We came up with the idea to establish the Information Communication Technology Professionals Association of Nepal (ICTPAN) as a not-for-profit organization established to advance the understanding of ICT matters within the community, corporate, and government sectors in Nepal. The ICT Professional Association of Nepal (ICTPAN) is the professional membership organization for individuals whose primary focus is the innovation expansion and development of ICT opportunities in Nepal. Our members are professionals within the IT Industry in Nepal who aim to advance the practice of Information and Communications Technology as a profession.
ICTPAN is the peak member-focused organization for IT professionals who are looking to build and grow their careers, as well as connect with other like-minded individuals. ICTPAN is also dedicated to providing its members with a knowledge platform forum in and through which they can exchange industry information, network with other members of the ICT sector, undertake advocacy activities on the behalf of industry interests, and collaborate with each other to extend the scale and scope of services accessible through Nepal’s ICT sectors.
Q.4) How’s the CyberSecurity and Policies in Nepal?
Today’s security challenges require an effective set of policies and practices, from audits to backups to system updates to user training. Cybersecurity is to implement the most effective technologies, but those technologies are only as effective as the companies and people who operate them. This makes policy setting and enforcement a paramount objective for the industry. The key point is the readiness of the industry: “Are we ready for the next-gen technology and the components of the 4th Industrial Revolution?” In the Fourth Industrial Revolution, cyber security is a prominent component.
Technology is the future and we should definitely adopt it. To date, developing countries like Nepal have not put Information Technology as the first priority in the socio-economic development of the nation. In this context, IT plans, IT programs, and IT policies are not implemented and not updated properly. We have the “Electronic Transaction Act-2063 (ETA 2063)”.
This document is the cyber law of Nepal, and it has provisions for authentication and regularization of the recognition, validity, integrity, and reliability of the generation, production, processing, storage, communication, and transmission system of electronic records by making the transactions to be carried out by means of electronic data exchange or by any other means of electronic communications reliable and secured.
The law not only legalizes all sorts of electronic transactions and digital signatures, but it has also undoubtedly implied the ways to run several computer-based mechanisms and penalize cybercrime. To date, we don’t have any specific National Cyber Security Framework or National Cyber Security Law.
Q.5) Why do you think Nepalese people and organizations lag behind in cybersecurity and awareness?
A comprehensive security awareness program sets clear cybersecurity expectations for all employees and educates users about how to recognize attack vectors, help prevent cyber-related incidents and respond to a potential threat. Strong security awareness training should directly address today’s (and tomorrow’s) most pressing cybersecurity hazards.
In other words, training prepares employees, which in turn prepares enterprises. The more your employees know, the more they’re able to identify and avoid the following cybersecurity storms.
In the context of Nepal, organizations don’t invest in security and awareness training for their employees, nor does the Government allocate a good budget for IT and security. That is the main reason that Nepalese people and organizations lag behind in cybersecurity and awareness.
Q.6) What are your thoughts about the latest data breaches happened with the popular organizations in Nepal?
In my opinion, there is clear negligence of employees, contractors, and third-party vendors that represents the cause of over half of all enterprise data breaches. This is a sobering statistic, one that keeps network administrators and IT managers up at night. After all, employee negligence hardly represents intent.
More often than not, good-intentioned employees make mistakes or skirt safe IT protocols because they’re tricked, rushed for time, or are unaware there’s a protocol set in the first place. With cybersecurity incidents only projected to rise, so does the potential for employee errors and the employee-enacted data breaches that statistically precede them.
The latest data breaches that happened with the popular organizations in Nepal are not new cases that we have borne. It is said that “There is a cyber-attack every 39 seconds” in the world. But I appreciate the incident response of the companies and the statements they issued. Indeed, this is a good practice for awareness of cyber security for all.
Q.7) What can be done to reduce those cyberattacks and how can cybersecurity be implemented?
Doing nothing is no longer an option. You can protect your organization, and your reputation, by establishing basic cyber defenses to ensure that your name is not added to the growing list of cyber victims. The effective and affordable ways to reduce your and your organization’s exposure to the more common types of cyber-attack on systems and to implement cybersecurity are:
- Boundary firewalls and internet gateways – establish network perimeter defenses, particularly web proxy, web filtering, content checking, and firewall policies to detect and block executable downloads, block access to known malicious domains and prevent users’ computers from communicating directly with the Internet,
- Malware protection – establish and maintain malware defenses to detect and respond to known attack code,
- Patch Management – patch known vulnerabilities with the latest version of the software, to prevent attacks that exploit software bugs.
- Whitelisting and Execution Control – prevent unknown software from being able to run or install itself, including AutoRun on USB and CD drives.
- Secure Configuration – restrict the functionality of every device, operating system, and application to the minimum needed for the business to function,
- Password Policy – ensure that an appropriate password policy is in place and followed.
- User Access Control – include limiting normal users’ execution permissions and enforcing the principle of least privilege,
- Security Monitoring – to identify any unexpected or suspicious activity,
- User Training Education and Awareness – staff should understand their role in keeping your organization secure and report any unusual activity.
- Security Incident Management – put plans in place to deal with an attack as an effective response will reduce the impact on your business.
Q.8) We can see online banking and transactions are popular these days. Do you think it is safe to do those transactions that include all our private information?
Online banking is safe, but you should also exercise caution when banking online. There are four main types of attacks that are prevalent when you use online banking services:
2. Identity Theft,
3. Keylogging and
As prevention is better than cure, you should be aware. So, while using online banking and transactions, you should confirm your online bank’s legitimacy, be very careful with copycat websites, learn more about your bank’s security system, and finally protect your computer from vulnerabilities and threats. Let’s be careful. Stay safe online and be smart when using the internet.
Q.9) You are involved in a lot of international organizations and their programs too. What are the differences you find in the international arena and in Nepal’s tech industry?
Yes, I have been involved in a lot of international organizations and their programs. The difference I find between the international arena and Nepal’s tech industry is proper planning and time. In Nepal, we rush at the end of the project or program. We are not aware of the timeline. That’s the main difference and experience that I have faced while working with the tech companies and the international organizations.
Q.10) What are your last few words for everyone on how to become safe on the Internet during this pandemic?
We are in the middle of a pandemic dubbed COVID-19 that is wreaking havoc all over the world. National and international organizations are applying Work From Home (WFH) for their employees, and academia as well.
My few words for everyone on how to become safe on the internet during this pandemic are enumerated below:
- DO NOT OPEN ANY LINKS OR DOWNLOAD ANY ATTACHMENTS ON YOUR MAIL REFERRING TO COVID-19, rather follow World Health Organization (WHO) regarding all relevant updates on the situation.
- DO NOT CLICK ON POP-UPS when visiting certain websites, you may face threatening pop-ups claiming to have found malware or viruses on your computer. Don’t click on them as they will more often than not try installing malware or adware on your device.
- DO NOT DISABLE FIREWALL on your system. In-built firewalls are a very good line of defense that helps protect you against threats that perform malicious activities on your system.
- ENABLE MULTI FACTOR AUTHENTICATION (MFA) on your organization account.
- UPDATE to the latest security patches for your desktop, laptop or software.
- Use Enterprise Virtual Private Network (VPN) to access organizational resources and verify it’s up to date.
- LOCK your devices before you leave them unsupervised (i.e. work laptops, smartphones, tablets). Have a habit of locking them before you leave them.
- Enforce communication with the USE of End-to-end (E2E) Encrypted messaging applications. All official & confidential conversations must be done through such applications. Exercising with Microsoft Teams can be beneficial for all organizational communications.
- INCREASE PASSWORD COMPLEXITY for all your organization accounts.
- Beware of SHOULDER SURFING, as others might be able to see/listen to some sensitive and confidential information.
The above major practices may secure you and your organizations.
“Be Stay Safe and Be Smart on the Internet”
Thank you very much !