Throughout the entire month of January, The Fintech Times will be exploring every dimension of one of the industry’s most pressing topics: cybersecurity.
We covered the latest innovations to look out for in 2022 in cybersecurity, but as with all new and experimental things, this adoption won’t be seamless at first. These innovations will each face unique challenges. Exploring these obstacles in further depth, The Fintech Times heard from James Bore, Director of Bores Consultancy; Luke Tenery, Partner at StoneTurn; Bronwyn Boyle, Chief Information Security Officer, Mambu; Johnny Young, Founder of CyberD TV; and Kyle Rice, CTO of SAP NS2.
Finding a genuine innovation that can radically change an industry is no easy feat. James Bore, Director of Bores Consultancy, argued that many ‘innovations’ are near on carbon copies of other products, so finding a new, innovative one is like finding a diamond in the rough. “Security fundamentals haven’t changed for millennia, and so most true innovation is about better applying those fundamentals to a technology landscape. Sadly a lot of the real innovation is buried beneath a slew of barely-novel products piled high with marketing keywords, and sorting through the chaff is a painful process that many don’t have the time or resources for.”
The idea that cybersecurity fundamentals are not in need of a huge change was echoed by Luke Tenery, Partner at StoneTurn. Believing that a lot of the cybersecurity issues we face in the modern day are a result of poor employee training rather than faulty technology, he said, “There are two primary reasons why innovation in cybersecurity has in large part stagnated. The first is, it actually isn’t needed. The vast majority of networks suffer from failings around basic security hygiene. 61 per cent of the vulnerabilities on CISA’s known exploited vulnerabilities catalogue are at least a year old. Most intrusions can be tied to human error, whether it is password reuse, clicking a phishing link, misconfiguration of a public-facing asset, or failure to appropriately patch. These are not things technology can actually fix, it is a cultural and training problem. When the foundational security problems that have been endemic to networks since the early 1990s are still the primary issue, it is hard to find an innovative solution, especially given that the problem is one of combating human nature and not actually a technology issue at its core. The second primary reason is that the security industry isn’t properly incentivised to be truly innovative. In fact, it is incentivised to move slowly and incrementally. Truly solving a category of threat or fundamentally reducing the amount of impactful intrusions undermines the cybersecurity industry, as they make their money and VCs pour money into the sector, based on the ever-increasing fear of these intrusions and the outcomes. So, between the economic disincentive and the fundamental problem that cyber security is generally a human behaviour rather than a technology problem, you have a severe reduction in innovative solutions.”
Many companies simply cannot risk experimenting with new technology. In a field that is so ruthless if mistakes are made, Bronwyn Boyle, Chief Information Security Officer at Mambu, explains that many SMEs cannot risk using a new and unproven form of technology: “From a resourcing perspective, new ventures and partnerships can struggle to get traction with target buyers; organisations are often so stretched that they lack the capacity to trial and experiment with innovative solutions. Many firms that would benefit most from cyber innovations also work in highly regulated industries, which means greater risk requirements and additional barriers to entry. Finding ways to facilitate sandboxes or working with innovation panels is key to pioneering innovative solutions in a challenging operational environment.
“If you look at how cyber innovation has been pitched, there’s a lot of hype in the market – with security businesses making up a growing proportion of unicorn valuations. But where the value is often overlooked is the SME and middle market. It’s also where cyber innovation is most needed as smaller businesses can provide a foothold for much bigger cyber attacks. SMEs don’t always have the money to invest in big-buck solutions and may not understand what’s the best on market or which products are right for their business. So, it’s vital that vendors prioritise this market in the year ahead, to provide that education along with affordable services.
“In terms of social impact, fraud has continued to present a significant threat since the start of the Covid-19 pandemic. Changing consumer behaviour, working from home and increased reliance on digital services have driven exponential increases in cybercrime and fraud. Figures show that more than £4 million is stolen by fraudsters every day in the UK – with UK Finance equating it to a national security threat. With consumers having to adopt more digital services than ever, it’s vital that they’re fully educated on the risks involved and how to protect themselves when doing things like managing their money online. We often hear that people are the weakest link when it comes to cybersecurity, but they’re also our first line of defence – as an industry, we must do more to innovate with end users in mind.”
Johnny Young, Founder of CyberD TV, argued that many of these new companies are simply trying to capitalise on a booming industry but will end up paying more in insurance fees if they are unable to properly protect their clients: “Cybersecurity innovations occur every day, as they must. Hardware, software, and developing technologies such as quantum computing, all are driven by high-speed innovation.
“But let’s think on an even grander scale; what are the main problems to be faced by companies purchasing cybersecurity insurance, an entire industry that’s currently exploding?
“Companies are popping up like mushrooms to take advantage of the growth in cybersecurity insurance demand, though the best thing about some of them is their marketing skills.
“Having a policy is one thing, as it makes the insured company feel like they have a safety net. Getting paid after a data breach is another. As a wise philosopher once said, ‘Insurance is great to have, until you need to use it’.
“New companies are writing policies in great numbers, but do they have the cybersecurity experience, or knowledge of their customer’s security posture, to even know what they’re insuring against? To do this they’d have to do an extensive audit of their client’s policies, processes, and procedures, run compliance tests, and get deeper into the business than most companies would ever allow.
“On the other hand, innovative insurance companies could be on-site partners, and take responsibility for the cybersecurity work as an additional service. This can be another great source of revenue, as many smaller companies would love to outsource their cybersecurity needs.
“But still, what happens if a company writes a ton of policies, and many of their clients are hit with data breaches at the same time, such as SolarWinds, or the Log4j exposure? Will they pay up, or just fold their tent, and go out of business?
“If they stay afloat, the court system will be overwhelmed. Insured companies will sue to be paid, while the insurer countersues, claiming policy violations.
“I expect soon we’ll see a multi-billion-dollar cybersecurity insurance industry, albeit one that innovates itself into an unregulated mess. Yikes!”
Kyle Rice, CTO of SAP NS2, points out the sheer number of hackers and cybercriminals outdoes that of a cybersecurity team, and with each hacker trying new forms of trickery to access data, security teams have a huge burden in keeping up with all the new forms of attack. In addition to this, there is no room for error. Security teams must be 100 per cent successful each and every time or face possibly devastating consequences:
“Cyber threats rapidly change and evolve, so it is critical that cyber defenders continue to innovate to stay ahead of these threats. Due to the inherent asymmetry of cybersecurity, there are two aspects of cyber defense that make innovation in this space particularly challenging.
“The first complicating factor is that cyber attackers have a significant numerical advantage. Your cyber team and vendor partners are innovating as fast as they can to come up with new strategies to protect your network environment. But there is an entire world of potential cyber attackers who are innovating against you – and there are simply more of them.
“The second factor is that in a traditional network environment, cyber defenders have to be successful 100 per cent of the time, while attackers only have to be successful once. This dichotomy extends to innovation: a cyber innovation that works 10 per cent of the time will be largely useless to a defender but will be hugely valuable for an attacker.
“So how do you innovate successfully? The key is to strive to balance the asymmetry. Don’t restrict your defensive innovation only to your team and partners, instead expand your collaboration to include industry and government allies. Organisations like the Cybersecurity and Infrastructure Security Agency (CISA) are helping to drive these public/private partnerships which can significantly expand your defensive innovation network. Configure your environment so that when the inevitable occurs and an attacker is successful, they are not able to cause immediate damage. This is the concept of Defense in Depth (DiD): a series of wooden doors that are 90 per cent effective is much more secure than a stone wall that is 99.99 per cent effective – because now you can detect and mitigate the much smaller set of attackers that made it through the first door.”
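The “wooden doors versus stone wall” comparison above can be made concrete with a small probability model. The Python below is an added illustration, not code from the article or from SAP NS2. It assumes that each defensive layer acts independently, that a layer’s `block` value is the probability it stops an attacker outright, and that `detect` is the probability a bypass of that layer still raises an alert; the 90 per cent and 99.99 per cent figures come from the quote, while the 50 per cent detection rate and the five-door arrangement are constructed for the example.

```python
"""Defence in depth as a chain of independent filters (added example).

Constructed model, not the article's own: every layer either stops an
attacker (probability `block`) or lets them through; a layer that is
bypassed may still raise an alert (probability `detect`). Exact fractions
are used so that comparisons like "equal to 1/10000" are not disturbed by
floating-point rounding.
"""
from dataclasses import dataclass
from fractions import Fraction
from itertools import count


def frac(x):
    """Exact rational from a decimal string, int, float or Fraction."""
    return Fraction(str(x))


@dataclass(frozen=True)
class Layer:
    name: str
    block: Fraction   # probability the layer stops the attacker outright
    detect: Fraction  # probability a bypass still produces an alert


def layer(name, block, detect=0):
    """Convenience constructor that coerces values to exact fractions."""
    return Layer(name, frac(block), frac(detect))


def p_breach(layers):
    """Probability an attacker gets past every layer (independent layers)."""
    p = Fraction(1)
    for lyr in layers:
        p *= 1 - lyr.block
    return p


def p_silent_breach(layers):
    """Probability of a full breach with no alert raised at any layer."""
    p = Fraction(1)
    for lyr in layers:
        p *= (1 - lyr.block) * (1 - lyr.detect)
    return p


def survivors_per_layer(layers, attackers):
    """Expected number of `attackers` attempts still active after each layer.

    This is the 'much smaller set of attackers that made it through the
    first door' from the quote: the population a detection team must triage.
    """
    out = []
    n = Fraction(attackers)
    for lyr in layers:
        n *= 1 - lyr.block
        out.append((lyr.name, n))
    return out


def doors_needed(block, target):
    """Smallest number of independent doors of strength `block` whose combined
    pass-through probability is at or below `target`."""
    block, target = frac(block), frac(target)
    for k in count(1):
        if (1 - block) ** k <= target:
            return k


# Constructed scenarios: one 99.99% wall with no detection on bypass versus
# five 90% doors, each with a 50% chance of alerting on a bypass.
STONE_WALL = [layer("stone wall", "0.9999")]
WOODEN_DOORS = [layer(f"door {i}", "0.9", "0.5") for i in range(1, 6)]


if __name__ == "__main__":
    for label, chain in (("stone wall", STONE_WALL), ("five doors", WOODEN_DOORS)):
        print(f"{label}: breach={p_breach(chain)} silent={p_silent_breach(chain)}")
    print("doors of 90% needed to match 99.99%:", doors_needed("0.9", "0.0001"))
    for name, n in survivors_per_layer(WOODEN_DOORS, 1000):
        print(f"after {name}: {float(n):g} of 1000 attackers remain")
```

Running the module shows that four 90 per cent doors equal the 99.99 per cent wall on raw pass-through probability and five beat it, but the more useful output is the survivors table: each door cuts the population the detection team has to look at by a factor of ten, and with even a modest alerting rate per door the chance of a completely silent breach is far below what a single wall, which gives no signal at all once bypassed, can offer.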