Positive Technologies: Avoid disruption with smart technology - Roy Duckles
In today's hyper-connected finance world, hackers are looking to exploit any weaknesses, not only in a bank's IT network and system infrastructures, but also in core banking systems, internet banking applications, ATMs and point-of-sale terminals. Roy Duckles, vice-president of business development at Positive Technologies, discusses how and why many financial organisations must rethink their cybersecurity and compliance strategies.
Could you please tell us a little about yourself, and your role at Positive Technologies?
Roy Duckles: Positive Technologies has a cutting-edge technology platform that addresses the problem created by flaws in the underlying software used by banks on a daily basis, called vulnerabilities. It is my role to deliver an effective go-to-market strategy across EMEA for this, working with financial institutions to help them understand the risks and how we can help them address this problem. Driven by the expansion of this threat, the company is seeing significant international demand, and it's my job as VP of business development EMEA to help deliver this.
You work with other sectors as well as financial services. Are there unique threats and requirements for banks, compared with, say, telecoms and utilities?
The thing that unifies all of our customers is that they work in sectors that have a critical part to play in people's day-to-day lives. They are what the cybersecurity industry calls 'critical infrastructure providers' for a good reason. This means the security of their networks and connected operations is paramount. If these are compromised in any way, it could have a big knock-on effect.
Today's hyper-connected finance world brings this to a head in perhaps the sharpest of ways. From an investment bank's point of view, any hindrance caused by security problems could end up costing millions every single minute. In a world of low-latency trades and complex changing algorithms, security teams at banks simply cannot afford anything that disrupts activity.
From a retail bank point of view, what we do helps safeguard customers' confidential information. Retail banking operations are a big target for threat actors, because they hold the crown jewels: databases full of information that can be used to steal money wholesale. This brings a certain focus to our operations in the finance space.
Given how cybersecurity is a changing landscape, where do banks need to focus their energies in this area?
The question itself is very revealing. Security teams at even the biggest banks are continually challenged by the changing threat landscape. For this reason, it is a question of being able to focus on the immediate cybersecurity issues, while also having a big enough view to prepare for what is coming next. Threat actors are continually evolving the ways in which they target banks, and are well funded and highly intelligent. In response, banks need to be nimble, with a flexible strategy that combines the right mix of good people with intelligent technology. Only by doing this can they stay relevant and effective.
How do you see the upcoming changes to the General Data Protection Regulation (GDPR) affecting how banks approach their cybersecurity?
The hefty fines for breaching the GDPR put the risk in sharp relief. If there is one thing banks know better than most other industries, it is managing financial risk. Given this, I would imagine the cybersecurity teams at these organisations are currently deep into their planning around GDPR. The government needs to give some guidance, but given the uniquely sensitive nature of the data handled by the sector and its legacy of compliance, it will be better prepared than many industries.
Technically, with fines aimed at protecting customer data, I would expect banks to pay specific attention to protecting against a sequence of events that leads to big one-off data breaches. Typically, these start with an attacker exploiting a vulnerability in one of the many pieces of internet-connected software used in today's modern bank. It only takes one piece of malware to slip through these for a treasure trove of data to be exposed.
How important is it for banks to have a strong penetration testing process in place?
Any connected piece of hardware or software is a potential threat to the enterprise it is attached to. Where we just see a laptop or cloud application, a threat actor sees an opportunity. For this reason, having a solid penetration testing routine to find the flaws is very important. However, given the advancing amount of connected devices and cloud apps now in the enterprise, automating some of this work using intelligent technology is key to preventing security teams from being overwhelmed.
How can this help them in terms of vulnerability management?
Put simply, penetration testing helps banks find flaws - vulnerabilities - in their cybersecurity approach. It uses a variety of techniques to simulate numerous attacks; everything from human engineering to searching for vulnerabilities in the software that runs at the heart of every single financial institution. These flaws are not always obvious, which is why vulnerability testing and management is vital. A bank's CISO and security team might not know they are there, but gone unpatched they represent an open window into the bank's network.
With application security an often overlooked area, how can Positive Technologies help banks with this problem?
An increasing number of companies around the world are using cloud-based applications and software to run crucial processes, everything from email and document collaboration to core systems. As the reliance on connected software increases, unfortunately so does the risk. There are inherent weaknesses in such approaches because, more often than not, they touch the internet in some way - whether directly or indirectly. If these applications have vulnerabilities - essentially holes in the software that can be abused - they can allow an attacker to traverse a bank's network. Only by running smart technology, which continually checks for and addresses such flaws and the resultant attacks, can banks protect themselves. This is what we do.
With banks investing large sums of money in the cybersecurity area, what are banks concentrating too much on and what is being overlooked?
As someone who works in the cybersecurity industry, it's difficult to highlight areas where banks are over-indexing, as this is akin to saying they are being 'too safe'. In a world dominated by multiple complex threats, this would be wrong. As always, however, there is a tendency to underestimate the human factor in any enterprise. Employees represent the biggest single cyberthreat to any organisation; whether this is intentional or not, they are often abused by threat actors to begin the advanced attack chain. This is why education and training is crucial.
In terms of education and training, what improvements would you like to see within the banking sector? What constitutes best practice?
All sectors across the board need better training to safeguard against cybersecurity threats. Front-line and back-office employees need greater awareness of the threat their activities could pose to the networks and systems of the companies they work for. 'Brown bag' training, where employees are given a free lunch while being educated about the importance of cyber-awareness, is a good way of achieving this. In addition, it is vital for specialist cybersecurity teams to be continually abreast of the latest threats, vulnerabilities and other advanced attack trends. Only by knowing their enemy can they respond accordingly. Continual technical training is crucial for this.
For banks seeking external help, what ingredients are required to make a successful collaboration?
We have some very large financial sector institutions on our books, many of which come to us after we open their eyes in some way to a particular threat. Our research teams are very well known as experts in their field, which means people tend to come direct to us for advice.
Often, we will be asked to carry out an audit on their systems prior to any long-lasting engagement. Typically, once we have done this, and given them a report showing where the risk points lie and how these could impact their core business, it leads to a longer relationship.
How do you see this space evolving in the years to come?
The cybersecurity industry moves at such a rapid pace that the future very quickly becomes the present. It was only recently that people were predicting that internet-of-things (IoT) devices posed a big threat to the internet, and the next thing we know they knocked a large portion of the East Coast offline. More specifically, I think we will see an increase in 'machine on machine' attacks as automation begins to play a larger part in generating threats. It is for precisely this reason that we have embedded machine learning in our platform, because attack volumes will rapidly increase beyond a point where a human being can cope.