Interrelating both legacy security systems and new ones are posing the biggest threat to online protections of financial services, according to Alex Doll, founder and managing general partner at Ten Eleven Ventures.
Cybersecurity is beginning to dominate the online world everywhere you look. Fears are rising over what is safe and where the newest threats are going to come from. Cyber criminals are becoming ever-more innovative in the way they can trick or manipulate their into accessing information they are not meant to have. One of the most notorious types of criminal techniques over the last couple of years has been ransomware – namely the WannaCry attack which was deployed around the world, including many UK-based organisations such as the NHS.
Fears over these unseen hostiles and the sheer magnitude of damage they can cause is being noticed by regulators, enterprises, startups and investors. Late last year, the European Parliament members agreed to introduce the first EU-wide cybersecurity certification scheme which will ensure products and services sold in EU countries meet cybersecurity standards. The UK government is also making some extra efforts in the field, after a new £70m investment commitment to the research and development of cybersecurity companies, was outlined at the start of 2019.
There is a strong push on building new cybersecurity solutions which can protect a business from all these online threats, leveraging AI or blockchain in innovative ways. However, this does not mean financial institutions can simply wash over their existing security systems and forget about them. Alex Doll, founder of the cybersecurity-focused venture capital firm Ten Eleven, believes managing both legacy, high-risk systems and capitalising on new solutions is the real bugbear for institutions.
Financial institutions need to be moving their current operational systems onto newer and safer architectures which leverage onsite tools to protect its running. Change might be needed, but there are still several architectures in place crucial to a business’ operations which are being protected by dated security technology. He said, “It’s a constant tension for FIs: how to modernize the underlying business applications while also being able to tap into the latest in security innovation.”
Innovation into new devices and applications is essential for the growth of financial institutions, but it is presenting new challenges for security. By sailing into unchartered territory of new technology types it can leave an enterprise exposed to an array of new, unforeseen vulnerabilities. Firms are looking to find new ways of interacting with customers through online on mobile means. To combat security threats, they are experimenting with two-factor authentication, biometrics, and hardware-based crypto, as well as improved post-authentication transaction authorisations and analytics, he said.
Doll said, “While these security frameworks are evolving positively, they are different and more advanced than anything used before. They also have to co-exist and integrate frequently with prior methods. This backwards compatibility requirement for security technologies is something that is constantly underestimated by security innovators and can leaves customers in a tough spot – it’s a challenge to get this balance right for both start-ups and the customers they serve.”
The cloud is a key example of new technology which is just shrouded by potential problems. It has quickly become one of the most attractive pieces of technology, but worryingly, many firms do not fully understand how it works. Whether this comes down to data protection regulations like GDPR and how cloud solutions are impacted or where data is stored.
He added, “While the perception may be that companies are moving everything onto “the cloud,” the reality is that there will be both on-premise data and cloud data for a long time to come – making the reality “hybrid.” Also, for the portion in the cloud, there is a common misperception that you will use one public cloud. The reality is that business teams can and do use multiple different vendors (and even different geographic instances from a single vendor) – making the predominant architecture “hybrid clouds.
“That’s why we see one of the most significant opportunity areas in security is the evolution of existing compliance and control systems – that now work and are required in the old world (like approved compliance and risk regimes) into this new, hybrid clouds future.”
Looking into the future, Doll believes that cloud attacks will continue to accelerate and grow in sophistication, leaving it paramount firms should implement solutions which can protect the challenges of hybrid clouds.
Growing the space
Interest in cybersecurity has grown at a steady rate since 2014, according to data by RegTech Analyst. Between 2014 and 2018 the number of investment deals into RegTech has risen from 125 to 164. In this period, the share of deal activity involving cybersecurity companies grew from 14.4 per cent to 19.7 per cent, joining identification/background checks with the highest number of deals.
The entire digital world needs these developments and innovations to be fostered if there is any hope in keeping up with cyber criminals. A recent report from Deloitte revealed a cyberattack can cost from as little as $34 a month and earn returns of $25,000 – if an attack ups its efforts and spends $3,800 a month, it could earn $1m each month. Funds raised through these attacks are often used to innovate their operations so they can continue to improve how they take advantage of new vulnerabilities.
There have been a number of high-profile attacks which have left personal information exposed or at risk. The previously mentioned WannaCry attack was one of these, but there are many other attacks going on which are not as widely reported. Earlier in the year, Bank of Valletta was subject to an attack which resulted in services going down. Metro Bank also claimed it had been hit by an attack this year, which hit various other banks as well. The alleged incident meant attackers were able to intercept verification texts which are sent to a customer’s mobile phone to confirm transfers or payments.
Data is at the heart of the financial world and this is ever more apparent in today’s technology laden world. This is what hackers are after when they attack a business as well. This is why it is crucial for financial institutions to safeguard their own data but also the personal information of customers. If an organisation does not even know what data they are holding, having long lost pieces in the depths of legacy systems, how can they be certain a criminal cannot find them? There is a sense of, if I can’t even find it, how will they. But they can be much more adept at finding a needle in a technological haystack.
Regulations like GDOR have begun to take form. Prioritising the privacy of data is a good way at making it harder for information to be casually left somewhere it should not be. This is not going to stop criminals accessing the information, but it can make sure it’s not just left on a plate for them. Doll believes that there needs to be a change in how consumer data is observed, particularly within marketing. “Technically, many of the things that marketers do with consumer data are architecturally similar to “what the security industry would call malware.” As this becomes clearer to more audiences, regulation has begun to emerge. I think this regulation is long overdue and will likely continue.”
Doll added, “The regulation discussion to data has focused a lot on privacy – it would be helpful in my opinion if the discussion started a little more squarely with internet advertising, which leads to the potential conflict of interest on data capture and potential destruction of privacy. Not all online businesses struggle to the same degree with the data they are now capturing. It’s the raw market power of the data as fuel to the advertising models that is the biggest societal problem. Lots of companies capture data and use it very responsibly to improve lives for customers, it just so happens they are not primarily in the advertising business. We need to be careful to not regulate the wrong things.”
Moving forward, he said a potential scenario would require the separation of security and privacy from primarily advertising-based business models. This would require them to use security and privacy form independent third-parties.
“Much the same way as PCI regulation (effectively resulting in the specialized outsourcing and scoping of payments) made for stronger, more flexible payment tools, this kind of regulation would improve competition and product outcomes. The people working on the R&D teams in the security industry are very specialized, innovating quickly and creatively to create exceptional tools.”
This makes it ever more important for firms to evolve their cyber protection services, otherwise, criminals will just get more advanced while they stagnate. Venture capital firms like Ten Eleven are trying to help the sector grow. The cybersecurity exclusive investor recently closed its second fund on $200m with a goal of deploying this into opportunities around the globe. The firm invests in all stages from Series A through to growth equity and sets itself apart by using its technical knowledge to advise its investing.
He said “I think entrepreneurs get tired of explaining the problem over and over again to non-security people at such a simple level that they lose the ability to differentiate the uniqueness of their approach. As a firm we tend to focus right in on architecture and competitive/substitute positioning – which puts entrepreneurs in position to really shine.”
The firm has already tapped its new fund, making an undisclosed investment into the cybersecurity awareness training and simulation platform KnowBe4. While the deal value was not revealed, KnowBe4 stated it had increased its company valuation to over $800m thanks to the deal, which was also supported by Ten Eleven’s investment ally KKR. The ‘human error’ towards online threats is a big pitfall for a business’ cyber defence, Doll said. KnowBe4 attempts to address this by transforming employees into defence lines and becoming educated about online threat tactics.
Copyright © 2019 RegTech Analyst
Copyright © 2018 RegTech Analyst