The Best Defense Against The Worst (Cyber)Offenses

Cybercrime is ever present and ever bolder as bad guys seek to topple the most basic building blocks of how we live, interact and shop, on a nationwide and even global basis. Here’s what Socure CEO Sunil Madhu sees as the best defenses against the worst offenses.

The Internet is so pervasive in our daily lives that a large-scale interruption would wreak havoc on the way we shop, interact and transact, in all corners of the globe. And, of course, the bad guys (that would be hackers, be they individuals or even state-sponsored teams) are always looking to take down huge swaths of the internet, costing companies, governments and individuals untold lost productivity and money.

So it is perhaps no surprise that Retired Admiral James Stavridis recently said that a “cybersecurity Pearl Harbor” may one day be a reality — and one of the key targets would likely be the banking and financial system, with serious implications for payments activity and the FinTechs that can help safeguard that activity.

In an interview with PYMNTS’ Karen Webster, Sunil Madhu, CEO of Socure, noted that the United States itself has engaged in global cyberwarfare, and many of the tools that have been created in the past have found their way onto the public internet. Those tools are being misused by other government agencies, he said, and by individuals bent on attacking financial services.

The difficulty lies where financial systems’ websites, applications or processes are attached to the larger internet (and are thus vulnerable), and companies must conduct penetration testing to assess vulnerabilities and ensure that “attack surfaces” are limited.

“The general things that [Socure does] in terms of security training and security hygiene and the controls that you have in an enterprise” range from monitoring of removable devices to anti-malware software to the penetration testing (both internally and externally), Madhu said.

But at the end of the day, the executive said, defenses on a global scale are a challenge, as governments are not fully open with the private sector when it comes to letting companies know when loopholes or weaknesses are identified.

“Instead,” he said of governments, “what they end up doing is exploiting that for their own benefits so they can either spy on citizens [for intelligence] or counterattack someone else, or attack someone else.”

That can be problematic when transparency is needed in the cybersecurity process, he told Webster.

Motivated by caution, might we revert to a less connected environment, where, for example, the blockchain might move from public blockchain to private blockchain to private networks?

“People will always want to connect,” said the CEO. “We are social animals who want to connect, and we will always find ways to connect. I do not think the Internet is going to collapse on itself” and private networks will take precedence.

But many mobile platforms, he noted, created as activity has moved from desktop to mobile, “are mostly unprotected,” and he added that many people do not run antivirus or anti-malware software on their mobile devices. That can be a vulnerability as enterprises continue to embrace the “bring your own device” culture. And that can have implications for systems that run across merchants where transactions occur, including, for example, Visa and Mastercard.

“The ultra-top secret systems,” he added, can be disconnected from the internet and have extra layers of security in place, with a nod toward Langley (via the CIA) and other entities.

As for preventative measures, said Madhu, more transparency is needed in communicating these threats when they are discovered. Enterprises are dealing with technology that has been stitched together over 20 years and based on traditional data center models. But as more companies move from the data center model to the cloud, security gets better.

There may in fact be “a lot more fearmongering and hype” as security companies launch efforts to sell their products, he said, “and they use fear as a selling point.”

The problems may not lie with the smaller enterprises themselves, in financial services and beyond, but with the larger entities that have crumbling infrastructure, such as nuclear facilities and power plants, where the “systems are old and industrial” and, if compromised by targeted hacking efforts, “could do serious damage” to a country.