It's chips, not the cloud, that will save banks from the hackers of the future

The 'smart' future of cybersecurity might lie in 'dumb' hardware, writes Dawn Capital's Evgenia Plotnikova.


Evgenia Plotnikova is a Principal at Dawn Capital.

The summer attack on Capital One captured the personal information of over 100 million people. Big banks remain easy targets for hackers – legacy systems patched together and holding some of the most sensitive data on the planet. One weak spot is all they need. In the US alone, there have been 3,494 successful cyber attacks against financial institutions this year, according to reports filed with the Treasury Department’s Financial Crimes Enforcement Network.

And unfortunately, when it comes to securing the internet – which is how every aspect of our lives is increasingly run – most people have it wrong. Web 3.0 will not be protected by software alone. Instead, it will rely on teaching original hardware new tricks.

As a VC, it's my job to understand what successful cybersecurity will look like in the future – and which companies are building those durable solutions now. Due to this, I have to go back to the dawn of the internet.

In the early part of the 1980s, cybersecurity was easy. Your computer was an unconnected box, and the only way it could be hacked was to use a floppy disc or a CD with a program containing malicious code. But within 10 years, the level of complexity around security had increased exponentially. As the internet evolved, single, isolated machines became part of a network. For the first time, an attacker did not need physical access – malware could penetrate entire organisations via one employee’s browser, or an email.

Mirroring the development of the internet, cybersecurity then progressed through two stages: prevention and detection. While the first saw entrepreneurs focus on building products that could create a barrier to entry for hackers, and licence those to enterprise customers, the second had to monitor a ballooning number of attack vectors, and help institutions know the identity of each person behind a screen.

Then the internet moved on again. Mobile-first became the norm, and retaining a competitive edge meant relationships with customers had to be more interactive. Banks may have been slow to adopt cloud services, but are still doing so in an attempt to save money. Alongside this, they are falling back on a patchwork of tools that uncomfortably combines cutting-edge technologies with legacy systems that cannot easily be ripped out. This is the reality of cybersecurity today.

My primary focus is to work out how organisations can stay secure – because this enables me to identify the companies that will keep that a reality. As investors, we spend a lot of time looking at the pain points of chief information security officers in large organisations (a role that started in banking, when Citigroup hired “the world’s first CISO” Steve Katz in 1994), as they hold the burden of responsibility.

Going into the 2020s, preventing hacks to the financial system means funding companies innovating in three areas.

First, those that build the solutions that help in-house developers test as they go, meaning they write more secure code in the first place – automating the “test-first” approach.

Second, raising employee awareness. As the distinction between “work” and “home” tools blurs (think catching up on Slack on the commute home), attempting to keep control over what employees interact with is futile. But technology can make it easier for staff to get on with their jobs. One of our investments, for example, Zivver, is a secure communication platform that lives in your Outlook. It uses machine-aided learning to alert you in real time to potentially unsecure emails – before you even send them. And it retrieves them when, despite the warnings, you did send that internal memo to your mother.

And third, going back to the “golden age” of not being connected to anything. Actually, this is where we might be heading. Last year, we invested in Garrison, which is one company demonstrating this approach (dubbed ‘hardsec’), using hardware to enable its customers, several of which are global banks, to completely reassess security. With a very basic chip allowing only bare-bones functionality, there’s nothing for hackers to hack, and banks can feel 100 percent safe getting their employees back on the web.

Every company on earth has to now be both a technology and a data company. But they also need to be security companies. Making the change is a particularly tough task for banks, for whom the perceived risk of altering a system or infrastructure can outweigh existing weaknesses.

But this means winning solutions will capitalise on keeping banks’ customers safe and secure, while also offering a transition: those that address both the human factor and reinvent the way the original hardware – the building blocks – of the internet are used.
