All kinds of organizations are now struggling with cyber security threats and risks. There are a lot of consultants that are happy to point out risks and sell their services. Some security companies and hacker groups also like to demonstrate how they have been able to get into some companies and systems. FinTech and finance services are very concrete examples of areas where companies, and everyone who uses them, must manage cyber-risks. But is it even realistic to be able to stop all attacks, and do we need totally new approaches?
The situation in cyber security has been compared to the time when artillery was invented and made castles useless. It basically forced all parties to think about security in a new way. It was no longer enough to build great walls and consider the inside safe.
Another good comparison, interestingly, is an avocado. An avocado has a soft part and a hard core. In this analogy, only the very important core needs hard protection, while a lot of the surrounding material is not so critical, but it is important to have the ability to trace if someone gets into it.
However, whatever analogy you use, it is also fundamental to understand that nothing is 100% secure. When you set up a server and connect it to the Internet, there are many parties that connect to it immediately. But there are also different levels of attacks. Some are simple to stop without any specific effort, and some are almost unstoppable, although these also require a lot of effort from the attacker.
Obviously, finance services are one popular target for attacks, whether the motive is to steal money, seize accounts or blackmail institutions. FinTech presents the opportunity to offer better and more cost-effective finance services, but it also comes with its own cyber security risks. A recent conference presentation in Germany demonstrated how easy it was to seize accounts at a new Internet bank, N26.
The whole cyber security area is a complex discussion, as even the recent US presidential election has demonstrated. People underestimate the risk and don’t understand that no one is totally safe on the Internet. At the same time, it is easy to spread misleading information about the risks. A year ago, there were some cases in the UK where some people lost money from their bank accounts when the account numbers were stolen from an ISP. Immediately there were some experts on TV commenting that they had always said Internet banking is not safe. But the problem wasn’t the stolen account numbers so much as it was the users giving account access codes to criminals on the phone. (Those criminals, incidentally, were some teenage boys.)
Rethinking the security paradigm
The sad fact is that nothing is totally safe when it is connected to the Internet. However, the physical world is also risky, and we manage that risk all the time. When you walk on the street, there are all kinds of risks, but you can decrease them by selecting where, when and how you walk, for example, or how you carry anything of value that a pickpocket would want to steal. Lots of people tell terrible stories about how risky it is to walk in the evenings near stations and other crowded places, but still many people do this without any problems.
Internet security has always been a balancing act between costs and potential risk – it doesn’t make sense to build a $1,000 system to protect only one dollar. Returning to the avocado analogy, there are a lot of data and service components that belong to the soft part of the avocado – you cannot protect them totally, but you want to see if someone gets inside. And then there is the small part – the core of the avocado – that is so fundamental that it must be completely safeguarded.
We also need more business-oriented security consultants that don’t just write horror stories, but can also calculate risks. And we need realistic “cyber-wise” business people who understand cyber security risks and digital business opportunities enough to build optimized secure services.