Even for those of us directly involved in tech and computing, it can be exhausting to try to closely follow news and developments in the area of cybersecurity.
Not only has there been a wealth of cybersecurity news over the last several years, most of it surrounding major security breaches tied to enormous brands, but there also always seems to be another breach on the horizon, despite concentrated efforts to prevent openings in cybersecurity.
Cybersecurity tech continues to advance, and even 2-factor authentication alone has had a measurable benefit for the average user. But we can always count on hackers to look for new ways around cybersecurity, both through tech and through social-based techniques.
To look into these matters in more detail, Soup.io spoke with Gyorgy Tomso.
Gyorgy Tomso has spent much of his career working in FinTech (financially-focused technological solutions and services), and as you might expect, this area represents an especially appealing target to hackers looking to commit fraud and steal personal information since they could potentially gain not only card numbers but banking info as well.
A startup pioneer in Hungary, Tomso has directly contributed to the growth of Pay U.S.A. as well as that of Euronet Worldwide Inc., and more to the point, he deployed machine learning fraud and merchant risk solutions with Pay U.S.A., decreasing loss by 5x.
Tomso’s unique perspective on cybersecurity and machine learning make him an ideal choice for this piece and we’d like to thank him for his contributions to our coverage.
Decreasing fraud loss with new tech
Consistently, available tech has proven to be incredibly useful in combatting cybersecurity breaches.
Elaborate security systems have substantially reduced risk in many areas. To use a very limited metaphor, improvements made to cybersecurity over the last ten years have been like going from having a single night guard watching over a building to installing an extremely complex network of cameras, motion sensors, and alarms, capable even of seeing the threat approaching the building.
But some of the truly impressive improvements to cybersecurity have come thanks to emerging technology that allows for even more advanced systems.
As we mentioned at the start, Tomso oversaw the development and deployment of security tools that utilized machine learning. We’ll let him provide additional details.
“We had to improve our capabilities to reduce reaction time and leverage Pay U.S.A.’s regional presence. We decided to consolidate to a single solution where all country data is available from EMEA and deployed one of the market-leading machine learning engines. We moved from a manual reactive fine-tuning to a self-driven AI solution that detects new fraudulent activities and patterns.”
AI, and more specifically machine learning, offer a great deal of value and potential to cybersecurity professionals, especially thanks to the “learning” component. Being able to recognize patterns in attacks can have an immediate effect on prevention.
Even more exciting, the tech behind AI is advancing very rapidly, meaning that it will only become a more useful tool over time.
Establishing and maintaining trust with users
But what about users? Users don’t want to wait for cybersecurity to be improved or optimized, they simply want to be protected right now and for as long as they use each service.
Tens of millions of users have already been negatively affected by security breaches. In many ways, the damage has already been done, and this creates a serious problem for companies that want to establish and maintain a sense of trust with their users.
If a company says to its users, ‘Your data is safe with us,’ then suffers a major breach, those users are going to be understandably skeptical, and they may even terminate their account.
If cybersecurity is never 100% guaranteed (we’ll be going over that later), how can a company earn back the trust of all those users?
Tomso detailed specific goals that relevant companies need to keep in mind, even if they’ve never suffered a breach.
“Any company operating in cyberspace must demonstrate their dedication to deploying the latest security solutions. They need to make sure their website and provided services are secure and display certified badges. They should describe how they protect customers’ data and privacy and take immediate action in the case of a possible security breach.”
These goals could be categorized as action and communication. Of course, both of these are important on their own and for different reasons, but unless they work together, user trust will be a thing of the past.
The action here is all about legitimate efforts to minimize risk for users and develop systems that will continue to deter attackers.
Communication is about transparency, regardless of the situation. No, companies shouldn’t detail the specifics of their new cybersecurity efforts to users. That would be a security risk of its own. But letting users know how hard they’re working to fix and prevent problems is extremely beneficial for everyone.
Keeping pace with threats
An incredibly popular question regarding cybersecurity is this: “Will we ever get to a point where cybersecurity has been optimized, making breaches impossible?”
If you work in cybersecurity yourself, then you’ll already know the answer to this question, but for everyone else, the answer is a strong, “No,” though there’s an asterisk to that answer as well.
Tomso elaborated on the topic.
“If the right security measures are implemented, then we can eliminate known vulnerabilities. However, today, most harmful security breaches are initiated through social engineering. These are extremely hard to detect and prevent. Fraudsters take advantage of human behavior, which can be trained to be more cautious but still has a high failure rate.”
Previously, many cybersecurity efforts focused on the technical side, making it more difficult for hackers to access sensitive information. There was a bit of an arms race in this regard, with cybersecurity professionals and hackers outdoing each other on a seemingly endless loop.
Technical vulnerabilities are still a concern, but as Tomso pointed out, data thieves have simply expanded into a new area: social engineering.
In a nutshell, social engineering used to refer to organized efforts to change the course of a society. In this context, social engineering refers to methods meant to deceive a person so that they will unknowingly give vital information to someone, or a group of someones, who have malicious intentions.
So, in a way, social engineering is just another way for thieves to get access to sensitive information, but rather than relying on tech-based vulnerabilities, it relies on human vulnerabilities.
Whereas cybersecurity professionals could previously teach tech systems to block attacks, they now need to consider the individual’s ability to recognize these new kinds of attacks.
Returning to that initial question, it’s unlikely that cybersecurity will ever be 100% full-proof, but it’s also not a complete impossibility.
Still, this is an interesting moment in cybersecurity as it now requires a good deal of cooperation between cybersecurity professionals and individual users.
Collaboration and data sharing
But collaboration can’t be limited to users and cybersecurity teams. Tomso explained how collaboration between different companies is also crucial and could lead to serious advances in the field.
“One of the most important aspects of fraud prevention is sharing data. It can help companies identify, assess, monitor, and respond to cyber threats. Collaboration gives us the biggest chance for successful threat response and elimination.”
It’s safe to say that in the past, companies have been very protective of their data and systems. After all, these are valuable assets, especially today.
But an unwillingness to cooperate in the pursuit of cybersecurity solutions could slow progress in the area to a crawl.
The sheer number of companies advancing their knowledge on cybersecurity means that there is a tremendous amount of valuable information specific to each company.
When companies, especially tech giants, choose to collaborate, everyone wins. Companies create better security systems and users can rest easy knowing that breaches are far less likely.
A message for tech leaders
Before finishing up, Tomso had a specific message for tech leaders and FinTech leaders willing to tackle the most difficult aspects of cybersecurity, specifically with regards to the social engineering we mentioned earlier.
“Social Engineering is constantly becoming more and more complex, not only in its use of technology but also in how it analyzes social behavior and leverages human psychology. All of us in the FinTech world, including technology and service providers, must constantly educate users and customers and keep them alerted of imminent risk.”
Not only is this concept important to the future of cybersecurity, it’s also quite complex. Disseminating vital information to 100% of a user base is difficult even at the best of times.
But the worth of that communication is incalculable. When users are armed with the knowledge of social engineering techniques, they immediately become better-equipped to notice and avoid attacks.
Understanding the human side of the equation will be vital to this process. If it’s effective, however, cybersecurity may very well enter a new age.