Large corporations have always claimed that they have robust data security in place but still many of them were hacked in 2015. Global CTO of Trend Micro, Raimund Genes spoke to EC’s Mohd Ujaley on famous cases of data breach, global breach notification laws and opportunities in India. He says, “Even as a security provider, we don’t say that we will be able to prevent all the attacks which occurs but once the attack happened or attackers are trying to steal the data, the alarm bells must ring.”
Sony, Ashley Madison and NSA–they all claimed that they had robust security system in place, but the fact is that still they were breached. Have security companies such as yours failed to prevent cyber attacks?
I have a different take on this. Even as a security provider, we don’t say that we will be able to prevent all the attacks which occurs but once the attack happened or attackers are trying to steal the data, the alarm bells must ring. First of all, I don’t agree that they had robust system in place. In NSA case, how was he [Edward Snowden] able to access the internal documents. Even, when we talk about the Sony breach, how they were not able to figure out when the attackers were stealing tera-bytes of data.
In my opinion, the company should have the ‘basic rights and parameters’ in place and everybody should follow it. Lot many companies talk about it but there are no conclusion yet. If you are a security agency, you must know, what are your assets and who are the scoundrels to safe the top secret documents from. My personal understanding is that security is not about setting the parameters or systems alone, they could be breached, but the key is, if somebody is stealing the data, then the alarm bells must ring.
There is hardly any post breach analysis in terms of what security solutions they were using and how they got hacked. Don’t you think that non-disclosure is a huge problem as well barrier to security?
I agree with you, it is definitely a problem with breach notification laws. USA has the security breach notification laws that require an entity to report each and every data breach to government bodies for what it caused. Sony need to talk about it. Actually there are report on these data breaches which are not accessible to the press or general public. It is only accessible to certain players and these players will not talk about it. It is almost similar of when we are asked by a company to assess in such situation, we never bring this to public. There are some of the security companies which would like to talk about it but the terms and condition are not allowing them to do so. But you are right, post breach analysis and sharing the learning will help in fighting the cyber security menace more strongly. That is why I believe, we should report at least to the concerned authorities of such breach.
In India, SEBI regulates the market, so would you say that they should come up with necessary regulation on breach notification?
From market regulation point view, yes they should, but it is a broader problem, so rather a particular regulatory body, I would say government should draft breach notification laws applicable on every organisations. Breach notification is working in some countries but not in Europe because cyber security laws for each countries is different. And, most importantly, there is always concern around privacy. In Singapore, RSA is regulating the market by informing government and other bodies about cyber security.
In the absence of breach notification laws, how trust worthy are cyber breach reports from different companies, which at times claim of 70-80% global breach?
That is again a huge challenge, right now there is no clear answer to this. When I received a research report about data breach from IBM. They said it has 70% of global breach, but I don’t believe on that because 70% of data comes from US as it is the primary market for IBM. Outside the USA and Europe, when the breach happened, they never talked about it, so it is hard to say how many breaches are from India and Germany and so on. By 2018, we would be able to know about the exact data breach when the global data breach notification laws comes up.
Across the globe, is the goldmine changing from anti-virus market to enterprise or has enterprise always been a goldmine for cyber security companies?
I can’t speak for others but enterprise market is always a goldmine for us. We have been focusing on this segment since our inception. We had developed the first gateway protection in 1996 and the server base cyber protection in 1993 that was licensed to Intel. Our most of the revenue comes from enterprise segment. As far as consumer market is concern, we focus on them but the market is smaller. Even for the other players like Kaspersky Lab and Symantec, the anti-virus market is smaller. Most of the sale depends on the total number of PC’s sale. And as you are aware that now people prefer to use mobile device like tablet and smartphone more, and this has decreased the overall demand for anti-virus solutions.
In India, government is aiming to build smart cities. What opportunities do you see and what security mistakes government should not do in smart cities project?
There is huge opportunity in smart cities project but it totally depends on the nature of the market. If this segment begins in India and the country takes the lead, obviously we will have some sort of investment to work along with the government projects. We are an early adopter and always analyse the market for investment.
As far as mistakes that government should not make, it is difficult to say at this point of time but the government’s core focus should be on security enabled services. The adoption of cyber security should be from an early stage. When we talk about the smart city, the government should ensure that all the devices follow the security standard set by them. The government should clearly mention that if you want to do a business here, better you follow such standard that we have set-in. For example, in Europe, if you don’t comply with their standard, you cannot do business there.
How is your R&D centre doing in India?
We have a R&D center with the ability of data center security for a product called deep security and it is working really well. As a CTO, I am really happy with what we are delivering. Indian market is stable for us and the time will tell us when to increase our base.