Protecting All Assets from All Cyber Attacks Is Unrealistic; Focus on Preventing the Unacceptable: Positive Technologies CEO

Seeking to protect all assets from all cyber threats sounds noble but is essentially unrealistic. Instead, a new approach that specifically focuses on eliminating ‘unacceptable’ risks at every level—companies, industries, even entire countries—is both viable and hugely beneficial. That was the message from Denis Baranov, CEO of Positive Technologies at the World Expo 2020 Dubai "Breakthrough Russian Digital Solutions for Government and Industry" business session, held on January 23.

The panel session, held as part of the "High Tech for a Sustainable Future" thematic week in the Russian pavilion, brought together representatives from government agencies and major industrial and IT companies from Russia, the UAE, and other countries.

Last year, companies' losses from cyberattacks exceeded $1 trillion, equivalent to 1% of global GDP, according to a report by digital security crowdsourcing platform, Bugcrowd. In 2020, cyberincidents increased by 51% worldwide, while many companies will remember 2021 for the unprecedented scale of cyberattacks and record ransoms. According to a study by Positive Technologies, an external attacker is able to gain access to the local network of 93% of companies, and a hacker from the inside can establish complete control of the infrastructure in all cases.

"The entire cybersecurity market today is at a bifurcation pointin the process of transitioning from the old state, which is no longer viable, to the new," said Denis Baranov. "In the past, cybersecurity services would buy security tools and try to uniformly protect everything from everything. This approach does not work anymore. To counter hacker attacks more effectively, you need to compile a list of unacceptable events that would seriously impact your organization. For a bank, for instance, the theft of all funds from a correspondent account is unacceptable; for an industrial enterprise, damage to equipment; for a health ministry, the theft of citizens' medical data. The new approach entails identifying such unacceptable events and tasking information security services with making them impossible to actuate.”

During his talk, Mr. Baranov explained that, after determining the unacceptable events, each organization should regularly test its systems for robustness and carry out cyberdrills to measure security performance.

“If the task is set correctly, the result can only be assessed through practical cyberdrills, when one team builds protection, and another team of white-hat hackers tries to actuate unacceptable cyberrisks. Our company implements such security assessment projects on a turnkey basis. Whatever the organization, ministry, industry, or country, we strive to ensure that such key risks cannot be actuated through hacker attacks," added Baranov.

He also noted that the company is trying out the new approach to cybersecurity primarily on itself—through regular joint cyberdrills involving highly skilled teams of attackers. Since 2019, Positive Technologies has already conducted three rounds of cyberdrills: external experts tried to actuate a key risk for a company in its infrastructure by creating backdoors in the source code, which, disguised as updates, can reach clients and make them vulnerable. No one managed to implement this unacceptable scenario.

In December 2021, Positive Technologies, a leader in the Russian information security industry, became the first Russian cybersecurity company to debut successfully on the stock exchange. This was the first case of direct listing in the history of the country.