In this intimate conversation behind the scenes at Infosecurity Europe 2013, David Emm, Senior Security Researcher and Malcolm Tuck, Managing Director for Kaspersky talk us through the level of current security threats facing businesses, individuals and indeed nations and governments. They offer some insight into industry attitudes, predictions for the future and an explanation of the current state of mobile security.
Are events such as Infosecurity Europe important for Kaspersky?
Very important. We have been coming for several years and the company was formed in 1999 in the UK so we have been coming pretty much every year from the early days till now and credit to all the team for putting the stand together and it is bigger and better than ever and we are very happy with it.
Give us an insight into how you have developed the solutions that you currently offer. It's all developed in house isn't it?
It is indeed done in house. If we see the need for a new type of technology we develop it organically because that way we get optimal integration with existing technologies. We are known as an antivirus company but actually, antivirus in terms of its core benefit really has expanded a lot in the last 4 or 5 years. Specifically, the reliance on signatures and reliance on technology has been much reducing and what's taking its place really is the need to proactively detect new threats even if they have never been seen before so that really means a range of technologies from white listing applications on the one hand to device control, behavioural analysis and a whole range of technologies in between.
Of course one of the big stories this year has been the rise in BYOD (Bring Your Own Device) and mobile working within organisations. What are the biggest problems facing businesses implementing this technology?
I think with businesses right now, they see technologies, they see the threat, they see the need to actually defend themselves but actually the logistics of achieving that technology are not so easy. I am thinking in particular here let's take mobile devices, which you referred to. Obviously the threat to them is growing the need to secure data on them is apparent but if you can't manage that realistically alongside protection of other endpoint devices then actually it does not get you any closer to securing them so you need something that will let you reach out to each endpoint manage it across all types of technology and basically lock it down and ensure that it does not become a weak point for propagating some threat across the organisation so actually being able to keep your finger on the pulse across the enterprise is really important.
Have you been surprised by how big a talking point mobile has been this year?
I think generally people are thinking generally are having a growing interest but it is not the only one. People are concerned about virtualisation as well; they are also looking at outsourcing stuff like using Cloud and what the potential dangers are. You see, whatever way you look at it what people are particularly looking for in an economic climate like the one we have now is being able to have cost effective management of the technologies they are choosing to use.
You mention the challenging economic climate that we are in; do you see businesses struggling to find the recourses to manage security currently?
I think they are struggling, it depends on which scale of business we are talking about, I think the SMB companies are under pressure and the mid market as well. We have great solutions to help them reduce their complexity and risk and enterprise companies too obviously are under pressure but they have slightly more recourses perhaps and we can obviously help them with our platform
Talking about the mobile side of things again; do you think part of the problem in the way that organisations have approached mobile security has been caused by a difference in attitude towards mobile security?
I think there is a different psychology at play. If as an employee, you are presented with a desktop or a laptop you know it is a computer device so you realise there is a security dimension but with a mobile device you don't. It's pedigree is "phone" it's a smart phone so although the technology is developed organically allowing you access social networks or store data or connect to all the other networks services including banking these days, what you don't necessarily have is that feel for the fact that it is a computer and that there is a potential threat there from a security point of view and so there is a different psychology at play and I think also historically you don't need big hard ware like printers, like desktops and like servers get routed through the IT department in an organisation and therefore the security guys have their finger on the pulse but actually mobile devices have crept into the enterprise and therefore security is not necessarily uppermost in their minds and so they are only just beginning to grapple with the fact that they are a key part of the deployment, a key part of the population in the enterprise but actually they don't necessarily have the information at their disposal to keep them secure.
Do you think some of the liability lies with the service providers and even the manufacturers of handsets? Where do you see the responsibility for security lying going forward?
I think it is a mixture, I think if you buy a car you expect to be able to drive it safely, you expect the manufacturer of the car to deploy airbags an side impact bars, you expect decent roads to drive on. I think the same is true with technology as well, so the people behind the operating system need to be aware of potential threats and try and minimise the risk for example filtering apps in an app store. I think also the hard ware manufacturers need to pay attention to the security as well. I think the technology like the technology we provide is important too, and individuals and businesses need to realise that it is people who are using this equipment and they are fallible and therefore you need to find some way so to speak to patch the human assets within your organisation.
Looking wider at the things you provide. Do you see yourselves as educators as well as provider of solutions?
Absolutely it is part of our job. Everyone in the company is an educator in one shape or form and I think that it is incumbent on us to make sure that we pass on our specialisation our knowledge. Some of the trends we are seeing and some of the information we can share via a service or via a meeting to make sure our customers are aware of the risks and not to scaremonger but to educate is very key to what we do.
Kaspersky are well known for advising governments on defending themselves from nation state attacks. Are governments seeing an increase in severe attacks of national importance?
I think we are so dependant on the Internet as individuals and within business including critical infrastructure so to speak. I think that dependence on technology gives an opportunity to would be attackers because it makes it easier for them to undermine that service, and that is really what we are seeing, we are seeing attacks of all kinds being used using computers and they will remain a feature of the landscape, but actually that type of attack which if you like involves resources above and beyond just a cyber criminal gang they will always going to be niche but what I think what people and businesses need to concern themselves with is like the more main stream attacks that are likely to impact them and it is pretty clear that the government with its cyber security strategy is very keen to engage with business and make them aware that there is a risk it's a real risk and that they need to play their part in defending themselves against that threat.
And looking forward to the next year or two; what threats are you expecting to be dealing with for the future?
I think targeted attacks have been growing. That's apart from the random speculative attacks on you and me. Specifically, someone going after this or that organisation, that has been increasing and we think that will continue to increase over time. I think people also obviously are looking for cost effective solutions and if that means using cloud or some service or if that means having virtualise system then they are going to explore that but that also means that cyber criminals are going to pay attention to that as well because where flocks of people go there is also a pool of potential victims and so people need to go into the cloud, go into virtualisation, go on line or go mobile with their eyes open knowing that actually security needs to be part of what they look at when they explore that avenue.