CYBERSECURITY

A moving target

Nettitude was one of the earliest cybersecurity specialists to take a forward-looking, threat-based approach to penetration testing. Banks’ experience during the pandemic has only gone to show how right it was, says founder Rowland Johnson

Staying ahead of the proverbial curve has long been the aim of Rowland Johnson, starting in 2003 when he founded one of the first cybersecurity companies, Nettitude. He subsequently turned it into a world-class, threat-led cybersecurity service for organisations across the globe so that they, too, could stay one step ahead of criminal cyberminds.

Nettitude has grown from a small, UK-based team into an organisation with offices in Asia, Europe and North America. In 2018, Johnson led the company through its successful acquisition by Lloyd’s Register as that organisation rises to the data-related challenges to supply chains posed by Industry 4.0. Johnson observed at the time that: “As the worlds of information technology and operating technology collide, the need to build integrated cybersecurity solutions will become essential.”

It’s not, then, a cybersecurity consultancy focussed on delivering services for organisations that simply want to tick a box for compliance purposes; it’s aimed at companies that really want to understand the risks presented to their own organisation – and others that they deal with.

“We operate internationally, through literally hundreds of offices distributed across the world, and work with some of the most sophisticated clients globally, delivering penetration (pen) testing and red-teaming services, as well as managed detection and response services,” says Johnson.

And it’s constantly scanning the horizon to understand what the various threat actors operating in what he calls ‘the wild’ are doing today. “We then tailor our services to mimic those types of activities, and, because we really are operating at the forefront of the industry, compliance almost hasn’t caught up to that space.”

Bad actors are agile, quicker to respond to changing environments than legislation and regulation, which can be years behind industry developments, says Johnson. And how fast threats emerge has been demonstrated during the pandemic, when the volume and nature of online transactions changed dramatically, amplifying fraud opportunities as secure processes were put at risk of being compromised by the mass shift of staff to homeworking.

Historically, testing focussed on organisations’ defences in their offices. As a result, many organisations have been found wanting when it comes to having a playbook for testing their resilience when staff are at their corporate laptop in their kitchen, shed or living room.

“With COVID, two-thirds of the world is now working from home, yet most organisations haven’t really had any kind of assurance activity conducted to try and understand what risks are associated with that,” points out Johnson. “Many of our clients are seeing those threats and saying ‘OK, let’s do a simulation. Let’s do a test that mimics those real-world issues we’re seeing today’. They’re the types of clients we can look at doing some really exciting work for.”

Nettitude is closely involved in delivering the TIBER-EU initiative, which was designed to do precisely what these clients demand. Jointly developed by the European Central Bank and European Union national central banks, the European framework for threat intelligence-based, ethical red-teaming was also the first EU-wide guide to how authorities, entities and threat intelligence/red-team providers should work together to test and improve the cyber-resilience of entities by carrying out controlled cyber attacks.

TIBER tests mimic the tactics, techniques and procedures of real-life attackers, based on bespoke threat intelligence for the organisation being targeted. They are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems, i.e. its people, processes and technologies. The outcome isn’t a pass or fail; instead the test is simply intended to reveal the strengths and weaknesses of the subject, enabling it to reach a higher level of cyber-maturity.

But such a programme shouldn’t be seen as a magic bullet, as Johnson notes: “Even if you look at organisations that have been through a TIBER exercise, or, before that, maybe a CBEST exercise, I suspect many of those tests were done in environments that look very, very different to the mode of operating today.” Nobody could have envisaged, 12 months ago, that most major banks would end up having the majority of their employees working from home.

Issue 7 | ThePaytechMagazine
www.fintechf.com