James Milne, Head of Product at AlphaCert and Frank Coyle, Head of Product Development at AlphaCert caught up to discuss the wide-ranging topic of security.
In this episode, James and Frank discuss information security, cybersecurity, and all the threats, impacts and mitigations around security that AlphaCert manage as an application software provider. In particular, AlphaCert’s experience with CPS 234, APRA’s Prudential Standard for Information Security.
If you liked this episode, there are plenty more Alpha Chats to watch on topics like Non-Fungible Tokens (NFT), Climate Change Financial Risk and Portfolio Holdings Disclosure.
Alpha Chats: Security
James Milne:
Hi everybody. My name is James Milne, I’m the Head of Product here at AlphaCert, and I’m here with Frank Coyle, Head of Product Development. Welcome Frank.
Frank Coyle:
Thanks James.
James Milne:
Today we’re going to discuss security, the wide-ranging topic of information security, cybersecurity, and all the threats, impacts and mitigations around security that we have as an application software business. Frank, what general security threats are out there and what general ways are there out there for organisations to combat or guard themselves against them?
What’s out there for organisations to combat and guard themselves against general security threats?
Frank Coyle:
That’s a pretty big question. I suppose the current trend is moving away from things that people will be more familiar with, like password attacks and brute force attacks and moving towards things like ransomware, where an attacker will gain access to your system, but without letting you know, without taking down your website or anything like that. They’ll get into your systems and try to steal your information assets, like your customer database or your credit cards or your personal identifiable information. And then they use that information as a ransom attack, like a kidnapping type, but where they’ll tell you that they’re going to destroy your information that’s vital to your business if you don’t pay them large amounts of money. Or they’ll otherwise disclose information and ruin your reputation around your peers and in your business with your customers. It’s a more personal and more people-oriented attack than we’ve seen in the past, where companies would attack physical servers with code hacks, and with the intent of bringing down your environment or your website.
James Milne:
Frank, do you think, is there more of a trend towards using the latest computer technology to try and hack into organisations, or use these ransomware threats against them?
Frank Coyle:
Yeah, the technology that they use to get in in the first place, it’s things like botnets, where they have lots of, slave or zombie computers all over the world where people have downloaded malware onto their computers. And then that computer becomes controlled by whoever’s running the scripts. And then people use these massive nets of bots or slave computers to run attacks on different companies. Everything’s moving to the cloud these days, every company has their servers in Azure or AWS or Google. And every time you bring up one of those environments, you have to obviously put security in place to make it available or not available to people on the internet. All of our applications are websites, so they have to be available in some respect to the internet.
Frank Coyle:
And if they’re on the internet these botnets can basically try and find them, do a scan of IP addresses to find open ports and open servers where they can start an attack and start to use brute force to get into those different servers. Because once they’ve got a foothold in one of their environments, then there’s a good chance that they can get into your network, which is probably connected to that environment too. And once they’re into your network, then they get access to your files and your databases. And then they’ve got access to all of your information assets that they can then hold for ransom.
James Milne:
Yeah, it’s a pretty scary thought. CPS 234 is obviously a hot topic across the industry. And it’s a law that’s in place for Australian entities that includes superannuation funds, to ensure that these organisations can withstand cyber-attacks. So, this is becoming more of an issue in Australia in terms of the compliance side of things. What is AlphaCert’s experience in complying with CPS 234?
What’s AlphaCert’s experience in complying with CPS 234?
Frank Coyle:
Yeah, our experience is a little bit indirect in that we are the supplier to companies in Australia who have to comply with APRA. But because we have to comply with it so that they can comply with it, it’s very relevant for us too. And it’s an interesting law that’s come in. It almost assumes that companies will be attacked and focuses on how companies prepare themselves for those attacks that are going to come in, whether they’re successful or not. And it puts in a framework in place for how you prepare yourself, how you strengthen your defences inside your own environment and how you recover from those attacks and how you report those attacks to the government, and to your clients and your customers.
James Milne:
Yeah. And security in this sense is not just software, is it? There’s a lot of additional elements outside of software to consider from a security perspective to ensure that your data and your information assets don’t fall into the wrong hands.
Frank Coyle:
Yeah, that’s right. So, there’s a lot of focus on your processes internally. Like the processes that people follow, not just software and systems. Like how you classify and how you identify your information assets. So that things like your database, if you have a database full of customers’ personally identifiable information, what’s the impact on your business if that information is taken over and held for ransom by some third party? What’s the impact on your business if they just destroy it? There’s a whole… It’s like a risk matrix where you think about the impact and the likelihood of different risks happening and how it can affect your business. So, it’s very much in the management meetings and the board meetings and directorate meetings where they talk about, if this attack happens, what’s the worst that can happen to us as a company and the people who run the company?
James Milne:
Yeah. And of course, CPS 234 makes the board responsible for putting in place those safeguards, for not only their organisation security, but also as you mentioned, all the vendors that they interact with on a daily basis.
Frank Coyle:
Yeah. 234 stipulates that you have to then check the security systems of your vendors as well. So not just your own internal systems, but you must vet the people who are working with you in an information security aspect. Anybody who’s got access to your environment directly or indirectly, whether you’re using some software company like AlphaCert to manage data from different sources. Is that company secure and is it going to be a factor for an attack into your company?
How has AlphaCert been architected around information security?
James Milne:
And just talking about AlphaCert Frank, what are some of the specific ways in which AlphaCert has been architected, in terms of our platform, specifically around information security?
Frank Coyle:
We aim to use best practice; everybody uses best practices. But we aim to use things like single tenancy instead of multi tenancy, which means that we don’t have a big shared system with one big database on one big server where everybody’s data is all in the same place. And if one person gets breached, the guy next to them, their data is also at risk and can be attacked and held for ransom in one big, massive breach. We like to keep everything really separate. Like a series of little walled gardens, where if one person gets access to one environment, they can’t get access to anybody else’s environment. Because there’s no direct link, there’s no crossover or shared technology or environments or hardware or anything like that.
James Milne:
Absolutely. Well, thanks Frank. I think that’s a really useful insight into the general threats that are out there, the way that organisations can prepare themselves for those threats. And also a bit of a look into CPS 234 and what it’s actually designed to do. Here at AlphaCert, security is absolutely paramount and baked into everything that we do. And we are really proud of our history in terms of supporting the in-house security for our customers on the platform. So thanks a lot Frank, and we’ll talk to you soon.
Frank Coyle:
Thanks James.