‘Cybersift strikes a fine balance between security and user experience’ – CEO Brian Zarb Adami

Cyber security is an ever-evolving landscape, with the incidence of scammers looking to make financial gain, commit identity theft or infecting entire systems with ransomware becoming more and more real. The necessity of stricter security protocols has increased so much that user experience is often turned into a frustrating exercise, where a supposedly simple action involves excessive oversight and time. This is an issue that Brian Zarb Adami, CEO of Cybersift, takes extremely seriously.

“At Cybersift our goal is to help clients maintain digital security without compromising user experience. Our priority is the fine balance between keeping bad actors out of our lives and systems and the convenience and ease of consuming digital services. To give one example, technical controls such as multifactor authentication surely slow down the process of logging into systems, but this extra layer of verifying a user’s identity goes a long way into securing our digital lives,” Brian starts off.

He explains that the balance of seamless user experience now spans different platforms, hardware types and connectivity. Users expect to be able to carry their digital identity with them across systems and to seamlessly switch between devices wherever they are – all while maintaining the same level of security.

Of course, this complicates matters for developers who look to maintain a sound level of security across all avenues of access. So what are some examples of technologies that successfully marry great virtual experiences with robust security measures?

“The best security is the one that is invisible, least intrusive and doesn’t interfere with the user flow. Messaging apps that offer highly secure end-to-end encryption are a good example. The user simply logs in, starts typing, oblivious to the fact that plain text is scrambled, securely transmitted and unencrypted on the other end.  I firmly believe all system developers should aspire to offer experiences akin to those offered by Apple’s face and touch ID, and Amazon Web Services (AWS) Cognito. The key word here is frictionless. These technologies manage to address the issues I’ve just mentioned,” Brian says.

Brian notes that, according to IBM, 95 per cent of data breaches boil down to some kind of human error, whether it’s the end users or even the administrators and operators of a system. Among the elements that can lead to system compromise we find inexperience and misconfigurations.

“Education and learnings taken from incidents is of paramount importance to both technical and non-technical users to avoid pitfalls. Awareness and a constant reminder the way threat actors operate are as valuable as the security software, devices, and other technical controls we deploy. An end user who brings a whole system to its knees because they clicked a malicious link can be transformed into being a powerful first line of defense,” he explains.

Thus, the importance of training both end users and IT personnel, ideally having a specialist IT security team able to understand the gravity and risk posed by threats. Meanwhile, two of the biggest emerging threats are Artificial Intelligence (AI) and quantum computing. AI allows bad actors to mimic voices and people in the virtual realm, where methods such as phone calls impersonating a loved ones are enhancing the effectiveness of scams and other deceptions aimed at embezzling the vulnerable or extracting information have become the order of the day.

Quantum computing brings an unparalleled speed of processing that is not too far on our horizon. This technology could mean that code breaking, and password guessing will be done faster, allowing access to the private keys that currently govern all our communications.

“There are powerful technologies which, in the wrong hands, can be a threat to our digital lives, freedom, and internet security. However, they can also be extremely beneficial. AI, for example, is leveraged to bridge a skills gap. In information security as an example, I know of at least three companies who are working on large language models (LLMs) to enable users to converse in plain English with an AI about security concerns in a network. The information is there and in many organizations is being collected. It is an obvious next step to use it to our advantage,” Brian states.

He adds that AI is already being used to great advantage for the ingestion and analysis of very large datasets to identify anomalies in areas such as fraud detection, medical screening, and information security. He explains how, in information security systems, AI can cross correlate anomalies with threat detection sources, filter out any less important ‘noise’ while highlighting events and incidents which are of concern for escalation to a human.

“It’s a great way to primarily address the current gap in the market, but also to have a second opinion through an ‘expert engine’ which is not subject to bias or other factors which cloud one’s judgment.”

So what strategies should be followed by companies in order to keep pace with the rapidly evolving landscape of cyber threats and user expectations? Brian believes that the best strategy to adopt is the ‘defense in-depth approach’.

“Here, one would layer different levels of protection around information assets to protect them. The whole idea is to make it harder for a would-be malicious actor – whether internal or external – to reach his goal. Steps often include protecting the perimeter, the network itself through segregation and running protection on each device, including less traditional surfaces like mobile phones.”

One of the challenges is that, often, mobile phones are privately owned and not controlled by an organisation, but users still expect to be able to connect to Wi-Fi at the office.

“This means that they offer a great vector of compromise for an attacker. In depth defense also extends to the actual hosts (PCs and servers) that are running the systems and protected with an end point detection and response tool and finally advocates the secure implementation of the applications themselves. The expectation is that these are developed and deployed with proper security protocols and controls, tested for logic errors, and then put into production only once all components are properly tested,” he reiterates.

So what might the future hold that could possibly revolutionise the way we approach cybersecurity and our digital experiences? Besides the afore-mentioned quantum computing, Brian believes that the use of blockchain for enhanced security is something that we haven’t leveraged enough.

“As you know, a blockchain is an immutable ledger of information. This technology can be adopted not only for cryptocurrencies, because the data can be stored in a secure way, making tampering difficult. Storing identity information on a blockchain also makes it harder to affect the integrity of identity information making impersonation and identity theft harder to achieve,” he replies.

Another area he believes is brimming with potential is zero trust architecture, where one would assume that no entity, person or device is trustworthy by default, and a kind of verification is required at every step of access requested.

“I think that this will go a long way into also securing businesses in the future. Finally, I cannot but mention securing the Internet of Things (IoT). Smart devices are becoming ubiquitous and are entering the mainstream through our households and businesses. With increased popularity of all things ‘smart’ and connected more and more every day devices are bridging the gap between our physical and digital lives,” he concludes.