As a part of our series about “5 Things You Need to Know to Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Andrew Bud, CEO and founder of iProov.
Andrew Bud CBE FREng is a distinguished UK entrepreneur and technologist. He is the founder and CEO of London-based iProov, which has grown since 2013 to become a leader in biometric identity assurance worldwide. Since 2008 he has been the global chairman of the Mobile Ecosystem Forum, a worldwide trade association. In 2000 he founded mBlox, which grew to become the world’s largest provider of enterprise text messaging worldwide. In the 1980s and 1990s he was a pioneer in the development of digital mobile communications in Europe. Andrew has a First Class degree in Engineering from the University of Cambridge and in 2020 was honoured by the Queen with a CBE and appointed a Fellow of the Royal Academy of Engineering.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I’m from London, where my parents settled and met. I come from a family of entrepreneurs and industrialists, who successfully built manufacturing businesses at the cutting edge of technology throughout the 20th century — including electrical fittings, batteries, scientific instruments, and computing devices. It’s in my blood, and engineering was regarded as the highest calling a boy could have. My mother was one of the few women to receive a Doctorate in chemistry in post-war Britain, and she and my father, a brilliant and creative man who worked into his 90s, supported and believed in me. My older brothers and sister are extraordinary people in their turn. I had a lot to live up to, with their support.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I didn’t come from the world of cybersecurity at all — I was a mobile guy. For a quarter of a century that’s where all the innovation and the action were. We were changing the world. But along the way, my previous business mBlox became the world’s largest processor of mobile payments — over 500m dollars in 2007. Then in 2008, cyber-crooks found a way to exploit a weakness in our systems and used our network to steal money from millions of people. I still remember being asked on camera whether my company had been complicit in this scandal or just recklessly incompetent. It was most unpleasant to realise we had allowed ourselves to be used in this way. The subsequent regulatory investigation exonerated us, but I vowed this would never happen to my users, my customers or me again. The question was how to provide effortless, ubiquitous, hyper-secure authentication. The answer was iProov.
Can you share the most interesting story that happened to you since you began this fascinating career?
In 2016 iProov was contracted to do a POC for HMRC, the UK equivalent of the IRS. As a prelude to that, HMRC put our solution through a very rigorous usability testing programme, in a specialised laboratory run by experts, using volunteer members of the public. We watched on CCTV as these users ran through a range of user experiences, supervised but unguided by the test leaders. It was one of the most extraordinary experiences I’ve ever had. To watch ordinary people react exactly as predicted in some cases and then do exactly the opposite at other times was enthralling. We watched them carefully think and then do precisely the “wrong” thing, misunderstand our beautifully designed cues, and completely ignore our lovingly presented instructions. They were not fools — we were the ones who’d screwed up without ever knowing it. The moment when engineers meet their users in action has a special magic to it, which I firmly recommend!
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I don’t think anybody succeeds in life without a lot of help from the people around them, so my list is long. I’d like to name one person in particular. In 1995, on a plane over the Atlantic, I read his book. In it, he mercilessly dissected my recent professional experience, laying bare all my follies and my mistakes with hideous precision and pointing out what I should have done instead. It was painful and a bit humiliating, especially as he hadn’t asked my permission. In fact, he didn’t even know I existed! Geoffrey Moore’s “Crossing the Chasm” was a revelation I knew to be true, and its successor “Inside the Tornado” had an even greater impact on me. I consider it a competitive advantage just to be old enough to have read it!
Are you working on any exciting new projects now? How do you think that will help people?
I think iProov is the most exciting project I’ve done in my life. Look, the biggest challenge an entrepreneur faces is to find a problem to solve that is so big it is worth solving, so worthwhile that it gives you and your team purpose, so difficult that it is endlessly interesting, and so fast-moving that it never gets dull. There aren’t that many around, so I feel profoundly grateful to have found a way to create trust in the online ecosystem worldwide. That will make life better and safer for billions of people globally and keep us busy for a while.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Burnout is a real hazard in our world, especially in a startup culture that glorifies extreme work patterns and commitment. When I was in my twenties, I would work on projects that sometimes needed all-nighters and seven-day weeks. It was very exciting — for a while. But then it had to stop and we needed to recover, or we would have fallen ill. Today, burnout comes from constant, unremitting stress, which is horrible and I think is a consequence of lousy leadership. Success comes from teamwork and people working at peak performance. Switching off, frequent exercise, open communication between colleagues, and accountability without blame are the ingredients of peak performance. Workaholism is not.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Cyber-security today reminds me a lot of the mobile industry in the 1990s. It has the same heady mix of a huge opportunity; the ability to attract really clever, creative and interesting people; an endless supply of challenging problems — and, of course, big inflows of capital and the opportunity to build very large amounts of value.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
For nearly three years we have been warning about the threat posed by synthetic videos, widely known now as deepfakes. As human beings we tend to believe the evidence of our eyes, and when we see videos of people, we accept them particularly readily. Now suppose those videos are malicious fakes, inducing us innocently to provide access, make payments, supply sensitive information, and hand over control of our business to criminals and spies. The pandemic has caused an irreversible shift to remote working, in which much of our working lives will rely on video communications. When that gets compromised, havoc will ensue. Companies need to think deeply about the implications of when — not if — that happens to them.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Several years ago, an organisation started trying to penetrate iProov’s biometric cyber defences. It gave a highly skilled researcher the full-time task of spoofing iProov’s public demo app. This person worked for weeks: because of his pattern of behaviour, we were able to identify his activity and study him carrying out experiment after experiment. About five weeks in, he was getting quite disheartened, but then he struck gold — he stumbled on a flaw in our algorithms and was able to pass a fake several times in a row. How happy he was! We knew that because we study imagery identified as malicious attacks. It was late afternoon, so he packed up early and went home. The next morning, he assembled his whole team and senior management around his computer to demonstrate his success. But it didn’t work anymore! During the night, the iProov team had analysed what had caused his success, identified the exploit in our algorithms and retrained them. He must have been so disappointed. He never succeeded again and gave up after eight weeks. It taught us the vital importance of monitoring and of rapid response to breaches. That’s commonplace in network defence but a major innovation in biometric security and one that is still not widely understood.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Because of the innovative nature of what we do, we have had to build most of our own tools. These are built into what we call the iProov Security Operations Centre, a complex assembly of machine learning classifiers and processes that analyses and assesses the vast mass of data flowing into our systems every day, every week and every month, looking for patterns of behaviour hidden deep down in the noise. Already back in my mBlox days, I learned that an attacker can prowl around for some time, carrying out probing and testing activities down in the noise, honing the potential of their weapon before mounting an attack that catches you by surprise with its scale and suddenness. Apart from the iSOC, our best defences are the processes we put in place to earn our certification under ISO27001. The key tool here was the commitment from the management team to live the security management system, not just to comply with it.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
The world is changing rapidly, and it’s becoming increasingly more attractive to outsource larger and larger chunks of defence. We secured our first ISO27001 certification entirely through our own work in-house. Three years later, we worked with an external vendor named iSMS.online, which made an enormous difference. We have put a lot of our company infrastructure onto Google Apps and benefit from the extensive security measures protecting that.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Almost without exception when a breach is detected and events investigated, someone will comment, “Oh, I saw that and wondered about it at the time.” The most important thing an organisation can do is to instill a security culture in all its employees, not just those involved in security and IT. That way, those early warning signs that something is amiss are reported and investigated early, rather than being found, potentially, months after the event.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The primary response and responsibility following a breach is to communicate with the customers impacted. It is at this stage that having well thought-through incident and data breach policies and procedures is paramount. These need not only to exist but also to have been war-gamed so that if a breach happens for real, it’s not the first time people are following the process.
iProov makes use of biometric data, which GDPR classes as Special Category Personal Data, the highest classification, so we have been heavily involved with GDPR since before its launch. We have used the requirements of GDPR and other privacy-related laws in other jurisdictions to further improve our processes, which overall has made us a stronger business. There are two ways to look at privacy regulations — either as compliance that has to be done or as an opportunity to strengthen the company.
What are the most common data security and cybersecurity mistakes you have seen companies make?
People are often cited as the weakest link in security, but they are also the most overlooked strength. It is far too common for someone to raise a concern which is overlooked but later turns out to be an early warning sign of either an attack or a successful breach. Irrespective of the person’s role, seniority or length of service, it is critical to treat all security reports seriously and to encourage them. The reporting procedure needs to be very straightforward and one of the first items shared on day one, together with regular reminders, both formal and informal. A culture of denial and an aversion to bad news really do not bode well.
Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
We at iProov moved our office in July 2019. As part of the move we made a conscious decision to remove all dependencies on the office and to ensure that all staff could work remotely, to such a degree that we reclassified the office network as untrusted — the same as the Wi-Fi in any coffee shop. The majority of our staff were working from home part-time before COVID-19 struck, so we had already covered the basics, including the provision of laptop privacy screens to those in shared households and the reinforcement of secure working practices. We had a fairly seamless transition to fully remote working and no measurable change in errors. We have, however, seen an increase in various phishing attacks and an associated increase in internal phishing reports.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs to Know to Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Compliance can be treated as empty check-boxing or instead used as an opportunity to improve. In particular ISO27001 can be used as a great way to refine company processes. When our CTO first introduced it, I gave it my CEO’s blessing as a business imperative and a joint mission, not just a piece of tedious bureaucracy. That was a surprise to many staff but key to its ultimate success.
- Everybody is involved in security — not just the IT team. We’ve made calling out security threats, including simple phishing attempts, into a company-wide social experience. Even the most junior person in sales can join in, be seen to do so and earn social capital for having done so.
- Encourage people to admit mistakes — to create an open and security-aware culture. Blame and punishment are great ways to give yourself a major cyber problem. Late one Friday afternoon, a young employee who had been instructed to do something important told his manager he thought it was a mistake that would lead to a serious cyber risk. Within the hour it had escalated to C-level, as it had serious commercial consequences. He was right; the instruction was cancelled, and he was publicly praised for having done so.
- When developing security systems, auditing and logging need to be considered at the beginning, not tacked on at the end. It was our huge fortune to build a cybersecurity firm from the ground up. We knew from day one we would be attacked hard. Hence, we wove these systems into our fabric as we went. The result has been a deafening silence where the shrieks of protest would normally be.
- Never, ever allow pizza delivery staff into your office. And find out who your office cleaners really are. If you can’t, assume they are compromising your network undisturbed each evening.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think simple, fast, effective and something everyone can do!)
Digital identities for all. They’re the key to social and financial inclusion and personal and societal cyber-safety and the source of trust online. Embrace them, don’t fear them — provided they have good biometric authentication and strong protection of personal privacy.
How can our readers further follow your work online?
iProov is at www.iproov.com, and new and exciting things appear every week. I talk about my work at linkedin.com/in/andrewbud/.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!