Seeking to protect all assets from all cyber threats sounds noble but is unrealistic. Instead, an innovative approach that specifically focuses on eliminating ‘unacceptable’ risks at every level—companies, industries, even entire countries—is both viable and hugely beneficial.

That was the message from Denis Baranov, CEO of Positive Technologies at Expo 2020’s business session “Breakthrough Russian Digital Solutions for Government and Industry”,during the ROSATOM Thematic Week “Breakthrough Technologies for Sustainable Future, held earlier this week at the Russian Pavilion. The panel brought together representatives from government agencies and major industrial and IT companies from Russia, the UAE, and other countries.

OverUSD1 trillion is the registered loss of businesses caused by cyber-attacks of last year, which is equivalent to 1% of global GDP, according to a report by digital security crowdsourcing platform, Bugcrowd.In 2020, cyber incidents increased by 51% worldwide, while companies will remember 2021 for the unprecedented scale of cyberattacks and record ransoms. According to a recent study by Positive Technologies, an external attacker is able to gain access to the local network of 93% of companies, and a hacker from the inside can establish complete control of the infrastructure in all cases.

“The entire cybersecurity market today is at a bifurcation point – in the process of transitioning from the old state, which is no longer viable, to the new,” said Denis Baranov. “In the past, cybersecurity services would buy security tools and try to uniformly protect everything from everything. This approach does not work anymore. To counter effectively counter cyberattacks, it is imperative to compile a list of “unacceptable events” that would seriously harman organization. For a bank, for instance, the theft of all funds from a correspondent account is unacceptable; for an industrial enterprise it is damage to equipment; for a health ministry, the theft of citizens’ medical data. The novel approach entails identifying such unacceptable events and tasking information security services with making them impossible to actuate.”

During his talk, Mr. Baranov explained that, after determining the unacceptable events, each organization should regularly test its systems for robustness and conduct cyberdrills to measure security performance.

“If the task is set correctly, the result can only be assessed through practical cyberdrills, when one team builds protection, and another team of ethical hackers tries to actuate unacceptable cyberrisks. Our company implements such security assessment projects on a turnkey basis. We strive to ensure that such devastating risks are not actuated through cyber-attacks” added Baranov.

He also noted that the company is evaluating this novel approach to cybersecurity primarily on itself—through regular joint cyber-drills in collaboration with a highly skilled teams of attackers. Since 2019 to date, Positive Technologies has conducted three rounds of cyberdrills: external experts tried to actuate a key risk for a company in its infrastructure by creating backdoors in the source code, which, disguised as updates, can reach clients, and make them vulnerable. No one managed to implement this unacceptable scenario.

In December 2021, Positive Technologies, a leader in the Russian information security industry, became the first Russian cybersecurity company to debut successfully on the stock exchange. This was the first case of direct listing in the history of the country.