News & Updates
May 2, 2017
By Robert Morrish, CEO
Australia’s national strategy for cyber security will continue to expand in scope as government, public sector and private enterprises like Haventec collaborate more.
This is partly a natural progression, as more intelligence is shared, more opportunities are identified; though it’s also because the real innovations in this field are very new.
On 19 April I was invited by Craig Davies, CEO of the Cyber Security Growth Network, to participate in a roundtable with PM Malcolm Turnbull and a handful of CEOs about challenges and opportunities in Australia’s cyber security industry.
In his introduction to the report the PM noted: “The conversation has shifted – in government, in business and for individuals. Trust and confidence through cyber security is becoming economic and security currency for Australia…
…The cooperation between government and business is stronger and deeper; boardrooms and Commonwealth agency heads are more attuned to cyber risks. State and territory governments are engaged; and the tempo of international engagement is quickening.”
The Prime Minister interviewed me about the trials faced by Haventec and other cyber security start-ups in selling to Australian enterprise, remarking that reports from the February RSA Conference in San Francisco suggest US enterprises are keener to get ahead of the curve.
Alastair MacGibbon, Special Adviser to the Prime Minister on Cyber Security, Department of the Prime Minister and Cabinet, pointed to the fact that Australia now ranks fourth globally in patent filings in cyber security research and development as a very positive sign we’re making progress.
He also commented, though, that we need more collaboration between public and private sectors, and more investment in innovative technologies, if we’re to deliver on early promise.
May 2, 2017
By Robert Morrish, CEO, and John Kelaita, product owner on Sanctum at Haventec
We’re pleased to announce Haventec is making one-click transactions safer and easier with our Sanctum product launched in April 2017.
Haventec Sanctum is a revolution in the handling of critical data such as personal credit information (PCI), personal health information and other forms of personally identifiable information.
In short: we’ve decentralised payments and other private transactions.
Each user keeps control of their own PCI and other transaction data on their own secure devices.
The sensitive personal information and the security keys to ‘unlock’ transaction authorisations are kept apart – even when money is being transferred from a customer to a merchant, the merchant doesn’t collect PCI.
As soon as a transaction is verified with a unique one-time-only key both the lock and the key are instantly replaced.
Therefore, we’re not only doing away with the need for organisations to manage and protect any central store of critical data, we’re also helping enterprises reduce their compliance costs and fraud risks.
Sanctum gives customers a fast and secure one-click transaction method, which improves the customer experience. Meanwhile, we make it easier for organisations to safely handle those transactions.
The end result: Haventec Sanctum helps build trust in every transaction.
May 2, 2017
By John Kelleher, product owner on Authenticate at Haventec
Our Authenticate product does what its name suggests: it Authenticates users through a new and highly secure system that is passwordless and easy to use.
Authenticate is built on our concept of properly decentralising data security so that organisations can offer safer identity and access control while protecting users’ privacy.
By ‘properly decentralised’ we mean more than keeping keys and locks apart, although those elements are essential. We’ve not only done away with the ancient idea of passwords and central username/password stores; our system also asserts itself in every interaction by making entirely new keys and locks from scratch every time you Authenticate.
As there is no central honeypot of valuable and sensitive data (such as usernames, passwords and permissions), Authenticate helps organisations avoid common data security risks simply because they no longer have attractive central targets that cyber criminals go for.
Ongoing benefits include reduced liability and costs associated with looking after those sensitive records, and less exposure to breach attempts.
Customers or members of organisations that offer Authenticate regain control of their own valuable and sensitive personal information.
An Authenticate organisation simply needs to know the user is legitimate so that it can provide authorisation – say, to access a specific system or record – it doesn’t need to store a lot of sensitive data anymore.
In each instance, Authenticate creates a one-time lock and key which it breaks up using Haventec’s patented algorithm and safely shares the parts to authorised parties. The original key is then destroyed.
When the user Authenticates an interaction, they enter their fragment of the decentralised broken key via a secure app on their pre-approved device by entering a PIN only known to them (no record of the PIN is kept by any party).
We regenerate the key using the decentralised fragments to provide the appropriate level of access at a pre-sanctioned gateway.
The interaction is secure at all times, and the keys and locks are replaced every time.
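To make the lock-and-key flow above concrete, here is an added illustration (not Haventec’s patented algorithm, which the post does not describe) using Shamir secret sharing: a fresh one-time key is split into fragments, the original is discarded and only a hash (the ‘lock’) is kept, and a gateway accepts an interaction only when enough fragments recombine to the key. The share holders (user device, service, backup) and the 2-of-3 threshold are assumptions for the example.

```python
import hashlib
import secrets

# Shamir secret sharing over a prime field; 2**127 - 1 is a Mersenne prime,
# so a random one-time key below it fits in 16 bytes.
PRIME = (1 << 127) - 1

def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_key(key, n, k):
    """Split key into n fragments; any k of them recover it, fewer reveal nothing."""
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_key(shares):
    """Lagrange interpolation at x = 0 over the prime field."""
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret

def make_lock(key):
    """The gateway stores only this commitment, never the key itself."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()

def new_round(n=3, k=2):
    """Mint a one-time key, split it, keep the lock, and drop the original."""
    key = secrets.randbelow(PRIME)
    lock, shares = make_lock(key), split_key(key, n, k)
    del key  # the only copies that remain are the fragments
    return lock, shares

def authenticate(lock, presented_shares):
    """Gateway check: do the presented fragments rebuild the key behind the lock?"""
    return make_lock(recover_key(presented_shares)) == lock

def demo():
    lock, (user, service, backup) = new_round()
    ok = authenticate(lock, [user, service])      # normal interaction
    alt = authenticate(lock, [user, backup])      # any 2 of 3 works
    alone = authenticate(lock, [user])            # one fragment is not the key
    next_lock, _ = new_round()                    # lock and key replaced afterwards
    return ok, alt, alone, next_lock != lock
```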
It’s a simple solution to many big, common challenges for organisations that need to confirm they can trust the people they’re dealing with as well as maintain control of every touch point.
Authenticate efficiently helps individuals build up a personal trust profile based on their safe and legitimate interactions; and by allowing them to secure their own sensitive information on their own devices, Authenticate also removes friction.
It’s simply a safer, more convenient way to manage network trust and security for everyone.
May 2, 2017
By Robert Morrish, CEO
We already suspected it, though it was still eye-opening to experience first-hand just how novel our technology is in the cyber security world.
When we joined Austrade’s delegation to the RSA Conference in San Francisco mid-February 2017 our aim was mostly to build Haventec’s company profile, as well as making quality connections with potential partners and clients.
Equally importantly, we were able to fine-tune our pitch for the US market in early meetings with new clients introduced by AMP Technologies and Nuix before heading out to meet other organisations with Austrade. Listening to questions from new acquaintances as well as ongoing feedback from other members of the delegation was invaluable – pitching our story is simply the best way to refine it.
We’re very happy that we heard very few objections (and those we did helped us adjust our pitch further). The American market is very open and receptive to our technology, on a bigger scale than Australia, and we’ve gained fantastic insights into industry best practice and trends, particularly in finance, defence, healthcare and critical infrastructure.
May 2, 2017
By Naveen Neti, Chief Engineer, at Haventec
Although I’d never experienced anything like the huge RSA Conference in San Fran, I was already confident we’d gain a lot from the trip as all my research showed the US is very positive and supportive of technology start-ups. The short version of this report is that the US security tech industry ‘gets us’.
The big technology trends being talked about at the RSA Conference circle some of the challenges in our industry:
(1) Endpoint security – the basic concept is that because a lot of common attacks happen on the user’s device itself, such as a laptop or smartphone, more needs to be done about both hardware and software security on portable devices and their connections to the outside world (via WiFi, Bluetooth and SIM cards). There are plenty of products in this space already, though still a lot of market opportunity as most people own multiple devices and haven’t done much to secure them.
(2) Artificial Intelligence and machine learning for server log management – tracking activity on a server or network is a huge chore well beyond human capability as we just can’t process the mass of information ourselves to spot most of the malicious behaviour. While most corporate users already expect all interactions to be monitored, some people are a bit slack about data security. As it only takes one device to be compromised to do damage to an organisation, smarter AI is being used to help close the gap.
There are still a lot of vendors making and selling password managers, though everyone we spoke with seemed very interested in the possibilities of password-less authentication. Our technology is in a very new market, with no big competitors. It’s a good position to be in.
May 2, 2017
By Edora David, Strategic Support at Haventec
A full day of competitive pitching can be nerve-wracking though it should also be fun. That’s the advice from Trish Fowler at the UK Department for International Trade, British Consulate-General, which hosts the Startup Games around the world:
“The start-up games includes a full day of coaching, teaching, mentoring and practical sessions, cunningly disguised within an absorbing game, simulating the highs and lows of start-up life,” explains Trish. “It’s a good fit for Haventec, as we are aiming at different start-up stages including more mature ones”.
Trish was right. It was less like the Hunger Games and more like the friendlier Commonwealth Games, with fast-paced pitch and feedback sessions to help us sharpen our game.
Pitching alongside 50 other Aussie startups, Haventec gained plenty of fresh perspectives on how we can sell cyber security innovation to a variety of audiences, from technologists who want to understand how it all works to C-level execs who want it to deliver results.
May 2, 2017
By Stuart Ridley, Content Strategist at Haventec
After several years of debate the Federal Government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016 that tightens the rules around data breach notifications.
Mandatory breach notification will be enforced from February 2018.
Most organisations covered by the Privacy Act (including businesses with more than $3 million annual turnover, government agencies and NPOs) will be legally required to announce data breaches to the Australian Privacy and Information Commissioner and all people affected by a breach.
All affected clients, customers and members will need to be alerted as soon as possible (within 30 days) if there is any risk of serious harm.
A data breach notification should be delivered through the usual expected channels – the key word is ‘expected’ – in short, whichever channel/s people are used to, to help cut the risk of people dismissing a notification as a scam.
The notification needs to include:
- Clear description of the data breach – when, where and who is affected
- Disclosure of the nature of information exposed (e.g. names and contact details)
- Instructions on what affected people need to do to respond (including recovery and/or protection)
Failure to comply with the new notification rules could lead to fines of up to $360,000 for individuals and $1.8 million for organisations.
Data privacy legislation is also being updated worldwide:
- The EU General Data Protection Regulation will enter into force on 25 May 2018
- In the United States, state-level data protection and mandatory breach legislation applies, with a national review expected in 2018
- Malaysia’s Personal Data Protection Act has been in force since 2010
- The Philippines Data Privacy Act has been in force since 2012
- Singapore’s Personal Data Protection Act passed in 2017
Robert Morrish, CEO of Haventec, notes: “Although most people know their personal identity, financial and health information is potentially valuable to hackers, their online behaviour suggests otherwise about the risks involved – or put simply, that data security is not ‘their’ problem but the responsibility of the organisations with which they transact.”
“Public trust in any organisation is instantly eroded when its supposedly ‘secure’ digital and physical environments are breached, exposing personal customer data. The personal cost to each individual might vary incident by incident, but ultimately it amounts to significant reputational damage for the organisation that allowed the breach to happen.”
Haventec has an interest in preventing data breaches happening in the first place.
While Haventec’s focus is mainly helping organisations and individuals better protect their sensitive data, we are working with our partners to help customers improve security practices overall, including:
- Who has access and how much access are they given?
- How are ongoing security behaviours monitored and responded to? (e.g. Do users have to prove trustworthiness before they are given higher access?)
- Where is data held (including with external data hosts) and who has the keys?
- How is data catalogued and identified?
- How is data handled within the organisation ‘off network’ (i.e. What are the risks of data being leaked inadvertently or deliberately by staff who have printed or copied records?)
- How is every item protected, from access point or gateway to database to individual record?
“As hackers are increasingly more efficient at outsmarting organisations’ cyber security measures, more corporate C-Suite leaders are being held to account – in the media, by their shareholders and customers, and ultimately, by their legislators,” warns Robert Morrish. “Some leaders can face criminal convictions where obvious negligence is demonstrable.”
“Yet, many organisations appear to take only those data protection measures required by law, rather than focusing on removing breach risks. Most importantly, adhering to regulatory guidelines (or rules) for data security does not of itself render personal data safe from intrusion and theft.”
“The published research on breaches of sensitive data indicates that most companies are not aware they have been breached and become aware of a breach months after it has occurred. The best stance is to assume that breaches will happen – and address the challenge now.”
May 2, 2017
By Ric Richardson
Early in 2017 we started arranging our engineering talent at Haventec into three teams, each playing to their personal strengths.
Firstly let me say all our engineers are A players. They all have great abilities. I also know that people are happiest when they do things they are good at.
Here’s how we’ve arranged our engineering teams:
- Red Team – R&D – This team can handle fast iterations and quickly assess, test and dump ideas while trying to break the back of bigger problems. The Red team must also be able to handle continuous disappointment.
- Blue Team – Production – This engineering team focuses on production code, drawing on personal strengths like attention to detail and tenacity for quality output. Documenting, quantifying and articulating customer product requirements demands patience and relentlessness.
- Green Team – Customer focus – This team is made up of release code engineers who are sympathetic to customer needs and challenges. They fix and refine code to improve the user experience.
This approach is working well and everyone gets in and helps each other when needed – we don’t have silo builders at Haventec.
I’ve recently researched some interesting viewpoints on the difference between engineering for Proof Of Concept (POC) and Minimum Viable Product (MVP) relevant to our team.
One viewpoint explained the difference simply as: a POC proves a function or technology’s validity (i.e. whether it can be done and will work) whereas a MVP proves a product’s market viability (i.e. will someone pay for it).
Validity and viability are two completely different things.
Production readiness and tasks such as resilience testing, intrusion testing and hardening are part of delivering a minimum viable product (MVP). As we are catering to banks and larger corporations, resilience testing and pen testing are part of the MVP.
Originally we thought of the Red Team as the MVP team but really they are the POC team. By the above definition the Blue Team is the MVP team and the Green Team helps mature and flesh out the products with the aid of paying customer feedback.
The other thing that became clear is how important prospective customer feedback and beta testing is to the MVP process.
It’s where all the customers’ questions get asked and answered:
- What is the minimum API set we need to run on an enterprise network?
- What is the minimum feature set needed for someone to use and pay for our product?
- How good does our documentation have to be? What is the minimum pen testing we need to do?
So besides making rock solid quality code, the Blue team also has to have constant feedback from marketing, sales and beta testers, all the while developing reliable and provable answers to all these questions.
So here is a question: could a proof of concept team also do a minimum viable product?
Probably not. But it’s worth tinkering over.