Dear Industry,
‍

From Guarding to Guardrails: Pivoting Cyber Security from Detection to Prevention

Al Lakhani, Founder & CEO, IDEE 

The dawn of the digital age has reshaped the very essence of the way we live, work and communicate, requiring all individuals and businesses to seek protection when navigating the digital landscape. As a result, cyber security has become ingrained in the very fabric of consumer and business life. My journey within the sector began more than two decades ago. In an era where computing leaps from gigaflops to exaflops, shattering barriers once thought insurmountable, the cybersecurity industry languishes in a paradox of progress. Despite the monumental advances in technology that have reshaped our digital world, our approach to cybersecurity—especially in preventing account takeovers—remains embarrassingly stagnant. Over the last five years, account takeover incidents have hovered persistently around the 80% mark, a glaring testament to the lack of our industry's inertia. While our computational capabilities have rocketed into realms once deemed the stuff of science fiction, our strategies for safeguarding digital identities are mired in methodologies that seem almost mediaeval by comparison. This stark contrast not only highlights a failure to evolve but also serves as a clarion call for a seismic shift in our cybersecurity ethos: from detection to complete prevention.
‍

Reflecting on past mistakes

Let’s take a step back. Antivirus software emerged as the frontline defence against cyber threats in the early days of personal computing, with manufacturers eventually deciding to install antivirus detection systems on new computers automatically. However, this approach proved inadequate as attack techniques quickly evolved and outpaced the detection capabilities of the pre-installed anti-virus software. This is a useful example of the challenge we now face, albeit with different technology: multi-factor authentication (MFA 1.0).  Its adoption represented a progressive step forward which, quite rightly, aimed to limit account takeover (ATO) attacks. However, the technology consistently falls short of addressing the root causes of these cyber breaches. And, instead of rectifying its deficiencies, we remain fixated on detecting breaches caused by these vulnerabilities, rather than preventing them outright. This embarrassingly primitive and reactive approach has morphed our security landscape into one where account takeover (ATO) attacks are not the exception but the norm. Furthermore, the insistence on using two devices for multifactor authentication (MFA 1.0) exemplifies the drastic deterioration in user experience—akin to requiring two keys to unlock your car every time. As a result, the industry’s approach has not only compromised our security but has also severely degraded the user experience, transforming the vision of a secure digital future into a fantasy. So the billion-dollar question is: why is the sector so obsessed with a reactive approach focused on detection at the expense of prevention?
‍

Detection is better for business

Call me pessimistic, but I fear it’s because detection is a multi-billion-dollar business. Revenue in today’s cyber security market is expected to hit $183.1 billion in 2024, before rising to $273.6 billion in 2028. Characterised by ongoing subscriptions, consulting fees and digital audit charges, detection-based security companies make up the lion’s share of this market. Therefore, any move towards implementing technology that effectively eradicates compromised credentials and prevents ATO altogether would disrupt the revenue streams that detection-based software can generate. This should prompt a critical examination of the industry's practices. The reluctance to embrace preventative measures, despite their potential to enhance security, reflects a fundamentally flawed cybersecurity sector – one that must be shocked out of its ongoing slumber.
‍

Prevention is possible

Indeed, turning the pipe dream of an ATO-free world into reality is not an insurmountable challenge. Yes, it demands a bold reimagining of cyber security, but making prevention the foundation – not a feature – of what we do is eminently possible. It’s about getting to the root causes of ATO attacks and solving them. The technology to eradicate ATO exists today; the sector merely needs to adopt an open-minded approach and eliminate the word "impossible" from its vocabulary, much like humanity once dismissed the "impossible" and put a man on the moon. The only barriers to a future free from account takeovers are the limits we impose on our imagination and determination. These values are at the heart of what IDEE is all about. Our systems are grounded in the principles of immutable credentials and transitive trust, ensuring that access to an individual’s or business’s accounts and data is only possible on trusted devices, by trusted users, and under the users’ total control. Unlike the most ubiquitous security measures that are out there, this means that we have eliminated the vulnerabilities associated with passwords, codes, push notifications and QR codes, providing a fully – and I mean fully – phish-proof solution. What’s more, it’s decentralised by nature, with credentials stored locally on trusted devices within secure hardware.  As such, with centralised databases out of the picture and transitive trust and strong identity proofing in place, we have found a way of making ATO attacks relics of the past. Many people don’t believe us when we tell them that, but it’s true. I invite the sector to seek out our solutions and experience what IDEE can do – just come and have a look.
‍

It’s time to challenge the status quo

The next step in the evolution of our industry is to take a leaf out of those who dared to dream of reaching the moon, who chose to embark on a quest not because it was easy but because it would stand as a testament to their limitless potential. Today, we are faced with a similar choice: to accept the status quo or to redefine the future of cybersecurity.When I came into this industry, I knew that a significant change was needed to truly protect individuals and businesses online. Sure, I’ve made mistakes along the way. At first, we tried to create a B2C wearable, which failed commercially. We then tried B2B2C digital identities, and failed commercially again. I’ve never given up, and our current B2B MFA 2.0 solution has resonated with the market. But the goal of these solutions has always been the same - prevent ATO. The legacy of our industry, of what we can achieve together, will be defined by whether we can achieve this one thing. If we choose to, we can protect digital identities and finally instil trust in the online world. Together, we can usher in a new era of cyber security and forge a legacy worthy of the digital age. I invite you to join me on this journey.