Richard Hayton, Trustonic: “it is next to impossible for the average user to spot a well-planned scam”
New and smart technologies are continuously emerging and stepping into our world to make it easier in one way or another. And while many of them are useful for different purposes, they, just like everything else cyber-related, need to be secured.
No matter how aware you are of cybersecurity, without any protection measures it’s virtually impossible to secure yourself against threats such as malware, fraud, and data breaches. They can damage a company or individual both reputationally and financially.
Just like you’re required to put on a seatbelt in your car, your devices need cybersecurity technology to protect you from cyber felons. For this reason, we have invited Richard Hayton, the Chief Strategy & Innovation Officer (and CISO) of Trustonic, a company that provides cybersecurity technology.
Both your team and client base have grown exponentially since your start in 2012. What has the journey been like for Trustonic?
Trustonic was founded as a joint venture between Arm, Gemalto, and G&D to create secure technologies for emerging trends and market opportunities, predominantly in the mobile, automotive, and financial services sectors. Trustonic was sold to EMK Capital LLP Limited in Feb 2020. We continue to provide security solutions for new market and customer growth opportunities. We are proud to have world-leading technology. Innovation is still a key part of what we do.
Can you tell us a little bit about what you do? What industries do you mostly work with?
Trustonic is a security company at heart. Our core technology is a secure operating system that runs alongside Android or other ‘regular’ operating systems. We sell our production to mobile equipment manufacturers and it is embedded in around 2 billion devices. That experience has enabled us to branch into three other areas. The automotive and IoT sectors are growing rapidly, using the same core technology in these markets. Our experience in the mobile space has also led us to an adjacency. Our ‘Telecom Platform’ focuses on solutions for Mobile Network Operators, particularly relating to fraud and device financing.
What are the most common challenges associated with securing smart devices?
The challenge with security is always to determine what you are trying to achieve. For an enterprise, the data on the device often matters most, and solutions such as Mobile Device Management address this well. For an equipment manufacturer, however, the issues are somewhat different. Meeting necessary certifications – for example, to allow HD video playback, or enable tap-to-pay or government ID; preventing fake devices being used and ensuring consumer trust in the brand. For a Mobile Network Operator or device financer, the problems are different again – how do you prevent a device from being stolen or fraudulently removed from the contract? Here, the association between the device, customer, and service must be protected.
How do you think the pandemic affects the way people perceive cybersecurity?
I don’t think the pandemic has fundamentally changed perceptions, but it has changed what we consider normal. Now GP appointments are routinely online, and in-person banking has all but disappeared. Many individuals rarely use cash today, and more and more activities that used to take place in person are now online. This means we are sharing more data online than ever before. We rely on digital checks that many are ill-equipped to assess and that are cheap for an attacker to forge. For example, online conveyancing is inherently riskier than travelling to a bricks-and-mortar solicitor because it is easier to forge a website than an office. It is next to impossible for the average user to spot a well-planned scam.
Since the automotive industry is one of your main fields of focus, what are your thoughts on the connected car concept? Do you think this technology is going to enhance safety or pose more security risks?
‘Connected Car’ is a great marketing term, but we are talking about three different systems.
- Advanced Driver Assistance Systems (ADAS) – such as lane-keeping or auto-braking
- Autonomous driving
- Software updates over the air
All these have security implications. Whilst it is undoubtedly the case that if any of these go wrong there can be safety problems, in reality they generally dramatically improve both safety and security.
The reason for this is twofold. Firstly, the whole concept of ‘smart’ vehicles has led to far greater awareness and focus on cybersecurity. Regulations, such as UNECE WP29 and other legal requirements, are in place for automakers to ensure cybersecurity is considered throughout the lifecycle of their vehicles. Secondly, these systems generally work. There are certainly counterexamples, but generally, autonomous drivers or drivers using ADAS systems tend to be better at following the rules and less prone to accidents.
The most significant safety and security concerns are not really with these advanced systems, but simply because modern technology has a lot of software, and cars are no exception. This means a security flaw, even in a relatively mundane area, could potentially be exploited by an attacker. Turning the radio on at high volume, turning off the lights, opening the doors – all of these could have fatal consequences, especially if large numbers of vehicles are attacked at once. This is why secure software update is important, and doing that in a connected sense means flaws get patched faster.
What predictions do you have for the future of smart devices?
Processing power and connectivity have become significantly cheaper, which means we will see more devices of ever greater variety. ‘Smartness’ is the plastic of the 21st century. It will be everywhere and for every purpose. There are 100-200 CPUs in every new vehicle because putting a computer in the window switch and a computer in the window motor is cheaper than placing a wire between the two. This leads to a fundamental change in how things are built. In the future, many smart devices will be just as invisible as the window-switch CPU. Consider washing machines that monitor their drum rotation to reduce wear or toasters that use a CPU as it is a cheaper timer than a bimetallic strip. We have both of those already. Neither has the ‘smart’ label, but both are computers at heart.
The more visible smart devices will be the gadgets of tomorrow. Twenty years ago, voice synthesis, voice control, and digital mapping were all ‘early’ and didn’t touch most people’s lives. Today they are how we live. Perhaps Virtual Reality will be the next big wave? I think Augmented Reality will become commonplace in some areas. You can buy a heads-up display for your car today that overlays map directions. Whilst we may scoff at the idea of Google Glass, 60% of people in the UK wear glasses. I see no reason why some form of glasses-based augmented reality won’t take off.
In your opinion, what security solutions are essential for companies nowadays?
Security is all about risk. Pretty much every company has employee, financial, and legal data that should be confidential and must be recoverable in the case of a ‘disaster’ (which might simply be a stolen server or a small fire). Companies also have to show they are looking after data – to their customers and regulators. That means the list of ‘problems to solve’ can be immense, and managing this list risks becoming a burden, especially to small businesses.
I think it is also important to understand the limitations of what can be achieved with technology alone. A firewall, for example, can potentially keep the bad guys out – but it can also give a false sense of security if the attacker can avoid it – perhaps by attaching to Wi-Fi inside the barrier. Having people responsible for worrying about security is essential – but also appreciate that they will make mistakes and that security is just one more thing to trade off against cost and other commercial needs.
Some hosted solutions can help if they include cybersecurity and disaster recovery as part of the package. Principles such as Zero Trust are also great – but it can be hard to ensure these are used universally, so inevitably security policy requires a mix of technical and process solutions.
Talking about casual users, what safety practices do you think everyone should adopt to secure their devices?
We should all know this by now, but strong passwords matter. Use a different password for every different site, service, or device. Why? Because if an attacker finds a list of passwords, they will add them to the list of passwords to try on their next attack. This is, of course, impossibly hard to manage, so use a password vault, such as LastPass or Bitwarden. This does mean you are trusting someone with all your passwords, so stick to the big names. Storing passwords is itself a risk – but the risk is far smaller than if you use the same password everywhere.
Secondly, remember that your email account is the key to your kingdom. If I can get to your email, I can generally log in to any of your accounts by clicking on the ‘reset password’ box and following the link emailed as a result. Therefore, protect your email twice as hard.
Thirdly, use ‘two-factor’ authentication. To log into a device, you are asked to use your phone and password. It sounds like a pain, but you often only need to do it each time you use a new device or web browser. In practice, the extra pain is minimised. Needless to say, your email should be the first thing you protect in this way. Google, Microsoft, and others make it easy.
What does the future hold for Trustonic?
Trustonic remains a fascinating place to work. We have two very different businesses, but both are grounded in a strong understanding of security. Our ‘secure platform’ business protects the lowest levels of microprocessors to the highest level possible. We are immensely proud of it. As IoT and automotive security continue to grow, we are well placed for exciting growth.
Our other business, Telecoms Platform, takes our security know-how and applies it to enable new solutions within the telecoms industry. For example, by securing mobile devices against loss, we can enable financing of mobile phones to users in many countries who previously could not hope to acquire them. As technologists, it is wonderful to see how technology can break down barriers between the haves and have-nots.