In this era of cybercrime, security continues to be one of the biggest challenges for companies that transact online, particularly in the financial services sector. Australian internet security firm TrustDefender has established itself as a leader in this market, and has just been the recipient of a $16 million investment from listed technology company Nexbis, which will take a 50% stake in the business.
Today co-founder Ted Egan talks to SmartCompany about the war on cybercrime, keeping his company in Australia and why you will only win a client’s trust when they know you are big enough to be sued.
We might start at the beginning. So I gather TrustDefender was set up in 2006?
Officially it was formulated as a company in 2006; however, Andreas, who’s CTO of TrustDefender, and I started discussing this back in 2004, believe it or not, when we both had well-paid careers.
In IT, I take it?
Yes, in the IT and security space. So we both had our own companies as well. Andreas had a German/US-based company that dealt with man-in-the-middle attacks and SSL security.
We were discussing the overall security issue; even in those days we felt the whole security model was broken. We were spending millions of millions of dollars on enterprise security and then on the other end we were spending millions of dollars on the end-point security meaning the consumer at home, mum and dads, small business, whatever. But the enterprise never knew what the security health of that device was or the integrity of the security of the end point really was. So they were pretty much playing Russian roulette every time they did a transaction. And they were promoting eCommerce and it was a very large target for all criminals to attack.
We wanted to build an independent layer that complemented all of the best-practice security strategy. So we didn’t want to take away from what the antivirus companies were doing, the firewall companies were doing, the authentication companies were doing or the general enterprise security anti-fraud type solutions that were being deployed at the enterprise.
What we wanted to do was to be able to check the security health of the device at the end point and the overall security chain, integrate that all into one security chain and also address the big issue that you hear banks talking about educating the customer. So we sought to do that and we sat down with the banks here in Australia.
Just to go back a step. Your program TrustDefender sits in between the consumer at home and the enterprise. It allows a bank to see what security measures the end user has running.
The security health of the end-point device. It’s an independent layer that sits over the top of everything. It consists of an application that’s deployed to the end-point device and in today’s environment, applications are deployed on every type of device. What we wanted to do was be an independent layer that complemented what was going on but provided real time feedback to the enterprise based on the security health of the buyer. What type of antivirus are they using, is it up-to-date, is it actually working, is the malware trying to trick it, is the firewall switched on, or if it’s switched off?
The average consumer out there – mum and dads, business user, whether it be small business or large business – they are not security experts, they are not computer experts, they don’t know. So we wanted to be able to also provide real time feedback to them based on the security health of the machine they’re using. Whether it be their own personal machine or whether it be the one they’re using at work or whether it be the one they’re using at an internet cafe. So in all those cases, they will be told the security health of their machine. And that’s very light, they can always log in and they can always carry out the transaction.
But importantly back at the bank or the enterprise, the enterprise can now apply business rules or policies based on the security health of that machine. The bank can now do one of two things. They can apply different rules based on the security health of your machine, they may allow you to log in but they may not allow you to do a transaction because your machine is compromised. All the things that you may normally see that are hidden in web pages of the bank that you never read, now we’re looking at cost savings for the bank.
So how is that delivered, through a pop up?
No, it’s delivered within the website of the bank. There are technology capabilities in TrustDefender that are quite advanced. And we’re seeing vendors out there trying to catch up. And we’ve had this in place probably two and a half, three years now. But the world’s catching up.
For a young company like yours, was the process of selling to big financial institutions like banks and credit unions difficult? I’d imagine just getting a foot in the door would be tough.
Even though we worked with a lot of the big banks in the early stages and we continue to work with a lot of these big banks, it is very hard because in Australia we have this thing that we never buy locally, you’ve got to establish yourself overseas – and you need to be big enough to be able to be sued is the other thing.
What we did as a strategy was we broke the finance sector into tier one, tier two and tier three. Tier three were the small credit unions that are used to outsourcing everything at the back end.
I went to a credit union function. I didn’t plan to be there, I just accidentally got asked to go to this meeting, and I met with some CEOs of the credit unions and we were all talking about fraud and I added my two bob’s worth and told them what we were doing, and the CEO of that credit union asked me to come and visit him. It was a regional credit union, so I had to jump on a plane to do so. And we did a presentation on what we did, took them through how TrustDefender would work and we could supply that as a managed service as opposed to an enterprise server within the bank, because they didn’t have that back-end system. Within that same day they signed a cheque and an agreement to roll out TrustDefender.
Wow, the power of networking.
Yes, that was very powerful for us. We’d thought: how do we break into the credit union movement, because we didn’t know anyone. We knew the big banks but we didn’t know the credit unions. So I would say Australian credit unions were probably the world first in real-time, risk-based security wrapping around their existing authentication and transaction process. And that’s something to be quite proud of actually, proud for us and proud for them.
What that meant was when we deployed TrustDefender for the first time ever they could see all the types of antivirus solutions – from the fake antivirus to the real antivirus – that people were using. They could see what firewalls people were using, they could see how many of their customer base were potentially compromised and they could now do something about that. And that was very important for them.
This investment from Nexbis at $16 million is a substantial investment.
In Australia it’s very large.
Does this now make you big enough to both go overseas and get sued?
I don’t know about getting sued; they’re going to sue you whether you are a two-man team or a hundred-man team.
We knew there was a big need for this product around the world and when we launched this demo in December 2005 what happened was we were approached by financial institutions right around the world. So that’s why we focused on the finance sector initially.
So we had them from Europe, the US, everywhere, and we were even invited to come to the US and speak about how authentication needed another step in the process and we were interviewed on TV for that.
Now what happened when we rolled out with our credit union was that we received calls from even the biggest financial institutions in the world and then following from that there were tenders put out and we won each of those. The quickest tender we won was in the UK and we won it with a major tier one bank. We’ve now got a number of UK financial institutions from a tier three to a tier one. We have more in Europe – Netherlands and Poland. So arguably we’d probably have more of our customer base in Europe right now just because of the size of these organisations.
So we need to build a team, and you’re talking about entrepreneurs, there were two options. Do you go to the US or do you go to Europe? If you go to the US, we had to have a company set up, we’d probably have to invest $2 million, just picking a round sum of money we’d need for a year to really go after this business and win.
Alternatively in Europe we could still do all of it from Australia. We didn’t need to set up a company, we could still win this by partnering with major organisations like systems integrators and so forth. And we’d formed relationships with major system integrator Deloitte UK and we’d work with them and how we formed that relationship was that they did due diligence on us. And they wanted to make sure that what we were saying our product actually did before they would work with us or go near us.
So does this investment allow you to chase that US market?
Yes, it does. In the next month or so, probably a month, we’ll have a US company set up, we’ll have a leading CTO of a major financial organisation in the US join us who is a leader in the security space. He is a hands-on guy, not your bureaucrat type, more at the architect level and he will lead our team in the US. We’ll have a pretty strong team in the US. We haven’t just raised the money thinking we have to go out and get these people, these people have already been waiting in the wings and been helping us in the background. It is amazing how many people have been so enthusiastic to support what we are doing for nothing, there is no money in it for them or anything. It’s just they believe in what we are doing.
What do you see as the big challenges in the US?
The biggest challenge is really setting up the infrastructure to deliver the solution, that infrastructure and support side of things. That will take a fair bit of work. We have got a number of different options there where if you are talking about going after the really big banks then you have got to have a partner. That partner will be one of the big four I guess. Three out of four we already have relationships with.
So that highlights how a clever use of partnering can really help extend your business much easier than trying to do it all yourself.
Well it mitigates the risk, that’s the key. You have got to mitigate risk at every stage, whether you are just here in Australia going to see a credit union or you are dealing with a larger bank, you have got to mitigate risk. You know that word of being sued is, well it is not that people are going to sue you but they want someone that is big enough for them to deal with and to deal with their bureaucracy as well.
We’ve mitigated that component as much as we could at each stage by having some very security-educated people who could explain our technology even if we were not there.
Obviously you have been in this space for a long time. Are we getting anywhere near winning the war against cyber crime or is this a never-ending fight?
Probably the best way to talk about where we are in the war is we have got a long way to go. Countries have their own rules and regulations I guess but as you know with the internet it has no borders, and we have some very smart people who are on the wrong side of the law. Those people are tempted by large sums of money and while there are large sums of money involved that they can get access to without really being detected or caught, the perpetrators or writers of the malware or crimeware will continue to do what they do.
You know once upon a time we had dumb terminals in between banks and the consumer, or business and the consumer, and you know that was great as there was no outside threat apart from the inside that is within an organisation. Then you had the internet come along and you had user name and passwords. That was great because it worked quite well as someone had to guess your user name and password, until someone started to write malware that could actually collect those details. And then we introduced authentication. Now, the authentication was great, but then we had guys who wrote technology to record keystrokes, we had guys who wrote technology to get around the authentication method, so you were actually authenticating the criminal.
Now we are moving beyond that because consumers out there are saying we want better protection. Yes, we want to do more transactions online but we want to trust our relationship with the bank or eCommerce provider. So now we are moving to integrate the end point device in the overall security chain and that reduces or mitigates a large amount of the risk that is actually out there, that we have currently got today.
Terrific to see that companies like yours stay in Australia too. It is the sort of smart businesses we want to keep here.
We fought hard to keep our company in Australia. We had some nice offers from the US and the UK and they wanted us to move overseas and just leave Australia, but Andreas and I love Australia. Andreas is German but he moved here because he loves Australia.
Nexbis was a great option as it allowed us to stay here, it allowed us to grow an Australian company, build an R&D team here in Australia, build our expertise in Australia, allowed Andreas and I to stay here in Australia. But one of the interesting parts was they also had a technology that was potentially something we could integrate into our overall offering and also offer that around the world. It may not have been the best deal or the worst deal we had on the table but it was the one that fitted the best from a personal point of view.