Out of all the things that will keep a software CEO up at night, hacking is probably top of the list.
Here is the rundown as we understand it.
ION’s XTP system got hacked. What is XTP? Clearing brokers and big banks use software to do all of their post-trade processing of customer accounts. You might remember hearing about a big old system called GMI. That’s the original bank back office software. XTP is a “newcomer” in that field, being much faster and supposedly easier to work with. It’s a multi-tenant system. What this means is that all the banks are on the same system, as opposed to each having its own. There are huge economies of scale.
The hackers got in there. Co-opted customer data. Sounds like ION paid up the ransom right away. You would think that would be the end of the story. But in reality, it’s just the beginning. ION has to make sure that the holes are closed and everything is locked up tight. Every hacker in the world knows you have a vulnerability and are paying ransom. This means being shut down for a while.
Some thoughts.
Multi-tenant versus single tenant. Candidly talking about this in the software world is like skipping through a minefield. Think of multi-tenant like an apartment building. There is security at the front door and some for each of the apartments. Now, if a robber gets in and the design is bad on the inside, the robber can loot the entire building. Everyone. Single tenant is like a house. You’d have to break into each one. It’s a lot more work for a robber. The thing is, multi-tenant is amazing. There are huge economies of scale that drive much cheaper software.
Salesforce is a poster child for multi-tenant (aka SaaS). It’s a gorgeous, secure multi-tenant system. It’s just that the stakes are not the same. Customer contact data versus billions in trades. If you insist on going multi-tenant, that’s fine. There are two takeaways here. First, multi-tenant is awesome IF the correct security is in place. This is not an easy question to answer. Second is to carefully consider this question: If Armageddon happens, where do we stand?
Last thought.
Who is your first call upon being hacked and ransomed? Your lawyer! The hackers may be designated nationals. More and more are showing up on that list. Pay them and you might be charged under the Trading With the Enemy Act. Something to keep in mind.