An Interview with Leo Hatton, CEO of SendForensics

September 27, 2019

CEO of SendForensics, Leo Hatton (second from left) in a conversation with Mr David Koh, Chief Executive  of Cyber Security Agency of Singapore (CSA) (rightmost) at CSA’s Cybersecurity Innovation Day.

This month, we interviewed Leo Hatton, CEO of SendForensics, an ICE71 SCALE startup. Read on to find out what inspired Leo to start up this email security company, his challenges when he first started out, and his advice for the budding entrepreneur.

Q: What inspired you to start up SendForensics?
 
The world has a love/hate relationship with email. Yet as more of the world’s activities transition online, an individual’s email address has become the de-facto identifier and communicator for the digital space. A 50 year-old technology has achieved this, despite the security issues, by holding fast as the only instant, point-to-point global communication channel that is not owned by any corporation; universal, open, and most importantly, free to use by all. The misunderstood sibling of the World Wide Web, if you will.. Now imagine if spam, phishing and fraud were taken out of the mix. It is possible, and that’s why we exist.
 
Q: Did you meet with any challenges when you first started up the company?
 
At the time (2013), there was a great rush to capitalise on the vast emerging consumer markets of the SEA region, so the local tech scene was awash with B2C startups comprising high-growth (user-number-centric) business models. So to appear on the scene with a deep-tech, heavy R&D, long-play B2B enterprise startup was an unusual prospect when speaking to potential backers; ‘unusual’ often being translated to ‘high-risk’! Much of the R&D was therefore bootstrapped (read: a struggle), but we persevered and were lucky enough to find a fantastic fit in the end.
 
Q: We read that SendForensics is dedicated to the study of email quality. Tell us more about that.
 
The global email environment is a constant battle between those trying to get spam/phishing attacks into users’ inboxes, and those defensive filtering-systems trying to keep them out. The problem is that it’s very difficult to define exactly what constitutes a legitimate vs illegitimate email at any point in time (the environment is constantly changing). Defensive systems can learn to identify patterns and properties within an email, but the nature of the technology employed means they have trouble defining exactly what these are.
 
On the sending side, this means that legitimate organisations can unknowingly end up sending email of very poor quality i.e. containing multiple ‘forensic faults’ as we call them, which leaves them more vulnerable to being spoofed (amongst other issues). We dedicated ourselves to this problem, building a new type of classification engine that not just recognises, but defines the faults themselves so they can be eliminated. In this way we can ensure that legitimate companies are sending high-quality (fault-free) emails that can be differentiated from even highly-engineered spoofing attacks by defensive systems.
 
The important driver for us is that there are always things a legitimate sender can do to produce a high-quality email that an illegitimate sender can’t, and if this was made easily actionable by all organisations, illegitimate email would be trivial to identify and could therefore not survive.
 
Q: Could you share interesting use cases where your product helped your clients achieved their business objectives?
 
For a bit of background, our flagship email security system is designed to stop counterfeit (spoofed) phishing emails pretending to be ‘from’ an organisation reaching customers, partners, employees and the supply-chain (anti-fraud, brand-protection). Now in one of our first commercial case-studies, the ecosystem (customers, partners, employees etc) of a mid-sized regional organisation was targeted by a botnet. Usually a botnet will perform a sustained attack over many weeks, sending as many as tens of thousands of spoofed emails per day. However, with our system running, the botnet was stopped in its tracks after only a couple of days before it could spool-up to even a thousand messages, with no counterfeit emails reported delivered. New techniques are all well and good in theory, but to have it commercially proven in such a vivid manner was ..well, I’m not sure who was happier, the client or us.
 
Q: How do you see Singapore as part of SendForensics’ growth plans?
 
The company was founded in Singapore, so it has always been a large part of the company’s plans. I’d like to say it was a conscious choice made with cogency and foresight.. but of the 3 founders, one has been here for 12 years, one (myself) for 13, and one for all her life, so in reality Singapore was chosen because it’s home! There were opportunities to relocate to the US in the early days (it was actively encouraged by many) but we held our belief in the future of cyber in our region and we’re now lucky to have found ourselves in the right time and place to capitalise. Singapore has become both a conduit and springboard for regional expansion, and the cache that a “Singapore cybersecurity company” holds around the wider APAC community is not to be underestimated.
 
Q: What is your advice to a budding cybersecurity entrepreneur in order to thrive?
 
Any person in a large organisation can be replaced and the business will continue to function (in theory at least). But as a founder/CEO of a startup, like it or not, you are a single point of failure for the business during the early stages. Added to that, the complexities of commercialising a new cybersecurity solution can mean many years before traction, and high stress levels over long periods can manifest in unusual ways, even physically. So my advice would be to remember that ultimately, the ability of your mind to function effectively is the single foundation upon which everything else is built. In short, look after yourself!