The United Kingdom has a long and proud history of cyber security. From the codebreakers at Bletchley Park to Tim Berners-Lee, the inventor of the internet itself, breaking new ground in the world of tech is in the fabric of the country.
The digital and online world is changing quickly and constantly. Systems and security are like a worldwide game that everyone can have a go at cracking. But how does the world of cyber security look today compared to a few years ago? And what’s in store for the future?
We spoke to some of the Tech Nation Cyber 1.0 programme cohort (applications for Cyber 2.0 are now open), Randal Pinto from Red Sift and Oz Alashe from CybSafe, as well as programme scale coaches Dave Palmer from Darktrace and James Chappell from Digital Shadows, about the past, present and future of cyber security in the UK and beyond.
The past does not equal the future
Cyber security is an industry that has evolved massively over the past 20 years, and one of the biggest changes is its ubiquity. Red Sift, a part of Tech Nation’s first cyber programme, are working to democratise cyber security, making it available to small businesses, not just major corporations.
Red Sift co-founder Randal Pinto believes that over the last decade cyber has been having a moment. “10 years ago, cyber security was not a mainstream industry. The general opinion was that only large organisations could be a target and the role of a Chief Information Security Officer (CISO) did not exist.”
CybSafe founder Oz Alashe agreed, saying that “it was a space that barely existed a decade ago, and what was available was boring, unscientific, and ineffective.
“The art of cryptography has come a long way in the last half century; the discovery of the RSA algorithm in the 70s was a particular turning point. RSA opened up the possibility of using different keys to encrypt and decrypt. And it completely revolutionised the field.
“For a long time, the prevailing idea in the cyber security industry was to add more hurdles – more layers of complexity – into technology. It was argued that cyber criminals would have a harder time breaking into systems which were complex and had numerous barriers to entry.”
Pinto says of historic cyber security that “[it] was predominantly seen as a forensic and reactive industry. The solutions were expensive and relied on hiring consultants to investigate and fix the flaws that led to a cyber attack.
“Red Sift brings our experience of building consumer and enterprise software to transform the cyber security industry and bring it to the modern SaaS era, where companies of all sizes have access to cyber security solutions that can actually prevent attacks.”
Increasingly in contemporary cyber security, psychology and behavioural science are as important as coding, as adversaries get more creative and sophisticated in their methods. CybSafe, another member of the Cyber 1.0 cohort, provide the world’s first intelligent cyber security awareness, behaviour and culture risk management solution, fusing psychology and behavioural science with artificial intelligence and data science.
Alashe told us that “nowadays, there’s a growing understanding of the relevance of behavioural science techniques, and a realisation of how machine learning and data analytics can support with cyber awareness, behaviour, and culture programmes. CybSafe has led the way in this regard.
“While encryption is an incredibly useful tool as a prerequisite to password storage, it’s mostly redundant if users perform insecure behaviours, such as entering details onto a system attached to an insecure network, or if the password is written down and left in public view.”
“Encryption is redundant if passwords are simple and vulnerable to brute force attacks. When millions of people around the world use “123456” and similar weak combinations, encryption doesn’t provide additional protection.”
“Many in the industry have attempted to combat this by forcing users to use complex combinations of letters, numbers, and symbols, but this has almost created more problems than it’s solved. People struggle to remember random, nonsensical strings, and such strings are also surprisingly easy for computers to guess.
“Users will always prioritise convenience over security. The more difficult it is for genuine users to get on with their day-to-day activities, the more likely they are to perform unsafe actions, such as writing passwords on sticky notes, or accessing and entering sensitive information over public wifi.
“One small aspect of what CybSafe addresses is helping users to design easy to remember and difficult to crack passphrases.
“Behaviour in relation to technology at work and at home has always been one of the most glaring threats to security”
“Organisations usually don’t have the resources or know-how to tackle the human aspect of cyber security successfully on their own. What’s more, they had no way of quantifying this human risk, or seeing if their interventions were working. When awareness solutions are applied, they are often ineffective – failing to actually improve the way people were behaving.
“Perplexing training manuals, strict cyber security policies, and run-of-the-mill phishing simulations that businesses impose on their staff aren’t really getting risk-reducing results. Staff still engage in dangerous activities that increase their risk, which is why the cyber security industry is stepping in to help.
“We are beginning to see systems and technology being designed to enable security without compromising productivity, and going forward we must see more technology designed to fit the human – not the other way around.”
The future influences the present just as much as the past
A key factor for the future of the sector is the importance of standards-based thought leadership in cyber security, as evidenced by the work of Dr Ian Levy and the National Cyber Security Centre (NCSC). According to Pinto “their initiative to promote the adoption of DMARC (an email authentication, policy, and reporting protocol) has been influential in other countries who followed the same message and in some cases like the USA even made it into a binding directive. The creation of the NCSC to work with government and the private sector has helped the sector tremendously.”
“No longer is security just the concern of one IT geek in any given organisation”
In terms of corporate awareness and resources committed to cyber security, we can expect to see more of the same in the future. Alashe observed that “organisations now readily recognise the significance of information security. Leaders realise how security impacts everyone, and now more than ever, cyber security is closely linked to business operations.”
Pinto agreed that both businesses and individuals are becoming more cyber-savvy: “Digital transformation has completely changed the dynamic. Now everyone has an online footprint (social media, bank accounts, photo archives etc) and with the low costs to attack (currently estimated to be 400x lower than the cost to defend) mass attacks become quite commercially attractive, rather than spending vast amounts of time trying to hack into an organisation with more sophisticated cyber defenses.”
The rise of IoT
Once upon a time we might have only had to worry about a computer getting hacked or catching a virus, whereas we now live in ever-more connected homes, workplaces and public spaces, where smart meters, smart speakers, Fitbits, fridges, watches, not to mention smartphones, are digitally connected and connectable.
According to Alashe: “the growth of the internet of things has brought in dramatic changes to the cybersecurity landscape. As connected devices increase in circulation by the day, the attack surface area increases and so does the threat level.
“IoT devices, particularly those running newer and relatively untested firmware, present a distinct opportunity for criminals – called Zero Day attacks. Once infected, devices can be leveraged to reveal sensitive personal and corporate information, and if a sizeable mass of machines is compromised, criminals can also launch devastating DDoS attacks.”
Securing the future
So as we try to look to the future, we’ll leave the last words to Oz Alashe and Randal Pinto, and their predictions and vision for the future of cyber security, from the companies building it.
Alashe: “Apart from a much greater attack surface, owing to the greater prevalence of IoT Devices, I predict much greater levels of security automation. Consumer devices and software continue to suck up more of our personal data and I think this will be the new cyber security battleground. The more data that’s out there, the more fallible we all are to identity-based attacks.
“The UK is a world-renowned technology hub that currently attracts some of the best talent from around the world, and there are numerous programmes underway in the UK to encourage even more people to enter the industry. Tech Nation’s Cyber programme is one.”
Pinto: “I hope cyber continues to be part of the agenda of governments and corporations and that the wider public benefits from a higher level of security that makes it less of an attractive market for the bad guys.
“More investment is a good start. We are in the early days of growing this industry and we need to make sure that cyber continues to be part of the agenda of companies so it can continue to evolve. The attackers are not standing still so we shouldn’t either.
“I am a strong believer in standards-based security and in consortiums of companies coming together to address the fundamental cyber security issues via standards to fix the root cause and not the symptom. Once the fundamentals are covered I believe it will be a machine learning race; the same techniques that are created to do good can be used to launch cyber attacks, so I believe it will be about the good guys staying ahead of the game.”
“We only need to be one step ahead to win”
Applications for Cyber 2.0 are now open. If you’re a UK cyber security company ready to scale, then apply now.