Cyber-crime is one of the greatest threats facing Britain today, according to Chancellor of the Exchequer George Osborne. Speaking to GCHQ in November in his capacity as chair of the government’s committee on cyber, Mr Osborne commended the work of our security agencies in protecting the British people from attack, pointing out the rise in the number of terrorist plots they foiled or prevented last year: a 7-fold increase from a historic rate of one per year.
National security aside, 90% of large businesses (and 74% of small businesses) suffered a security breach in 2015, and the average cost of a single online security breach to a large UK organisation is estimated to be between £1.46 million and £3.14 million (and £75k to £311k for small businesses). It’s therefore not particularly surprising that the development of cyber security and the narrowing of the IT skills shortage top both the UK Government’s agenda and that of big business in 2016.
The threat of cyber-attack is expected to continue to grow throughout 2016, with a study by PwC showing that 59% of the respondents to their survey foresee more security incidents in the year to come than in the last.
This is due to a number of factors. Firstly, the complex tools needed to construct an attack were, in years past, the sole province of hacking and computer experts, but many have recently become relatively open-source, available for download across the Dark Net. This means that the cyber-attack game is no longer confined to those with the skills – anyone with the will can now be a major thorn in the side of corporations and even governments.
Secondly, the rapid growth of the Internet of Things (IoT) is exponentially expanding the attack surface: Gartner, Inc. forecasts that 5.5 million ‘things’ will be connected to the IoT every day in 2016, and that connected devices will reach 20.8bn by 2020. Every one of these myriad devices presents a new crack in the firewall, so to speak.
It’s not just mobile phones, laptops and baby monitors connected to the IoT, either. Large portions of critical infrastructure are connected in most developed countries: this presents a target almost too good to resist for those who wish harm. National defence systems, energy grids, banking and finance, transportation networks and medical care providers all connect to the Internet and present perfect targets through which to cause maximum damage.
Another factor driving the growth of the cyber threat is the severe skill shortage currently holding the industry to ransom. There are simply not enough IT and cyber-security specialists to man the fort and repel the invaders.
All this paints a glum picture, but with an increased threat comes an increased focus on defence and security. In the 2015 Spending Review and Autumn Statement, the Chancellor pledged continued support to the National Cyber Security Programme (launched in 2011, with £860m invested over the last 5 years), with the creation of a new National Cyber Centre to be ‘a unified source of advice and support for the country’ and the continuation of investment in the ‘offensive cyber programme to ensure the UK has cutting edge capabilities in this new domain of warfare. In total the government will spend £1.9 billion on cyber capabilities’ over the next 5 years. The review also pledges to ‘broaden the supply base and encourage new and innovative companies by establishing a £165 million Defence and Cyber Innovation Fund’ and ‘dedicate 1.2% of [the government’s] growing defence budget to science and technology over this Parliament’.
The Chancellor’s speech explains the government’s five-point plan to improve cybersecurity in the UK:
- Work with internet service providers (ISPs) and their customers to provide national protection through the automatic diversion of internet users from bad addresses, to prevent malware infections.
- Amalgamate the ‘alphabet soup of agencies involved in protecting Britain in cyberspace’ by establishing a single National Cyber Centre, which will report to the Director of GCHQ.
- ‘Launch an ambitious plan to build the cyber skills our country needs, identifying young people with cyber talent, training them, and giving them a diversity of routes into cyber careers’, including a £20m competition to open a new Institute of Coding to fill the current gap in higher education, as well as higher and degree-level apprenticeships in key sectors, among other initiatives.
- ‘Set up programmes to support the best cyber start-ups – excellent British companies like GlassWall, Garrison, Digital Shadows and Titania’, and build upon the energy generated by foreign investment with further support, as well as the creation of a £165m Defence and Cyber Innovation Fund, ‘to support innovative procurement across both defence and cyber security’.
- Destroy the idea of impunity in cyberspace by ‘building [the UK’s] offensive cyber capability – a dedicated ability to counter-attack in cyberspace’ and ensuring that attacks on Britain are not ‘cost-free’.
Outside of government efforts, the private sector is also upping its game when it comes to cybersecurity. Venture capital firms, often from the US, are recognising the rapid increase in demand for effective cyber security and are investing in new and innovative British firms at pace.
Paladin, an American venture capital firm, announced this month a $350m (£244m) investment fund earmarked for British cyber security start-ups, and has brought on GCHQ’s former head, Sir David Omand, and the White House’s ex-adviser on cyber security, Richard Clarke, as advisers.
The fund’s European head, Alex O’Cinneide, said that “the UK is a natural extension for us after investing in companies protecting critical infrastructure in the US”, and Omand added that “Britain is seen as a world leader in new ideas and systems to protect critical infrastructure systems such as utilities and banking from attack, making it a rich source of potential investments”. He also suggested that the UK is in a better position for such innovation than, for example, the US, because of a lower level of suspicion over central government involvement in controlling such systems, which holds back US development.
According to the Telegraph, Paladin has already invested $70m (£49m) of its fund into a London-based encryption start-up and is currently settling terms for two further deals, each putting another $10m into a UK cyber-security business.
Darktrace, a specialist start-up based in Cambridge, UK, last year secured $18m (£12.5m) in one round of funding from a number of backers, followed several months later by a further investment of $22.5m (£15.7m) by US venture capital firm Summit. California-based networking giant Cisco Systems bought out UK-based security consultancy Portcullis Computer Security in the last quarter of 2015 for an undisclosed amount, with the deal expected to reach completion in the second fiscal quarter of this year. According to CRN, the deal is part of a plan by Cisco to reach a 20-30% share of the $25 billion (£17.4bn) enterprise security infrastructure market over time, in which it held a 9% share at the time of the purchase. A number of other large deals appear likely this year, and it seems that the US interest in the UK’s cybersecurity industry is only growing.
We here in the ICT team at CBSbutler predict an almost exponential expansion for the cybersecurity sector, and indeed the ICT field as a whole, and we are already seeing this growth evidenced in the increasing deluge of available jobs we are working with. We are excited to see where the next few years take the market and hope to see the rate of growth we are currently enjoying only increase.