Cyber-attacks defy borders and jurisdictions and are recognised as a Tier One threat to national security by the UK government. As the world becomes more connected, the attacks are becoming stronger, more frequent and more sophisticated.
Nearly half of UK businesses identified at least one cyber security attack in 2016, according to UK government data, while it was a record year for data breaches in the US. An example of how far and how wide cyberattacks can spread came in May 2017, when more than 230,000 computers in over 150 countries were hit by a ransomware infection called WannaCry. Vital systems including those of the NHS were incapacitated, all due to the exploitation of a bug in the Windows operating system.
Looking to the future and, if official projections regarding technological connectivity are to be believed, the potential for cyberattacks and data breaches are set to increase significantly. “The expansion of the internet beyond computers and mobile phones into other cyber-physical or ‘smart’ systems is extending the threat of remote exploitation to a whole host of new technologies,” warned a recent government report.
This expansion, commonly epitomised by the notion of the ‘Internet of Things’ (IoT), represents the aspiration to integrate the physical world with the digital, allowing objects to share data and cooperate to reach common goals. Smart meters in homes can interact with a digital device meaning that users can adjust their heating remotely; Intelligent Transport Systems (ITSs) can make use of information from cameras to optimise public transport routes.
The pace and scale at which technological integration is predicted to take effect underlines exactly how much value will be placed on preventative measures in the next few years. By the end of 2016, there were approximately 13.3 million IoT connections in the UK. This is expected to grow by approximately 36 per cent to 155.7 million connections by the end of 2024. The primary concern with this level of integration is that it provides more opportunities for cyber-attacks.
The sheer scale of opportunity available to potential criminals has not gone unnoticed by the UK government. The government spent £860m bolstering its resilience to cyberattacks between 2010 and 2015 and has pledged a “transformative investment“ of £1.9bn over the next five years to further strengthen its defences, sponsor research, promote careers in cyber security and teach cyber “life-skills”. This will be supported by a new National Cyber Security Centre, based in Victoria in central London.
As part of this, the first seven start-ups have been selected to benefit from a new government-funded cyber innovation centre in Cheltenham with hopes of rivalling existing cyber-security firms such as NCC Group, a Manchester-based cyber-security firm whose customers include Apple and Lloyds Bank; FTSE 250 security software developer Sophos, and cyber security provider ECSC, which started trading on Aim in December.
The accelerator programme aims to develop next-generation cyber security systems to boost the industry, which was worth £22bn to the UK economy in 2015 and contributed nearly £2bn in exports. The early-stage firms selected to join the programme include CounterCraft, Cyberowl, Cybersmart, FutureScaper, Spherical Defence, StatusToday and Verimuchme.
The choice of cyber security firms is becoming better while the penalties for failing to take precautionary measures are set to become more punitive. The government has confirmed that the UK’s decision to leave the EU will not affect the start of the EU General Data Protection Regulation, which comes into force in May 2018. Under these new rules, businesses will face financial penalties of up to €20 or 4 per cent of global revenue, whichever is higher, as well as new obligations to notify authorities and customers of any breaches. If this regulation been in force when Tesco Bank was hacked last November, it would have been liable for a fine upwards of £1.9bn, according to 1&1 Internet chief executive Robert Hoffmann. Today, the maximum fine the Information Commissioner’s Office can impose is just £500,000.
Unsurprisingly, demand for cyber-security professionals has soared. The number of cyber security jobs advertised in the UK rose by 32 per cent in the two years to 2016, according to jobs website Indeed. Financial services firms are reportedly leading the recruitment drive, spurred on by data from the Financial Conduct Authority (FCA) suggesting attacks on financial institutions in the UK rose from just five in 2014 to 75 in 2016. BT Group is believed to have taken on some 800 new hires in its cyber security practice last year following the launch of BT Assure Cyber service by its subsidiary BT Security in 2015. Nearly a third of the 235 graduates joining BAE Systems this year have been hired to work in the company’s cyber-security arm.
The cyber-security industry is now growing at such a pace that demand is overtaking supply. In a bid to plug the skills gap, the UK government will invest in a range of educational initiatives and in development of the cyber security profession. This includes creating a virtual network of UK universities dedicated to technological research and supported by government funding. The new virtual institute will focus on hardware and will look to improve the security of portable devices such as smart phones, tablets and laptops. Similarly, the UK’s first ever National College of Cyber Security has been set up by a new not-for-profit body Quafro with representatives from Cyber Security Challenge UK, the National Museum of Computing and BT Security. The school will take its first cohort of pre-university students in 2018.
In terms of the here and now, companies such as G4S are moving to meet demand and already offer a range of cyber security awareness workshops for executives in the public and private sectors.
Fear of a costly attack and the introduction of upcoming European data laws present a commercial opportunity for the insurance industry. PwC predicts the global cyber insurance market will grow to $5 billion in annual premiums by 2018 and at least $7.5 billion by 2020. Lloyd’s of London considers itself a global market leader in the cyber insurance space with a 20-25 per cent share of the market. Last year, it introduced 15 different types of insurance cover in anticipation of rising demand in 2017.
In this environment, the focus on cybersecurity requirements is only going to get stronger. The destructive and sophisticated nature of these attacks presents a direct threat to a growing number of industries. The demand for sophisticated and agile defence mechanisms will move in tandem.