Mark Phillips, Director of Security and Resilience at ADS Group, talks to Your Ready Business about the business of cyber security.
Hardly a day seems to go by without a story about a new virus or piece of malware, denial of service attack, large-scale data loss, or unknown vulnerability in computer systems.
ADS, which represents the UK’s aerospace, defence, security and space sectors, has observed a Catch-22 situation. Government is perplexed that since 2010, some parts of the private sector have not reacted to cyber threats as quickly as expected. In turn, parts of the private sector have questioned why they should care. In general, the private sector will always respond to the “three Rs”: complying with Regulation, mitigating business Risk and generating Revenue.
Last year the government published standards such as Cyber Essentials, so that all organisations know what they should do to meet basic threats. In public sectors such as Defence, which face more advanced threats, bespoke standards are in the process of being developed (ADS has been leading the Defence Cyber Protection and will shortly announce a joint initiative with the government to improve cyber security in the aerospace supply chain). Organisations will need to invest in their security in order to comply with these standards once they have been mandated in public.
The Risk – attacks can be costly
The risk to businesses from cyber threats has become more challenging over time. Gradually businesses have seen that the impact of cyber attacks is not just virtual: it encompasses disruption or destruction of products and services, a loss in reputation and confidence amongst customers, and a loss of competitive positioning in the market.
Recent attacks against Saudi Aramco and Ras Gas in Qatar have highlighted this.
The government estimates that small businesses can lose up to 6% of their turnover from an attack. This equals between £35,000 and £65,000 to a small organisation, with larger organisations potentially losing between £600,000 and £1.5 million. In other words, an attack could be very costly and a real risk to the bottom line of the business.
Revenue: Cyber Security as a booming market
The other side of the coin is that cyber security means big business. Growing recognition of the threat, combined with an understanding of “what good looks like”, has started to spur the market, and cyber security is the biggest growth area for the security industry as a whole. Globally, the underlying market is substantial, with the prospect of rapid growth; venture capitalists estimate the market to be worth US$60 billion with an expected annual growth rate of 15 per cent. International interest in cyber security products and services is high. At home, however, the picture is somewhat complicated: whilst the UK government is prioritising cyber exports, its investment in domestic cyber defence has, until recently, been somewhat lagging.
The more advanced tech becomes, the more vulnerable we become
The more connected we are, the bigger the threat of cyber attacks. By 2020, over 50 billion devices will be connected to each other (the Internet of Things), providing a larger attack surface with “always-on” devices and shared data libraries and stores. Malicious individuals will continue to be empowered by the Internet; they will use the digital world in unexpected ways and use new techniques to counter surveillance by law enforcement. So, despite the benefits that will result from greater interconnectivity between devices, from a cyber security perspective, the risks will be greater and the world will be characterised by more unpredictable, sophisticated and large-scale attacks.
Advanced technologies such as quantum computing, which would mean enormous processing power through the ability to be in multiple states and evaluate all possible permutations simultaneously, would create more risks for cyber security. Quantum computing will break all existing public key encryption algorithms, but could also lead to new forms of secure communications. Some commentators have noted that ‘if quantum computers appeared as a viable technology tomorrow, there would be few alternatives for securing our online and wireless transactions’.
Even if cyber defences improve, the physical infrastructure upon which systems rely will be targeted. For example, server farms could be physically attacked. Cyber security is not just about the digital world or data: it is also about the physical world. This gives a new meaning to the term ‘Cyber-Physical Systems’.
Getting equipped to face the future
Digital leaders must recognise that current cyber security solutions such as passwords, firewalls, patching, anti-virus and network monitoring are too limited. These solutions are specific to certain systems or networks, in other words, offering “pinpoint” security. They operate on the basis that, as new security needs are identified, solutions can be added on. They focus on the mitigation of specific threats and vulnerabilities, rather than on prevention.
A report by the Centre for the Protection of National Infrastructure and QinetiQ’s Technology Tracking and Forecasting Group predicted that improvements in these measures would be only incremental and would be matched, if not overtaken, by developments in the means of attack.
In the Internet of Things, these measures will be less adequate than they are today. The computing power of tomorrow will create a situation where new forms of security are rapidly challenged and the number of threats increases exponentially. Devices will not just be interconnected but more interdependent than they are today.
There needs to be a shift towards a “systems of systems” approach, for example ‘Biological Network Security’. Security and resilience should also be designed into software and hardware from the outset. That is why initiatives such as the Trustworthy Software Initiative are so interesting and valuable.
However, in reality, market dynamics could hinder these developments. Time-to-market pressure is an issue, as integrating security tends to involve a longer production cycle, and designing for security is more costly at the outset than patching at a later date. The question is what will push vendors in the right direction – will it be consumer pressure?