Continuous improvement is an established management mantra and a hallmark of successful organisations. In any competitive or fast-changing sector, it pays to be ever-vigilant for market threats and opportunities. However, in IT, the threat side of that equation has another dimension.
Securing personal and commercial information from loss or theft has always been an essential aspect of risk management. Now, the burgeoning digital environment and increasingly sophisticated cyber crime have supersized that risk to the point where continuous improvement in data security is an existential necessity – both to meet customer expectations and keep hackers at bay.
So, it’s no surprise that cyber security is itself one of the most significant segments of the IT industry. The market for security-related products and services in the UK stands at around £8.3 billion – a 46% increase since 2017 when annual revenue was an estimated £5.7 billion.
UK companies employed more than 42,000 people in cyber security roles in 2019, a record year for investment, with UK companies raising £348 million in 80 deals. This included record investment in early-stage companies and took the total raised over four years across the sector to more than £1.1 billion. The number of active cyber security firms in the UK had increased by 44% to more than 1,200 – the equivalent to a new cyber specialist setting up every week.
Just about every business, organisation and individual has skin in the game, whether as a data holder, transactor, customer or internet user. Connectivity between devices, data and people is the new social-economic norm.
The business case for moving data to the cloud is compelling as on-premises systems rapidly become outdated and more expensive to maintain, a drag on efficiency and a hindrance to connectivity. In the UK, 60% of businesses rely on cloud computing. There are a plethora of providers in this $266 billion global market, which is projected to grow by 15% a year to 2027 and dominated by Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform.
Users enjoy access to their company’s data anywhere, anytime, on whatever internet-enabled device. The business then benefits from higher staff productivity and a reduction in the substantial costs of physically hosting data storage servers, associated infrastructure and IT engineers.
The call for increased cyber security
Security is also an essential factor. IT industry surveys suggest that about 60% of the business-sensitive information on hard drives is held insecurely. Cloud service providers offer data encryption, authorisation management, access control, cloud integration, communication security, monitoring and auditing, and business continuity as part of their security package. However, improving accessibility for employees can also potentially increase vulnerability to the hacking of sensitive data.
The digital space itself is relentlessly expanding. The roll-out of online services to customers – from banking and e-commerce to utility and social welfare accounts – has extended connectivity to most consumers and citizens.
The Internet of Things will hook up billions of new devices too. In the UK alone, around 29 billion are projected to be online by 2022. From smart TVs and speakers to fridges and vacuum cleaners on the smart home front – to sewage pumps, drones and equipment sensors in industry – the interconnectedness of all things is rapidly gaining a new, literal meaning.
Cyber attacks are on the rise
And how many weakest links will these ever-growing networks spawn? A government survey in 2020 showed that the threat had increased and evolved. Almost half of UK businesses (46%) had suffered a cyber breach or attack in the previous 12 months. The bigger the business, the greater the target: two out of three medium-sized companies were affected (68%), and three out of four large concerns (75%). While investment in cyber security varies hugely, it is now a priority for four in five senior management boards (80%, up from 69% in 2016). More businesses back up their data on cloud servers (69% up from 61% in 2018).
The National Crime Agency (NCA) warns that the distinction between criminal cyber crime groups and state-sponsored espionage and disruption is increasingly blurred. Meanwhile, home-grown cyber criminals are becoming more sophisticated, posing a rising threat.
Serious data breaches are now an all-too-common occurrence. For example, in just one month, March 2020, data hacks put the loyalty and security of around two million UK customers on the line: Tesco had to replace the Clubcards of more than 620,000 members; then Boots saw the theft of passwords for 150,000 Boots Advantage Cards; before the personal data of nearly a million Virgin Media users (15% of their customer base) were stolen from a marketing database.
Every company is at risk
Private, public or third sector, corporation, institution or individual, the reality is that no entity can assume it’s protected from the unholy trinity of organised crime, bedroom hobby-hackers, and good-old-unreliable incompetence. Several government departments and agencies have succumbed to human error; for example, in January 2021, the Home Office revealed that 400,000 criminal records had been deleted by accident.
In England and Wales, there were 1.7 million’ computer misuse offences’ in the year to September 2020, according to the Office for National Statistics crime survey. Nearly 30,000 offences were referred to the national fraud and cyber crime reporting centre – an increase of 36% on the year before. This was driven by rises in the two largest categories: hacking of social media and email (up 53%), and computer viruses and malware (40% higher).
The statistics are chilling, and next time it could be the fridge that decides the sell-by date for your security.
As cyber criminals concentrate their formidable resources online, the threats they pose are continually innovating and shifting as they probe for weaknesses. While the serious crime gangs command the funds to pay for the sharpest minds, off-the-shelf tools traded on the dark web enable less technically proficient criminals to diversify into cyber crime, the NCA has also warned.
Innovation must match the alarming pace of cyber crime
Research and development in the cyber security environment has to match this ferocity. Specialist providers and corporate IT departments engage in a constant cycle of patches and updates to negate weaknesses in their networks and security modules.
The most innovative products in the fight against cyber crime often struggle to find early adaptors. Through its National Cyber Security Strategy, the UK government aims to support innovation by start-ups, early-stage companies, and high-growth companies, connect them with investors and promote collaboration across the cyber security ecosystem.
While some developments have broad applications, every organisation has its own patchwork of systems and networks, both human and technical, and different vulnerabilities. Whatever the security functions outsourced to cloud platforms and the protective features they offer, internal safeguards can be strengthened.
Expenditure on these enhancements to system safety, on top of cloud services, account for many of the successful IT-related claims made to HMRC for R&D tax credits – another form of government support for innovation in this field.
Cyber security isn’t just left to the tech giants
While the tech giants explore the potential of blockchain and edge computing architecture to buttress their perimeter-based defences, and around half of UK businesses outsource cyber security, a variety of improved and increasingly innovative measures are also being deployed in-house. Examples include:
- Authentication tokens: These are a form of the two-factor authentication that is now widely used on social media platforms and customer accounts to verify a user’s identity when they attempt to connect to a system.
- Deep learning: Some companies are using artificial intelligence (AI) and machine learning to understand the behaviours and patterns of their various systems at a micro and macro level. Armed with this close knowledge, it is possible to identify more quickly if something (eg, a data centre) is behaving in an unusual way that shows it could have been breached.
- Data encryption: In some cases, when data has been stolen, it may not be the end of the world. If the data has been encrypted, the only information an unauthorised user can extract is unreadable cyphertext. Without the key used to encrypt the data, the process cannot be reversed, so the information remains secure in most cases. Hackers might be able to decrypt the data, but the process is extremely complex and takes a long time.
As more commercial activity and inter-device communications move online, neither specialist data service providers nor corporate users can afford to press pause on their investment in cyber security. As more criminals rely on artificial intelligence, defensive AI will need to be developed and deployed. This is a business-critical IT arms race that is continuous and never-ending.