• The sudden shift to mass homeworking is expected to dominate much of the activity in cyber security over the next two years
• Possible solutions include encrypted business lines being set up in homes alongside private family lines, and workers being trained on appropriate protocols for homeworking security
• AI and machine learning may need to be utilised to keep on top of changes in behaviour

The sudden and massive shift to homeworking and a surge of hackers trying to take advantage of the disruption caused by the virus is certain to boost demand for cyber-security products and services.

The industry has already grown rapidly in the UK in recent years, with annual sales soaring 46% over two years to £8.3bn, according to a January report by the Department for Digital, Culture, Media & Sport. The number of active cyber-security firms in the UK rose 44% from 846 in 2017 to more than 1,200 at the end of 2019, with about 43,000 full-time employees. Now, as a result of the pandemic, industry experts say these firms will be busier than ever.

"Many organisations have suddenly taken on, or massively expanded, their use of remote working, cloud technology and video conferencing, which is building a security debt into their systems," says Tim Rawlins, director at NCC Group. "Overall we can expect to see three major changes: remote working won’t go away in the short-term so they will need secure systems being used at home; in the longer-term we should see an increase in endpoint monitoring, detection and response requirements. (This also extends to how cyber security solutions are delivered and the 30% of clients who previously insisted we work on site have realised we can deliver services remotely. We’ll see much more of a swing toward remote based services in the long-term future when the benefits are fully realised.) And, as organisations realise the risk of small in-house teams in the event of a pandemic or similar long-term absences then external, more resilient, teams are likely to become even more popular." 

Better prepared

“I think there will be a sea change after Covid-19, with people taking a whole new look at risks that are considered high impact but low probability, and that includes big security breaches as well as pandemics,” says Bob Nicolson, head of consultancy at cyber-security specialists Nicolson Bray.

“Once we have got through the pandemic, I expect governments to spend an awful lot of money preparing for the next one and it’s the same with companies – after an event they tend to put everything in place for the next time.

“There will be a big uptick in investment in response processes and procedures with organisations wargaming and running tabletop exercises, saying ‘OK, if we have a cyber-security breach, what do we need to do?’ and testing that to discover where there may be weaknesses that need to be fixed.”

Nicolson believes the pandemic will make businesses realise that beyond investing in cyber-security technology “they also need to invest more in training and processes, and it requires a board-level change in corporate strategy.

“Clearly if there is a business cultural shift to more remote working and conferencing then there has to be similar innovation in the cyber-security space to focus on that as a growth area.”

Developers of cyber-security technology face major challenges, such as the need to strengthen cryptography (secure communications) systems so they can deal with the future threats posed by quantum computing capable of decrypting many systems. However, experts agree there will be an even larger emphasis on adopting existing processes and training.

Zero trust

Chris Wallis, founder of cyber-security firm Intruder, says the sudden shift to homeworking will dominate much of the activity in cyber security over the next two years.

“There is a concept in cyber security called zero trust, which means moving away from the old-school idea of gaining access across a whole system when you are on a work network,” he says. “The thinking behind zero trust is that we don’t trust any end point no matter where it is, so you have to constantly prove it is you with two-factor identification and unique user IDs.

“Many of the companies that are still on the old network-based model are now realising almost overnight that it just doesn’t cut it any more, because everyone is working from home and people may be getting access through using VPNs (virtual private networks) – and if anyone compromises the VPN you are toast.

“People will now be reassessing how they have access set up, and the extra exposure to the internet means they need to be monitoring those services for vulnerability.

“Small companies might need to pick up some technologies that they weren’t previously using. For larger organisations there will probably be a change in the tools that they use because having everyone working from home means there will be a huge transition towards security systems that work on the actual device or end-point computer, rather than services based on monitoring a local network.”

Paul Harragan, director of cyber security in mergers and acquisitions for EY, says most of the solutions are services that already exist; “it’s just a matter of how quickly companies can shift and transform and adopt them. Zero trust policies and architectures are the future really because it removes the onus of the help desk to quarantine who can access what.

“That is probably the future, and cloud adoption is key for homeworking. Cloud security is quite good at the moment, but it often boils down to the weakness being the user not being qualified to configure such environments.

“The big challenge is how do you train an entire workforce if they are all at home and how do you enforce that policy adoption when they are at home? It is very difficult.”

Likely responses

Harragan expects to see a shift towards encrypted business lines being set up in homes to work alongside private family lines, and workers will need to be trained on appropriate protocols for homeworking security.

Matt Palmer, a Jersey-based cyber-security adviser to the finance sector through consultancy Cyberclaria, expects to see a two-stage response to improving security.

“The first response is going to be in training systems and processes to encourage positive behaviour and make sure there are consequences for bad behaviour.

“You can make a lot of progress by training people up, helping them understand how the rules that apply to them in the workplace still apply to them, or apply to them even more, in a home environment.”

The problem, says Palmer, is that the work environment and the behaviour of workers, customers and suppliers will all continue to change rapidly enough to undermine those rules.

“So what we actually need is tools that can learn how people behave, and we are beginning to see those with artificial intelligence (AI) and machine learning tools. That is the long-term solution: effective machine learning tools for security and compliance.

“A lot of learning tools out there sound great but they won’t solve problems for you right now and in some cases deploying them will take years. This is a 10- to 15-year plan for truly effective machine learning security tools, but the changes in work behaviour we are going through are not going to go away, so businesses need to adopt both short-term and long-term strategies.”

Poppy Gustafsson, chief executive of fast-growing cyber-security firm Darktrace, says UK firms and other organisations have no choice but to use AI to resist increasingly sophisticated threats.

“It is this appetite for what we call ‘autonomous response’ technology that has driven Darktrace’s exponential growth,” she says. “As we start to see the early signs of attackers using AI, defensive AI will be critical, and not just a nice-to-have. The best algorithms will win many battles, but the cyber war will rage on.”