Skip to content

the Lorca
Report
2020

Making of an Ecosystem

Foreword

by Matt Warman, minister for digital infrastructure, Department for Digital,
Culture, Media & Sport

Matt Warman

The UK has a world-leading technology ecosystem that we can be proud of. Our globally renowned academic institutions produce cutting-edge research and innovative spinouts while our startups are finding novel solutions to some of society’s most pressing challenges.

And one of our greatest success stories in recent years is our booming cybersecurity sector, which has well and truly come of age and contributed £8.3bn to the UK economy last year.

Along with GCHQ and the National Cyber Security Centre, we now have a critical mass of cyber entrepreneurs, researchers, investors and corporate innovators.

This community is setting new records for investment and producing global businesses with significant valuations such as Darktrace and Digital Shadows. As this report highlights, funding into cybersecurity startups in the UK in 2019 surpassed half a billion pounds for the first time – a testament to the quality of our homegrown companies and the maturity of the sector.

Most importantly, these companies are developing new technologies that keep businesses and individuals safe online – technologies that protect our economy and our privacy.

This staggering growth hasn’t happened by chance. When the government launched its National Cyber Security Strategy, we recognised the massive impact cyber threats have on national security, our economy and the whole of our society.

Our aim was to improve the nation’s defences, grow our cybersecurity sector and create a thriving ecosystem where government, investors, academia, industry and innovators support each other and share knowledge.

The London Office for Rapid Cybersecurity Advancement (LORCA) was born from that strategy. We tasked Plexal, an innovation centre, with the job of supporting some of the brightest later-stage security companies with their scaling ambitions.

I’m delighted to see that LORCA has exceeded our initial expectations (members have raised over £141m in two years, well over our initial target of £40m). LORCA is also bringing together all the components of our cyber ecosystem and enabling real collaboration to take place.

Featuring insights from a cross-spectrum of the sector, this report is a celebration of how far we’ve come and just how strong our ecosystem is. But it also doesn’t shy away from some of the challenges still ahead – especially when it comes to making sure our earliest-stage cyber startups have the support they need and can continue developing truly innovative solutions to tomorrow’s security threats.

The UK government remains fully committed to the continued growth of our cyber ecosystem. Cybersecurity is a powerful enabler for innovation that will very soon underpin our entire digital infrastructure.

As the tech sector powers our economic recovery out of the COVID-19 pandemic, there is an immediate opportunity for the cybersecurity industry to grow and become the backbone of our world-leading digital economy to help make the UK the safest place to be online.

MW

Matt Warman

Minister for Digital Infrastructure,
Department for Digital, Culture, Media & Sport

Introduction

According to the Department for Digital, Culture, Media & Sport, cybersecurity generated an annual revenue of £8.3bn in 2019, commercial investment into the sector exceeded half a billion pounds for the first time in the same year and a new cybersecurity business is registered every week in the UK.

We don’t have to work as hard to convince the world that cyber matters: it’s commanding attention in boardrooms and the World Economic Forum named cyber-attacks in its list of the biggest threats facing humanity.

As our digital world expands, keeping data safe affects every industry. And because of what’s at stake – the privacy of individuals, national security, trust in society and the ability of businesses to bounce back from an attack – the UK government has taken a strong leadership role. It sets the innovation agenda, championing principles like Secure by Design and supporting startups through government-backed programmes. Cyber is too important to fail.

The result has been the growth of a cyber ecosystem, which includes investors (who are increasingly backing cyber businesses), academic researchers, startups, industry and government. We also have world-leading intelligence and cybersecurity agencies such as the National Cyber Security Centre and GCHQ, as well as initiatives aimed at supporting innovators at all stages such as CyLon and LORCA.

But the British cyber industry is still in its early years of development and there are parts of the ecosystem that require more attention.

Saj Huq
Saj Huq, director, LORCA

Challenges ahead

Our academic institutions, one of the top growth drivers for cyber startups, are under financial pressure and not all of our best institutions are geared up to commercialise their research at scale.

More and more cyber startups are being created but too few are maturing. Although there’s a similar proportion of cyber businesses at the seed stage (32%) compared to the tech sector as a whole (31%), the scaling challenges for IP-rich cyber businesses with long product development cycles are particularly pronounced. Investment is focused on growth-stage businesses and COVID-19 is making investors even less likely to back an early-stage company for the first time.

Trust is the currency at the heart of the ecosystem, and startups need the investment community to back them knowing full well that they may take time to develop a product, find a product-market fit and generate revenue. Without attention, we could see the flow of new innovative solutions slow in the future.

It’s also a challenging sector for investors and industry buyers to navigate. With so many new cyber companies being founded – many of them offering similar solutions – industry buyers complain of being bombarded with sales emails from founders who don’t speak the language of business.

Early-stage founders most in need of a sale are also most likely to dangle technology features in front of buyers and investors, to little effect. The market is crying out for solutions that can be incorporated into existing technology stacks and demonstrate a clear business benefit. Overall, the solutions being developed need to align more closely with the market’s cybersecurity needs, business priorities and organisational challenges.

Why this report

We’ve published this report to take the pulse of our cyber ecosystem.

Drawing on insights from LORCA’s members, the industry roundtables we’ve held, figures from research company Beauhurst and hours of interviews with representatives from across the sector, we’ve identified five macro trends defining cybersecurity now and in the new future.

We’ve also identified five key challenges that industry and society face – and five examples of how our innovation community is responding.

But our report has also exposed a gap. The sector’s growth in the last few years has happened so fast that we haven’t got a definitive map of the UK’s cyber innovation ecosystem in its entirety to help us all differentiate between solutions, enable more collaboration and patch danger zones before they become chronic problems. So that’s what LORCA plans to do this year as a follow-up to this report.

Whether you’re a student, a security professional, a VC or a CEO who recognises cybersecurity’s role as an enabler for innovation and transformation, we hope you’ll play an active role in the sector’s next chapter and use this report to engage with the ecosystem.

Methodology

The LORCA Report 2020 analysed information derived from Beauhurst’s database of high-growth UK companies to assess the status of the British cybersecurity startup and scaleup industry.

For the purposes of this report, LORCA defines a British cybersecurity startup/scaleup as a business that’s domiciled and operating in the UK and provides a cybersecurity product (rather than services/consultancy) and has fewer than 1,000 employees. This is in accordance with the parameters of Beauhurst’s methodology.

LORCA identified 633 cybersecurity startups in the UK based on this criteria and used the resulting data, along with a number of first-hand interviews, to inform the findings, analysis and recommendations in this report.

There are variances between our investment data for 2019 and the data compiled by DCMS’ Cyber Security Sectoral Analysis, which is due to differences in the times at which the data was cut.

It’s also worth noting when assessing the geographic distribution of companies that many companies have their headquarters registered in London despite being based in another part of the country. This also happens the other way round.

 

Geography: startups across the UK

Almost half of the UK’s cyber startups are clustered in London, but there are also clusters thriving in the South East, North West and Northern Ireland. Meanwhile Scotland is home to 30 cyber companies.

United Kingdom
Region
Top Local Authority (Including London)
Top Local Authority (Excluding London)

Maturity

There’s a healthy flow of new cyber companies being born (a new cyber business is registered every week in the UK according to data gathered in 2019 by DCMS). 32% of cyber businesses in the UK are at the seed stage and almost half (46%) of cyber startups incorporated between 2014 and 2015 remain at the seed stage. This is a higher proportion than fintech (33%) or AI (41%) firms.

In addition, only 12% of cybersecurity startups active in 2019 have secured official scaleup status by achieving a growth rate of 20% for three consecutive years.

COVID-19 could also threaten the ability of these early-stage companies to grow: from 23 March 2020 until 18 May 2020, only 0.87% of all funding has gone to startups that have never been funded before.

There’s a danger that the growth of this group could be stunted. And in a sector where many startups are still at an early stage, it’s a cause for concern.

 

Stage of Evolution
Stage of Evolution

From 23 March 2020 until 18 May 2020, only 0.87% of all funding has gone to startups that have never been funded before

Investment

Investment in cyber startups continues to increase every year and reached an all-time high of £521m in 2019, surpassing the half a billion pounds mark for the first time. Overall investment into the sector grew by 72% between 2018 and 2019.

The trajectory of this rise has become steeper since the launch of the National Cyber Security Strategy 2016-2021, despite political and economic uncertainty surrounding Brexit.

The sector as a whole also appears to be resilient to shocks such as COVID-19: while the value of deals in the UK across all sectors from 23 March to 18 May 2020 was 50% lower than the same period in 2019, cyber seems to have bucked the trend. The value of deals for the sector was actually 940% higher than for the same eight-week period in 2019, with £104m being raised by cyber startups in total. In 2019, cyber startups raised £10m in the same period.

In fact, when cyber company and LORCA alumnus Privitar raised $80m, it was the fourth largest investment deal in the eight weeks since lockdown began, according to Plexal’s Startup Tracker.

Since the start of 2020, British cyber startups have raised £496m in total.

 

Deals by Year and Investment

Deals By Stage

Seed

Venture

Growth

Established

A funding gap

While the figures reflect the growing maturity of the sector, investors are increasingly funding more established companies rather than those at the seed and venture stages. This is reflected in the falling number of deals – which is especially pronounced for early-stage startups between 2018 and 2019.

The number of deals involving seed and venture-stage cyber startups fell from 52 in 2018 (worth £91m) to 39 (worth £53m) in 2019.

Meanwhile, it’s the increase in the value of investment into growth-stage companies that has driven the bulk of the sector’s growth. Of the £521m that was invested in cyber companies in 2019, 68% (£354m) went to growth-stage companies.

And this trend has continued in 2020. Growth-stage companies have already secured £465m in 2020 out of a total of £496m (94% of all investment).

Seed and venture-stage startups, meanwhile, have secured 6% of investment since the start of 2020. Only 21 deals in 2020 (worth £30m) have involved startups  at the seed and venture stages.

If funding continues to move downstream, it could threaten the pipeline of innovative cybersecurity companies and spinouts. Without funding they may not have enough runway to go through their product development cycle and commercialise their solutions.

And COVID-19 could already be exacerbating existing challenges faced by early-stage startups. Since lockdown began in the UK on 23 March until 18 May, funding across the tech sector as a whole has been focused on startups that have already secured investment. And this is also true for the cybersecurity sector, where only 0.87% (£0.9m) of all funding went to startups that have never been funded before during that time period.

68%

of all investment in cyber was directed at growth-stage companies in 2019

94%

of all investment in cyber so far in 2020 has been directed at growth-stage companies

71%

of all investment into cyber startups in 2019 was secured by three growth-stage companies: One Trust (£160m), Onecom (£100m) and Synk (£57m).

8 weeks after lockdown: figures from 23 March 2020 until 18 May 2020

We analysed data from Beauhurst to compare investment activity in the eight weeks following lockdown in the UK with last year’s figures.

£1.04bn

How much was raised by tech startups

£52m

How much was raised by seed-stage tech startups

£104m

How much was raised by cyber startups

50%

How much lower the value of investment into tech startups was compared to the same eight-week period in 2019

£0.9m

How much was raised by seed-stage cyber startups (representing 0.87% of all deals)

940%

How much higher the value of investment into cyber startups was compared to the same eight-week period in 2019, when startups raised £10m

Growth drivers

Of all growth routes available to cybersecurity startups, 35% have attended a competitive accelerator and 68% have raised equity. This is higher than the average across all sectors where 51% have raised equity.

Elsewhere, 11% of cyber startups have received an innovation grant, which is slightly higher than the cross-sector average of 10%.

There are 30 academic spinouts operating in the cybersecurity sector (with 4.7% of all cyber startups starting life as a spinout). The University of Cambridge and Queen’s University Belfast are proving the most prolific in translating academic excellence into commercial success, which is likely to be down to the work of the Centre for Secure Information Technologies (CSIT).

Mechanisms of Growth

Mechanisms of Growth

Universities
University of Cambridge4
Queen's University Belfast4
University of Oxford2
University of Bristol2
Lancaster University2
Edinburgh Napier University2
City University2
University of Surrey1
University of Kent1
University of Hertfordshire1
University of Birmingham1
University of Bath1
University College London1
Royal Holloway (University of London)1
Royal College of Art1
Queen Mary (University of London)1
Nottingham Trent University1
Imperial College London1
Coventry University1

Cyber Trends

After interviewing VCs, startup founders, industry buyers, researchers, policymakers and cyber experts, we’ve identified five macro trends defining our ecosystem now that we think will play an even bigger role in the near future. Click on a heading to read more.

Investors Find The Market Challenging To Navigate

A record level of capital is entering the market and interest is broadening beyond specialist VCs. But investment is focused on later-stage companies, it’s a complex market to navigate and investors find it hard to tell whether the solutions being pitched to them will actually sell.

Ken Pentimonti, a principal at Paladin Capital, says: “It requires more technical skills to evaluate cybersecurity than a lot of other areas in venture capital, so it’s not as simple as saying ‘we think cyber is an interesting area, let’s raise some capital’. You need a team with a deep tech background to evaluate those technologies.”

Cat McDonald, investment associate at AlbionVC (software investors with a security portfolio) says the company doesn’t go hunting for security startups specifically. Instead, it looks for acute pain points in the market and matches experienced teams and emerging enabling technologies to serve those needs.

But assessing product-market fit isn’t easy. “The most secure product isn’t always the best product in terms of what the market needs and wants,” McDonald says. “And where you get companies buying up cyber solutions to tick boxes, deciphering between what has superficial early traction and what has a true product-market fit can be tricky.

This is made even harder when early-stage companies have the government as their first customer. Although the government might validate the technology, that’s not necessarily an indicator of broader market success.”

McDonald is looking for market validation and evidence that a company could have a repeatable use case – but that’s a challenge in cybersecurity where buyers sometimes require bespoke rather than off-the-shelf solutions. Repeatable success isn’t easy to guarantee.

It’s also very hard for investors to differentiate between solutions in what’s become a crowded market. “Cyber is a very noisy market and new companies haven’t been mapped particularly well, says Peter Jaco, who has experience in commercialising early-stage technology companies and is the founder of Apichi Partners. He says this makes it challenging for investors to tell solutions apart, and this could be particularly off-putting for angel investors who are also wary of how long it takes to see a return in cyber. “The average angel investment doesn’t see a return for maybe eight years and that scares a lot of them – they feel more comfortable in a business-to-consumer setting,” he adds.

Deep tech cyber startups, meanwhile, require VCs to take a leap of faith.

Shahram Mossayebi, CEO and co-founder of cyber company Crypto Quantique, cautions fellow startups about entering into a round with an investor who isn’t willing to wait for a company to generate revenue. “We’re lucky that our shareholders and investors view us as profitable for several years but we’ve also spent a lot of time understanding our market and how we can serve it,” he says. “We’re clear that we’ll be pre-revenue for some time, but more inexperienced founders might take money from an investor that pushes the company to generate revenue very early on. And I think that’s when it often starts going wrong.”

Mossayebi believes startups need more patient capital (where the investor doesn’t require an immediate return and instead is happy to wait for a more substantial return in the longer term). But VCs need to feel more comfortable with navigating the sector before backing deep tech startups that might not generate revenue for a while.

There’s a misalignment of expectations between VCs who are driven by their fund cycles to commercialise investments early, and cyber startups, which need patient capital to develop game-changing, deep tech solutions that tend to be capital-intensive. The ecosystem as a whole needs to encourage more patient capital and work with investors to spot innovative solutions that align to emerging market needs.

SPOTLIGHT ON: THE BRITISH BUSINESS BANK

Patrick Magee
Patrick Magee
Chief commercial officer, the British Business Bank

The British Business Bank (BBB) exists to make financial markets work for small businesses in the UK

Despite the growth of the cybersecurity market last year, there are undoubtedly gaps that we aim to plug by backing funds investing in cyber and through our NSSIF programme, which stimulates investment in priority sectors.

Like everyone, particularly those in the small business community, we’ve had to adapt rapidly to the impact of COVID-19 and the shift from our traditional focus on patient capital to equity intervention through the likes of CBILS and the Future Fund. But it’s in times of crisis that the development bank model comes into its own.

We have a higher risk appetite than a commercial investor so we can support more companies in economic difficulty. As the pandemic began to hit the economy, we’ve provided over £15bn to over 170,000 British startups under our government-partnered schemes.

It’s especially important in a sector like cyber, where it can take years to develop a commercially viable product, that companies receive investment at the right stages. However, investors can be wary about backing companies at the pre-seed stage. Our angel co-fund and emerging regional angel programme are aimed at addressing this issue by providing a stepping-stone to later-stage venture capital.

 

We Need TO Protect Early-Stage Innovation – Especially Since COVID-19

While 2019 was a record year for investment into British cybersecurity startups, deals were focused on a small number of companies rather than being spread among pre-Seed and Series A startups.

Investment activity has been moving downstream for the last 12 months and, according to figures compiled by research company Beauhurst and Plexal (which delivers LORCA), the funding gap has become even wider since the pandemic.

British startups raised £1,037bn in the first eight weeks of lockdown but only 5% (£52m) of this went to seed-stage startups that hadn’t raised funding before. This suggests that investors are protecting their existing portfolios.

Cat McDonald’s experience in the weeks following the start of lockdown is representative of several VCs in our network: “We spent most of April and May focussed on our existing portfolio of 50 or so companies, but we are now exploring new investment opportunities and we have capital to deploy,” she told us. “That being said, the bar is higher now and we need to build confidence in a company’s business plan despite the broader macroeconomic uncertainty.”

The pandemic could also shrink the pool of active VCs in cyber, which means fewer opportunities for seed-stage companies. Ken Pentimonti has noticed more non-specialist VCs entering the arena, which means more competition but also more co-investors to partner with.

However, McDonald thinks COVID-19 could make them think twice. “During a crisis, many investors have a renewed focus on their core areas of competence. Although cyber companies are faring relatively well right now, investors with limited experience in the space may pause before making a first-time cyber investment.”

This fall in investor activity could also come just as growing cyber companies find demand for their solutions increase, thanks to the rise of remote working and the accelerated digital transformation it’s causing. “Cyber is a growing area and the pandemic, if anything, will mean it grows even more,” says Pentimonti. But without enough runway, these companies might not be able to scale to meet demand.

Cashflow issues are especially pronounced in cyber where product development and sales cycles are long. Even among the LORCA cohort, which features later-stage companies that tend to be well-funded, 41% of our members told us they needed a cash injection within the next three months to remain operational.

41% of LORCA members need a cash injection within the next three months to remain operational

Jaco, who is also the chairman of cyber startup CyberOwl, says that Britain is on the whole “a way better place to launch a cyber company than it’s ever been before”, but he is cautiously optimistic. “If we want to keep it that way, we can’t allow delays in funding – especially to early-stage companies – to slow down progress in the next few years,” he says.

But while VCs are becoming more risk-averse, could industry come to the rescue? What startups need most, after all, is contracts. “The innovator is solving for a future problem using new technology, but buyers are often reluctant to try something they don’t need when they think the status quo is good enough”, says Jim Shook, director of Cybersecurity and Compliance Practice, Data Protection Solutions at Dell Technologies. “Staying ahead of the threat actors is important, and the status quo doesn’t achieve that goal.”

The government has introduced a number of mechanisms to support startups through the COVID-19 crisis, but the shortfall in early-stage funding was an existing challenge before the pandemic.

If we don’t address this now, we risk a lost generation of cybersecurity entrepreneurs across the country. There’s a risk that without sustainable and consistent funding available at the earliest stages of a startup’s development, the pipeline of innovation will suffer.

"we risk a lost generation of cybersecurity entrepreneurs across the country"

University challenged

At the same time, our academic institutions, which are responsible for producing cutting-edge research, are also under pressure.

David Crozier is the head of strategic partnerships and engagement at the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast (an organisation that helps commercialise cybersecurity research, and a delivery partner of LORCA). He told us that while research-intensive universities are commercialising their technology and turning ideas into value propositions, in many other institutions “a lot of good ideas are dying at the PHD research level” because there’s limited structure in place to help ideas develop into businesses.

The UK government has intervened with its Cyber Security Academic Startup Accelerator Programme to put a more structured process in place, which Crozier says has been a welcome intervention.

But to take things to the next level he’d like to see the government back early-stage companies by taking more risks in the way it procures solutions.

Crozier also believes we can do better at joining the dots between all the programmes in play – research institutes, incubators and accelerators – that can fuel a cyber startup’s growth. “There’s an opportunity to look at these programmes holistically and make sure there’s no point where startups are falling through the cracks,” he says.

"There’s an opportunity to look at these programmes holistically and make sure there’s no point where startups are falling through the cracks"

THE SECTOR may be heading towards consolidation

There are now 633 high-growth cyber companies in the UK. But while new entrants are a sign of a healthy ecosystem, the market has become crowded and complex.

Chief information security officers (CISOs) share a recurring pain point: they’re seeing startups pitch a platform or solution that either doesn’t fit into their existing security architecture, or isn’t able to demonstrate how it would add business value that would justify the investment. As more cyber companies join the sector, we’ve seen a proliferation of solutions that both potential customers and investors find hard to navigate. In fact, Panaseer’s Security Leaders’ Peer Report found that most security teams are running more than 50 tools at once and 89% have concerns about their visibility of their IT infrastructure.

Cath Goulding, CISO at Nominet, a company that guards the .UK domain name registry and delivers cyber services to government and enterprise, thinks startups should consider how easily their solutions can be integrated rather than wasting energy inventing something buyers don’t need: “So many startups put all this time into creating their own dashboards and portals, but we already have our own so that’s not the bit I’m interested in,” she says. “I’m more interested in your underlying data and how I can integrate it into what we already have. By giving me another platform or portal you’re giving me more unknowns that I need to look at. You’re essentially giving me more potential problems.”

Jim Shook, considering the market trends Dell Technologies is witnessing, told us: “There’s always been a lot of point solutions in the security marketplace, which can make it difficult to navigate and harder to integrate the solutions. I’m seeing a growing demand for intrinsic security, security by design and better integration. That will help to shift things but I think it will still be a while before we see consistent streamlining in the marketplace.”

 

"I’m seeing a growing demand for intrinsic security, security by design"

What could this mean for the UK’s cyber sector? In 2017, we saw the likes of IBM and Cisco collaborating to fortify industry against the latest threats. A closer partnership between large and small companies could be the next phase. For example, big tech ecosystem providers such as Splunk and Amazon Web Services are actively partnering with startups.

Goulding would welcome more collaboration between providers: “SMEs should be thinking about consolidation with other platforms rather than adding yet another product to the mix. Darktrace has done so well partly because it had this model where you could just plug and play, and it had a service on top of it.”

"SMEs should be thinking about consolidation with other platforms"

Crypto Quantique’s Shahram Mossayebi offers a word of caution about this approach, though: “There is an incredibly complex, fragmented innovation ecosystem on the supply side where you have hardware providers, device manufactures, platform vendors (who extract most of the value) all the way through to system integrators into enterprise,” he says. “We need more platforms in cyber but we also need to protect innovators through mechanisms like patents to make sure larger third parties aren’t extracting all of the value.” The cyber ecosystem’s role here is to make sure the consolidation demanded by CISOs doesn’t stifle innovation by favouring incumbents over disrupters.

Meanwhile Ryan Spanier, vice president of innovation at Kudelski Security, envisages a scenario where there are a handful of small technology ecosystems that smaller companies could seamlessly slot into. “This could encourage innovation and enable small firms to access funding. It’s also necessary: without this consolidation the industry will need to find a way to standardise so that anyone can develop a product that can integrate into an ecosystem.”

Dan Russell, associate director at Deloitte, believes that collaboration between startups is both likely and in the interest of startups. “It’s unlikely that a small company will displace a big player,” he says. “It’s more likely that the big player will get the smaller players to buy up the even smaller players, with the help of an integrator. So small businesses should develop their technology in such a way that it’s able to integrate with other solutions. And they should focus their energy on the integrators – not going after the big bank or the large organisation.”

Ken Pentimonti is not convinced that consolidation will actually happen any time soon, though. “For years people have been talking about the cyber market being fragmented and the need for consolidation, but it hasn’t happened yet,” he says. “It’s hard because the threats are continually changing and the solutions must be dynamic. You’ll always get new startups and spinouts addressing parts of problems in new, creative ways. And then large organisations are going to want to try to integrate them because it’s difficult for them to develop those cutting-edge technologies themselves. I don’t see this changing dramatically.”

But given the lack of funding available to early-stage startups, we’re likely to see startups eye acquisitions by industry as a viable survival tactic. The consolidation CISOs have been calling for could finally begin to happen.

 

Cybersecurity has a communications challenge

Given how crowded the market is, good marketing could help cyber startups gain traction but CISOs and investors are often frustrated by the way founders describe their solutions.

“I’ve lost count of the number of times I’ve asked founders to stop telling me about how cybersecurity is a problem – I know it’s a problem, it’s my job,” says Nominet’s Cath Goulding. “I want to get to the heart of the matter. There is a layer of marketing nonsense you have to get through to find out what a startup’s product actually does and how it can work with my existing solutions.”

"There is a layer of marketing nonsense you have to get through to find out what a startup’s product actually does"

VCs can get equally frustrated. “So often founders of earlier-stage companies focus on the technology rather than the market need,” says Cat McDonald. “Investors need to know that a company is solving an acute pain point in the market and that it has a better way of tackling that pain point than what’s already out there.” McDonald also believes founders who have been through an accelerator or an early-stage funding round usually become better at speaking the language of VCs and buyers. “It definitely helps,” she says.

ACCESS TO CYBERSECURITY IS NOT EVENLY DISTRIBUTED

The government’s Cyber Security Breaches Survey highlighted that cyber attacks are becoming more frequent and almost half of businesses (46%) and a quarter of charities (26%) reported cyber attacks in 2019. The very organisations that will find it hardest to financially recover from a cyber attack are being left exposed.

And this gap is being made worse by an industry culture that looks for cures rather than prevention, says Andy Bates, executive director at the Global Cyber Alliance. “In cybersecurity, companies tend to employ complex, technical solutions to fix problems that are unaffordable for entities other than large businesses,” he says. “If there was a little more basic security hygiene, many of the problems would be solved and the accessibility gap in cybersecurity would start to shrink.”

Bates believes that security providers are missing a trick by focusing their attention on corporates with big budgets, rather than winning less lucrative contracts from smaller organisations. “One million sales worth £100 each generates the same amount as a single £100m contract but each one takes a fraction of the time,” he says. It makes much more sense to move into the SME space than fight it out for that one big contract.”

There’s also a gap when it comes to who is being equipped with the tools and education needed to navigate a digital world. For example, while cyber startups have responded to demand for human-centric solutions by developing better training platforms and methods using behavioural economics, self-employed teams don’t always receive the same training. CISOs also don’t have the same visibility of the cyber hygiene being practiced by remote, freelance workers. This was one of the key challenges highlighted by representatives from security teams working in the media at a LORCA roundtable, who admitted that they’re employing an increasing number of freelance journalists who don’t always use vetted tools or devices.

People who are unemployed are also less likely to be trained in basic cybersecurity principles while the 18% of the population who class themselves as non-users of the internet could be a prime target for bad actors, should they decide to log on.

Dell Technologies’ Jim Shook thinks this digital divide is unacceptable and believes it’s the responsibility of both industry and the government to do something about it: “There is a digital divide both in terms of access to the internet itself and having an understanding of security. We’ve got to fix this divide and do more to educate people about security – not just employees but the self-employed. We need to make security solutions really simple to use.”

"There is a digital divide both in terms of access to the internet itself and to having an understanding of security"

There are initiatives under way to address these access gaps – most recently Innovate UK, the government’s innovation agency, awarded funding to Think Cyber Security to adapt its security training solutions for SMEs that are being targeted during the pandemic. It’s crucial that both the public and private sectors rally to serve charities, SMEs, the unemployed, freelancers and other under-served segments of society. Security online shouldn’t be the privilege of the few.

INDIVIDUAL SECURITY COULD BE THE NEXT INNOVATION TREND

To date, cybersecurity has been thought of as a problem for business while individuals appear to be complacent about the nature of the threat. A recent study by Nominet, for example, showed that 77% of British adults believed they knew enough to stay safe online despite cybercrime reaching unprecedented levels.

But this could change very soon.

The rapid proliferation of connected devices, sensors and automation means consumers are engaging with technology more often. And the associated risks could be what causes a change in consumer attitudes towards cybersecurity.

But will consumers be willing to buy personal cyber products and take personal responsibility for their digital security, or will the cost be absorbed into the price of technology products?

Cat McDonald, speaking with her VC hat on, is sceptical about the willingness of individuals to pay for or use an onerous cyber product: “Driving adoption of any new consumer product is hard and it’s even harder for a security product that’s introducing friction or taking away convenience,” she says. “Mass-market disruption with a security solution is most likely to be achieved by a tech titan like Apple or Microsoft.”

The government is also increasingly viewing the online security of individuals to be something that falls within its remit. Theo Blackwell, the chief digital officer for London, is tasked with making sure the UK capital achieves its smart city objectives. He says that the growing digital reach of cities means “cybersecurity is becoming a responsibility for municipal government because they have a duty of care to their communities”.

But Blackwell also believes individuals should care more about their own cybersecurity. “People have a responsibility to adhere to basic security principles,” he says. “For example, devices from abroad might not conform to UK security standards and consumers need to become more aware of the technology they bring into their homes.”

But there are still very few cyber solutions on the market aimed directly at the consumer – most likely because there’s no commercial market for them yet. Sujeesh Krishnan, CEO of cyber startup Kinnami told us: “Public awareness is growing, and COVID-19 is helping to make everyone more aware. Remote work and study during the current pandemic and the increased number of cyber attacks is placing more attention on personal data security.

But we do need more awareness building and education aimed at the consumer market for demand for personal cybersecurity solutions to rise.”

Industry’s security
challenges

– and the innovator’s response

A healthy cyber ecosystem is one where innovators – whether they’re a PhD researcher or a startup founder – create solutions tailored to the challenges industry and society are facing now, as well as challenges they could face in the future.

It’s essential that the communication loop doesn’t break and that we’re not creating cyber products in an information vacuum. Instead, we want technology to be co-created, with innovators iterating to respond to market demands.

At LORCA we have a firm understanding of what these priorities are by spending hours speaking to CISOs, buyers and security teams within organisations.

Here, we’ve highlighted five of the most pressing cybersecurity challenges that both industry and society are facing – and five examples of how the innovation community is responding.

Digital Identities

As more people live their lives online they’re leaving a digital footprint, which allows hackers to steal identities – or at least part of someone’s identity. Banks, hospitals, collaboration tools used for work and social media platforms have been turned into honeypots of personal data that could be compromised. In response, there’s been a growing emphasis on digital identity protection by both the government and industry.

There’s widespread agreement that a single point of authentication would help minimise the risk and offer benefits to governments by enabling them to digitally identify citizens. For example, Estonia saved at least 2% of its GDP by using digital signatures as part of its e-Estonia programme of activity.

COVID-19 has also renewed interest in digital identity: British cyber firm Onfido recently raised £100m to develop immunity passports that link a user’s digital data to their biological self.

It’s an area that’s ripe for innovation. In particular, there’s an opportunity for solutions that take a Secure by Design and Privacy by Design approach to enable widespread digital transformation. For example, they could enable local government to provide digital public services that seamlessly integrate people’s digital identities while protecting people’s privacy.

On the innovation supply side, we’ve seen a number of solutions addressing the front-end authentication experience using biometrics. For example, international airports are now using facial recognition technology as an additional layer of security. Meanwhile B-Secur, which graduated from the LORCA accelerator and raised £4m in March 2019, uses ECG technology to verify someone’s identity using people’s unique heartbeat pattern.

But digital identity is a sensitive area, as the debate around the privacy implications of the pilot NHSX contact tracing app in the UK has shown. As people become more conscious of where their data is stored, privacy and transparency needs to be built into solutions.

Industry viewpoint

Stuart Whitehead
Stuart Whitehead
Partner and digital identity lead, Deloitte

Organisations view digital trust as a cornerstone for great customer experiences, a protector of revenue streams and a driver for operational efficiency. The growing range of channels, devices, platforms, and touchpoints is driving the need for digital identity solutions but there’s more to digital identity than simply enabling the right individuals to access the right resources at the right times. 

We see four key trends guiding organisations as they meet both current and future needs.

1. Evolving digital identity landscape.

A digital identity solution may traditionally be targeted towards consumers, but the rise in complexity of the customer experience, additional audiences and the overlap in use cases is driving the need for more traditional identity and access management features.

2. Frictionless, consistent omnichannel experiences facilitated by single sign-on

Consumers increasingly rely on a large number of devices. Demand for biometrics and even password-less access is also increasing. Organisations should focus on ways to reduce unnecessary friction which can lead to customer churn.

3. Improved developer support

In a world where every company is a technology company, digital identity systems must provide a platform for continuous change.

4. Emphasis on security and compliance

Security is paramount—customer data can be compromised in an instant and can have tremendous implications on an organisation’s viability and reputation. This highlights the need for next-generation security features and solutions.

A modern digital identity solution should not only meet today’s security and compliance standards, but also consider the requirements for future, frictionless customer experiences.

Organisations need to consider establishing a strong combination of the right skills, processes and technology to deliver a secure and reliable digital identity solution to keep customer data safe.

Innovation spotlight

Chang Hun Yoo
Chang Hun Yoo
Founder and CEO, swIDch

swIDch, which is a member of LORCA’s third cohort, aims to eliminate identity theft and card not present fraud (which happens when someone uses another person’s card or card details fraudulently). It’s also been selected as one of the CYBERTECH100: an annual list of 100 of the world’s most innovative cyber startups. 

Digital identity sits at the heart security but its all-encompassing nature also makes it difficult to develop a ground-breaking solution.

Securing online identities is particularly relevant to the financial sector and in particular, payments. swIDch has developed an algorithm and, based on a collaborative approach with traditional authentication technology providers, is creating a new security offering for the market.

Our algorithm generates a one-time authentication code (OTAC) with a client chip in a networkless environment. This OTAC compensates for the weaknesses posed by static user identification and RSA keys. In contrast, OTAC can recognise who generated the codes and what device they used – eliminating the need for complex tokenisation infrastructure. This reduces server load, as well as the costs associated with network traffic, maintenance and fraud.

This method can address the authentication challenges of payment gateways – even when poor connectivity is an issue. Users of the payment gateway can simply generate a dynamic ID code or QR coupon on their own mobile device to enable authentication and payment because dynamic codes can be locally generated without a network connection.

Ultimately, swIDch intends for this technology to have applications in multiple sectors beyond payments, from IoT connected devices through to military applications.

Disinformation

These are challenging times for facts. Our digital lives are dominated by 24/7 news and social media, creating an environment where everyone’s a broadcaster and information can be easily manipulated or misinterpreted.

Misinformation – where false facts are shared but not necessarily with the intent to deliberately deceive – is rife. And so is disinformation, where an actor – be it a nation state or a company carrying out corporate espionage – creates and disseminates fake news.

At LORCA we’ve heard from both journalists and the defence sector about how disinformation is a growing challenge. It’s changing the very nature of war by manipulating political narratives and undermining the legitimacy of the media and online debate.

But who should be responsible for tackling the challenge is still being debated, and it’s proven to be an ethically complicated challenge. Countries like Singapore have introduced legislation to clamp down on fake news, which has raised privacy concerns. Meanwhile social media companies have been criticised most recently for failing to halt COVID-19 related fake news.

As a security issue, it’s disinformation that’s starting to command most attention from the cyber community, and we’re seeing more solutions come to the fore that use existing technology like machine learning and authentication techniques to spot fake news. But it’s still not on the radar of large swathes of the sector and it’s not widely regarded as a clear-cut cyber challenge.

That will begin to change soon, though. Having spoken to industry about the challenge, we believe that we’re likely to see growing concern among businesses about the reputational and financial damage a disinformation campaign could have on them.

It’s a challenge that will continue to affect both the private and public sectors, while its spread takes place through the media. This is an arena where collaboration will be key and the tech sector – including cyber startups – can arm society, business and government with the tools they’ll need.

Industry viewpoint

Robert Hannigan
Robert Hannigan
Former director of GCHQ and chair of LORCA’s Industry Advisory Board

Disinformation is not new; deliberately misleading people has been a technique used by nation states and others for as long as anyone can remember.

It was a powerful weapon in the Cold War, when ideological confrontation reached its peak, but the digital era has enabled the proliferation of false information in new ways at a scale, speed and low-cost hardly imaginable in the past. Recent elections across the democratic world have illustrated the new power to manipulate public trust.

While disinformation is not exclusively a cybersecurity problem (it predominantly affects the political and social spheres), it is a challenge that cries out for innovative technical solutions.

At the root of all digital disinformation is the ability to misuse anonymity to harness the same social media platforms that all of us use and to hide in the noise.

The cyber industry knows a great deal about identity management and authentication, and big tech platforms are already using niche products to single out and block suspicious nation state actors. Actions by Twitter and YouTube to block Beijing’s disinformation campaigns during last year’s Hong Kong protests are a good example.

But more concerningly, cyber criminals are waking up to the potential of disinformation to damage the reputation of companies and individuals, whether for blackmail or to affect stock prices. The endless sextortion emails flowing to personal inboxes are a simple example.

Share price manipulation and corporate reputation campaigns are more worrying and sinister. We’ve seen examples of opportunistic disinformation for profit, from the issuing of fake press releases to denial-of-service attacks at commercially sensitive moments. The arrival of AI-powered deepfake technology offers even greater opportunities to make disinformation look real and have individuals appear to say things they never actually said.

Cybersecurity startups can play a role in identifying and fingerprinting disinformation campaigns by either exposing or blocking them at machine speed.

The business model for these services is still unclear – much will depend on what the big tech platforms choose to do and what regulators impose – but it is certain that public and government pressure for technological solutions to tackle disinformation will continue to grow in the years to come.

"Cybersecurity startups can play a role in identifying and fingerprinting disinformation campaigns by either exposing or blocking them at machine speed"

Innovation viewpoint

James Chappell
James Chappell
Chief technology officer, Digital Shadows

Digital Shadows is a cybersecurity scaleup with solutions that include dark web monitoring, threat intelligence, phishing protection and digital risk protection services.

At Digital Shadows we’ve been monitoring disinformation for some time, and we’ve picked up on a number of tactics such as very accurate site impersonation, modified documents, domain spoofing and the use of bots on social media or in forums.

We’ve found that there are usually three main stages to a campaign:

Creation of compelling content, authentic publication and circulation to get as many eyeballs on it as possible.

The barriers to entry for running these campaigns are extremely low and malicious actors will continue to innovate with technology – such as chatbot accounts utilising AI techniques – to create increasingly convincing forum posts, reviews and other content.

Some organisations are combating this by proactively monitoring for the registration of malicious domains while social media companies are combining human and machine intelligence to try and detect disinformation and fake news at scale. But it’s not necessarily a clear-cut cybersecurity issue.

We’re seeing the very definition of what cybersecurity is being challenged and the lines are being blurred.

In many ways, however, there are lots of overlaps between traditional tactics used by threats actors to deceive (like phishing) and what we’re now describing as disinformation.

Disinformation at its heart is really about information integrity – how can we use technology to verify and then trust information? Just like cyber intelligence and journalism have parallels, cybersecurity and disinformation have several parallels.

But while social media companies are investing in this space, it’s not a particularly crowded market in terms of cyber products. There are a small number of startups that focus on one narrow aspect of the challenge, like reviews or reputational monitoring. And until there’s more of a commercial opportunity that’s unlikely to change.

"Disinformation at its heart is really about information integrity"

Innovation spotlight

Dan Brett
Dan Brett
Co-founder and chief security officer, CounterCraft

CounterCraft detects, investigates and responds to targeted attacks using techniques that include deception technology.

Cybercriminals actually deploy disinformation techniques as part of their broader tactics. Phishing, spear phishing and other forms of social engineering used to trick users into giving up their credentials have been used since the earliest attempts at network penetration.

But what if these techniques could be used against hackers instead? Using deception technology, CounterCraft can create synthetic environments where adversaries have access to information that appears to be real – but isn’t. A series of technical clues, only traceable to the criminals looking for an organisation, are laid as a trap. For example, if a hacker attempts to infiltrate an airline, the aeroplane specifications supplied within the deception environment would be entirely fictitious.

Our platform protects an organisation’s confidential information while learning more about the motives and methods of cybercriminals.

In fact, deception technology is being deployed by finance, retail and industrial companies, as well as governments and law enforcement agencies. So while disinformation is having a profound impact on our society, the tables are being turned on cyber criminals using the very same principles.

Supply Chain Security

At LORCA supply chain security has been a focus area for our accelerator programmes since we launched because industry representatives and CISOs tell us time and again that it’s a major business challenge and an area that requires an injection of innovation.

Across sectors – from manufacturing to the media – organisations are struggling to manage the security of supply chains that are digital, global and complex.

They know that a smaller supplier somewhere in the chain could provide an entry point for an attack but it’s very difficult to manage this risk. In fact, according to cybersecurity startup Risk Ledger, 36% of suppliers don’t enforce multi-factor authentication on remotely accessible services and 35% don’t conduct regular penetration tests of their public facing IT infrastructure. What’s more, COVID-19 is increasing the attack surface as malicious actors look to exploit vulnerabilities caused by remote working.

COVID-19 has also led to many businesses adding risk to their supply chains as they aim to be agile and collaborate quickly with new suppliers. In some cases, security professionals admitted to LORCA that they’ve skipped doing security checks entirely to fast-track the onboarding process.

Under normal circumstances they would be more vigilant, but businesses are having to embrace agility like never before. Delaying the procurement process for cybersecurity reasons or preventing a supplier from doing their job by blocking them from parts of a network can have major business consequences. If a security solution doesn’t enable organisations to carry out checks quickly, it might not be used at all.

But even when a new supplier is vetted, the process often relies on the vendor reporting their own security measures – and their assessment could be biased.

There’s a gap in the market for novel solutions that enable organisations to carry out supply chain security checks efficiently and continuously. These solutions also need to enable network visibility across a supply chain in real time.

Industry viewpoint

Shannon Jones
Shannon Jones
Global partnerships, Kx

Kx is a LORCA partner that offers high-speed processing of real-time, streaming and historical data.

The business-driven growth in the reliance on third-party vendors has given attackers more subtle opportunities to breach a company’s defence and wreak havoc. This means attackers are increasingly adopting an island-hopping strategy, attacking not only the target network but supplier entry points too.

Supply chain security sounds simple: locate and fix vulnerabilities before attackers find them. The difficulty arises in getting security teams from different organisations across the supply chain to work together to make this possible.

We need solutions that allow security teams to proactively and continually manage supply chain risk by understanding a potential attack surface and conducting threat modelling that provides actionable insights. The measures taken to first quantify and actively determine risk are just as important as the actual protective solution.

These measures have to be continually assessed and the scalability of cyber solutions to secure all devices – particularly when it comes to IoT – is critical to safeguarding entire supply chains.

Innovator spotlight

Oliver Church
Oliver Church
CEO, Orpheus Cyber

Orpheus Cyber provides accurate, threat-led cyber risk ratings for organisations and their suppliers

Threat actors are aware that a supplier is often the weakest link in their target’s defences and for some time they’ve focussed their attention on supply chains. COVID-19 has exacerbated this problem, as remote working has increased the attack surface of all organisations (especially for less secure suppliers).

Adversaries are ramping up their operations to exploit this increased vulnerability – with dire consequences for companies that are now more reliant than ever on the digital side of their business.

Traditionally, supply chain risk management has been conducted by people asking suppliers to complete questionnaires that are then laboriously chased, collected and analysed by humans. It’s a costly and often inefficient approach that at best provides a single-point-in-time reflection of a supplier’s cybersecurity at the moment they completed the form.

Orpheus Cyber has developed an approach that enables organisations to manage their supply chain risk cost and time-efficiently. We’re a Financial Conduct Authority and Bank of England accredited cyber threat intelligence company and our threat intelligence capabilities enable skilled teams to deliver a risk-based approach to supply chain cyber risk management.

Our cloud-based platform enables organisations to easily understand the cyber risk associated with each of their suppliers and their entire supply chain on an ongoing basis as the risk to each supplier changes. Better yet, it doesn’t require the involvement of the supplier in assessing their cyber risk – although we do provide reports that mean suppliers can mitigate their attack surface issues.

We accurately calculate risk based on both threats and the attack surface, while our machine learning means we’re predictive in our assessments.

We’re working across multiple sectors, including financial services, telecommunications and the public sector. We’ve delivered supply chain cyber risk management for the NHS and partnered with major global companies to integrate our technologies into their products and services.

Securing The Internet Of Everything And Everyone

The expansion of networks and the digitisation of everything from physical infrastructure to healthcare continues to dominate the security agenda, blurring the line between physical and digital threats.

On an individual level, people are logging onto the internet from multiple devices to work, shop, communicate or consume content – a trend that COVID-19 has placed in the spotlight.

This spread of the internet into all corners of our lives is increasing the attack surface.

Securing data as it flows between individuals, a complex web of private sector organisations and the government is a continual challenge and it’s not always clear who’s responsible.

LORCA has been told by representatives from the defence sector that the security of a country’s health and transport services is considered a national security issue, while in London local government is grappling with making the capital a smart city while sharing data securely across a range of private and public sector stakeholders.

One response to this challenge has been the Secure by Design movement that champions technology that has security principles built in from the start rather than bolted on later. The UK government has taken a leadership role in this space, whether by working with companies like Arm to develop hack-resistant hardware or partnering with countries like Singapore to secure the Internet of Things. And in January 2020, the government announced its intention to introduce legislation to improve the security of connected devices in the UK, with the onus being placed on manufacturers to put appropriate protections in place around consumer data.

There’s also a need to secure networks themselves, rather than individual assets or devices, using advanced encryption that’s able to secure data in a nuanced way by implementing controls based on how sensitive the data is.

One response to this challenge has been the Secure by Design movement that champions technology that has security principles built in from the start rather than bolted on later. The UK government has taken a leadership role in this space, whether by working with companies like Arm to develop hack-resistant hardware or partnering with countries like Singapore to secure the Internet of Things. And in January 2020, the government announced its intention to introduce legislation to improve the security of connected devices in the UK, with the onus being placed on manufacturers to put appropriate protections in place around consumer data.

There’s also a need to secure networks themselves, rather than individual assets or devices, using advanced encryption that’s able to secure data in a nuanced way by implementing controls based on how sensitive the data is.

Industry viewpoint

Paul Crichard
Paul Crichard
chief technology officer, BT

As digital networks meet the broader connected world, several trends are converging at once. Traditional network security is no longer the priority. Instead, there’s a shift toward protecting applications and personal identities.

In turn, this collides with the consumerisation of the business marketplace, which is moving workplace technologies to the home – something that’s being significantly accelerated by COVID-19.

For the cybersecurity industry, this drives a need to understand the context around these connections and for security solutions to enable people to do what they need to do rather than inhibiting them.

Part of the solution is securing data wherever it sits in the network infrastructure. To do this, controls must be in the right place. This is a critical part of the conversation around 5G, for example.

Secondary systems will have trouble keeping up with 5G infrastructure and in the long-term, companies will need to redirect their assets away from third-party data centres that may not be able to work at the necessary speeds.

Finally, addressing the security challenges posed by the networks of the future means being smart about what controls users put over data. Levels of encryption will have to vary based on the value of the assets under protection. For example, less sensitive work has no requirement for high levels of encryption because it’s not as valuable.

Unnecessary layers of security not only cause friction in a user’s experience but could also compromise the encryption efforts by giving malicious actors more examples that they can use to model their attacks.

"addressing the security challenges posed by the networks of the future means being smart about what controls users put over data"

Innovation spotlight

Thad Eidman
Thad Eidman
co-founder and COO, Acreto

Acreto delivers a comprehensive Secure Access Service Edge (SASE) platform to protect any device, any application and any network from, anywhere.

Over the past five years, IT infrastructure has fundamentally changed as distributed and mobile technologies have seen rapid adoption rates. Cloud and SaaS applications, as well as the Internet of Things and the rise of remote working, are creating significant new security challenges that can’t be met by legacy security products.

Organisations are finding that the increasing number of new security point products required to secure these environments is creating an untenable level of complexity and cost. 

To address the issue of complexity and cost for securing these new distributed environments, the industry is calling for the adoption of a new security model – Secure Access Service Edge (SASE).

This consolidates the security needs for an organisation into a single platform, enabling the secure access to networks and applications by any device and any user from anywhere. 

Acreto delivers the security industry’s most comprehensive SASE platform. Our platform can secure any type of device (from IoT to servers), any application (on-premises, cloud and SaaS), any network (including public and third-party networks) from anywhere.

Zero-Trust Security

The growth of cloud infrastructure, the popularity of Bring Your Own Device policies and the number of breaches that have come down to insider threat have changed the ways CISOs view security. Most now believe that organisations shouldn’t automatically trust anything either inside or outside its perimeters. In fact, the threat is increasingly likely to come from the inside.

Malicious attackers, using techniques like phishing, aim to gain network access. Once in, they look for sensitive data or lie dormant for long periods of time, waiting until the perceived threat has passed. They can also use credential theft to mimic anyone with trusted access to the network – including those with high privileges such as an IT manager or senior executive.

This means that the trust but verify model is out and a new era of proactive security has arrived.

Organisations big and small are increasingly adopting zero-trust security principles that require the continuous verification of every individual in a network through multi-factor authentication whenever they interact with company data. This requires a matrix model to micro-segment the network so hackers can’t move laterally through a company’s infrastructure once it’s been infiltrated.

And COVID-19 has also led to more organisations adopting a zero-trust approach. LORCA brought a cross-section of businesses together to discuss the pandemic’s impact on cybersecurity and we heard about how many organisations have been forced by circumstance into being more agile and taking on more risk than they’d normally have the stomach for. This includes onboarding suppliers without robust cybersecurity screenings and allowing staff to work from home using their own devices. With so many unknown risks and potential attack entry points now within the organisation, embracing the zero-trust way has become more important.

But despite zero-trust being top-of-mind among CISOs, there are few cybersecurity solutions on the market to meet this demand. Secureworks, which is part of the Dell Technologies family, and Cambridge-founded Darktrace, are notable examples.

We have, however, seen a number of cyber companies developing user-centric solutions that aim to minimise the human error that can lead to a breach and make cyber training more effective for employees.

Industry viewpoint:

Jim Shook
Jim Shook
Director, cybersecurity and compliance practice, data protection solutions, Dell Technologies

Dell Technologies helps organisations embrace digital transformation by arming them with the technology solutions, products and services they need.

Mobile technology and cloud computing have destroyed the old approach to security, where you would go about defining and then defending your security perimeter. Nobody can really define a perimeter anymore and the new approach is to acknowledge that you can’t trust anyone or anything without verification.

This makes sense from a security standpoint but is much more difficult and costly to implement operationally. And it’s especially hard for larger organisations with legacy systems and processes like banks to transition to a zero-security approach – both from a technical and resourcing perspective.

And that’s something not everyone appreciates. Technologies that enable you to take a zero-trust security stance are important, but they’re not plug-and-play tools – you still need the right strategy, people and operations in place. It’s a huge cultural shift.

In reality, CISOs need to prioritise their security measures – they just don’t have the resources or budget to monitor everything. So vendors need to work with the business to identify the systems and the business processes that are most critical from a risk standpoint and begin to micro-segment the risks.

In terms of startup activity, we’re seeing some interesting solutions that involve authentification methods and shared encryption keys but zero-trust is still a relatively new trend so there’s a lot of room for new, innovative solutions that help businesses navigate the complexity.

Innovator viewpoint

Jason du Preez
Jason du Preez
CEO, Privitar

Privitar enables organisations to benefit from data insights while protecting their customers’ sensitive personal information.

Zero-trust security is a mentality that works on the assumption that the environments that digital assets reside in can’t be inherently trusted.

The evolution of traditional cyber defences and the proliferation of connected devices has driven businesses towards zero-trust security principles. Organisations will all suffer cybersecurity breaches and so they have increasingly looked for better ways to add layers of security to their infrastructure that are centred around data itself.

Zero-trust approaches can be particularly effective when it comes to mitigating cyber vulnerabilities caused by human error. People make all sorts of mistakes, such as mis-addressing a sensitive email or clicking on a phishing link. It’s much easier to minimise this insider threat by limiting people’s access to sensitive information and monitoring for suspicious behaviour.

As attacks become increasingly sophisticated, organisations are far less able to trust what’s inside their networks. At the same time, those networks are becoming more nebulous thanks to the adoption of new business models and the increased use of data to enable decision-making.

This is symptomatic of a shift to more distributed, cloud-based platforms. Zero-trust will be an essential principle in the future of cybersecurity as these methodologies and working environments become the norm.

Innovator spotlight

Liad Mizrachi
Liad Mizrachi
Head of operations and co-founder, Avnos

The company’s AI-powered engine helps to anticipate workloads and automate mappings across an organisation’s on-premises, hybrid and cloud environments.

The traditional cybersecurity paradigm of attempting to maintain a robust perimeter-level defence is outdated. Just like a medieval battlement, this castle and moat approach is only effective so long as it isn’t infiltrated.

In a post-breach world, this is almost impossible to guarantee. The advanced tools at a malicious actor’s disposal allow them to move laterally once inside a network across databases and applications, as we saw with the WannaCry ransomware attack.

Organisations are adopting zero-trust segmentation as a solution to the expansion of the traditional network perimeter into the cloud and the broadening connected world. Avnos is a cloud-based, zero-trust platform that delivers distributed and decentralised micro-segmentation policies to all workloads, both on and off-premises.

This method provides for a more robust segmentation strategy, securing zones across the entire organisation and giving businesses more control over the growing lateral threats that bypass traditional perimeter-focused security tools.

A key challenge with zero-trust security based on network segmentation is that you have to know what to segment. Without full visibility of all devices, users, applications and network traffic, businesses can’t know what kind of segments to create.

To address this, Avnos has an AI-powered engine to automate workloads discovery and mapping across all environments. This allows businesses to trust their network again with advanced visualisation of connections between workloads, users and applications, as well as relationships between the host network and unauthorised devices.

This full visibility is what will take zero-trust security to the next level.

"The traditional cybersecurity paradigm of maintaining robust, perimeter-level defence is outdated"

Recommendations

1

Cyber specialists have a role to play

in sharing knowledge with angel investors and non-specialist VCs to make the sector more accessible to a wider pool of investors. Angel investors can also play a role in plugging the funding gap by backing more early-stage companies.

2

There’s an opportunity to work with industry

to help them feel more confident about piloting or adopting new, innovative technology that’s not yet been validated by the market. The risk could be minimised by exploring other ways of validating products or integrating them into established delivery platforms.

 

3

Industry can play a bigger leadership role

by collaborating with competitors or players in other sectors to solve the big, borderless cyber challenges that touch all sectors and organisations of all sizes.

4

Industry can work more collaboratively with innovators, moving beyond

the traditional vendor-customer relationship to make sure solutions being developed on the supply side match what the market wants and needs.

5

Private-public sector collaboration is essential.

Cybersecurity contributes to our economy, is a core aspect of our national security and enables industry to innovate and stay resilient to breaches. Innovation is also taking place in both the private and public sectors. It’s essential that this collaboration continues in the long term and the links between initiatives are strengthened to maximise cross-sector impact.

6

There’s a growing opportunity for corporate venture capital

within the cybersecurity ecosystem to provide patient capital for innovators with long product development cycles and complex routes to market. This will be most valuable for breakthrough technology solutions that can meet emerging and future needs.

7

We need to connect the dots

to avoid startups becoming stuck at the seed or pre-seed stages. We should take a holistic approach to ecosystem support, adopting common goals across the ecosystem to help minimise the chances of innovators falling through the gaps between support stages.

8

Linking regional capabilities with London could help commercialise research.

The UK has an extensive network of regional academic and research institutions in cybersecurity. At the same time, London continues to be Europe’s tech capital and acts as both a landing pad and launchpad for cyber startups.

There’s an opportunity to link our regional academic capabilities with the capital to ensure we’re commercialising and scaling early-stage innovation as well as translating knowledge into economic growth.

9

Early-stage startups need help

with showcasing their solutions in a way that resonates with business leaders and investors so they can differentiate themselves in a crowded market.

10

Mapping the ecosystem would help

all participants navigate it and identify avenues for collaboration. This would be especially valuable for non-specialist investors and startups trying to plot a route to market.

Lorca: An Innovation Ecosystem

LORCA is delivered by the Plexal innovation centre with support from the Centre for Secure Information Technologies and Deloitte. We’re backed by the UK government and count Lloyds Banking Group, Dell Technologies, Global Cyber Alliance, Kx, Kudelski Security and Hub8 as partners.

Our mission is to support the most promising cybersecurity solutions that can help us all to stay safe in a connected world.
Our ecosystem connects startups, scaleups, academics, investors, government and industry from around the world to address the biggest security challenges facing the digital economy.

Welcoming a new cohort of cyber scaleups into our accelerator every six months, we act as a landing pad into the UK market and a launchpad into global markets. We give our members everything they need to scale, from mentoring and trade delegations to connecting them with industry and VCs.

We also hold regular Innovation Forums, investor engagement days and Needs Accelerator events to get to the heart of what buyers and investors want, as well as scan the horizon for future technology trends and challenges.

Want to get involved? Contact us on info@lorca.co.uk to register early interest for our next accelerator, become a startup member of our workspace in London, learn about being a corporate partner or engage with us as an investor or sister organisation.

Lorca by Plexal