the Lorca
Report
2020

A record level of capital is entering the market and interest is broadening beyond specialist VCs. But investment is focused on later-stage companies, it’s a complex market to navigate and investors find it hard to tell whether the solutions being pitched to them will actually sell.

Ken Pentimonti, a principal at Paladin Capital, says: “It requires more technical skills to evaluate cybersecurity than a lot of other areas in venture capital, so it’s not as simple as saying ‘we think cyber is an interesting area, let’s raise some capital’. You need a team with a deep tech background to evaluate those technologies.”

Cat McDonald, investment associate at AlbionVC (software investors with a security portfolio) says the company doesn’t go hunting for security startups specifically. Instead, it looks for acute pain points in the market and matches experienced teams and emerging enabling technologies to serve those needs.

But assessing product-market fit isn’t easy. “The most secure product isn’t always the best product in terms of what the market needs and wants,” McDonald says. “And where you get companies buying up cyber solutions to tick boxes, deciphering between what has superficial early traction and what has a true product-market fit can be tricky.

This is made even harder when early-stage companies have the government as their first customer. Although the government might validate the technology, that’s not necessarily an indicator of broader market success.”

McDonald is looking for market validation and evidence that a company could have a repeatable use case – but that’s a challenge in cybersecurity where buyers sometimes require bespoke rather than off-the-shelf solutions. Repeatable success isn’t easy to guarantee.

It’s also very hard for investors to differentiate between solutions in what’s become a crowded market. “Cyber is a very noisy market and new companies haven’t been mapped particularly well, says Peter Jaco, who has experience in commercialising early-stage technology companies and is the founder of Apichi Partners. He says this makes it challenging for investors to tell solutions apart, and this could be particularly off-putting for angel investors who are also wary of how long it takes to see a return in cyber. “The average angel investment doesn’t see a return for maybe eight years and that scares a lot of them – they feel more comfortable in a business-to-consumer setting,” he adds.

Deep tech cyber startups, meanwhile, require VCs to take a leap of faith.

Kumi Thiruchelvam, an investor and former chief commercial officer at cyber company Crypto Quantique, cautions fellow startups about entering into a round with an investor who isn’t willing to wait for a company to generate revenue. “We’re lucky that our shareholders and investors view us as profitable for several years but we’ve also spent a lot of time understanding our market and how we can serve it,” he says. “We’re clear that we’ll be pre-revenue for some time, but more inexperienced founders might take money from an investor that pushes the company to generate revenue very early on. And I think that’s when it often starts going wrong.”

Thiruchelvam believes startups need more patient capital (where the investor doesn’t require an immediate return and instead is happy to wait for a more substantial return in the longer term). But VCs need to feel more comfortable with navigating the sector before backing deep tech startups that might not generate revenue for a while.

There’s a misalignment of expectations between VCs who are driven by their fund cycles to commercialise investments early, and cyber startups, which need patient capital to develop game-changing, deep tech solutions that tend to be capital-intensive. The ecosystem as a whole needs to encourage more patient capital and work with investors to spot innovative solutions that align to emerging market needs.

The British Business Bank (BBB) exists to make financial markets work for small businesses in the UK

Despite the growth of the cybersecurity market last year, there are undoubtedly gaps that we aim to plug by backing funds investing in cyber and through our NSSIF programme, which stimulates investment in priority sectors.

Like everyone, particularly those in the small business community, we’ve had to adapt rapidly to the impact of COVID-19 and the shift from our traditional focus on patient capital to equity intervention through the likes of CBILS and the Future Fund. But it’s in times of crisis that the development bank model comes into its own.

We have a higher risk appetite than a commercial investor so we can support more companies in economic difficulty. As the pandemic began to hit the economy, we’ve provided over £15bn to over 170,000 British startups under our government-partnered schemes.

It’s especially important in a sector like cyber, where it can take years to develop a commercially viable product, that companies receive investment at the right stages. However, investors can be wary about backing companies at the pre-seed stage. Our angel co-fund and emerging regional angel programme are aimed at addressing this issue by providing a stepping-stone to later-stage venture capital.

While 2019 was a record year for investment into British cybersecurity startups, deals were focused on a small number of companies rather than being spread among pre-Seed and Series A startups.

Investment activity has been moving downstream for the last 12 months and, according to figures compiled by research company Beauhurst and Plexal (which delivers LORCA), the funding gap has become even wider since the pandemic.

British startups raised £1,037bn in the first eight weeks of lockdown but only 5% (£52m) of this went to seed-stage startups that hadn’t raised funding before. This suggests that investors are protecting their existing portfolios.

Cat McDonald’s experience in the weeks following the start of lockdown is representative of several VCs in our network: “We spent most of April and May focussed on our existing portfolio of 50 or so companies, but we are now exploring new investment opportunities and we have capital to deploy,” she told us. “That being said, the bar is higher now and we need to build confidence in a company’s business plan despite the broader macroeconomic uncertainty.”

The pandemic could also shrink the pool of active VCs in cyber, which means fewer opportunities for seed-stage companies. Ken Pentimonti has noticed more non-specialist VCs entering the arena, which means more competition but also more co-investors to partner with.

However, McDonald thinks COVID-19 could make them think twice. “During a crisis, many investors have a renewed focus on their core areas of competence. Although cyber companies are faring relatively well right now, investors with limited experience in the space may pause before making a first-time cyber investment.”

This fall in investor activity could also come just as growing cyber companies find demand for their solutions increase, thanks to the rise of remote working and the accelerated digital transformation it’s causing. “Cyber is a growing area and the pandemic, if anything, will mean it grows even more,” says Pentimonti. But without enough runway, these companies might not be able to scale to meet demand.

Cashflow issues are especially pronounced in cyber where product development and sales cycles are long. Even among the LORCA cohort, which features later-stage companies that tend to be well-funded, 41% of our members told us they needed a cash injection within the next three months to remain operational.

Jaco, who is also the chairman of cyber startup CyberOwl, says that Britain is on the whole “a way better place to launch a cyber company than it’s ever been before”, but he is cautiously optimistic. “If we want to keep it that way, we can’t allow delays in funding – especially to early-stage companies – to slow down progress in the next few years,” he says.

But while VCs are becoming more risk-averse, could industry come to the rescue? What startups need most, after all, is contracts. “The innovator is solving for a future problem using new technology, but buyers are often reluctant to try something they don’t need when they think the status quo is good enough”, says Jim Shook, director of Cybersecurity and Compliance Practice, Data Protection Solutions at Dell Technologies. “Staying ahead of the threat actors is important, and the status quo doesn’t achieve that goal.”

The government has introduced a number of mechanisms to support startups through the COVID-19 crisis, but the shortfall in early-stage funding was an existing challenge before the pandemic.

If we don’t address this now, we risk a lost generation of cybersecurity entrepreneurs across the country. There’s a risk that without sustainable and consistent funding available at the earliest stages of a startup’s development, the pipeline of innovation will suffer.

At the same time, our academic institutions, which are responsible for producing cutting-edge research, are also under pressure.

David Crozier is the head of strategic partnerships and engagement at the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast (an organisation that helps commercialise cybersecurity research, and a delivery partner of LORCA). He told us that while research-intensive universities are commercialising their technology and turning ideas into value propositions, in many other institutions “a lot of good ideas are dying at the PHD research level” because there’s limited structure in place to help ideas develop into businesses.

The UK government has intervened with its Cyber Security Academic Startup Accelerator Programme to put a more structured process in place, which Crozier says has been a welcome intervention.

But to take things to the next level he’d like to see the government back early-stage companies by taking more risks in the way it procures solutions.

Crozier also believes we can do better at joining the dots between all the programmes in play – research institutes, incubators and accelerators – that can fuel a cyber startup’s growth. “There’s an opportunity to look at these programmes holistically and make sure there’s no point where startups are falling through the cracks,” he says.

There are now 633 high-growth cyber companies in the UK. But while new entrants are a sign of a healthy ecosystem, the market has become crowded and complex.

Chief information security officers (CISOs) share a recurring pain point: they’re seeing startups pitch a platform or solution that either doesn’t fit into their existing security architecture, or isn’t able to demonstrate how it would add business value that would justify the investment. As more cyber companies join the sector, we’ve seen a proliferation of solutions that both potential customers and investors find hard to navigate. In fact, Panaseer’s Security Leaders’ Peer Report found that most security teams are running more than 50 tools at once and 89% have concerns about their visibility of their IT infrastructure.

Cath Goulding, CISO at Nominet, a company that guards the .UK domain name registry and delivers cyber services to government and enterprise, thinks startups should consider how easily their solutions can be integrated rather than wasting energy inventing something buyers don’t need: “So many startups put all this time into creating their own dashboards and portals, but we already have our own so that’s not the bit I’m interested in,” she says. “I’m more interested in your underlying data and how I can integrate it into what we already have. By giving me another platform or portal you’re giving me more unknowns that I need to look at. You’re essentially giving me more potential problems.”

Jim Shook, considering the market trends Dell Technologies is witnessing, told us: “There’s always been a lot of point solutions in the security marketplace, which can make it difficult to navigate and harder to integrate the solutions. I’m seeing a growing demand for intrinsic security, security by design and better integration. That will help to shift things but I think it will still be a while before we see consistent streamlining in the marketplace.”

What could this mean for the UK’s cyber sector? In 2017, we saw the likes of IBM and Cisco collaborating to fortify industry against the latest threats. A closer partnership between large and small companies could be the next phase. For example, big tech ecosystem providers such as Splunk and Amazon Web Services are actively partnering with startups.

Goulding would welcome more collaboration between providers: “SMEs should be thinking about consolidation with other platforms rather than adding yet another product to the mix. Darktrace has done so well partly because it had this model where you could just plug and play, and it had a service on top of it.”

Kumi Thiruchelvam offers a word of caution about this approach, though: “There is an incredibly complex, fragmented innovation ecosystem on the supply side where you have hardware providers, device manufactures, platform vendors (who extract most of the value) all the way through to system integrators into enterprise,” he says. “We need more platforms in cyber but we also need to protect innovators through mechanisms like patents to make sure larger third parties aren’t extracting all of the value.” The cyber ecosystem’s role here is to make sure the consolidation demanded by CISOs doesn’t stifle innovation by favouring incumbents over disrupters.

Meanwhile Ryan Spanier, vice president of innovation at Kudelski Security, envisages a scenario where there are a handful of small technology ecosystems that smaller companies could seamlessly slot into. “This could encourage innovation and enable small firms to access funding. It’s also necessary: without this consolidation the industry will need to find a way to standardise so that anyone can develop a product that can integrate into an ecosystem.”

Dan Russell, associate director at Deloitte, believes that collaboration between startups is both likely and in the interest of startups. “It’s unlikely that a small company will displace a big player,” he says. “It’s more likely that the big player will get the smaller players to buy up the even smaller players, with the help of an integrator. So small businesses should develop their technology in such a way that it’s able to integrate with other solutions. And they should focus their energy on the integrators – not going after the big bank or the large organisation.”

Ken Pentimonti is not convinced that consolidation will actually happen any time soon, though. “For years people have been talking about the cyber market being fragmented and the need for consolidation, but it hasn’t happened yet,” he says. “It’s hard because the threats are continually changing and the solutions must be dynamic. You’ll always get new startups and spinouts addressing parts of problems in new, creative ways. And then large organisations are going to want to try to integrate them because it’s difficult for them to develop those cutting-edge technologies themselves. I don’t see this changing dramatically.”

But given the lack of funding available to early-stage startups, we’re likely to see startups eye acquisitions by industry as a viable survival tactic. The consolidation CISOs have been calling for could finally begin to happen.

Given how crowded the market is, good marketing could help cyber startups gain traction but CISOs and investors are often frustrated by the way founders describe their solutions.

“I’ve lost count of the number of times I’ve asked founders to stop telling me about how cybersecurity is a problem – I know it’s a problem, it’s my job,” says Nominet’s Cath Goulding. “I want to get to the heart of the matter. There is a layer of marketing nonsense you have to get through to find out what a startup’s product actually does and how it can work with my existing solutions.”

VCs can get equally frustrated. “So often founders of earlier-stage companies focus on the technology rather than the market need,” says Cat McDonald. “Investors need to know that a company is solving an acute pain point in the market and that it has a better way of tackling that pain point than what’s already out there.” McDonald also believes founders who have been through an accelerator or an early-stage funding round usually become better at speaking the language of VCs and buyers. “It definitely helps,” she says.

The government’s Cyber Security Breaches Survey highlighted that cyber attacks are becoming more frequent and almost half of businesses (46%) and a quarter of charities (26%) reported cyber attacks in 2019. The very organisations that will find it hardest to financially recover from a cyber attack are being left exposed.

And this gap is being made worse by an industry culture that looks for cures rather than prevention, says Andy Bates, executive director at the Global Cyber Alliance. “In cybersecurity, companies tend to employ complex, technical solutions to fix problems that are unaffordable for entities other than large businesses,” he says. “If there was a little more basic security hygiene, many of the problems would be solved and the accessibility gap in cybersecurity would start to shrink.”

Bates believes that security providers are missing a trick by focusing their attention on corporates with big budgets, rather than winning less lucrative contracts from smaller organisations. “One million sales worth £100 each generates the same amount as a single £100m contract but each one takes a fraction of the time,” he says. It makes much more sense to move into the SME space than fight it out for that one big contract.”

There’s also a gap when it comes to who is being equipped with the tools and education needed to navigate a digital world. For example, while cyber startups have responded to demand for human-centric solutions by developing better training platforms and methods using behavioural economics, self-employed teams don’t always receive the same training. CISOs also don’t have the same visibility of the cyber hygiene being practiced by remote, freelance workers. This was one of the key challenges highlighted by representatives from security teams working in the media at a LORCA roundtable, who admitted that they’re employing an increasing number of freelance journalists who don’t always use vetted tools or devices.

People who are unemployed are also less likely to be trained in basic cybersecurity principles while the 18% of the population who class themselves as non-users of the internet could be a prime target for bad actors, should they decide to log on.

Dell Technologies’ Jim Shook thinks this digital divide is unacceptable and believes it’s the responsibility of both industry and the government to do something about it: “There is a digital divide both in terms of access to the internet itself and having an understanding of security. We’ve got to fix this divide and do more to educate people about security – not just employees but the self-employed. We need to make security solutions really simple to use.”

There are initiatives under way to address these access gaps – most recently Innovate UK, the government’s innovation agency, awarded funding to Think Cyber Security to adapt its security training solutions for SMEs that are being targeted during the pandemic. It’s crucial that both the public and private sectors rally to serve charities, SMEs, the unemployed, freelancers and other under-served segments of society. Security online shouldn’t be the privilege of the few.

To date, cybersecurity has been thought of as a problem for business while individuals appear to be complacent about the nature of the threat. A recent study by Nominet, for example, showed that 77% of British adults believed they knew enough to stay safe online despite cybercrime reaching unprecedented levels.

But this could change very soon.

The rapid proliferation of connected devices, sensors and automation means consumers are engaging with technology more often. And the associated risks could be what causes a change in consumer attitudes towards cybersecurity.

But will consumers be willing to buy personal cyber products and take personal responsibility for their digital security, or will the cost be absorbed into the price of technology products?

Cat McDonald, speaking with her VC hat on, is sceptical about the willingness of individuals to pay for or use an onerous cyber product: “Driving adoption of any new consumer product is hard and it’s even harder for a security product that’s introducing friction or taking away convenience,” she says. “Mass-market disruption with a security solution is most likely to be achieved by a tech titan like Apple or Microsoft.”

The government is also increasingly viewing the online security of individuals to be something that falls within its remit. Theo Blackwell, the chief digital officer for London, is tasked with making sure the UK capital achieves its smart city objectives. He says that the growing digital reach of cities means “cybersecurity is becoming a responsibility for municipal government because they have a duty of care to their communities”.

But Blackwell also believes individuals should care more about their own cybersecurity. “People have a responsibility to adhere to basic security principles,” he says. “For example, devices from abroad might not conform to UK security standards and consumers need to become more aware of the technology they bring into their homes.”

But there are still very few cyber solutions on the market aimed directly at the consumer – most likely because there’s no commercial market for them yet. Sujeesh Krishnan, CEO of cyber startup Kinnami told us: “Public awareness is growing, and COVID-19 is helping to make everyone more aware. Remote work and study during the current pandemic and the increased number of cyber attacks is placing more attention on personal data security.

But we do need more awareness building and education aimed at the consumer market for demand for personal cybersecurity solutions to rise.”

As more people live their lives online they’re leaving a digital footprint, which allows hackers to steal identities – or at least part of someone’s identity. Banks, hospitals, collaboration tools used for work and social media platforms have been turned into honeypots of personal data that could be compromised. In response, there’s been a growing emphasis on digital identity protection by both the government and industry.

There’s widespread agreement that a single point of authentication would help minimise the risk and offer benefits to governments by enabling them to digitally identify citizens. For example, Estonia saved at least 2% of its GDP by using digital signatures as part of its e-Estonia programme of activity.

COVID-19 has also renewed interest in digital identity: British cyber firm Onfido recently raised £100m to develop immunity passports that link a user’s digital data to their biological self.

It’s an area that’s ripe for innovation. In particular, there’s an opportunity for solutions that take a Secure by Design and Privacy by Design approach to enable widespread digital transformation. For example, they could enable local government to provide digital public services that seamlessly integrate people’s digital identities while protecting people’s privacy.

On the innovation supply side, we’ve seen a number of solutions addressing the front-end authentication experience using biometrics. For example, international airports are now using facial recognition technology as an additional layer of security. Meanwhile B-Secur, which graduated from the LORCA accelerator and raised £4m in March 2019, uses ECG technology to verify someone’s identity using people’s unique heartbeat pattern.

But digital identity is a sensitive area, as the debate around the privacy implications of the pilot NHSX contact tracing app in the UK has shown. As people become more conscious of where their data is stored, privacy and transparency needs to be built into solutions.

Organisations view digital trust as a cornerstone for great customer experiences, a protector of revenue streams and a driver for operational efficiency. The growing range of channels, devices, platforms, and touchpoints is driving the need for digital identity solutions but there’s more to digital identity than simply enabling the right individuals to access the right resources at the right times. 

We see four key trends guiding organisations as they meet both current and future needs.

1. Evolving digital identity landscape.

A digital identity solution may traditionally be targeted towards consumers, but the rise in complexity of the customer experience, additional audiences and the overlap in use cases is driving the need for more traditional identity and access management features.

2. Frictionless, consistent omnichannel experiences facilitated by single sign-on

Consumers increasingly rely on a large number of devices. Demand for biometrics and even password-less access is also increasing. Organisations should focus on ways to reduce unnecessary friction which can lead to customer churn.

3. Improved developer support

In a world where every company is a technology company, digital identity systems must provide a platform for continuous change.

4. Emphasis on security and compliance

Security is paramount—customer data can be compromised in an instant and can have tremendous implications on an organisation’s viability and reputation. This highlights the need for next-generation security features and solutions.

A modern digital identity solution should not only meet today’s security and compliance standards, but also consider the requirements for future, frictionless customer experiences.

Organisations need to consider establishing a strong combination of the right skills, processes and technology to deliver a secure and reliable digital identity solution to keep customer data safe.

swIDch, which is a member of LORCA’s third cohort, aims to eliminate identity theft and card not present fraud (which happens when someone uses another person’s card or card details fraudulently). It’s also been selected as one of the CYBERTECH100: an annual list of 100 of the world’s most innovative cyber startups. 

Digital identity sits at the heart security but its all-encompassing nature also makes it difficult to develop a ground-breaking solution.

Securing online identities is particularly relevant to the financial sector and in particular, payments. swIDch has developed an algorithm and, based on a collaborative approach with traditional authentication technology providers, is creating a new security offering for the market.

Our algorithm generates a one-time authentication code (OTAC) with a client chip in a networkless environment. This OTAC compensates for the weaknesses posed by static user identification and RSA keys. In contrast, OTAC can recognise who generated the codes and what device they used – eliminating the need for complex tokenisation infrastructure. This reduces server load, as well as the costs associated with network traffic, maintenance and fraud.

This method can address the authentication challenges of payment gateways – even when poor connectivity is an issue. Users of the payment gateway can simply generate a dynamic ID code or QR coupon on their own mobile device to enable authentication and payment because dynamic codes can be locally generated without a network connection.

Ultimately, swIDch intends for this technology to have applications in multiple sectors beyond payments, from IoT connected devices through to military applications.

These are challenging times for facts. Our digital lives are dominated by 24/7 news and social media, creating an environment where everyone’s a broadcaster and information can be easily manipulated or misinterpreted.

Misinformation – where false facts are shared but not necessarily with the intent to deliberately deceive – is rife. And so is disinformation, where an actor – be it a nation state or a company carrying out corporate espionage – creates and disseminates fake news.

At LORCA we’ve heard from both journalists and the defence sector about how disinformation is a growing challenge. It’s changing the very nature of war by manipulating political narratives and undermining the legitimacy of the media and online debate.

But who should be responsible for tackling the challenge is still being debated, and it’s proven to be an ethically complicated challenge. Countries like Singapore have introduced legislation to clamp down on fake news, which has raised privacy concerns. Meanwhile social media companies have been criticised most recently for failing to halt COVID-19 related fake news.

As a security issue, it’s disinformation that’s starting to command most attention from the cyber community, and we’re seeing more solutions come to the fore that use existing technology like machine learning and authentication techniques to spot fake news. But it’s still not on the radar of large swathes of the sector and it’s not widely regarded as a clear-cut cyber challenge.

That will begin to change soon, though. Having spoken to industry about the challenge, we believe that we’re likely to see growing concern among businesses about the reputational and financial damage a disinformation campaign could have on them.

It’s a challenge that will continue to affect both the private and public sectors, while its spread takes place through the media. This is an arena where collaboration will be key and the tech sector – including cyber startups – can arm society, business and government with the tools they’ll need.

Disinformation is not new; deliberately misleading people has been a technique used by nation states and others for as long as anyone can remember.

It was a powerful weapon in the Cold War, when ideological confrontation reached its peak, but the digital era has enabled the proliferation of false information in new ways at a scale, speed and low-cost hardly imaginable in the past. Recent elections across the democratic world have illustrated the new power to manipulate public trust.

While disinformation is not exclusively a cybersecurity problem (it predominantly affects the political and social spheres), it is a challenge that cries out for innovative technical solutions.

At the root of all digital disinformation is the ability to misuse anonymity to harness the same social media platforms that all of us use and to hide in the noise.

The cyber industry knows a great deal about identity management and authentication, and big tech platforms are already using niche products to single out and block suspicious nation state actors. Actions by Twitter and YouTube to block Beijing’s disinformation campaigns during last year’s Hong Kong protests are a good example.

But more concerningly, cyber criminals are waking up to the potential of disinformation to damage the reputation of companies and individuals, whether for blackmail or to affect stock prices. The endless sextortion emails flowing to personal inboxes are a simple example.

Share price manipulation and corporate reputation campaigns are more worrying and sinister. We’ve seen examples of opportunistic disinformation for profit, from the issuing of fake press releases to denial-of-service attacks at commercially sensitive moments. The arrival of AI-powered deepfake technology offers even greater opportunities to make disinformation look real and have individuals appear to say things they never actually said.

Cybersecurity startups can play a role in identifying and fingerprinting disinformation campaigns by either exposing or blocking them at machine speed.

The business model for these services is still unclear – much will depend on what the big tech platforms choose to do and what regulators impose – but it is certain that public and government pressure for technological solutions to tackle disinformation will continue to grow in the years to come.

Digital Shadows is a cybersecurity scaleup with solutions that include dark web monitoring, threat intelligence, phishing protection and digital risk protection services.

At Digital Shadows we’ve been monitoring disinformation for some time, and we’ve picked up on a number of tactics such as very accurate site impersonation, modified documents, domain spoofing and the use of bots on social media or in forums.

We’ve found that there are usually three main stages to a campaign:

Creation of compelling content, authentic publication and circulation to get as many eyeballs on it as possible.

The barriers to entry for running these campaigns are extremely low and malicious actors will continue to innovate with technology – such as chatbot accounts utilising AI techniques – to create increasingly convincing forum posts, reviews and other content.

Some organisations are combating this by proactively monitoring for the registration of malicious domains while social media companies are combining human and machine intelligence to try and detect disinformation and fake news at scale. But it’s not necessarily a clear-cut cybersecurity issue.

We’re seeing the very definition of what cybersecurity is being challenged and the lines are being blurred.

In many ways, however, there are lots of overlaps between traditional tactics used by threats actors to deceive (like phishing) and what we’re now describing as disinformation.

Disinformation at its heart is really about information integrity – how can we use technology to verify and then trust information? Just like cyber intelligence and journalism have parallels, cybersecurity and disinformation have several parallels.

But while social media companies are investing in this space, it’s not a particularly crowded market in terms of cyber products. There are a small number of startups that focus on one narrow aspect of the challenge, like reviews or reputational monitoring. And until there’s more of a commercial opportunity that’s unlikely to change.

CounterCraft detects, investigates and responds to targeted attacks using techniques that include deception technology.

Cybercriminals actually deploy disinformation techniques as part of their broader tactics. Phishing, spear phishing and other forms of social engineering used to trick users into giving up their credentials have been used since the earliest attempts at network penetration.

But what if these techniques could be used against hackers instead? Using deception technology, CounterCraft can create synthetic environments where adversaries have access to information that appears to be real – but isn’t. A series of technical clues, only traceable to the criminals looking for an organisation, are laid as a trap. For example, if a hacker attempts to infiltrate an airline, the aeroplane specifications supplied within the deception environment would be entirely fictitious.

Our platform protects an organisation’s confidential information while learning more about the motives and methods of cybercriminals.

In fact, deception technology is being deployed by finance, retail and industrial companies, as well as governments and law enforcement agencies. So while disinformation is having a profound impact on our society, the tables are being turned on cyber criminals using the very same principles.

At LORCA supply chain security has been a focus area for our accelerator programmes since we launched because industry representatives and CISOs tell us time and again that it’s a major business challenge and an area that requires an injection of innovation.

Across sectors – from manufacturing to the media – organisations are struggling to manage the security of supply chains that are digital, global and complex.

They know that a smaller supplier somewhere in the chain could provide an entry point for an attack but it’s very difficult to manage this risk. In fact, according to cybersecurity startup Risk Ledger, 36% of suppliers don’t enforce multi-factor authentication on remotely accessible services and 35% don’t conduct regular penetration tests of their public facing IT infrastructure. What’s more, COVID-19 is increasing the attack surface as malicious actors look to exploit vulnerabilities caused by remote working.

COVID-19 has also led to many businesses adding risk to their supply chains as they aim to be agile and collaborate quickly with new suppliers. In some cases, security professionals admitted to LORCA that they’ve skipped doing security checks entirely to fast-track the onboarding process.

Under normal circumstances they would be more vigilant, but businesses are having to embrace agility like never before. Delaying the procurement process for cybersecurity reasons or preventing a supplier from doing their job by blocking them from parts of a network can have major business consequences. If a security solution doesn’t enable organisations to carry out checks quickly, it might not be used at all.

But even when a new supplier is vetted, the process often relies on the vendor reporting their own security measures – and their assessment could be biased.

There’s a gap in the market for novel solutions that enable organisations to carry out supply chain security checks efficiently and continuously. These solutions also need to enable network visibility across a supply chain in real time.

Kx is a LORCA partner that offers high-speed processing of real-time, streaming and historical data.

The business-driven growth in the reliance on third-party vendors has given attackers more subtle opportunities to breach a company’s defence and wreak havoc. This means attackers are increasingly adopting an island-hopping strategy, attacking not only the target network but supplier entry points too.

Supply chain security sounds simple: locate and fix vulnerabilities before attackers find them. The difficulty arises in getting security teams from different organisations across the supply chain to work together to make this possible.

We need solutions that allow security teams to proactively and continually manage supply chain risk by understanding a potential attack surface and conducting threat modelling that provides actionable insights. The measures taken to first quantify and actively determine risk are just as important as the actual protective solution.

These measures have to be continually assessed and the scalability of cyber solutions to secure all devices – particularly when it comes to IoT – is critical to safeguarding entire supply chains.

Orpheus Cyber provides accurate, threat-led cyber risk ratings for organisations and their suppliers

Threat actors are aware that a supplier is often the weakest link in their target’s defences and for some time they’ve focussed their attention on supply chains. COVID-19 has exacerbated this problem, as remote working has increased the attack surface of all organisations (especially for less secure suppliers).

Adversaries are ramping up their operations to exploit this increased vulnerability – with dire consequences for companies that are now more reliant than ever on the digital side of their business.

Traditionally, supply chain risk management has been conducted by people asking suppliers to complete questionnaires that are then laboriously chased, collected and analysed by humans. It’s a costly and often inefficient approach that at best provides a single-point-in-time reflection of a supplier’s cybersecurity at the moment they completed the form.

Orpheus Cyber has developed an approach that enables organisations to manage their supply chain risk cost and time-efficiently. We’re a Financial Conduct Authority and Bank of England accredited cyber threat intelligence company and our threat intelligence capabilities enable skilled teams to deliver a risk-based approach to supply chain cyber risk management.

Our cloud-based platform enables organisations to easily understand the cyber risk associated with each of their suppliers and their entire supply chain on an ongoing basis as the risk to each supplier changes. Better yet, it doesn’t require the involvement of the supplier in assessing their cyber risk – although we do provide reports that mean suppliers can mitigate their attack surface issues.

We accurately calculate risk based on both threats and the attack surface, while our machine learning means we’re predictive in our assessments.

We’re working across multiple sectors, including financial services, telecommunications and the public sector. We’ve delivered supply chain cyber risk management for the NHS and partnered with major global companies to integrate our technologies into their products and services.

The expansion of networks and the digitisation of everything from physical infrastructure to healthcare continues to dominate the security agenda, blurring the line between physical and digital threats.

On an individual level, people are logging onto the internet from multiple devices to work, shop, communicate or consume content – a trend that COVID-19 has placed in the spotlight.

This spread of the internet into all corners of our lives is increasing the attack surface.

Securing data as it flows between individuals, a complex web of private sector organisations and the government is a continual challenge and it’s not always clear who’s responsible.

LORCA has been told by representatives from the defence sector that the security of a country’s health and transport services is considered a national security issue, while in London local government is grappling with making the capital a smart city while sharing data securely across a range of private and public sector stakeholders.

One response to this challenge has been the Secure by Design movement that champions technology that has security principles built in from the start rather than bolted on later. The UK government has taken a leadership role in this space, whether by working with companies like Arm to develop hack-resistant hardware or partnering with countries like Singapore to secure the Internet of Things. And in January 2020, the government announced its intention to introduce legislation to improve the security of connected devices in the UK, with the onus being placed on manufacturers to put appropriate protections in place around consumer data.

There’s also a need to secure networks themselves, rather than individual assets or devices, using advanced encryption that’s able to secure data in a nuanced way by implementing controls based on how sensitive the data is.

One response to this challenge has been the Secure by Design movement that champions technology that has security principles built in from the start rather than bolted on later. The UK government has taken a leadership role in this space, whether by working with companies like Arm to develop hack-resistant hardware or partnering with countries like Singapore to secure the Internet of Things. And in January 2020, the government announced its intention to introduce legislation to improve the security of connected devices in the UK, with the onus being placed on manufacturers to put appropriate protections in place around consumer data.

There’s also a need to secure networks themselves, rather than individual assets or devices, using advanced encryption that’s able to secure data in a nuanced way by implementing controls based on how sensitive the data is.

As digital networks meet the broader connected world, several trends are converging at once. Traditional network security is no longer the priority. Instead, there’s a shift toward protecting applications and personal identities.

In turn, this collides with the consumerisation of the business marketplace, which is moving workplace technologies to the home – something that’s being significantly accelerated by COVID-19.

For the cybersecurity industry, this drives a need to understand the context around these connections and for security solutions to enable people to do what they need to do rather than inhibiting them.

Part of the solution is securing data wherever it sits in the network infrastructure. To do this, controls must be in the right place. This is a critical part of the conversation around 5G, for example.

Secondary systems will have trouble keeping up with 5G infrastructure and in the long-term, companies will need to redirect their assets away from third-party data centres that may not be able to work at the necessary speeds.

Finally, addressing the security challenges posed by the networks of the future means being smart about what controls users put over data. Levels of encryption will have to vary based on the value of the assets under protection. For example, less sensitive work has no requirement for high levels of encryption because it’s not as valuable.

Unnecessary layers of security not only cause friction in a user’s experience but could also compromise the encryption efforts by giving malicious actors more examples that they can use to model their attacks.

Acreto delivers a comprehensive Secure Access Service Edge (SASE) platform to protect any device, any application and any network from, anywhere.

Over the past five years, IT infrastructure has fundamentally changed as distributed and mobile technologies have seen rapid adoption rates. Cloud and SaaS applications, as well as the Internet of Things and the rise of remote working, are creating significant new security challenges that can’t be met by legacy security products.

Organisations are finding that the increasing number of new security point products required to secure these environments is creating an untenable level of complexity and cost. 

To address the issue of complexity and cost for securing these new distributed environments, the industry is calling for the adoption of a new security model – Secure Access Service Edge (SASE).

This consolidates the security needs for an organisation into a single platform, enabling the secure access to networks and applications by any device and any user from anywhere. 

Acreto delivers the security industry’s most comprehensive SASE platform. Our platform can secure any type of device (from IoT to servers), any application (on-premises, cloud and SaaS), any network (including public and third-party networks) from anywhere.

The growth of cloud infrastructure, the popularity of Bring Your Own Device policies and the number of breaches that have come down to insider threat have changed the ways CISOs view security. Most now believe that organisations shouldn’t automatically trust anything either inside or outside its perimeters. In fact, the threat is increasingly likely to come from the inside.

Malicious attackers, using techniques like phishing, aim to gain network access. Once in, they look for sensitive data or lie dormant for long periods of time, waiting until the perceived threat has passed. They can also use credential theft to mimic anyone with trusted access to the network – including those with high privileges such as an IT manager or senior executive.

This means that the trust but verify model is out and a new era of proactive security has arrived.

Organisations big and small are increasingly adopting zero-trust security principles that require the continuous verification of every individual in a network through multi-factor authentication whenever they interact with company data. This requires a matrix model to micro-segment the network so hackers can’t move laterally through a company’s infrastructure once it’s been infiltrated.

And COVID-19 has also led to more organisations adopting a zero-trust approach. LORCA brought a cross-section of businesses together to discuss the pandemic’s impact on cybersecurity and we heard about how many organisations have been forced by circumstance into being more agile and taking on more risk than they’d normally have the stomach for. This includes onboarding suppliers without robust cybersecurity screenings and allowing staff to work from home using their own devices. With so many unknown risks and potential attack entry points now within the organisation, embracing the zero-trust way has become more important.

But despite zero-trust being top-of-mind among CISOs, there are few cybersecurity solutions on the market to meet this demand. Secureworks, which is part of the Dell Technologies family, and Cambridge-founded Darktrace, are notable examples.

We have, however, seen a number of cyber companies developing user-centric solutions that aim to minimise the human error that can lead to a breach and make cyber training more effective for employees.

Dell Technologies helps organisations embrace digital transformation by arming them with the technology solutions, products and services they need.

Mobile technology and cloud computing have destroyed the old approach to security, where you would go about defining and then defending your security perimeter. Nobody can really define a perimeter anymore and the new approach is to acknowledge that you can’t trust anyone or anything without verification.

This makes sense from a security standpoint but is much more difficult and costly to implement operationally. And it’s especially hard for larger organisations with legacy systems and processes like banks to transition to a zero-security approach – both from a technical and resourcing perspective.

And that’s something not everyone appreciates. Technologies that enable you to take a zero-trust security stance are important, but they’re not plug-and-play tools – you still need the right strategy, people and operations in place. It’s a huge cultural shift.

In reality, CISOs need to prioritise their security measures – they just don’t have the resources or budget to monitor everything. So vendors need to work with the business to identify the systems and the business processes that are most critical from a risk standpoint and begin to micro-segment the risks.

In terms of startup activity, we’re seeing some interesting solutions that involve authentification methods and shared encryption keys but zero-trust is still a relatively new trend so there’s a lot of room for new, innovative solutions that help businesses navigate the complexity.

Privitar enables organisations to benefit from data insights while protecting their customers’ sensitive personal information.

Zero-trust security is a mentality that works on the assumption that the environments that digital assets reside in can’t be inherently trusted.

The evolution of traditional cyber defences and the proliferation of connected devices has driven businesses towards zero-trust security principles. Organisations will all suffer cybersecurity breaches and so they have increasingly looked for better ways to add layers of security to their infrastructure that are centred around data itself.

Zero-trust approaches can be particularly effective when it comes to mitigating cyber vulnerabilities caused by human error. People make all sorts of mistakes, such as mis-addressing a sensitive email or clicking on a phishing link. It’s much easier to minimise this insider threat by limiting people’s access to sensitive information and monitoring for suspicious behaviour.

As attacks become increasingly sophisticated, organisations are far less able to trust what’s inside their networks. At the same time, those networks are becoming more nebulous thanks to the adoption of new business models and the increased use of data to enable decision-making.

This is symptomatic of a shift to more distributed, cloud-based platforms. Zero-trust will be an essential principle in the future of cybersecurity as these methodologies and working environments become the norm.

The company’s AI-powered engine helps to anticipate workloads and automate mappings across an organisation’s on-premises, hybrid and cloud environments.

The traditional cybersecurity paradigm of attempting to maintain a robust perimeter-level defence is outdated. Just like a medieval battlement, this castle and moat approach is only effective so long as it isn’t infiltrated.

In a post-breach world, this is almost impossible to guarantee. The advanced tools at a malicious actor’s disposal allow them to move laterally once inside a network across databases and applications, as we saw with the WannaCry ransomware attack.

Organisations are adopting zero-trust segmentation as a solution to the expansion of the traditional network perimeter into the cloud and the broadening connected world. Avnos is a cloud-based, zero-trust platform that delivers distributed and decentralised micro-segmentation policies to all workloads, both on and off-premises.

This method provides for a more robust segmentation strategy, securing zones across the entire organisation and giving businesses more control over the growing lateral threats that bypass traditional perimeter-focused security tools.

A key challenge with zero-trust security based on network segmentation is that you have to know what to segment. Without full visibility of all devices, users, applications and network traffic, businesses can’t know what kind of segments to create.

To address this, Avnos has an AI-powered engine to automate workloads discovery and mapping across all environments. This allows businesses to trust their network again with advanced visualisation of connections between workloads, users and applications, as well as relationships between the host network and unauthorised devices.

This full visibility is what will take zero-trust security to the next level.