High up in Canary Wharf, a war is raging. Hunched over a laptop, James Chappell is on the frontline. The chief technology officer of Digital Shadows scans a report of dozens of skirmishes from the past 24 hours. Some are harmless, some are cause for concern. All of them emanate from cyberspace.
“Everyone gets breached,” says Chappell. “We need to respond and recover quickly and minimise the damage.”
Welcome to the world of cyber security, the last line of defence for companies fretting that they will be targeted by increasingly sophisticated hackers. Yesterday, security firm Kaspersky Lab estimated that $1 billion and rising had been stolen from 100 banks in 30 countries in an “unprecedented cyber robbery” over the past two years. Just as corporate headquarters cluster in the capital, so too have firms offering high-level protection from these attacks. London has become Cyber City.
A 22-strong workforce will more than double this year, in London and San Francisco, after it secured an extra $8 million from backers.
“This area is hot right now,” says Eileen Burbidge, from venture capital firm Passion Capital, an investor in Digital Shadows who has watched security and privacy problems grow.
Simple denial-of-service attacks, designed to disrupt high-profile services such as a bank’s website, have mutated into something more sinister. The growth in social media means it is impossible for companies to stem the tide. A large bank can be mentioned 60,000 times a day on the internet. Typically, six of those incidents pose a threat. Digital Shadows might detect account details being hawked to the highest bidder on a coders’ website, or something unleashed by a threat group such as the Syrian Electronic Army. Often the worst offenders are a company’s own staff, who back up files on unsafe storage systems or disclose too much on Facebook.
Boardroom minds have been focused by the devastating hack suffered by Sony Pictures late last year, in retaliation for its movie The Interview, which involves a plot to assassinate North Korean leader Kim Jong-un. The studio lost an early script of the next James Bond movie, a string of embarrassing emails — including the then chair Amy Pascal’s exchange with producer Scott Rudin in which Angelina Jolie was called a “minimally talented spoilt brat” — and details of bosses’ salaries.
Such a high-profile breach has meant boom time for small start-ups, including Garrison Technology, established a few months ago in Islington by Henry Harrison and David Garfield, who, like Chappell, once worked for Detica, defence giant BAE Systems’ cyber arm. Big firms are getting in on the act too, either by buying up small firms, partnering with them, or building teams to offer their own advice which typically suggests to companies that investing in prevention is a better bet than paying for the cyber cure.
Consulting firm Deloitte has seen its cyber practice increase revenues by 20 per cent in the past 12 months, with a spike in recent months. It set up an intelligence centre in Reading and is recruiting heavily: Deloitte’s cyber staff of 110 will swell to 150 by the summer.
It is a similar story at KPMG, where its cyber team has increased from 70 people three years ago to 250 today.
“More than 10 per cent of our cyber security team have worked in the military or government, reflecting the diverse approach needed in tackling these threats,” says Simon Collins, KPMG’s UK chairman. These new career paths have opened up as the threat of a cyber attack has soared to the top of the boardroom agenda. Not so long ago, Britain’s biggest companies received a letter from the Government advising firms to tighten up on security measures, for the sake of their business but also for the country’s reputation.
Chappell says: “The seniority of people that get it has gone up. We used to be talking to the IT department. Now we are talking to the board.”
Lloyd’s of London CEO Inga Beale calculates that the insurance industry took $2.5 billion in premiums on policies to protect companies from hacking-induced losses, up a quarter on a year ago. She estimates that cyber attacks have cost businesses up to $400 billion a year. In the City, the Bank of England holds regular simulations to prepare banks and trading firms for an attack. The last, Waking Shark II, simulated a three-day concerted cyberattack on the UK’s financial system by a hostile state.
“Fear creates business opportunities. A near certainty of the next few years is that there will be more spending on cyber security, by firms, governments and us,” said Geoff Mulgan, CEO of innovation charity Nesta. “Major financial services firms have had to be more paranoid than other industries.”
Backers after the next bright young things should look to Hammersmith, where Europe’s first dedicated cyber security accelerator will launch in offices provided by investment manager Winton. Designed to mentor young cyber entrepreneurs over a 12-week programme, it has been co-founded by Epsilon Advisory Partners, home to former prime ministerial advisers Jonathan Luff and Grace Cassy.
Britain has a head start because of its heritage in this area. Some of it is thanks to Alan Turing and the codebreakers of Bletchley Park, some of it because of the international repute of GCHQ, the Government’s eavesdropping station in Chelmsford. Some entrepreneurs’ efforts date back to misplaced fears about battling the Y2K computer bug.
The company that became ScanSafe started in a cramped top-floor office in Farringdon, an unlikely setting to fight email viruses. It moved into remote monitoring of a company’s internet browsing, including limiting employees’ access to Facebook and Twitter. That proved lucrative: brothers Eldar and Roy Tuvey split £37 million when the business was sold to American internet giant Cisco in 2010. Their next venture, Wandera, began two years ago and employs 70 in offices near Marble Arch, in San Francisco and Slovenia.
“Hackers go where the data is but a lot of people don’t think their phones are at risk,” says Eldar Tuvey. Illustrating how the cyber war has gone mobile, Wandera’s software scans data traffic as it reaches any device — and says one in five devices run apps vulnerable to a local-access attack. Clients include law firms who supply their on-their-go workforces with handsets but are worried of sensitive information leaking. Tuvey said one thing that hasn’t changed from his ScanSafe days is the challenge to hire the best people.
“Last time around we were outbid by hedge funds and financial firms — everybody wanted to work for Morgan Stanley,” he says. “That is less the case now but we are competing with other tech companies for staff.”
Across London, the army is growing as the war continues.