Hosted by Plexal’s Tom Horner, an innovation consultant, our final Cyber Lates event of 2022 reflected on what we’ve seen and learnt over the past 12 months, and on what we expect to occur across the 2023 cyber landscape as a result.
Panelists included our CEO Andrew Roughan who was joined by Abu Sayed, director at cyber security consultancy Daintta – and current member of the Cyber Runway Ignite programme we run with DCMS – alongside Harriet Mahier, associate analyst at specialist risk consultancy Control Risks.
The current state of affairs
Harriet started by pointing to the Russia-Ukraine crisis, which has translated into the cyber threat environment. “We’ve seen kinetic conflict in Europe for the first time in a very long time,” she said. “What we’ve seen coinciding with that is the use of offensive cyber as a conduit to kinetic warfare activity.” Harriet added that as the conflict has persisted and kinetic warfare hasn’t been as effective as expected, cyber will become increasingly attractive to the likes of Russia as a way to attack European critical national infrastructure.
Abu explained how his first encounter with cyber security was a decade ago, at which time cyber knowledge was limited. But as times have changed, so too should leaders. “We’ve seen a massive growth in the sector,” he started. “I’m going to be quite bold and then make a statement which is, there is no excuse today, for any organisation, big or small, not to have basic cyber hygiene in place.” Abu’s rationale is that the market is quite literally flooded with products to keep companies safe, all at different price points for flexibility, so businesses should take heed of this. “The threat is always evolving and changing – we must stay threat-relevant [and] understand where these new threats are coming from.”
Opportunities from threats
For Andrew, further sophisticating the cyber ecosystem we’ve collectively played a role in building is key – so both the private and public sectors need to continue building on our existing foundation. In fact, it’s members of the public he believes we can all learn from, referring to citizens as “a positive force for cyber security.” “They’re much more understanding of the risks on the internet, use of data and privacy components that go with that, so I think the citizen can inspire us to take responsibility for cybersecurity and then bring it into different workplaces,” he says.
Drawing on a Ministry of Defence conference he attended recently, Andrew highlighted the evolution of warfare: traditional conflicts in the domains of land, air and sea may have proceeded for a period before coming to an end. “In the new domains of cyber and space, we will be always on in conflict,” he explains. “The risk will always be there, so from a geopolitical aspect I think our mindset really needs to change.” An opportunity this presents, however, is using cyber and space approaches to stimulate more agile thinking in traditional warfare on an open-source technology basis, closing the gap between traditional and future methods.
Tom went on to ask if we should expect the nature and size of attacks to evolve, or if it’s a question of our world changing that makes impacts that much bigger. Sharing his take, Andrew suggested that while nation state actors were once more concerned with causing disruption than seeking economic gain, things have changed dramatically. “I think, increasingly, states will go after industry and citizens,” he said, noting the sophisticated protection needed to defend against a state isn’t necessarily something that they are considering.
Harriet added that when you think about who owns the critical national infrastructure and who owns telcos, the financial sector and so on, it’s the private sector rather than the government. “We see this all the time – if you want to target the NHS, you target a managed service provider of the NHS because it’s a lot easier,” she detailed. “I think it’s really important for organisations to consider the whole spectrum of threats from state-linked actors to cyber criminals to cyber activists, as well as insiders, and also importantly, how those categories blend and blur into each other.”
Breaking down what these developments mean for small businesses, Abu said: “Adversaries like to follow the path of least resistance. Going into next year, what we’re going to see more of is the insider threat – which a customer described as ‘the soft underbelly’. There’s been a lot of investment in perimeter protection, detection within the network, but the real vulnerability is still human beings and individuals – and that’s been throughout the history of time.” He added that the opportunity here is for the cyber community to collectively think about how to protect ourselves as technology evolves.
The positives within the crystal ball
Recognising that there’s been a new frontier of risk from cyber attacks, Harriet is enthusiastic about alliances we’ve seen in 2022 and believes more of that will come. “What we’ve really seen come out the past year is the effectiveness of international cooperation, both with the private sector and the public sector,” she detailed. From NATO, EU members and the Five Eyes, there’s been a banding together of allied countries calling out malicious cyber activity. “I think the real lesson to come out of this is: information sharing is a really key tool in stopping these threats.” With this method, organisations that don’t have developed capabilities are able to learn from those who are more advanced to mitigate threats.
Andrew believes that all of the big flagship government policies are pointing in a positive direction for our communities. “What we’re seeing is government officials standing on stage saying ‘My supply chain has to work with innovators and startups, they’ve got the new ideas, the agility and the creativity to help us face into some of these challenges’,” he noted. “In 2023, I hope we’ll see a tipping point to that where the integration of government policy to big industry primes to startups, that the process gets easier.” If this shift happens, Andrew expects we’ll be able to retain and grow the SMEs and startups operating in cyber, rather than them moving into other fields.
Closing with his dreams, Abu agrees with Andrew and Harriet that integration between government, industry and society is key. He’s also hopeful that, in the same way people understand the importance of data through GDPR, the same will happen within cyber security. “Where we can have the biggest impact is around educational principles.”
As always, we also caught the event on video, which you can tune into below.