Andrew Lockley – Exponential Investor (Great Britain)
An easily-prevented cyber-attack temporarily crippled much of the NHS. It was a big wake-up call for society.
Cybersecurity has now moved into the mainstream – and I’m personally looking to invest.
With the enormous scale of the WannaCry attack, it has finally become obvious that cybersecurity is a serious issue.
Our “big brother”, Frontier Tech Investor, has long been tipping investments in this space.
An end to decades-long scrimping on cybersecurity is welcome. Increased spending, by firms and governments, will unlock big profits for companies in the sector. For too long, cyber has been the poor cousin of physical security. Accordingly, we’re potentially entering a boom time for investors in cybersecurity firms.
Today, we’re interviewing Natasha Ketabchi from CyNation – whom I met at 2Pears’ regular Techpitch 4.5 event. It’s a great place to go, if you want to meet small, up-and-coming tech firms. Natasha will quickly boost your expertise, on the vital cybersecurity sector.
AL: Why is cybersecurity becoming such an important area?
NK: Society, and economies, are becoming increasingly digitised – leaving virtually no individual or business offline. The line between personal and business data, and consequently business intellectual property, is becoming blurred. The value of a business increasingly depends on the value of data it controls. Businesses, however, are not the only ones to have realised the value of data: so have cyber criminals. The importance of security in this virtual world cannot be overstated, but is not yet fully recognised by many organisations.
I believe that data management and protection is the future, and I want to be at the forefront of innovation in this space. We are building a company from the ground up, CyNation, which we are confident will be optimally placed to do just that.
AL: What does CyNation see as the solution?
NK: CyNation is intending to take advantage of this opportunity by helping companies to address rising cybercrime, and increasing regulatory pressure. Global spending on cyber is supposed to be a cumulative $1 trillion in the next five years, as executives come to realise that the effect of a breach is long-lasting.
A recent study established that the cost of a breach can be estimated as a permanent 1.8% drop in stock price. In the case of Yahoo, which suffered two very high-profile breaches, the impact was even larger: a discount of $350m on its sale price (7.25%) – as well as a substantial delay in the (still pending) transaction.
Limited knowledge and resources currently make it nearly impossible for firms to build and maintain ongoing compliance – particularly for SMEs. These small firms are the backbone of the European economy. CyNation makes cyber compliance for SMEs in data-heavy industries achievable and affordable. We’re launching our automated compliance manager tool – CyReg GDPR. This will allow firms to embark on the compliance journey, in an affordable and easy-to-follow manner.
The CyReg GDPR tool is a SaaS addition to our product range. This will ultimately evolve into an end-to-end cybersecurity and compliance solution.
AL: What does the GDPR stand for?
NK: It’s the General Data Protection Regulation. This comes into force on 25 May 2018, with very far-reaching consequences. This new package of rules applies to all organisations that hold, process, and store personal data of EU citizens – regardless of the organisation’s location. Fines for non-compliance are draconian (reaching €20m, in some cases), which should naturally make it a business priority.
For individuals, the regulation not only protects the rights associated with personal data, but also provides the toolkit and channels to exercise these rights.
From a business perspective, it makes an organisation liable – both financially and legally – for the data it collects and processes.
To start the process of compliance, a business manager should start by answering simple questions: where is the data in my organisation? Who owns it? What data has the most critical value to the business? How is it being collected and used?
This due diligence should become an integral part of redesigning business processes, policies, and behaviours. Procrastination in implementing the right approach to data management, security and compliance may lead to irreversible consequences. It could even put some firms out of business entirely.
AL: We’re all generating more and more data, which firms often hold for us. What are the security implications?
NK: The first and the most critical one is that individuals have a fundamental right to the protection and security of their personal data. Consumers should have rights to their own data; to know the purpose for which it was obtained, and by whom; and how it is processed, stored, and (most importantly) protected. On the one hand, this mentality shift is a once-in-a-lifetime business opportunity. On the other, it requires complete rethinking of existing legislation, as well as business processes.
From a regulatory perspective, a lot is being done – both to protect citizens, as well as to make businesses accountable. Shareholders and clients will most certainly demand this accountability – as their privacy and security awareness grow. The true game-changer is the GDPR, which we discussed earlier.
The second-most important implication is that data is no longer a by-product or a derivative asset of business processes; it is an asset in its own right. It can be valued, monetised, and used to drive operational performance, and profits. Again, for businesses, this means a totally new approach in understanding and evaluating their data assets – and consequently in building their security and compliance strategy.
Thirdly, and ironically, the value of data possessed by a business is often recognised by cyber criminals much faster than by the firm’s own executives. Managers may unfortunately be slow to understand their digital assets, but they still have to bear the consequences of this ignorance.
This lack of awareness, and the weak protection systems and policies which result, are resulting in an increasing number of cyber-attacks. These are also growing in scale, impact, and sophistication.
Cyber-attacks cost British industry £34bn a year. Just over half – some £18bn – of the total comes from lost revenues as the result of successful attacks. The remaining £16bn represents companies’ increased spending on IT, as they beef up their defences (source: Telegraph). This is the space that CyNation will work in. We’ll provide businesses with the necessary tools to implement effective data protection and management – as well as the means to demonstrate compliance to their stakeholders. We offer a simple, affordable and automated cyber-compliance manager. This produces board-ready reports for SMEs. We also have a more complex enterprise solution, suitable for larger firms. In addition, we offer security and compliance training, and other professional services.
AL: What should investors check that business leaders are on top of?
NK: Business leaders are accountable to their stakeholders: customers, employees, and shareholders. They should take their new responsibilities to heart. These obligations come from a better understanding of the necessity for data protection. They need to become advocates for the importance of compliance with data protection regulations.
WannaCry, the most recent global cybersecurity attack, should act as a cautionary tale. More than 200,000 computers, in at least 150 countries, have been infected. Several NHS trusts ground to a halt – and the health secretary, Jeremy Hunt, has come under a lot of scrutiny. He will have to provide details of measures that were taken to resist this attack, as well as indicating how something of this scale will be prevented going forward. I hope that this will teach leaders the importance of preparedness – as well as showing the risks of cutting corners. Succumbing to an attack like this has a real business and reputational impact.
GDPR will be a game-changer in this respect. It effectively forces firms to rethink their processes, by inflicting heavy penalties. Compliance will ultimately be necessary to be successful, in a world powered by data.
AL: That’s a sobering thought – and I’m sure many investors will be asking their portfolio firms some tough questions. What else can be done?
NK: Businesses find themselves in a difficult predicament: regulatory costs and pressures are increasing, but cybersecurity talent and resources are scarce and expensive. My team and I believe that the automation of cybersecurity and compliance will become the most time- and cost-effective solution. We are putting the building blocks towards this goal in place, by developing a range of solutions that utilise artificial intelligence and automation. These will allow businesses to have a single, unified view of their cyber situation. No solution on the market can guarantee simultaneous and error-free protection of all the data assets and infrastructure of a single business. This is why we are building solutions that have a prioritisation mechanism embedded in their technologies. That’s made possible by modern technological advancements like artificial intelligence, machine learning, and neural networks. This is what CyNation puts at the core of the technology it’s developing.
All in all, we advise adopting a long-term, modular, flexible strategy – that will allow businesses to stay abreast of these trends.
If your computer still works, we’d love to hear what you think about this vital sector: firstname.lastname@example.org.