From state-sponsored advanced persistent threats to small-scale mischief hacks, cyber threats can take many forms . One Scottish firm, ZoneFox, has chosen to focus on the growing problem of insider threats – individuals within organisations who, knowingly or otherwise, compromise key information assets and personal data.
That could be through compromised login details or stealing data on thumb-drives.
Jamie Graves, the chief executive of ZoneFox, became interested in this in 2005 while doing a PhD under the charismatic tech pioneer Professor Bill Buchanan at Napier University.
Graves examined how individuals and businesses could be compromised by significant “data gaps”.
He says: “The data being collected was not fit for purpose. It was like a jigsaw with lots of pieces missing, so I wanted to come up with a place where data was completely verifiable and authentic – to create an accurate record.”
The need to “lock down the insider threat” can result from different types of risk: a malicious insider who sets out to steal data, sometimes linked to moving to a new job; an advanced threat, where an outsider hijacks an employee’s account and pretends to be them; and the “accidental insider”.
Graves says: “We see malicious insiders and advanced threats, but it’s a small percentage.
“The accidental insider is by far the most common threat – someone who doesn’t know, or forgets, about a firm’s security policy and might unintentionally leak information.
“It’s about identifying what can be done to educate and train people and give businesses feedback to improve their processes.
“Lots of organisations have fantastic teams but mistakes do happen – it’s about protecting and guarding against exfiltration, which is simply removing data from a system or network.”
ZoneFox, which is backed by Archangel Investors and the Scottish Investment Bank, works with a wide range of sectors, including financial services and businesses not unlike itself.
“We have lots of customers who are fast-growing companies like us who are creating innovative products or services – in fintech and also in retail and pharma.
“They have dynamic teams, with no classic company structures – they are fairly loose, so it’s about providing a security infrastructure to solve problems for firms growing quickly.
“They want to retain their agility but at the same time to provide the level of security needed by the business and from the regulatory perspective.”
ZoneFox, which spun out of Edinburgh Napier University in 2010 and started operations in 2013, is now looking after 32,000 different “end-points” and aiming for significant growth, by demonstrating its value-added proposition and expertise in the market.
“There is a massive market to go at because it’s not if, but when, organisations will be compromised,” says Graves. “There are many reasons, usually human beings, why security can never be 100 per cent. You have to be on the ball 100 per cent of the time to avoid being compromised; if you are an attacker, you only need to get lucky once.”
Graves says the financial services sector has a good understanding of the cyber-security agenda and has taken “a pragmatic, risk-based perspective”.
Callum Sinclair, partner and head of technology at Burness Paull, agrees: “The financial services sector is generally very sophisticated when it comes to cyber, partly because regulations require it.
“We also saw instances recently in the press of what can happen and how quickly customer trust is eroded when IT upgrades go wrong, for example [at TSB].
“As we introduce new fintech players and emerging technology into the mix, it will be critical for the sector to adopt an ethos of privacy and security by design and default – the sort of culture which the likes of the new General Data Protection Regulation is trying to foster.”
Sinclair says both large and small businesses in financial services and fintech must be alive to the risks.
“Any organisation can be subject to cyber threats at any time. While the large players have more invested in sophisticated security systems, they are often only as strong as their weakest, generally human link,” he says.
“Smaller organisations may have less to spend but may not be such a visible target – though alternatively, they could be seen as a weak entry point in a supply chain.”
Graves says no-one can afford to take their eye off the ball: “It’s a journey. You are never there and you always have to keep reassessing threats and risks; it’s about having a full picture of your internal security.”