Information Age has partnered with Tech Nation to help explore 20 of the UK’s leading cyber security scaleups.
Tech Nation Cyber is the UK’s first national scaleup programme for the cyber security sector. It is aimed at ambitious tech companies ready for growth.
In a series of 20 company profiles, we will be introducing you to the cyber security scaleups that make up Tech Nation’s first cyber cohort.
All answers provided by Jonathan Pope, CEO and co-founder at Corax.
What does your company do?
Corax is a cyber risk modelling and prediction platform, which leverages its proprietary data on the security and technology resilience (of more than 10 million interconnected companies) to provide faster and more accurate benchmarking, predictions and expected loss costs of cyber events to individual and groups of companies worldwide.
How do you differentiate from your competitors?
We’re the leading and largest source of cyber risk data and analytics with millions of companies modelled for cyber risk in our database. This is the first time this has been done at this scale — the unprecedented breadth and depth of our data brings enhanced accuracy in benchmarking individual companies and their third parties. It also delivers unparalleled insight into cyber risk at micro and macro economic levels. For the first time, insurers, financial services, regulators and governments can identify potential ‘points of failure’ in technology services, technology service providers and locations not just in their portfolios and customers, but across the global internet. This isn’t just about understanding and improving cyber risk for individual companies, this is about understanding the entire interconnected ecosystem. Our other differentiator is our modelling of the financial and probabilistic quantification of cyber risk.
Rather than simply rating an individual or group of companies, Corax uses AI-enabled models to provide the probability of, and expected loss costs of data theft, data compromise and IT disruption. Those models aren’t suddenly generated overnight, they have taken years of collaboration with the insurance industry to develop and must continue to evolve, and not many others have that modelling capability.
What are the common challenges in the cyber security space?
It depends how you interpret that question, and I’d like to frame it in the context of business decision-makers, rather than in specific threats and security practices.
The majority of company directors and executives, irrespective of the size and nature of the company, aren’t yet comfortable with how best to address cyber compared with other business risks. Knowing where to start, what the chances of an event are and how much it might cost, what questions to ask, what to prioritise, what to track and how much expenditure is appropriate: these are all matters for which there is still a lack of business intelligence and experience, and that’s why Corax provides automatically generated reports that help directors understand a company’s cyber exposure. Uncertainty about where to start is compounded by the crowded and fragmented marketplace of product and service providers looking to help companies improve their security. There are thousands of security products on the market, and for security consulting, companies must choose whether to go to larger firms like the big four, or boutique firms, or buy it as part of their IT and security solutions, or their insurance. For me, SMEs and enterprises should seek guidance from their insurance brokers, lawyers and IT providers.
What are the biggest mistakes a company can make regarding security?
First, it’s a mistake if company directors do nothing. That may be because cyber can often seem intangible or potentially overwhelming, and that can generate inertia. Second, for company directors to assume that IT resource, internal or external, are on top of it, or even have responsibility for it. That’s a mistake because it’s a common misconception that IT professionals are security experts, and that they have the time and resource to cover everything. Next is to appoint someone to have overall accountability for cyber risk. Finally, it’s a mistake if company directors don’t create a joined-up approach by pulling together representatives from IT, risk, and HR, some of whom will be external, such as outsourced IT providers, insurance brokers and lawyers.
Provide your best practice advice/top tip for effective cyber security?
Definitely get the basics right, which means achieving and maintaining a basic level of cyber hygiene. Unfortunately cyber hygiene covers a number of different sub-elements. The most important is knowing what technology you’ve got at any one moment in time. If you don’t know what you’ve got, you can’t look after it! You might ask why a company wouldn’t know what they’ve got, but in an age when cloud servers can be spun up instantly or when staff can create their own access to cloud software services (so-called shadow IT), or companies merge, tracking this isn’t always easy. Secondly, look after it. That means backups and regular patching/updating of software on all technology assets and closing off anything that shouldn’t be open to the internet. This is important because even after twenty years of hype about cyber security, the vast majority of cyber events affecting individual or thousands of companies are the result of poor cyber hygiene.
Don’t invest in sophisticated monitoring tools. Instead, invest in creating a security culture by providing staff security awareness training. That doesn’t just mean creating awareness of email phishing and fraud, it also means making staff slicker with technology, for example in using password management and multi-factor authentication tools. Next is to make sure you have insurance covering you for a cyber event. This is one to discuss with your insurance broker and also a lawyer too. What isn’t widely recognised is that a cyber insurance policy normally includes pre and post incident support, and there’s no doubt you’ll need it!