The catch-22 of cyber security

The furore over the decision to allow Huawei technology to be used in the UK’s 5G networks is a very high-profile illustration of the concerns that exist over cyber security. The fear is that the telecoms company will be forced by the Chinese government to build backdoors into its technology that can be used to gather intelligence surreptitiously on foreign governments and organisations.

Cyber security is big news. The UK cyber security sectoral analysis 2020 report from the Department for Digital, Culture, Media and Sport (DCMS) gives an indication of just how big, revealing that the number of active security firms in the UK has risen by 44% to 1,200 since 2017, contributing £3.7bn to the UK economy, with sales up 46% to £8.3bn. The number of full-time employees working in cyber security has grown by 37% in the last two years to reach 43,000.

This rise in fortunes for the cyber security industry has been lauded by digital minister Matt Warman, who said: “It’s great to see our cyber security sector going from strength to strength. It plays a vital role in protecting the country’s thriving digital economy and keeping people safe online.”

Warman said the report demonstrated that “there has never been greater demand, both at home and internationally, for the products, services and expertise offered by the UK cyber security sector”.

Mike Jackson, entrepreneur success director at Tech Nation, told Computer Weekly: “It is promising to see the number of cyber security firms increasing by 44% and the positive contribution this makes to the UK economy.”

There is no doubt that channel partners are among the businesses benefiting from this increased focus on cyber security. There is money to be made in cyber security (and cyber crime, obviously) and it shows no signs of letting up in the future. As a consequence, the contribution it will make to the UK economy is bound to rise as the perils and costs of cyber crime become ever greater.

So, that’s all good news. Growth is good – unless it’s in things like cyber crime, the murder rate, knife crime or unemployment.

But – yes, there’s always a but – let’s ask ourselves what is the biggest impetus for the impressive growth in cyber security and the number of security companies. The simplest answer is that cyber threats have increased and fear of cyber attacks has become a major issue for businesses and organisations. To put it simply, the rising incidence of cyber crime – and the increased scale of the damage it can inflict – has led to a rise in cyber security businesses that can help customers to deter or prevent such attacks.

Like love and marriage, it seems you can’t have one without the other. Although, to be strictly accurate, you could, because if the security was foolproof, there wouldn’t be any cyber crime. But that’s not what we have today. What we have is an increasing reliance on technology and digitisation that, in turn, makes businesses, individuals and organisations more vulnerable, across a wider landscape, to malicious actions from cyber criminals.

To take a contrary stance, praising the growth of the cyber security market is, to all intents and purposes, acknowledging the success of cyber crime and the rise in IT vulnerabilities that helped to fuel it. Can anything be done to change that? Is there an onus on vendors and service providers to make their products and services more secure? If so, how do they reduce the threat landscape for their products and services? And how do they ensure the cost of doing that does not become prohibitive?

There is only so much vendors and service providers can afford do to secure a product or service before they launch it onto the market. If you acknowledge that there is no way to categorically address every potential security threat, then, once an attack occurs, the priority is for the cyber security industry to be prepared and ready to address the vulnerability and fix it before there is any serious damage.

This means focusing more on reacting to attacks quickly and effectively, rather than trying to pre-empt every potential threat, known and unknown – an approach alluded to in another MicroScope article. But to do that, you need more cyber security businesses to plug the gap and provide a rapid response to the breaches and attacks that the vendors and service providers have not been able to foresee or forestall.

We are in a catch-22 situation where we benefit from tremendous advances in technology that enable us to do even more with it every day, but we also suffer from a corresponding increase in the scale of the damage that can be caused if something goes wrong.

As a result, it seems unlikely there will be any slowdown in the growth of the cyber security business for some time. It would be very surprising indeed if whoever is digital minister in two years’ time is doing anything other than echoing Warman’s words. That’s good news – or is it?