BBC: Beyond the Breach

The script of my Reuters story on cybersecurity. Podcast available here (

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

)

If you’re getting tired of internet security companies using images of padlocks, moats, drawbridges and barbed wire in their ads, then chances are you won’t have to put up with them much longer.

Turns out that keeping the bad guys out of your office network has largely failed. All those metaphors suggesting castles, unassailable battlements, locked doors are being quietly replaced by another shtick: the bad guys are in your network, but we’ll find them, watch what they do, and try to ensure they don’t break anything or steal anything valuable.

Which is slightly worrying, if you thought firewalls, antivirus and the like were going to save you.

You’re probably tired of the headlines about cybersecurity breaches: U.S. insurer Anthem Inc saying hackers may have made off with some 80 million personal health records, while others raided Sony Pictures’ computers and released torrents of damaging emails and employee data.

Such breaches, say people in the industry, show the old ways have failed, and now is the chance for younger, nimbler companies selling services to protect data and outwit attackers. These range from disguising valuable data, diverting attackers up blind alleys, and figuring out how to mitigate breaches once the data has already gone. It’s a sort of cat and mouse game, only going on inside your computers.

Cybersecurity, of course, is big business. $70 billion was spent on it last year.

Of course, we’re partly to blame. We insist on using our tablets and smartphones for work; we access Facebook and LinkedIn from the office. All this offers attackers extra opportunities to gain access to their networks.

But it’s also because the attackers and their methods have changed. Cyber criminals and spies are being overshadowed by politically or religiously motivated activists, and these guys don’t want to just steal stuff, they want to hurt their victim. And they have hundreds of ways of doing it.

And they’re usually successful. All these new services operate on the assumption that the bad guy is already inside your house, as it were. And may have been there months. Research by IT security company FireEye found that “attackers are bypassing conventional security deployments almost at will.” Across industries from legal to healthcare it found nearly all systems had been breached.

Where there’s muck there’s brass, as my mother would say. Funding these start-ups are U.S- and Europe-based venture capital firms which sense another industry ripe for disruption.

Google Ventures and others invested $22 million in ThreatStream in December, while Bessemer Venture Partners last month invested $30 million in iSIGHT Partners.

Companies using these services aren’t your traditional banks and  whatnot. UK-based Darktrace, which uses maths and machine learning to spot abnormalities in a network that might be an attack, has a customers like a British train franchise and a Norwegian shipping insurer.

But it’s early days. Most companies still blithely think they’re immune, either because they think they don’t have anything worth stealing or deleting, or because they think a firewall and an antivirus program are enough.

And of course, there’s another problem. As cyber breaches get  worse, and cybersecurity becomes a more valuable business, expect the hype, marketing and dramatic imagery to grow, making it ever more confusing for the lay person to navigate.

I’ve not seen them yet, but I’m guessing for these new companies the shield and helmet images will be replaced by those of SAS commandos, stealthily patrolling silicon corridors. Or maybe it’ll be Tom, laying mousetraps for his nemesis. Might be apt: Jerry the cheese thief always seemed to win.