Computers are everywhere. All businesses rely on computers, IT infrastructure and the internet for at least some day-to-day operations and wherever there’s computers, there’s also a threat.
Statistics suggest that rather than being a thing of the past, cybercrime is on the rise across the world. But it’s not the hobby of a few bad eggs. Cyber criminals are often highly organised, with considerable resources at their fingertips.
The 2022 Global Risks Report from the World Economic Forum warned that 'cybersecurity measures put in place by businesses, governments and individuals are increasingly being rendered obsolete by the growing sophistication of cybercriminals.’ The 2023 UK government cyber security breaches survey reported that 59% of medium businesses and 69% of large businesses reported a cyber breach or attack in the last 12 months. Meanwhile, analyst firm Gartner predicted that by 2025, 45% of global organisations will be impacted by a supply chain attack.
It's a real and scary prospect for businesses of all sizes, and one on which many IT support contracts are won. But one company is taking a different approach.
Punk Security, who are based in C4DI Northallerton, are unique in several ways. For a start their multi-coloured, mohawked Zebra logo is a welcome splash of colour in an industry that isn’t always known for its vibrancy and represents their more positive approach to cybersecurity.
Why the Zebra? It’s the punk of the animal kingdom according to co-founder Daniel Oates-Lee. "We were told that nobody would like the company logo, by multiple graphic designers. But everybody loves it, and the stickers. They love the fact that it's completely different from everything else. We wanted to be different. We didn't want to just blend in with the rest of them." It seems like a pretty good strategy, and it seems to be working. They’ve grown to a team of 8, mostly remote workers, in two and half years.
We caught up with him to find out more about the company and the state of cybersecurity today.
Helping the human squishy things
Punk Security’s approach to working with clients is not about fear mongering, says Daniel. “We help companies understand where they're weak and show them where they need to get to and help them along that process. Rather than selling this idea of fear and everywhere burning to the ground. We promote what we believe is going to help customers the most rather than just bolting everything down, so that nobody can do anything.”
Some cybersecurity measures can feel over the top and many businesses may feel that they’re not big enough to be targeted. The reality is of course, that any business is theoretically under threat and the weakest link is the human rather than the tech.
According to Deloitte, 91% of cyber-attacks begin with email, even if the final attack was administered differently. And in 2022, phishing attacks (those which attempt to trick the recipient into opening a malicious link or file) increased by 61%. They fall into the wider category of social engineering attacks which are increasingly becoming the primary weapon in a hacker’s arsenal. You can have all the latest anti-malware software on your system but there will always be a way into a company. The employees.
“Cybersecurity is getting better over time. But the biggest vulnerability we have unfortunately is the squishy things, the human elements,” says Daniel. “We help secure the human by doing live demonstrations, carrying out simulated phishing attacks, or we will give good security advice to employees about how to protect themselves on social media? What settings should they be enabling? How can they better protect themselves at home? Because that will leak into their business life as well.”
Of course, any technical advancement in cyber will soon develop vulnerabilities as criminals find a work-around, so it’s ultimately down to individual human awareness and procedure to ensure a company stays safe. He feels it’s not worth banging on about the multitude of threats that are out there.
“Everybody knows that bad things happen if you don't secure yourself properly.” They acknowledge that is a very real possibility but take a more pragmatic approach from there.
Working with the community
Punk Security started off the back of an 8-year friendship between the two co-founders, Daniel Oates-Lee and Simon Gurney and has grown since then, hiring developers and other roles along the way. The team is scattered across the UK with Simon being based in Northallerton and Daniel in Leek. But the advent of remote working tools means they’re able to easily work on projects concurrently.
As for what they work on? It’s quite varied. And often bespoke.
Clients vary “from the military, which are several 1000 people strong, to online music retail companies, which might have 20 people.” And the work they do all depends on the customer. Military contracts are understandably stricter and more directional whereas businesses may come with a problem, they just don’t know how to solve.
“We also do a lot of open-source projects. That’s where we are developing capabilities for the community to use our software for free and to enhance their cybersecurity posture.” They’re very much involved in the cybersecurity and developer sphere and are hoping to do more training around DevSecOps. This endeavour goes beyond setting up systems after the fact but rather feeds security into the very early processes of development at a software company. And it was a key part of setting up Punk Security. It's a creative and innovative side of the business that is not always found in IT companies and it fits with their ethos of sharing what they know and working at the cutting edge of IT.
“The idea of DevSecOps is about bringing developers and operations teams together so the developers can help operations teams deploy their software and diagnose problems. So as the developers write their piece of code, we will scan it for what we call secrets. These are like hard coded passwords, or API keys or certificates that shouldn't be being leaked in the source code.”
“We’re building a platform to be able to upskill people and teach them more about it and we've got a few more open-source projects that we're planning on working on as well.”
Such is their commitment to open source and community that they’ve made use of the C4DI community to run events. Joining C4DI was about having a central physical presence in Northallerton and Daniel says that “from there, we started using C4DI for its events and its connections to the wider area.”
"In conjunction with C4DI, we ran a cybersecurity event in Hull where we carried out a live Hack taking business people through what would happen in a ransomware event and then showed them how to prevent it. That was also in conjunction with Northeast Cyber Resiliency Centre which is a police funded charity organisation. So, the police gave their experience of various different cyber-attacks, along with our live demo."
Their involvement in military projects as an Armed Forces Covenant signed business is also relevant to an area of cybersecurity that is growing.
Where is cyber heading?
Cyber in the military is a topic that our speaker is familiar with as a member of a reservist unit, and hackers are increasingly being deployed in warfare.
As far as why it’s being used, he says “it's being able to carry out an action without firing any typical weapons” that will make it increasingly appealing as time goes on. But he cautions the threat is not solely from the likes of “Russia and China, that people do seem to focus on. There are also some really good hackers in Brazil. Or North Korea.” The totalitarian state in particular is renowned for being a hotbed of ransomware and ultimately there are links back to China and Russia, relaying internet through the former and activity often being linked to Russia.
But innovation will continue and there are positives to hold onto about how companies like Punk can stay ahead of the criminals. One such innovation that has entered every part of industry is, of course, AI. Daniel is open minded.
"We've been investigating how we can use it as part of testing our systems. And we've got it to build what we call zero day attacks in a matter of hours. So I think this is going to be another useful tool to help bolster our cybersecurity. But on the flip side, it's also going to make our adversaries, the attackers, lives a little easier as well.”
Ultimately the reason companies like Punk exist is to ensure most employees and workers don’t have to worry about these threats too much. For them, the focus is clear and Daniel talks about “building a firewall inside the person”. Stay alert and take your time to establish whether what you see in front of you is legitimate. And you’re doing the best you can.