Develop tools to make it easy for anyone to be secure online, whilst minimising opportunities for cyber attackers.
This could include ways to assist software developers and network designers to produce highly secure solutions even when re-using the work of others, or to improve the take-up of Cyber Essentials.
Mechanisms to reduce the effectiveness of attackers with significant resources are also welcome, as are tools that will reduce the risk that people face from the aggregation of all of their internet activity.
This topic also includes training packages.
1. Improved take-up of Cyber Essentials and incremental improvements
We would like to see many more small companies meeting the Cyber Essentials benchmark. Any tools that can assist in this regard would be of interest.
We want companies not only to achieve Cyber Essentials but also to maintain their security posture afterwards, so, for example, automated vulnerability assessment may also feature here, as would any products and services that help companies who have already achieved Cyber Essentials to take affordable next steps. As the objective relates to small companies, a low-cost solution is preferable.
2. GDPR readiness
Whilst large corporates are alive to the issues, organisations such as SMEs, charities and other non-profits are yet to fully understand the implications of GDPR, which requires organisations to prove they have taken adequate steps to properly manage personal data.
Charities in particular are focused on their front-line delivery and, as a rule, spend little on IT security. They believe that their mission – to do good – is enough to prevent any accusation of poor practice.
An ICO fine is likely to have a disproportionate effect on the survivability of organisations like these. Low cost, easily implemented solutions to this problem are required if we are to make a difference here.
Note that awareness raising alone is insufficient; we are looking for products or services that improve security.
3. Identifying ‘the good’
Tools that have a capability to ‘learn’ what normal looks like in terms of system and user access to sensitive sets of data (noting and accommodating the fact that the norm is not always the good), so that system owners can produce profiles (or other artefacts) from which anomalous behaviour can be identified and acted upon.
Related to this, an ability to profile user behaviour would assist us in awareness campaigns and to highlight areas where greater awareness may be necessary (or where no intervention is required).
4. Making it easier to be secure
Tools that enable mobile phone users to be aware of and manage the activities and privileges of the apps they run are of interest, as are those that enable users to more easily use white/black lists for apps.
In addition, tools that make it easier for app users to manage the risks they face when they click “yes” to highly complex and voluminous terms and conditions, or how much identity and other information they are giving away, would be of value. Low-cost solutions are preferred.
Easy to digest, modern, high-quality training packages that are suitable for the lay person (and could potentially be NCSC approved) are currently in short supply and would be of interest.
Having said that, attempts to train users on ways to avoid phishing attacks do not work for everyone; humans are not best placed to make these decisions. Tools that enable the computer to determine whether an e-mail is trustworthy could help with this problem.
5. Getting the board to ‘get it’
Board members generally have limited time, limited understanding of cyber risks, limited money and a set of other pressing problems to solve. In this challenging environment, we are looking for mechanisms that help boards take the cyber risk more seriously, where information is presented in a way that is both compelling and digestible to that specific audience.
This same issue is prevalent more generally. Mechanisms that will allow a cyber conversation in a way that is accessible and persuasive to different audiences are of interest.
6. Not all animals are equal
Some users can be classed as VVIPs and require bespoke support. Tools that enable such individuals to understand their digital footprint and which can easily offer advice and guidance – or ‘canned’ environments – dependent on the situation are of interest. Enterprise versions of such tooling – which expose the digital footprint of an organisation – are also valuable.
7. Out-of-the-box solutions for the vulnerable
Whilst it is true that there is a kids’ version of, for example, YouTube or iTunes, it is difficult for the responsible adult to configure a machine to be child-friendly (or vulnerable-person-friendly). An out-of-the-box solution that makes it safe for vulnerable people to interact online would be a welcome addition to the marketplace. This includes making it harder to become the victim of grooming activities or to visit unsuitable websites.
People find it very hard to generate and remember different and complex passwords for the range of devices and services they use. They also find it tiresome to enter them manually.
We are looking for approaches that reduce the burden of passwords without compromising security. Ideally solutions should adopt existing standards, and make use of hardware security features built into commercially available devices.
Existing products use a range of biometrics and physical tokens, with variations in the level of protection offered to credentials. We believe there is room to improve the state of the art in terms of the options available, the protection of critical components, and also novel combinations of techniques (such as multi-factor or continuous authentication).