Security firm High-Tech Bridge has backed the UK National Cyber Security Centre’s (NCSC) claim that many security firms sell products by exaggerating the abilities of cyber attackers.
“Today, too many cyber security startups try to boost their sales by using fear, uncertainty and doubt (Fud) tactics,” said Ilia Kolochenko, chief executive of High-Tech Bridge.
Many venture capital companies have started to collect money aggressively to reinvest into startups, promising their investors to create a new Facebook or Google in cyber security, he said.
“Once they enter into a startup, they usually start pressuring the founders to boost sales by all possible means, without really caring if their solutions actually help the customers,” said Kolochenko.
“At the end of the day, companies purchase cyber security products that they don’t really need or are not appropriate for their risks, business processes or infrastructure.”
He believes the startups are obliged to exaggerate the risks in order to continue selling their products to disappointed customers.
“The worst thing is that the money invested into startups is not really used to create new technologies, but is spent on selling miraculous stories about omnipotent hackers,” he said.
Kolochenko was responding to a speech by NCSC technical director Ian Levy at the Usenix Enigma security and privacy conference in Oakland, California.
“We are allowing massively incentivised companies to define the public perception of the problem,” he is reported as saying.
Levy said it was dangerous to listen only to firms that made a living from cyber security and he criticised security firms that depicted cyber attackers as highly skilled masterminds.
In reality, he said, most attacks are aimed at firms with poor cyber security defences, citing the attack on TalkTalk that used the well-known and easily blocked SQL injection attack method.
Levy highlighted the work the NCSC has done with HM Revenue and Customs (HMRC), which is the first government department to fully implement the domain-based message authentication, reporting and conformance (Dmarc) protocol.
Implementation of Dmarc is mandatory for public sector bodies as part of the active cyber defence (ACD) programme led by the NCSC.
HMRC’s implementation has cut the number of potential threats reaching staff and has proved so successful that it is now being rolled out to other government departments in line with the NCSC’s policy of proving cyber defence strategies before requiring UK business to implement them.
The NCSC now plans to approach every industry sector that has a high public impact and encourage them to implement Dmarc by offering them use of the government’s centralised reporting capability.
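As an added illustration, not code from the article, the NCSC or HMRC: a small checker that classifies a domain's Dmarc TXT record by the policy it enforces (none, quarantine or reject, with the pct tag taken into account) and whether aggregate reporting (the rua tag, which is what a centralised reporting capability would receive) is configured. The domain names and records are constructed samples.

```python
# Constructed sample Dmarc TXT records keyed by hypothetical domain names.
SAMPLE_RECORDS = {
    "weak.example":    "v=DMARC1; p=none",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@reports.example",
    "strong.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@reports.example; pct=100",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@reports.example",
    "bad.example":     "p=reject; v=DMARC1",  # v tag must come first, so this is invalid
}


def parse_dmarc(record):
    """Split a Dmarc record into a tag dict; return None if it is not a valid record."""
    parts = [p.strip() for p in record.split(";")]
    # RFC 7489 requires the first tag to be v=DMARC1.
    if not parts or parts[0].lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Classify a record: invalid, no-protection, monitor-only, partial-<p>, or the enforced policy."""
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    reporting = "rua" in tags  # aggregate reports give visibility into spoofing attempts
    if policy == "none":
        return "monitor-only" if reporting else "no-protection"
    if pct < 100:
        return f"partial-{policy}"  # policy applied only to a sample of failing mail
    return policy


def assess_all(records=SAMPLE_RECORDS):
    """Return {domain: classification} for every record supplied."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}
```

Running assess_all() over the samples shows why a p=none record with no rua tag neither blocks spoofed mail nor reports it, which is the state most domains are in before a rollout like HMRC's.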
Levy urged other businesses to look at what the NCSC is doing and to read the cyber security advice available on the organisation’s website.
Stinging report

The NCSC officially opened its doors on 1 October 2016 to bring together all the key government cyber security organisations under a single umbrella, but in a stinging report, the Public Accounts Committee (PAC) has criticised the government for taking too long to consolidate and co-ordinate its “alphabet soup” of agencies involved in protecting the UK in cyber space.
The report also said the breadth of the NCSC’s role is considerable, and it is still unclear which organisations from across the public and private sectors can call on the NCSC for assistance.
The PAC recommended that the Cabinet Office should develop a detailed plan for the NCSC by the end of the current financial year, setting out who it will support, what assistance it will provide and how it will communicate with organisations that need its help.
Responding to the PAC report, the NCSC said that in the four months the organisation has been operational, it has “transformed how the UK deals with cyber security”.
The NCSC said it has provided “real-time cyber threat information to 3,000 organisations from over 20 different industries, offering incident management handling and fostering technical innovation”.