SME Cyber Security - May 2017


CYBER-SECURITY SPECIAL Why it pays to heed the human factor in your cyber-defence

WANNACRY After the NHS hacking scandal, could the IoT be next?

LIFE IN THE SILVER SCREEN How Secret Cinema’s Fabien Riggall wants to change the way we watch movies


AWARD-WINNING BUSINESS JOURNALISM • MAY 2017

BUSINESS-REPORTER.CO.UK

Revolutionary roads Special report How Richard Branson’s latest investment MacRebur is tearing up the way we surface our highways

INSIDE: 17-year-old ethical hacker Ruby Nealon on how to find your vulnerabilities before the fraudsters do

DISTRIBUTED WITHIN THE SUNDAY TELEGRAPH, PRODUCED AND PUBLISHED BY LYONSDOWN WHICH TAKES SOLE RESPONSIBILITY FOR THE CONTENTS


May 2017

AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH


business-reporter.co.uk

Business Reporter UK

@biznessreporter

When it comes to cyber-security, it pays to heed the human factor

OPENING SHOTS
SUNETRA CHAKRAVARTI

Remember the scam emails going around in the early noughties presumably from a Nigerian prince in exile? The gist of it was that they had a trillion dollars squirrelled away, and they needed help taking it out of the country. It also involved getting you to send them some money. A lot of people fell for the scam – this was before Googlemail was a thing, back in the era when every email was treasured and read twice.

Over time the crooks grew smarter and their crookery got more sophisticated. But irrespective of how nuanced and complicated the process got, it always boiled down to that one thing. Sending out an email to extort money. But the saddest aspect is that phishing scams like this are still the most successful way of making money for cyber-criminals.

Do you know how much money the scam artists behind the WannaCry ransomware made? The one that crippled NHS systems, affected 73 countries and disrupted major utility companies in Europe? A measly $72,000. Compare this with the fact that one in every 14 phishing emails is successful. Then do the maths on how many of these emails are being sent out every day and every hour to extort and to terrorise.

The problem begins and ends with humans. The official statistic for how many cyber-attacks are a result of employee carelessness or laziness varies between 72 per cent and 90 per cent. Even though the figure varies, it is still eye-wateringly high. As a CISO said to me the other day, “There is no kill switch for breaches resulting from human error.”

So the question now is: can the superior advances in technology not help solve the problem? How about machine-to-machine, artificial intelligence and machine learning? It turns out that such things can only complement the work of us humans, and the lovefest around AI is apparently a case of emperor’s new clothes.

Said Simon Crosby, CTO at Bromium: “The maths around machine learning was done years ago by Alan Turing. The attackers have changed their ways. Data is already encrypted. Identifying if something is right or not or a change in tactic has led to WannaCry, which is potentially catastrophic. Turing’s legacy is being writ large with WannaCry.”

Then there is newer research saying that IT employees are not concerned by the possibility of a breach. What could possibly lead to this lack of empathy and loyalty? Does the lack of caring show a deeper disconnect between businesses and their employees?

Cyber.uk’s Dr Jessica Barker thinks there is more to it: “There are a lot of cultural factors around cybersecurity. Often IT workers can be made to work hard and long hours. They may feel like they are not appreciated. And being seen as geeks in basements can frequently lead to a rise in resentment.

“The worst kind of cyber-attacks use psychological drivers too. Spear-phishing is all about making an attack deeply personal. They try to evoke curiosity.”

So if there was an email from someone I know asking me to click on a link to check out photos of an event I have been to, I am pretty sure I would fall for the bait. Wouldn’t you, too?



facebook.com/biznessreporter


info@lyonsdown.co.uk

Meet the 17-year-old ethical hacker who has spotted bugs for Uber and United Airlines

Sunetra Chakravarti talks to Ruby Nealon, the 17-year-old ethical hacking prodigy making waves in the cyber-security industry, about what the future holds…

Ruby Nealon is 17. Dressed like plenty of kids his age (uniformly black) he smiles often and is currently growing out bleached hair. But Ruby is different from typical teenagers. While much of his peer group will be going into clearing for universities this autumn, he will already be graduating from the University of Salford.

Ruby has been famous in the cyber-security community for quite some time, for hacking into the systems of the likes of GitHub, Uber, Ubiquity, Valve, Shopify and Rockstar Games during hackathons (collaborative programming events). He got his name on Microsoft’s Wall of Fame for discovering a vulnerability at the age of 11.

Fame sits lightly on his shoulders though, and he admits to being sensible with the vast bounties he gets via the hackathons he participates in. In September 2016, he received $18,500 for spotting vulnerabilities on a client’s system in a group of 30 to 40 hackers. When we meet, he is on his way to another hackathon, this time in Amsterdam, to see if he can find anything on WorldPay’s systems…

Business Reporter: How did you get into it all?

Ruby: My way into the world of computer hacking was very different. At the age of 10, like any 10-year-old, I decided I had had enough of school. I was not enjoying it but I loved computers and so wanted to study computer science at university. Obviously I had no entry qualifications so couldn’t go to a normal university. I applied to the Open University – they had never taken anyone younger than 16, but before and after school I would ring and ask them. Eventually they agreed to see me – my dad drove me to the interview. Looking back now, they asked me some very basic questions. They invited me to do a part-time pre-university course on Linux while I was at primary school. I did very well in that, scoring 94 out of 100. After that, they gave me the go-ahead to do a course but my parents couldn’t afford the £760 it cost. I remember selling my Nintendo Wii that I got for Christmas to pay for it.

When I was on the course, I felt I wasn’t getting good value for money. But I couldn’t get a student loan because I was under 18. That’s when I decided to go to university full-time, so I sent out a BCC mass-mailer to every university I could get to while still living at home. Salford replied, so I ended up leaving high school when I was in Year 9. I’m the first person in my extended family to go to university. It was funny in a sense, because I was a lot younger than my cousins who would eventually go too.

Then I did something that, in hindsight I shouldn’t have done, but I did it because I got no response from flagging a bug on [gaming network Steam’s] system. So I put a game together called Watch Paint Dry, which was just a 45-second video of my bedroom wall and put it on Steam on a Friday [bypassing Steam’s approval system] – it was removed on Monday. I apologised for releasing it but [Steam] were very curt about it. Then [HackerOne co-founder] Marten read about it and reached out to me. He said, if you like hacking maybe you would like to get paid for it?

I started very slow. I work on the HackerOne Triage system with a few [other people]. We review vulnerabilities, add details and provide them to the client’s team. I started working at HackerOne back in August 2016 and am in London today hoping to do something full-time for them.

Business Reporter: So are you here for a job interview?

[Barry Duplantis, vice president of customer success at HackerOne, pipes in] When you are an ethical hacker and if your reputation and signal is up there, we will approach you and ask: “Do you want to come work for us?” My pool is from the community and I try to find folk who are doing great and have a good reputation.

Ruby: I want to work there because I know everyone in the community. It is a community of hackers paying close attention to security. Over the course of my time here, I’ve submitted many severe Airbnb vulnerabilities, and I got $10,000 for finding policy-based issues on the systems of a large American insurance company. I took in $18,500 at Vegas last August, so I took my family and girlfriend to Gaucho for a meal. United Airlines pay us in AirMiles for flagging bugs, and I used the ones I earned to take my girlfriend first-class to Vegas.

Business Reporter: As one of the brightest stars in the world of ethical hacking, what does the future look like?

Ruby: Back in December, Uber’s head of operations reached out to me with an interview offer as I was reporting lots of good bugs to them. I couldn’t make it work because I couldn’t get the visa owing to my age. I haven’t thought long-term yet though…

Ruby Nealon was offered a job by HackerOne at the age of 17, after it noticed his skill in finding access points into supposedly secure company networks

MAY 2017 Publisher Bradley Scheffer | Editor Joanne Frearson | Production editor Dan Geary | Client manager Michele Taylor: production@business-reporter.co.uk | Project Managers Marc Morrow, Michael Roughan | Contact us: info@lyonsdown.co.uk



After the NHS, will the IoT be the next malware target for hackers?

Sunetra Chakravarti asks if the lack of security of popular IoT devices makes them ripe for hacking

“Researchers have been testing IoT devices for a long time and have often found them lacking even basic security practices” – Liviu Arsene, Bitdefender

The Internet of Things was the hot topic in 2016, but it’s the real deal in 2017. Not only does it include connected TVs and fitness trackers but also printers, smart lightbulbs and routers. With all this rapid growth, the cybersecurity risks aren’t far behind.

Consumers are always at risk, but it is small to medium businesses that are the easy targets for cyber-criminals happy to squat on networks and collect the drip-feed of information. Hackers bided their time for 280 days in the case of US retailer Target’s network, before going in for the kill. Imagine what they could do with unsecured IoT lightbulbs in a business or home.

The IEEE’s IoT and Big Data Interactive Transmitter (http://transmitter.ieee.org/iot-2017) can help you see what connected IoT products you are likely to use during the course of the day, and the kind of interactions – and risks – each comes with. But it’s just this year that businesses and consumers are waking up to the threat they bring with their ease of use.

“Researchers have been testing the security of IoT devices for a long time and have often found them lacking even basic security practices,” Liviu Arsene, senior e-threat analyst at Bitdefender, said. “Most IoT manufacturers treat security features trivially and often are not even included in the device’s development roadmap.

“However, what small business sometimes fail to realise is that they’ve been hosting IoT devices in their network for years without realising. If you think about internet-connected printers, one could argue that they’re also IoT devices. They’re usually the most targeted when it comes to breaching an organisation’s security as they either have poor password protection or loads of vulnerabilities.”

When news that Amazon’s Alexa was listening and recording conversations emerged, Alex Mathews, lead security evangelist at Positive Technologies, said: “Given enough time, money and motivation, most technology nowadays can be hacked using flaws in design. The more internet-connected devices people put in their homes, the higher the risk is to them personally. People need to be careful before rushing to get the latest smart home device. It might make getting pizza delivered easier, but there is a trade-off with your personal information.”

Mirai-mare

Much of the problem stems from internet service providers leaving “back doors” open so they can remotely connect and update software. Sadly, this also means the same door is open for hackers, as in the Mirai malware case – Mirai scanned open ports and tried lists of passwords until one worked, then infected the device. This simple methodology took down vast swathes of the internet, including TalkTalk and Post Office Broadband in the UK.

“The wider infrastructure needs addressing,” says Paul Lipman, CEO of Bullguard. “Content filtering exists on devices but the true sophistication lies in being able to tell a legitimate and a malicious access attempt apart. In the US, one of the main ISPs is Comcast – all its routers would ship with “admin” and “password” as the username and password. A malicious user just has to scan IP addresses and they are in. In seconds, they would have full control of home networks!”

And the problem can extend from virtual to actual security. Internet cameras or IoT-enabled front door locks simply don’t have the kind of processing power or storage capacity to run powerful security software. They are designed to perform the maximum number of tasks with minimum cost, with the line between digital and physical security blurred.

In April, researchers at IBM stumbled on a new variant with an in-built component to mine for cryptocurrency. As IBM threat researchers Dave McMillen and Michelle Alvarez said: “If the weaponisation of IoT devices into DDoS botnets is the latest malicious trend, turning them into Bitcoin miners may be just around the corner.”

Paul Holland of Beyond Encryption thinks there are a variety of reasons why the IoT has developed at breakneck speed without any security concerns, primarily the speed of uptake. “Apple led the charge with voice-controlled applications, and people are now using Cortana and Siri to get to the next level of efficiency,” he says. “The question is, do consumers understand hackers could easily gain access to their network by using the backdoor entry from the shopping list Echo stored for them?”

It’s clear companies need more information about the devices connecting to their network, and network managers need the ability to identify and remove devices compromised by malware or human error.

Jon Garside at HPE Aruba said: “IoT within business is already happening and the growth of its use across all industries is inevitable. Businesses shouldn’t let security threats be the barrier between a market-leading or non-competing company.”

For others, though, such as John Madelin, CEO of Reliance ACSN, it is a case of much ado about nothing. “You have to remember that cyber-criminals are inherently lazy people,” he points out. “They are also chancers. Would they really want to write a bit of code for six weeks to hack a fridge? Or would they rather send DDoS or ransomware to a healthcare trust and make half a million pounds?

“Seventy per cent of our most valued files are in emails. [As a hacker] I would want to compromise your email. Phishing is easier than scanning telnet ports, and one in 14 phishing emails is successful. Just send 14 emails!”

But the risks remain. As the Motley Fool wrote recently: “Without trustworthy security models and regular software updates to counter new attack methods, the IoT shouldn’t exist.”

Safeguarding your IoT devices

One of the biggest issues for IoT devices is the EU’s General Data Protection Regulation (GDPR), which comes into force in May 2018. CEO of Cloudview James Wickes’s advice for businesses is:

• Buy equipment from reputable manufacturers

• Ensure usernames and passwords have been changed from the default state to something secure and that a firewall is in place

• If they are unsure, have equipment assessed and installed by a trustworthy technician

• Choose a vendor that, at a minimum, uses corporate-grade encryption for data and ensures compliance with data regulations

• Ask the supplier if they will mitigate any losses incurred through privacy breaches, related fines and so on



People get ready: GDPR is coming!

After a year of talking about it, businesses now have just one year to ensure they are compliant with the rulings outlined in the EU General Data Protection Regulation (GDPR), which comes into effect in May 2018. The countdown is truly on

Heralded as “a major step forward for consumer protection”, the GDPR will place an even greater onus on organisations to safeguard the personal data they hold from cyber-attacks. For example, the new rulings state that organisations will have to implement “appropriate, technical and organisational measures to ensure a level of security appropriate to the risk, including […] encryption of personal data”.

Failure to comply will have serious consequences for any business. With fines of up to 4 per cent of an organisation’s annual worldwide revenues, non-compliance could be crippling for a company’s bottom line – and its reputation.

With such devastating repercussions, the C-suite is certainly sitting up to consider how best to tackle the challenges GDPR poses. As such, identifying how best to protect customers’ data, and businesses’ intellectual property, is fast creeping up the boardroom agenda – with a particular focus on implementing encryption strategies.

A boardroom issue

When it comes to matters of encryption, you wouldn’t be alone in thinking they reside solely within the confines of an organisation’s IT team. In fact, over the past decade, we have seen that the IT operations function has consistently been the most influential in framing an organisation’s encryption strategy.

However, the balance of power is starting to shift. According to the Thales 2017 Global Encryption Trends Study from the Ponemon Institute, for the first time, business unit leaders are now at the head of the charge when it comes to encryption strategy, having the highest influence over its implementation.

What’s more, the adoption of encryption strategies across global organisations has accelerated considerably over the last 12 years. In fact, just over two in five organisations now have an encryption strategy applied consistently across the enterprise – a huge increase on the 15 per cent we reported back in 2005.

Driving this shift has certainly been the rising number of data breaches hitting the headlines over the past few years, but so too have the changing regulations around data protection. In fact, compliance with privacy and data security requirements is the main driver for the majority of global organisations to deploy extensive encryption use within their company.

This is just the start…

Yet while it’s encouraging to see encryption usage is on the rise, there is still a lot of work to be done. Today, a worrying 84 per cent of UK organisations say they still feel vulnerable to data threats, according to the recently released European edition of the Thales Data Threat Report, with one in five reporting that they feel “very” or “extremely” vulnerable. What’s more, despite an increase in IT security spending, the number of data breaches continues to rise.

Perhaps this can be attributed to the fact that businesses continue to invest in traditional security measures to protect their sensitive data. In fact, we recently found that nearly half of UK organisations plan to increase network IT security spending, and there is a strong belief among many that network security is “very” or “extremely” effective at protecting data from breaches.

The problem with traditional, network IT security solutions, however, is that data no longer resides within the traditional “walls” of an organisation. Today, more and more organisations use sensitive data in an advanced technology environment – such as in the cloud and on connected devices – and consequently, network security solutions become increasingly redundant in stopping modern breaches.

Cyber-security strategies need to reflect what is going on in the real world. In today’s increasingly complex threat landscape, robust IT security strategies, such as encryption, must be in place to protect data in all its forms, wherever it is created, shared or stored.

The consequences of failing to properly protect valuable customer data, come May 2018, are not worth considering. The GDPR is coming and your business needs to be ready.

INDUSTRY VIEW

Cindy Provin is chief strategy officer at Thales
emea.sales@thales-esecurity.com
www.thalesesecurity.com



An instant cash injection that can help your business grow

Business owners are often held back from expanding and growing due to a lack of funding, particularly during seasonal disruptions to trade. Cash flow has been identified as the single biggest worry for UK independent business owners, with nearly a third losing sleep over it. Almost 30 per cent admit this damages the development of their business, and rely on personal funding due to strict conditions applied by traditional lenders.

A business cash advance is an alternative way to raise finance if your company takes card payments, giving you access to a lump sum of between £500 and £300,000 in as little as 72 hours. The application is completed in minutes over the phone with a decision the same day, and repayments are linked to your card sales so that you only pay back when you earn from your customers. This instant cash injection can be used for anything at all, without intense scrutiny as to where every penny will be spent.

If your business needs stock, a refurbishment or a cash flow boost to pay unexpected expenses, don’t sit around waiting on the traditional methods of raising finance. With Quick Capital, access to cash when you need it is quick and simple.

INDUSTRY VIEW

To find out how a cash advance can help your business grow, call 0800 3777 402 or visit www.quickcapital.co.uk


Eyeing up the investors

There’s more to bagging funds to launch that big idea you just had than enthusiasm, reports Joanne Frearson

“A lot of people spend a lot of time thinking about what they want the money for and spend less time thinking about why investors should give it to them” – Matt Mower, Activate Capital

Great ideas are one thing, but they’re only half the battle when it comes to securing capital. Investors who want to back start-ups are increasingly looking to put their money into teams with a solid background who can demonstrate that they have a great business.

Margaret Rice-Jones, previously chairman at Skyscanner, says: “If you are looking for financial capital, venture capitalists always look for two things. They look for a great team and they look for a great idea. If you have not done it before and are not therefore recognised as a great team then the journey to get started is much harder.

“It is very unlikely that a VC will back an early-stage business in the UK if they do not know the team.”

She explains that knowing the team is important, as during the journey towards becoming successful teams are likely to face many challenges, and VCs want to know they can negotiate them capably.

“With very early-stage businesses, investors are looking to exit on average at about seven years,” she says. “They realise that during that time technology will change, the market environment will change and therefore backing a team they believe can successfully negotiate those things is critical. The approach to funding is very dependent on whether the team has done it before or not.”

Rice-Jones, who is also a director and board adviser for start-ups such as ctrlio, Xaar, Point Blank Solutions and Openet, continues: “If you are unknown the key is getting to that stage where you have a product and you have some revenue. Then there is a reasonable amount of capital around in order to get you through the next stage of being able to scale your revenues up.

“A lot of people take their very first support from friends and family – it could be as little as allowing someone to live at home rent-free while they work from someone’s bedroom, or maybe if they have the right connections, a little more money.”

She also explains that some angel investors are willing to support start-ups at an early stage.

According to Matt Mower, founding partner of Activate Capital, which helps start-ups with their ideas, getting funding is all about understanding the needs of an investor.

“A lot of people spend a lot of time thinking about what they want the money for and spend less time thinking about why investors should give it to them,” he says. “I see a lot of people who do not take an investor’s perspective.

“They think they see this great idea you ought to invest in it, not ‘this is how we give you a return’. Taking the perspective of why an investor should care about anything is a good starting point.”

Mower’s advice is to have a model which understands why you want the money and why the investor wants to give you the money. And one way to get money if you do not have experience, he explains, is to have someone credible vouch for you.

“The funny thing is, it is not necessarily hard to do,” he says. “It’s six degrees of separation – you are not actually that far from famous, wealthy people who might actually care about what you do. That name in the right circles will bring in interest.”

But with Brexit negotiations on the horizon, there could be some challenges ahead for start-ups. Says Rice-Jones: “There was a short pause in June and July last year when everyone stopped. I was actually out fundraising with the business and then for a few weeks everyone said, let’s wait and see what happens. Is that recession emergency Budget going to happen? When it didn’t things went back to normal.”

But whether things remain normal, she says, “depends entirely what is going to happen over the next few months and years”, with border issues and access to talent being critical issues.

“The biggest issue is access to talent and immigration because many of these businesses have large numbers of European staff,” she says. “We just do not grow enough people with computer science skills in this country. We need the staff.”

Rice-Jones believes that without this access people may decide not to start their businesses in the UK or they will have a small team in the UK and a technology team somewhere else.

“It will not stop entrepreneurs being successful,” she says. “But it may change where the job growth is.”

Deals increase in last quarter

Overall deal numbers in UK start-ups and high-growth companies increased by 2.7 per cent from the previous quarter, according to research from Beauhurst. However, deal numbers were still 6.72 per cent lower than in the same quarter last year. The total amount invested increased by 2.2 per cent, the highest amount since the first quarter of last year, but growth in deal numbers was only seen in early-stage deals. Crowdfunding saw 11 per cent growth in deal numbers, with almost £45 million invested in more than 80 deals. The South East, the second busiest region for equity investment after London, felt a harsh decline of more than 50 per cent in deal numbers.



Life in the silver screen

On its 10th anniversary, Secret Cinema’s Fabien Riggall talks to Joanne Frearson about changing the way people watch movies

Secret Cinema started 10 years ago as an idea for a new way of watching films, and it’s grown ever since, changing the way audiences perceive entertainment and creating new forms for artists to work in.

Fabien Riggall, founder of Secret Cinema, tells me that setting up as an entrepreneur first occurred to him when he was “working in telephone sales and doing running on the side.”

“It was an interesting concept I was working on – making my proper first short film, called She Loves Me, She Loves Me Not,” he says. “I was making this film but at the same time I was working in telephone sales, because in telephone sales you have to be hyper-confident – you pretend to be different people.

“So all of a sudden I just told people I was a producer. I would make one call for the telephone sales company and one call trying to get my film made. My confidence would suddenly switch – I realised that is all it is, really. You just say you are something and you are.”

After completing his film, Riggall started thinking about the ways in which people consumed movies. He wanted to see if people would come to see a film if they didn’t even know where it was being screened, or even what the film was in the first place – or even if the secrecy would make them somehow more intrigued.

Sure enough, 450 people turned up to watch the first Secret Cinema screening. Ten years later, the company has grown, with its events attracting upwards of 1,000 people a night.

Riggall believes Secret Cinema’s success comes from creating a new form of entertainment which breaks free from the restrictions many artists face. “If you look at every single area, it is dying to come out of its frame – fashion catwalks, theatre stages, music venues,” he says. “What we are interested in is creating a new way of experiencing culture and freeing artists to get their work seen in new ways.”

He cites the recent film Dancer, a documentary about Ukrainian ballet prodigy Sergei Polunin, the youngest principal dancer of the Royal Ballet, who left after just two years, as an example. “He was the most celebrated dancer, but he quit,” says Riggall. “His explanation was that he just felt trapped. There has to be place for radical change and place where artists can experiment with new forms, film, music, art and theatre.”

“People want to sit in a seat and watch a movie, but they also want to go to the theatre and see a wonderful play at the National. There is growing hunger for more active cultural experiences. Audiences are looking to become participants, not audiences. There is a joy in coming together in big groups of people in this way.”

For Riggall, Secret Cinema is about building a company that empowers artists to create new forms and new ideas while also giving audiences the ability to stop being audiences, at least in the traditional sense.

When Secret Cinema screened Blade Runner at Canary Wharf in 2010, attendees were instructed to arrive at the venue dressed in a punk, gothic or neon style, and were told to wear goggles because of “fears of acid rain”.

Says Riggall: “We sent that as a press release to the press, and on ITV and other places they [repeated it] almost as if it was real. I think we invented fake news. That was a special moment, when I realised all 1,000 of the audience came completely dressed up. They looked amazing in goggles and hair extensions. I was like, this is really working.”

The recent Moulin Rouge screening has taken the concept a step further, with the audience being given characters, with biographies and backgrounds that are interconnected. Effectively, every night about 1,000 characters are played by the audience itself.

“It is a film that is very evocative, especially now with the sense of kind of gloom and disillusion with what’s outside, and the power that we have over what’s outside,” Riggall says. “When you come to this world you are allowed to dream – you are allowed to be just whoever you want to be and the rules have changed. People are looking for that.”

The past 10 years have seen Secret Cinema develop a loyal following, and Riggall is planning to launch new secret events in other cities.

“We are also looking at moving into producing the films, so we can control a complete world,” he says. “It just boggles the mind, what that can do if we were to write a script. We’re inspired by the world of the film, and we build a world around it. The audience of Moulin Rouge lived in Montmartre in 1899.”

“We’re interested in creating a new way of experiencing culture and freeing artists to get their work seen in new ways” – Fabien Riggall, Secret Cinema

Secret Cinema’s screening of Moulin Rouge involved sending attendees individual character backgrounds

The tech industry in a post-Brexit UK needs to punch above its weight

With Article 50 having been triggered, we are entering an uncertain time in regards to how the UK economy will fare. And despite reports of growth towards the end of last year, the future is still very much uncharted, and it is not yet known how we will come through this huge political and economic shift. Business confidence has since wavered and the pound has been unable to gain momentum since the referendum.

So what does this mean for the digital world? As one of the fastest-growing sectors in the UK economy, now, more than ever, businesses need to invest in their digital strategies to secure their future workforce and trading capabilities. It is estimated that a huge 41 per cent of digital tech jobs exist outside the digital industry itself, demonstrating the need for continued investment and development in this area.

And as we move away from Europe and closer to “Global Britain”, the UK tech industry must match digital leaders such as the United States and Japan to remain competitive and economically stable.

INDUSTRY VIEW

Shaz Memon is creative director at Digimax
press@shazmemon.com
www.shazmemon.com


MacRebur’s Toby McCartney, who won a Voom award for developing a new road surface made from recycled plastic

‘Talk from your passion, not from what you think people want to hear’

Joanne Frearson talks to Toby McCartney about how passion trumped inexperience when it came to pitching his revolutionary plastic road company to Richard Branson

LAST YEAR Toby McCartney, CEO of plastic road company MacRebur, stepped on stage at the final of Voom, Richard Branson’s Dragons’ Den-style event, to pitch to Sir Richard and his star-studded line-up of judges for a slice of the £1million prize fund. McCartney originally entered the competition expecting to win little more than some feedback from Branson on his business, which uses recycled plastics to improve the strength of roads and fix problems such as potholes, but he ended up beating 9,000 other businesses to win the Start-Up category. Nearly a year later he still can’t quite believe his good fortune – McCartney thinks he won the competition largely based on his answers to the panel’s questions, rather than his pitch. “I made the mistake of buying the books on how to give and elevate a pitch,” McCartney tells Business Reporter at the launch of this year’s Voom. “The Voom pitch was not one of my best. I stuttered halfway through and I only felt I won it through the questions.” But the process of simply answering questions allowed him to feel more himself. “If you have something you are really passionate about, you just talk from that passion rather than what you think people want to hear. I think that makes for the best pitches.” After winning the event, “Just be yourself” is McCartney’s mantra for others entering start-up pitchathons. “That is Richard’s success, isn’t it?” he suggests. “He is just doing something he loves. That is the advice – just be you and be passionate about what you do in any of the pitches and, as Richard says, keep it short.”

McCartney with Branson at the Voom 2017 launch

McCartney confesses that he doesn’t always follow that advice, however. Life has been quite an adventure since winning Voom, he says. “It has been nonstop. I would quite like a holiday. It is phenomenal – we went from a concept to a fully-fledged business from the moment we won Voom. “Initially when we first thought about the concept, we thought, wouldn’t it be great if we had one or two councils [on board] and then we entered Voom? Now we are talking about not just the UK, not just Europe, but the rest of the world as well. It is phenomenal. I am still pinching myself. We are still catching up.” There were plenty of naysayers at the beginning who warned McCartney plastic roads would never take off. “We simply asked ourselves, what if?” he says. “What if we were to enter? What if we got through the first round? I remember sitting with my colleagues and my wife. What if we got to the semi-final? And then when we got to



the semi-final… just imagine how it would be if we got to the final?” McCartney proved the disbelievers wrong, and now Voom plastic roads have been popping up all over the UK, including at a truck service station in Cumbria as well as Carlisle airport. “That was a big thing for us, Carlisle Airport, as it was a big test – actually having planes landing on our runway,” says McCartney. “Then we got our first council roads, and now we have various roads around Cumbria,” he says. Sections of road that contain the company’s product are duly signposted: “This road is made from waste plastics”. For start-ups that would like to get out and pitch, but are concerned about whether their business idea might not be good enough or worried about criticism, McCartney stresses that a thick skin can go a long way. “It does not matter how great the idea or how innovative it is,” he says. “You are going to have people saying it is not going to work, or it is a load of rubbish, or it is this or that. It is the ability to take that as feedback and learn the answer for it. Even if you do not

MacRebur surfaces are already appearing nationwide

respond to it, knowing the answer to the worst criticism for us has been the biggest learning curve.” Having an idea, even an inclination of one, that might benefit other people should be justification enough to enter something like Voom, McCartney believes. His current ambition is to get MacRebur into Europe before Brexit throws any potential spanners into the works – the firm is using partners

Guaranteed to save you money on your card processing fees

Giving businesses a bit of va-va-Voom

in the UK that also have a European presence to build up contract supply agreements with big asphalt companies in mainland Europe. “There are many opportunities still out there despite the whole Brexit situation,” says McCartney. “The entrepreneur’s mindset should be switched on and looking for those opportunities, rather than at the problems,” he says. Other plans for the company involve freeing up their directors’ time to explore other countries such as Mexico, the US and China. “We need to grow locally and at the same time not let the opportunities go abroad,” says McCartney. “It is a kind of mixed approach into developing the UK market, the European market, then the rest of the world. World domination – we will see how that goes!” he laughs. To help MacRebur to achieve its worldwide growth strategy, the company has also raised £1.3million via crowdfunding platform Seedrs – twice what it had initially asked for. And by winning Voom, MacRebur has gone from a small UK company to one with expansion plans worldwide.

Sir Richard Branson’s Voom competition is back, and this year start-ups will have the opportunity to pitch their ideas on the Voom Pitch bus, which is travelling across the UK and Ireland looking for the next big entrepreneur. Over the next six months the Voom Tour will stop off at destinations nationwide, including Belfast, Birmingham, Cardiff, Dublin, Dundee, Edinburgh, Glasgow, Manchester, Newcastle and Winchester. Sir Richard’s advice for anyone thinking about pitching was to “keep it short. I am famously dyslexic, and if Virgin takes an advert, if I can understand it we know it is going to work. It is simple, clear-cut messages. It is the old rule of the elevator pitch – can you get it across in an elevator?” The Voom Tour is a chance for people to get started in business – up for grabs are regional prizes of £5,000, as well as ten chances to meet and receive advice from Sir

WHEN IT comes to accepting card payments from customers, businesses are often confused by unnecessary processing fees – which means they are usually paying too much. At Handepay we’re so confident that we can save you money that we’ll put our money where our mouth is. Let us review your current merchant services costs, and if we can’t save you money we’ll give you £1,000! Whether you are switching suppliers or new to card payments, we keep things simple with transparent pricing and no hidden fees. For example, we don’t charge our customers PCI DSS compliance and non-compliance fees, authorisation fees or joining fees unlike some of our competitors. In most cases, we also cover any fees you have to switch suppliers. We have a range of card machines to suit all businesses and all accept contactless payments, including Apple Pay and Android Pay. On average, customers switching to Handepay save a massive 36 per cent on their card processing fees. In 2016

“Saving more than £1,200 per year has allowed us to invest more money growing our business. Taking the Handepay price challenge is a must” – The Lane, Kent

Richard himself. The national competition will return in March 2018 and will again provide the chance to win a share of £1million in prizes. Research from Virgin Media Business shows that almost two in five people think they’ve had a great idea for a new business. However, more than seven in 10 of this group – the equivalent of over 13.8 million people – suffer from “business diffidence”, and haven’t done anything with their ideas because of a fear of failure. Half the respondents who didn’t realise their ideas saw a lack of funding as their main obstacle, followed by 37 per cent who cited a lack of confidence preventing them from realising their dreams. Sir Richard believes the future will be centred on small businesses. So to help SMEs, Virgin Media has launched Voom Fibre, which enables new and existing business customers to receive ultrafast download speeds of up to 350Mbps.

alone, we offered UK independent business owners combined savings of over £3.75 million. One customer made a staggering annual saving of over £16,000 by switching to us! Handepay have over 28,000 UK customers and are rated Excellent on Trustpilot, an independent review site. To take the Handepay Price Challenge, simply email a copy or photograph of a recent merchant statement (your last bill) to pricechallenge@handepay.co.uk and one of our advisers will be in touch. INDUSTRY VIEW

To find out more call 0800 3777 382 or visit www.handepay.co.uk Terms and conditions apply. Offer only available to new customers. Images are for illustrative purposes only.



No more future-gazing, no more predictions… digital has landed

MOMENTARILY BLINDED by the disorientating dazzle of a technological revolution, today’s smartest organisations are now getting on with the truly transformational business of deployment. Roads-as-a-service, super-fast start-ups, paperless healthcare: Digital Britain plc is wising up to the whys and wherefores – and the rewards are being reaped in spades. A group of these committed trailblazers gathered at a Business Reporter roundtable lunch to trade tales of rebooted business models, better-served customers and leveraged bottom lines. Giant engineering firm Costain constructs motorways, bridges and power stations. They still build in concrete, steel and asphalt but are now in the maintenance business too, by using the Internet of Things and sensors to analyse data such as traffic flow, footfall and energy consumption. Bill Price, the firm’s business systems and technology director, described the company as bullish: “We are embracing technology in a big way to improve the performance and the life cycle management of our customers’ assets,” he said. “We used to just build. Now we provide an end-to-end service. Take roads: we now construct them and use smart infrastructure such as cameras and sensors to improve traffic flow and reduce journey times. The same technology allows us to map and repair potholes for a local authority in Sussex. Soon, connected cars, like the Tesla, will be doing that for us by simply driving over them and sending us the data we need to despatch engineers to the scene.” It’s about getting ahead of the rest. But it’s also about understanding that digital success can only be built on solid digital foundations. Sean Harley, chief information officer at B2B media company Ascential, says real digital transformation is only possible if a business’s front-facing functions are married to its back-end processes and supporting business systems. That’s when customers revel in the fully seamless, fully satisfying experience.
“The customer experience is layered at the top with the front end, but it is really the business systems that enable all of that,” says Harley. “It’s things like CRM linking to finance systems. For example, when a client transacts with our business at the front end, we capture that data in the CRM platform, which then links seamlessly through to finance systems for invoicing or instant payment.” Start-ups are the companies likely to lap up the spoils of digitisation most

Clockwise from top right: Nathan Marke, Bill Price, Sean Harley, Joanne Frearson, Carolyn Lees, Rob Price, Lesley Sewell, Simon Wright, Karl Goatley, Beverly Smith; inset: Nathan Marke and Rob Price

Photos: Neil Atkinson

“Digitisation is an absolute imperative for all businesses now” – Nathan Marke, Daisy Group

energetically. Not for these bright young things the agonies of fighting legacy systems hard-wired to rebel. Lesley Sewell, chief operating officer at new challenger mortgage lender Vida Homeloans, said: “The technology strategy was always at the forefront of the business strategy. Our business is generated through a remote intermediary market – interacting with potential new customers away from an office environment and often in their own homes – so digital is really important to us. It is also how we interact with each other, within the organisation. We minimised the use of paper and maximised digital, and we have been able to build all of that from scratch, which has been fantastic.” Nathan Marke, chief digital officer at Daisy Group – one of the UK’s biggest enablers of digitisation for businesses small and large – believes an inflexion point has been reached. “Digitisation is an absolute imperative for all businesses now,” he says. “But a good digital business must have the digital foundations right. It can’t be the IT bolted onto the side. It has to be at the very heart of everything.” No surprises then that this is a view shared by 92 per cent of CEOs surveyed by PWC last year. But, although the desire might be there, implementation can be fraught. Carolyn Lees, global IT director at private equity firm Permira, said: “The digital agenda is quite interesting in our business model because we invest in a whole variety of companies that are at completely different stages of digital maturity.

Digital is a huge disruptor and you need the right people to support the processes. It is creating a dynamic which is extremely challenging. Think about the skill sets you need to deal with it – not just in your own tech space, but in business as a whole. That said, digital transformation is a huge opportunity: you have to enlighten the board about the possibilities that exist in your business.” In the NHS, the digital agenda is huge. Convert Karl Goatley, director of IT at Sussex Partnership NHS Foundation Trust, is already driving digital adoption programmes, and says it is redefining patient care. “It means taking paper records and digitising them so they are always available,” he says. “That then gives us the ability to join up disparate parts of the health record and share this across care settings. It gives healthcare professionals a holistic view of our patients and doctors can treat accordingly.” On a practical level, it can also transform service delivery. Goatley’s trust operates a street triage team in Eastbourne, providing late-night crisis care to the most vulnerable people with mental health issues. The team can access patient records and medication schedules from their mobile devices while on the move and operating alongside the local police force. “That’s digital in action,” he says. “And it’s helping save lives.” Health and welfare services firm MAXIMUS is also simplifying and supporting customers via digital. Beverly Smith, vice president UK IT, said: “We have introduced a number of digital services for internal processes and customers. One example is the introduction of transcription service for

doctors to try to encourage them not to write it down. Instead, it is dictated, translated and validated – all digitally.” Daisy Group’s partner in digitising UK plc is global tech giant Cisco. Its UK partner organisation’s chief technical officer Rob Price says it has several moving parts. “The first of these is the Internet of Things,” he says. “There are 15 billion things connected to the internet. By the end of the decade it will be 50 billion or more. That’s huge growth potential for businesses, right there.” However, the real benefit in connecting all these things together is that it allows us to gather huge amounts of data. This data can provide significant insights, and drive business outcomes. But it’s not all plain sailing. For digital opportunity, read threat of cyber-attack. Seventy per cent of FTSE 350 companies have paid ransomware demands. Lees believes that to inform workforces on cyber-security, it has to be culturally driven. “The tech is easy,” she says. “The toughest part is the culture and the awareness. People can see it as getting in the way of doing their job. We have tried to relate it to our people not in a business context, but in a personal one.” It’s clear that, for some companies, digital transformation is a challenge, while for others it has come naturally. But, whatever stage they are at, it is providing them with new opportunities that can influence their futures. And those futures look very bright. INDUSTRY VIEW

www.linkedin.com/company/daisy-group www.daisygroup.com



Inspector Dogberry

The exchange rate on Black Eyed Peas just went up

At the Business Reporter Christmas party the Inspector is always first on the dancefloor – indeed, he practises throwing the latest shapes for weeks beforehand. So when word arrived that hip-hop supremo/self-styled business mogul/walking web address will.i.am was now a strategic board advisor to Atom Bank, the UK’s first bank built for mobile startups, he was over the moon. It’s not often you get to watch MTV Base as research for financial reportage, you know. After securing its banking licence in June 2015, Atom launched properly in April 2016, offering two market-leading Fixed Saver accounts and secured business lending for SMEs. It has also launched its first mobile mortgage product, allowing borrowers to manage everything via an app, the aim being to build a customer-driven service that’s optimised for mobile technologies. Customers are able to open accounts using Atom’s mobile App, access financial information in a simple way and take advantage of a range of unique tools that will help them get the most out of their money. Will.i.am’s role at the bank will be to give the team an external perspective on culture, philanthropy and technology. Will.i.am has said on his role: “Our lives are faster than ever before, but the banking industry hasn’t kept up. The scale of Atom’s ambition to help people understand and manage their money better, and its clever use of technology to give people an entire bank on their phones, is awesome.”

The London Borough of Havering has the best conditions to support technology start-ups in the UK, according to a survey by recruitment specialists Talentful, which researched the best boroughs in London for tech companies to start out. Talentful looked at the survival rate of registered tech start-ups in their first year and found that in Havering nine out of 10 new tech companies made it past the one-year mark. Rather than being centred on the Silicon Roundabout (the Old Street Roundabout area) as you might expect, the sites for success were instead further away from mid-London, with lower costs and higher broadband speeds attracting newer firms. Elsewhere, Hillingdon had the cheapest average office rental space in London at only £174.79 a month for desk space, making it a good option for those looking to keep costs low. In Redbridge, nearly 45 per cent of the workforce had a degree, making it good recruitment territory, though it failed to claim the top spot due to a midrange rental cost (£312.50). In Merton, 88.21 per cent of tech companies based in the area survived their first year and 58 per cent of the available workers were university graduates. Richmond upon Thames had the best broadband in London, with an average speed of 34.7MB/s (the lowest had only 19.3MB/s), making it an excellent situation for a technology company.

Small business owners are twice as likely to say they loved their job compared to full-time employees, according to a survey conducted by online business card outfit Vistaprint. Also, almost double the amount of small business owners (23 per cent) said work/life balance motivated them in their job compared with full-time employees (12 per cent). They also felt more flexible in their positions. Almost three times as many small business owners (39.4 per cent) agreed their job was flexible compared to 12.9 per cent of full-time employees. However, twice as many small business owners (17.8 per cent) said they worked outside of working hours. This was only 8.8 per cent for full-time employees.

Female Entrepreneur Association

femaleentrepreneurassociation.com

The Female Entrepreneur Association has been ranked as one of the best entrepreneur blogs according to Feedspot. The blog gives women advice about building a business and features stories about successful female entrepreneurs. The website also includes weekly videos, a members club where likeminded women can share ideas, masterclasses and magazine.

LinkedIn Today

blog.linkedin.com/2011/03/10/linkedin-today

LinkedIn provides blogs and news to its users based on what your connections and industry peers are reading and sharing. If you are an SME it will show you what the top stories are in your network. Users can also follow industries to gain news from other areas that could be of wider interest to their company.

The Small Business Blog sme-blog.com

The Small Business Blog provides SMEs with advice about everything they need to know to set up a business, anything from banking to cloud computing. Some of the latest posts are about building customer loyalty for small businesses, the benefits of corporate hospitality for small business and 10 steps to survive a business disaster.

Warren Knight

http://warren-knight.com/

Knight is an award-winning blogger and in 2016 was voted UK’s Best Business Blog. He helps SMEs grow through social media, digital marketing and ecommerce. One of his latest blog posts is about how LinkedIn is a good social media revenue driver for B2B businesses.

Intuit Quickbooks (free – iOS, Android)

Sort out your finances, accounts, payroll and payments via a variety of apps to suit your business, all available from the QuickBook store.

Slack (free – iOS, Android)

This instant messaging platform lets your team communicate with each other and share files and images in real time, across different channels and groups.

The road to a successful event

EVEN IN today’s highly automated world, with endless digital tools and platforms at your disposal, you simply can’t beat the engagement and personal touch that comes with a live event. Done well, you can really bring your message to life and create a lasting impression. So how do you ensure your event is a success?

It’s all in the detail

Whoever your event is for, and whatever the reason, careful planning and absolute clarity on the “who, what, why, where, when and how” are essential. Having run hundreds of events over the years, our first step is always to define your critical success factors. After that, it all comes down to making sure you’ve considered every intricate detail for all three phases of your event: the before, the during and the after. With so many variables to consider, the only viable way to stay on track is with a comprehensive event plan. We start with the date of the event and work backwards, scheduling in every task and activity, along with their owners and deadlines. In the “before” phase, we work to two breakpoints, typically 20 weeks and 12 weeks. Although you want to make sure you have plenty of time to plan your event, in the harsh light of day that isn’t always possible. But whatever your timeframes, don’t panic – there’s always a way.

Don’t forget the after

By thoroughly planning all aspects of your event, you can ensure that every detail is perfect for you and your guests. But what happens next? You need to keep the magic alive. This is where the all-important but often forgotten “after” phase comes in. Even the best events can fail to meet their objectives if nothing happens afterwards. Timely and relevant follow-ups can make a big difference to the overall success of your event, as well as your longer-term return on investment. INDUSTRY VIEW

To find out more, call 020 3058 2310 or visit www.easy-avenues.co.uk



Business Zone

Four pages of analysis and expert comment


Cyber-health is keeping executives at smaller firms awake at night too

“Just as it is sensible to look after your health, so it makes sense to have a cyber-health check for your company”

ASK THE boss of a small or medium business if they have considered cyber-security and their response would be similar to that given to the guy at a car rental agency trying to upsell collision damage waiver: “That’s covered with my own insurance, thanks.” Persist further and they might say: “My IT department has it covered”, even if they have no idea. In reality, rather like the customer who waives the extra insurance, they believe it won’t happen to them, or if it does, that the cost of fixing things will be modest compared with the cost of protection. It also reflects a belief that doing nothing means the problem will somehow vanish, but it won’t. The boss needs to realise that in doing nothing they are in fact increasing risks that they do not fully comprehend. Importantly, governments have declared that cyber-security is a board-level issue, and not just an IT one. To emphasise this, new rules and regulations will make companies liable for any breach of data protection. The General Data Protection Regulation (GDPR), which will come into force in a little over a year’s time, brings with it the threat of fines from the regulator of up to 4 per cent of group global turnover if the company is deemed liable for a loss of data. To understand what this means, we could perhaps look at the financial services industry, where, following the global financial crisis of 2008, the regulatory regime was heavily intensified. If you take the situation seriously and demonstrate that you have made reasonable efforts to safeguard your systems and data then the regulators will work with you. Ignore them, however, and the resulting penalties could make the actual inconvenience from a data breach the least of your problems. So what should the prudent boss be doing about this? Just as it is sensible to look after your health and have regular checkups, so it makes sense to have a cyber-health check for your company before these new regulations come in. You don’t need to break the bank and much of the threat can be contained by proper software, but, to continue the analogy, this is an ongoing health regime – it’s about looking after yourself all year round, not just in the two weeks before the medical. Nor is it just about software. Research shows that almost every data breach is because the human firewall was at fault. Your people might be your greatest asset, but they are also your weakest link when it comes to cyber-attack. State-of-the-art defensive software is necessary but not sufficient, for you or the regulator. Reviewing the systems, training your staff, putting in place protocols to both prevent attacks where possible and mitigate the impact when they do occur are all now needed to survive and thrive in an increasingly interconnected world. INDUSTRY VIEW

+44 (0)20 3290 0686 info@becybersure.com

Outsourced HR: The future for SMEs in an increasingly complex workplace

WAGE RISES, auto enrolment, shared parental leave, holiday pay and commissions... we could go on. These are but a few recent additions to the grand old book of employment legislation. They squeeze the profits and boost the stress of employers. Larger businesses feel the effect – there’s no doubt about that. But they’re much more able to absorb the added costs. And with in-house HR, they’ve got the expertise to adapt their business to the changes. Smaller businesses, then, are most vulnerable to the increased costs and challenges of employing people. Sure, they have fewer staff. But often their profit margins are much tighter – small increases in costs can have a dramatic effect on the bottom line. The challenges for SMEs don’t end there. Key to the success of a small business is – without a doubt – its people. Assembling the right team (and keeping them) requires winning the war for talent. And this is getting so much harder for SMEs that can’t afford the salaries their larger counterparts offer, or indeed the benefit offerings or perks available. To stand a chance, SMEs have to become excellent, flexible and desirable places to work, where employees must feel engaged, motivated and happy. The threat of doing things wrong looms like an ever-grey cloud. Nobody wants a messy dispute, or worse to receive an invitation to a tribunal. Key to preventing this, and tackling all of the challenges facing small businesses, is the ability to access expert HR support on tap when needed. But most small businesses don’t have, or need, a full-time HR resource in house – and neither can they afford one. That’s why thousands of SMEs wisely choose to outsource. The HR Dept’s insurance-backed advice line is offered nationally, but is delivered at a local level. Each local office is run by someone of HR director-level experience, offering practical and pragmatic advice with a personal touch. As employing people becomes more complex and more expensive, it’s the solution SMEs have been looking for. For small and medium-sized organisations, outsourcing HR is the future! INDUSTRY VIEW

0345 208 1120 https://www.hrdept.co.uk



Cracking the WannaCry attacks

TEISS.co.uk’s Jeremy Swinfen Green ponders why the NHS is such a target for hackers

THE NHS is a major target for cyber-crime. Why is this? Some analysts would say that it is because medical data is so valuable. And indeed, it used to be the case that medical data was ten times the value of credit card data. This was in part because medical data could be used to steal people’s identities. But it was also because medical data could be used to make extremely profitable invoice frauds. But the value of medical data is dropping fast – you can now buy data on the dark web for as little as $1. In part this is because the market is saturated. By some estimates around half of the US population’s medical records have been stolen and are available online. But it is also because there is an easier way to make money: ransomware.

The rise of ransomware

Criminals use ransomware to extort payments from organisations who need to regain access to their data and IT systems. For health organisations, losing access to patients’ data can literally be a matter of life and death. The sensitivity of NHS organisations to ransomware attacks makes them an ideal target for criminals. And a Freedom of Information (FoI) request from NCC Group has revealed that almost half of NHS trusts (28 out of the 60 trusts who replied) admitted they were victims of a ransomware attack in the year to April 2016. Of the other 32 respondents only one said they hadn’t been infected that year. The other 31 simply refused to say.

The cause of the problem

Why are ransomware – and other cyber attacks – such a problem for the NHS? It is partly (as with any organisation) because for most people in the NHS security isn’t their job. Busy doctors and nurses have plenty of other things to think about than cyber-security. Indeed, it is likely that most regard it as a problem for IT security specialists just as they have their own medical specialities.

This opinion will be reinforced if those medical staff are not getting appropriate cyber-security training. And it appears they are not. Business Reporter has written that “approximately 70 per cent of (NHS) Trusts said they had limited training programmes if any in place to safeguard organisational information, including patient records, for staff using personal devices”. This problem is made worse by the presence of so many agency staff who inevitably will have less cyber-security training. Stories of passwords taped to screens or computer mice are common: it’s not really laziness but rather the prioritising of operational efficiency at the expense of security.

Another factor is that NHS trusts (and the NHS itself) are complex organisations that involve many disparate entities that communicate using different (or absent) security protocols – which gives hackers plenty of opportunity. And then there is also a common lack of cyber-security competence – research last year in the US found that 40 per cent of acute health providers were not encrypting data at rest and 30 per cent were not encrypting it in transit. Basic defence practices are being neglected.

This is made worse by obsolete equipment and operating systems. Sometimes the reason for old equipment is the cost of upgrading; other times it is the need to preserve old data on old systems. Whatever the reason, again, cost and operational efficiency such as access to data is being prioritised over security. And this really is a problem. According to reports, an FoI request from Citrix in 2016 found that 90 per cent of NHS hospitals were still running the unsupported Windows XP. This is a basic failure and makes all of these hospitals ineligible to qualify for the UK Government’s Cyber Essentials scheme.

Defending against ransomware

Given these weaknesses, ransomware attacks on the NHS are set to continue causing problems. So what should be done? If we accept that they are going to be difficult to prevent (although education, up-to-date software and basic defences would help massively to prevent them) then the focus has to be on resilience after falling victim to an attack.

Resilience could involve simply paying the blackmailers. But this is hardly an appropriate tactic for organisations funded by public money. In any event continued capitulation to the criminals’ demands would inevitably result in the ransoms demanded increasing. Rather the tactic used should be adequate backing up. This is never easy and has to involve a number of different techniques which could include:

• Automatic online back-ups, with back-ups of those back-ups (held in secure locations that are GDPR compliant)
• Layered back-ups taken at different times so that if a particular back-up fails there are earlier versions to be used
• Manual back-ups of key information with an “airgap” where the back-ups can be scanned and cleaned without the danger of “command and control” software activating the ransomware
• Key data kept offline as well as online
• The use of different back-up locations for different data sets so that corruption of 100 per cent of data is less likely

As well as effective back-ups, it is important to implement regular testing of back-ups to ensure that rapid restoration of data and repair of systems can be delivered without undue damage to operational efficiency.

As well as backing up data, organisations should consider whether equipment, such as MRI scanners, needs to be constantly connected to the internet. An internet connection has many benefits for medical machinery. It can allow remote servicing of equipment, the sharing of utilisation data, and the communication of test results. But it is debatable whether these machines need constant connections. Perhaps a regime of regular connections, say at the end of each working day, combined with ad hoc connections, would decrease the vulnerability of these machines to cyber attacks.

Ransomware is likely to be a problem for a considerable time and will never be particularly easy to manage. But it should be less of a problem than it is for the NHS and some basic cyber-hygiene would make a huge difference.

Interpreting the WannaCry press hysteria: what your business needs to know

The reaction to the May 13 global ransomware attack was either a delayed response to our own weaknesses in cyber-defence or a hysterical misinterpretation of the events. Neither is good news. Joe Jouhal, CEO and founder of Avatu, claims the press has misinterpreted the WannaCry incident. Headlines suggested that criminals had targeted the NHS – and they succeeded. But if we look at the WannaCry code, the size of the ransom and the spread of the malware, the crime pattern suggests something much more menacing: lack of diligence. Watch Business Reporter’s Between the Lines and find out how you can fight cyber crime. https://business-reporter.co.uk/2017/05/23/wannacry-hysteriahealed-education/?getcat=2

Video campaigns from

Cyber-security: This edition takes a look at the recent ransomware attack which hit the NHS. Follow the link below to read more.

SMEs: How Brompton has blended tradition and innovation, and Mary Portas on creating the right culture in your business.

To watch these videos, and for more information, go to ezine.business-reporter.co.uk



Helping SMEs cut costs and drive efficiency in their business

RUNNING A business without enough operating cash in the system is a challenge many small and medium businesses face. By comparison, having sufficient working capital will open the door to numerous financial benefits and provide the fuel to drive business growth.

Time well spent

As businesses win new work and grow, it is common for the level of cash tied up in accounts receivable to increase. Without careful attention to credit control, this can starve the business of the cash that it needs to develop. This is why an invoice finance facility that accelerates the conversion of debtors to cash as soon as the sale happens is so useful for many SMEs. This type of facility can include credit management services. This may generate direct cost savings over doing the work in-house, while maximising the time for management to focus on more productive activities.

Improving supplier terms

Having sufficient working capital may help unlock simple economies of scale, which also reduces costs. For example, a business with more cash available could purchase stocks or supplies in higher volumes at a lower cost. More certainty about the availability of cash will also enable businesses to forecast more confidently and, by giving suppliers visibility of sales volumes, management may negotiate better prices. An invoice finance facility can also help SMEs to benefit from suppliers’ early-settlement terms, where prompt payment can generate significant savings. A few percentage points’ reduction on input costs will flow straight to the bottom line.

Symptoms and solutions

For businesses that sell on credit terms, struggling to balance creditors and debtors is a common sign that they are missing out on opportunities for greater cost efficiency. If an SME’s ability to pay creditors relies upon debtors paying promptly, it is likely that invoice finance could help.

INDUSTRY VIEW

John Onslow is CEO of Independent Growth Finance 0800 012 6028 www.igfgroup.com

Bridging the gap between the lender and the borrower

WHEN A company gets into difficulties with its bank it can be a challenging period. The business can come under threat of insolvency, forcing the director’s personal assets to come into focus. It’s invariably an opportunity for the bank to charge more at precisely the time when the business cannot afford higher finance costs.

Over the past 10 years we have helped borrowers exit from difficult situations with retail banks such as RBS and HBOS as well as vulture funds (loans sold to a third party), including Cerberus and Clipper. This solvent restructuring is a service we offer that helps companies retain their assets, continue to trade and avoid personal or business enforcement. It also helps borrowers avoid costly litigation that can last for many years.

We sit between the lender and the borrower, removing the emotion to deliver a structured plan to raise the finance needed to exit below the debt owed. We start by reviewing all documentation, loan covenants and historic business performance. We then engage with the lender to understand their objectives, pressures and timescales so any settlement proposals we table are aligned, as much as they can be, with their drivers. The next step is to benchmark the new finance available in the market and draft a report for submission to the incumbent lender. Thereafter we use a proven process to negotiate the specifics of the settlement agreement which includes the sum, timescales, structure and legal conditions.

Many of our clients have been in disputes with their bank for up to eight years. The average exit process takes between three and 12 months, with some cases lasting longer. Recent successes include debt reductions from £6million to £2.2million; £95million to £28million and £850,000 to £400,000. Recent personal guarantees mediations have seen liabilities reduced from £2million to £0 and from £450,000k to £40,000.

10: The number of years Conduit Finance has helped borrowers exit from difficult situations with retail banks and vulture funds

INDUSTRY VIEW

enquiries@ConduitFinance.com www.conduitfinance.co.uk



The debate

What is the greatest cyber-threat facing businesses today?

Matt Walmsley
EMEA director, Vectra Networks

THE CONTINUING rise in cyber attacks has prompted overwhelming demand for highly skilled infosec professionals. Unfortunately, vacant infosec jobs are expected to reach over 1.5 million by 2019 due to an ongoing shortage of talent. As the gap in unfilled infosec jobs widens, it’s essential to pursue new strategies that overcome the skills shortage and set the industry down a long-term path to success. Automation is critical to this. By automating time-consuming attacker detection and response duties, the skilled infosec analysts already on your team can focus on prevention and remediation. Artificial intelligence is a key enabler for security automation. Developing cyber-security skills in freshly minted infosec graduates is equally critical. To overcome the talent shortage, hire based on learning and flexibility traits rather than focusing solely on experience and certification. Of these strategies, automation offers the shortest path and can reap maximum benefits.

INDUSTRY VIEW

www.vectranetworks.com

Nigel Hawthorn
European spokesperson, Skyhigh Networks

THERE ARE two major threats on the horizon: ever-stronger regulation, such as the GDPR, and the potential data loss from third-party outsourcers or cloud systems. Laws and regulations are getting more prescriptive, partly because businesses have done such a bad job of keeping data safe in the past, with higher fines, mandatory breach notification and requirements to ensure policies, procedures and technology are deployed to keep personal data safe. GDPR is just one of these, coming into force in May 2018 with fines up to €20m or 4 per cent of global turnover. As businesses outsource more IT and implement cloud services to be more agile and productive, the danger is that a data breach from those services could lose your data, and YOU are responsible for the security of your third-party services. It’s especially difficult if you do not have a complete record of all the outsourcers processing the data.

INDUSTRY VIEW

+44 (0)20 3006 6480 www.skyhighnetworks.com

Michael Viscuso
CTO, Carbon Black

THE BIGGEST cyber threat facing businesses today is multi-faceted. The threat vector that is, perhaps, the most dangerous is human beings. These motivated, human attackers are extraordinarily adept at conducting reconnaissance on potential targets and exploiting vulnerabilities on the enterprise. Once inside, these attackers will move laterally to remain undetected. Without the right prevention, detection and response mechanisms in place, these humans can cause havoc across the business. In parallel with these human threats is the rise of non-malware attacks, which leverage native operating system tools to carry out nefarious activities. Legacy antivirus, often the lone protection for some businesses, is useless against this type of attack.

INDUSTRY VIEW

+44 (0)1628 24437 www.carbonblack.com

Kevin McMahon
Chief technical officer, CYJAX

THE SINGLE biggest cyber-threat to business today is user awareness. There are many cyber security and intelligence products on the market that, when combined, can do a fantastic job in securing your infrastructure. But none of them will teach your users not to open an attachment without thinking when it appears to have come from their boss, and none of them will tell your end users why they should not share their access, or send unnecessarily sensitive information to your supply chain via email, or even over the phone. This is where we as businesses are falling short, and this is what is being exploited by criminals and foreign agents intent on gaining access to our intellectual property or our bank accounts. There is no easy or cheap fix; it is going to take time and it needs to include everyone in our organisations, from those that sit in the boardroom to the most junior employees. Everyone can be exploited.

INDUSTRY VIEW

+44 (0)20 7096 0668 info@cyjax.com


