Cyber-attacks and data breaches represent one of the greatest risks facing modern businesses. The scale and subsequent damage of these digital threats continuously underlines the vulnerability of poorly protected IT systems, with the average data breach costing companies £3m in 2019.Secure Society
The Wannacry ransomware attack in 2017 affected more than 200,000 computers across 150 countries and caused billions of dollars of damage. In the UK, the attack led to nearly 20,000 cancelled hospital appointments and burdened the NHS with an estimated £92m in direct costs and lost output through disruption to services.
Researchers from the University of Southampton’s IT Innovation Centre are mitigating the risks surrounding cyber threats with machine reasoning through new startup SPYDERISK.
The business is automating the risk assessment of enterprise IT systems, saving time and money and making compliance easy.
“For an organisation to show that it’s managing its IT systems well, obtaining an ISO 27001 certificate can be a good option,” co-founder Dr Stephen Phillips explains. “In critical supply chains and other high risk environments, certification is increasingly required before suppliers are able to provide services.
“However, getting certified is a resource-intensive exercise requiring an expert understanding of all the key assets, thinking through what could threaten them, how to avoid the problems, and estimating the risk for each one.
“This means a qualified cyber-security professional can spend months each year manually writing these risk assessments for compliance purposes, taking away valuable time and resources which could be used for actually improving security.”
SPYDERISK automates a lot of the work, delivering significant savings for enterprise clients.
The startup builds upon seven years of work led by Professor Mike Surridge at the School of Electronics and Computer Science’s applied research centre IT Innovation Centre, which is advancing information technologies and their deployment in industry and commerce.
SPYDERISK combines a comprehensive system model with an innovative machine-reasoning technique and detailed knowledge base of threats and control strategies to create an unsurpassed view of the risks to a system.
“After you build a model of your IT assets and their relationships in our intuitive graphical interface, SPYDERISK follows the web of attack paths in the system, automatically identifying the threats and computing their likelihood, calculating the risk levels and proposing mitigations,” Stephen adds. “The data is then instantly output in the reporting format you need.”
The business is accelerating with backing from the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) and Innovate UK, and is now in trials with a number of large organisations.
“We’re looking for industry mentors and early adopters who want to join us on our mission of making compliance easy,” Stephen says. You can get in touch with the SPYDERISK team through the contact form on this page.
SPYDERISK is targeting an early, but rapidly growing market through an online subscription model for scalable global reach. The number of ISO 27001 certificates in the UK has doubled in three years to 5,000, representing 10% of the global market.
Building on its ISO27001 position, Spyderisk will expand to other compliance frameworks such as SOC-2, which is popular in the US, enabling the business to scale globally.
This article is based on a blog published by Future Worlds, an on-campus startup accelerator at the University of Southampton, helping aspiring student and academic entrepreneurs change the world with their ideas. Future Worlds accelerates new ventures through inspiring events, workshops, investor pitching opportunities, commercial partners and mentoring from a network of seasoned founders, early stage investors and millionaire entrepreneurs.
Jon Nurse, Future Worlds
20 Nov 2019