Interview between Safety Detectives and Dr Bernard Parsons, CEO, Becrypt
Safety Detectives: What got you interested in cybersecurity?
Bernard Parsons: Before it was known as cybersecurity, I was in the IA (information assurance) sector. Prior to this, I had come from a software and engineering background and worked in the telecoms sector for a while, and then I was in academia doing research in robotics and artificial intelligence applied to human computer interaction in robotics. I took a job within the cybersecurity sector purely because there was a startup company that was located right near where I lived. And I needed somewhere that was really local to make my life easy because I hadn’t written my thesis up yet. So it was a complete accident. But it turned out to be a really lucky accident for me because it is a fascinating field.
A lot of the technologies that I had been studying previously became very relevant to the problems I was tackling within cybersecurity. I was immediately attracted to it and learned a lot from the experience I had with that first startup company over three years or so. I was the first developer on board, so I ended up growing the engineering team that we built in that company that went on to provide encryption technology in the UK Government.
SD: What gave you the idea to start Becrypt?
BP: There was a group of us that were all working for the previous company and saw an opportunity around the large scale deployment for the first time of laptops within government, and particularly within the defense sector. This is not an area that the company we were working for was focused on but it’s something we were interested in. So we set out on our own to meet the growing need for device and full disk encryption within that sector.
What was different about us back then was that we worked closely with the UK National Technical Authority, which today is the National Cyber Security Centre, to make sure the products that we built were certified for protecting classified data. Many people were working in the device encryption space, but we were particularly focused on being able to work in government-classified environments, which gave us a steppingstone to work more broadly. Today, we continue to do a lot of work within government that we sell right through the government supply chain in the private sector, but right down to small businesses.
Our company has evolved a lot since its focus on device encryption. We are still focused on endpoint security, though, in a more general sense.
SD: What would you say is your company’s flagship product or service?
BP: The flagship product is both a product and a service called Paradox. It is used primarily for providing very secure access to online services. It’s a very lightweight operating system that you can deploy across a range of devices—desktops, laptops, tablets, and USB memory sticks. We have customers that run this software off a memory stick. It creates a very secure environment for organisations that are primarily accessing cloud services. It allows an end-user device strategy to be implemented that derives value from cloud, not just in the cloud, but also in terms of how you’re investing, managing, and monitoring your end-user devices.
Paradox came out of a government project. The National Cyber Security Centre ran a project about three or four years ago called CloudClient, which was all about developing standards that would allow government departments to more effectively share IT infrastructure—wanting to collaborate, expose your services to other organisations, and collaborating organisations. We completed a research project for them, which did two things. Part of it was that it ended up being Paradox, which goes on the endpoint. But part of it is device identity management, so the infrastructure that’s required to make use of health measurements from end-user devices so that organisations can manage the health and identity of devices across collaborating in diverse infrastructures.
Many of the principles that were behind CloudClient are called "zero trust"—having no trust in the network, even if it’s a network that you own, making sure that you’ve got strong source of identity for users and for devices, and making use of health measurements so that you can then define policies which provide fine grained control to the services and those business policies reflecting how you as a business value the different services you’re exposing online.
CloudClient was a precursor to zero trust, and today the NCSC increasingly publishes more around principles of zero trust computing and advise that if you’re deploying architectures that are cloud native, then you should look at zero trust architecture.
We do a lot of work with both the government and the private sector, helping them deploy those kinds of environments where you’ve got that enduring trust in collaborative, diverse environments. Some of the endpoints will be running Paradox, but some of them will be running in your Windows or it’ll be a BYOD device but ensuring that organisations can sensibly differentiate trust levels appropriately.
SD: What do you think is the worst cyber threat out there?
BP: I think it’s the cybersecurity market itself is unhealthily structured. There’s a lot of VC money in the cybersecurity sector. It has created a very dynamic and exciting market, but it has created a market with a lot of noise. So it’s not unusual to see cybersecurity organisations spending 70% of their revenue on marketing, and that creates a lot of noise that makes it very difficult for the buyer community to differentiate between either good or bad products or good products that are irrelevant to them or not. And there’s no trusted source at the moment because of the way that the market is structured that allows organisations to find their way through that. If you’re a very well-funded organisation with expertise that has the ability to unpick that journey and carry out some evaluation or assurance of services and products yourselves, that works out well, but the vast majority of people don’t do that.
SD: How has the COVID-19 pandemic changed cybersecurity?
BP: We’re seeing reports that organisations are expecting to see a permanent increase in remote working now, so the cyber criminals are increasingly targeting some of the technologies that we’ll use for remote working. There has been an increase in attacks on VPNs, for example, if you have a VPN client that’s not patched or is subject to a public vulnerability, then you are have an increased risk now than you had three or four months ago because the focus has switched. Certainly, the theme of COVID is being used heavily for spear phishing campaigns and fraudulent websites, but I think there’s another aspect to this as well, because there’s the attacker side of it.
Lots of organisations have wanted to do more for a long time to support mobility, to support remote working, to make more use of cloud services than they have been to better serve those diverse communities. But there’s very often a level of corporate inertia that prevents projects moving forward at the pace that organisations would ideally want them to move forward. And there’s a draw towards staying with the legacy IT systems in many environments. Some of that is because there’s this misplaced trust in the security of legacy IT and the efficacy of legacy IT. So this has created a real opportunity because you’ve got a mindset shift off the back of that cultural change that COVID has instilled and there’s a real opportunity for many organisations to strengthen their cybersecurity.
If you do deploy remote working with cloud-based solutions and configure them in a secure, sensible way, then there’s a very good chance you’ll be improving your security posture over legacy IT systems, especially if you’re taking an opportunity to embrace some of the latest standards, looking at some of the principles around zero trust, as I mentioned earlier.
This whole idea of continual authentication, a point of access to services, as opposed to having permanent confidence in the health of your legacy IT systems, that transition could be a very positive one for organisations from a cyber resilience perspective.