Sophos: Inside an Oxfordshire cybercrime facility

Somewhere in the depths of the Oxfordshire countryside, in an inauspicious-looking business park, sits Sophos’ global headquarters. This is a big glass ‘greenhouse’ with plenty of bright open spaces, wide staircases and lots of plants. From here it strives to fight the ever-changing world of international cybercrime.

At 31, with a $125m IPO last year, Sophos, like Sage, is one of those great British companies. And now, with the increased emphasis on cybercrime everywhere, it is growing at a furious pace with a year-on-year increase of 20% and revenues of $478m [PDF of latest results].

This still puts it some way behind most of its main competitors though. These are Symantec ($6.5bn), McAfee ($2bn) and Trend Micro ($1.2bn) in the end-point security space and Fortinet ($1bn) and SonicWALL ($265 million) in the networking space. Yet it is the only company to straddle both areas – its business is divided almost 50/50 between each area. And as a business strategy Sophos has set its niche on mid-market companies who want a comprehensive, easy to implement solution for their limited security staff.

Unlike many walks of technology, cybersecurity is rather egalitarian. There is a right or a wrong answer – it’s harder to trump quality with marketing in this space – which means if you’re good you can prove yourself to be good. After all, there are “bad guys” to be fought and the threats are constantly evolving.

This is the reason behind Sophos’ recent high profile spat with Cylance, explains CEO Kris Hagerman who is keen to stress that Cylance is not a particular competitor. The problem is that this company is “consistently making bold claims but never makes its software available to test,” he says. This lets the whole industry down and “that’s why we ultimately made a point of it.”

Due to the nature of the business – competing against criminals – cybersecurity has a long pedigree of shared research, peer-reviewing and academic-style in-depth white papers. And Hagerman is generally happy about the collaboration between vendors. “I think the industry has got better because the bad guys have got better,” he says.

Much of the real research takes place in Sophos’ Labs, which is housed on the second floor of its Oxfordshire headquarters and, to the naked eye, looks just like any open plan office space. Yet from here it is analysing a daily feed of live global threats, reacting to what it finds and releasing a new alert every four hours – along with live updates to the cloud.

This is data intensive activity – it hosts some with AWS but due to the sensitivity of its work it also runs its own datacentre facility in the basement. “The most depressing thing is humans have not evolved beyond spam,” says one of the engineers who explains how the usual tricks – like Nigerian princes and personal enlargements – do the rounds, and incredibly, still gain some traction.

Making cybersecurity accessible is a “huge challenge to the industry,” adds James Lynne, Global Head of Research. “Cybercriminals move on a scale of hours, days, months” while education moves on a scale of years.

There are 54 gangs out there “that we know about,” he says. These are all competing on price and over the last few years have become increasingly professionalised. 

In the briefest of timelines, he summarises that around five years ago the first exploit pack with a web interface and reporting superior to that of many defence companies emerged on the market. Three years back a helpdesk appeared. And 18 months ago he saw the first managed service with a money-back guarantee. “Although it might not be so easy to get your money back from a Russian criminal gang,” he adds.

The most recent development he has seen is that one gang stipulated that its solutions had to be used for targeted attacks only. The aim was to increase the longevity of its premium malicious code so it didn’t get fixed too quickly.

“It’s impossible to know how big the space is,” he says, but it’s highly lucrative and it is important to remember that 99% of attackers just want to make money.

This means the majority of attacks are simply a numbers game. And while a hacked system might be sold on to another operation for a more intrusive action, strikes are not normally that targeted.

