For most people, mention the spa town of Malvern in Worcestershire and you evoke bucolic scenes of the rolling hills which flank it. For others, the town is best known for its most famous son, the composer Sir Edward Elgar.
Few will instantly think of Malvern as a hotbed of technical innovation. But this is where dozens of companies have formed a cyber security cluster, renowned both in the UK and beyond. This unusual blend of scientific know-how ensconced in a rural idyll began in the Second World War, when Britain’s radar experts were moved – for safety and security reasons – from the south coast to the Worcestershire spa town.
This core of knowledge and intelligence has remained in Malvern ever since, in various guises. Its most recent incarnation is the Malvern Cyber Security Cluster, a group of more than 50 cyber security SMEs based around Malvern, but with members in Herefordshire and Gloucestershire.
The group co-operates on a range of initiatives to grow their cyber security businesses. “For many years Malvern had the highest number of PhDs per square mile of anywhere in the country,” says Dr Emma Philpott, founder and manager of the Malvern Cyber Security Cluster, which was created in 2011.
“With the area’s technological past, its current wealth of experts and the fact that GCHQ is down the road, it’s created a kind of historic perfect storm.” Cyber security is an increasingly important issue for businesses, big and small; in the 30 days up to 5 January 2015, there were more than 12 million reported cyber attacks around the world, according to the HackerWatch website run by McAfee Inc.
What’s more, only 10% of attacks are actually reported, according to Encription Ltd, an information-technology security firm in nearby Kidderminster, and a member of the Malvern Cyber Security Cluster. A 2013 report entitled Competitive analysis of the UK cyber security sector, commissioned by the Department for Business, Innovation and Skills (BIS), estimated the UK cyber security sector to be worth almost £2.8bn, forecast to reach over £3.4bn by 2017.
That represents an annual growth rate of 5.7%, whereas the total IT market in the UK is set to grow by only 2.1% in the same period. “The BIS report showed that 14% of the cyber security businesses in the UK are within a small geographic region referred to by Government as ‘Cyber Valley’, which runs from Malvern in the north down either side of the River Severn through Cheltenham, Gloucester and Bristol and across to Newport and Cardiff.”
A materials scientist by profession, Dr Emma Philpott and her husband Adrian moved to Malvern from Singapore four years ago. “Everyone was working in cyber security and they didn’t know each other, so I just thought ‘let’s all meet up,’” she recalls. “It was just an informal, free meeting – no terms of reference or minutes – and as soon as they met they were sparking off each other.
“It’s a strange environment, because they tend to work on secret projects so they’re not able to talk to lots of people, or others just won’t understand what they’re working on. “Most of them have too much work, so just finding partners can be difficult – that’s where the cluster helps; there haven’t been any competition issues, it’s more about ‘let’s work together’.”
The success of the Malvern cluster sparked interest from both the UK government and other cyber companies around the country. There are now 16 cyber clusters around the UK, all run from Malvern by Dr Philpott and her team.
Dr Philpott also helped to establish an umbrella organisation, the UK Cyber Security Forum, with over 300 small companies in the network. She is also CEO of cyber security company IASME Consortium Ltd, which offers an information assurance management standard for small companies. Certification to this standard shows that the business is implementing at least the basic requirements of cyber security.
The company is based at the National Cyber Skills Centre, which runs a range of courses on Cyber Essentials, a government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks.
Worcestershire County Council’s recognition of the region’s excellence in the field is highlighted in its Growing Cyber programme of tailored training and support for small and medium-sized Worcestershire-based businesses. “The clusters and forum give companies visibility,” says Dr Philpott. “The biggest problem for small companies is getting security clearance, because you usually have to be a big company, so companies can’t even see the bid documents because they’re not cleared – it’s a major barrier.
“Last autumn I signed a memorandum of understanding with a big trade association called ADS and they now sponsor security clearance for any company in the UK Cyber Security Forum, which is brilliant.” As well as the growing risk of companies’ accounts being hacked, the government’s Cyber Essentials certification will soon be mandatory if companies wish to apply for government contracts.
“Cyber security is one of the few areas that has had an increase in budget throughout the recession,” says Dr Philpott. “It’s classified as a ‘Tier 1’ security threat – the same level as terrorism. “It’s a bit like selling insurance because you say ‘you might get hacked’; soon there will be EU legislation about mandatory reporting, so if you have a breach you will have to report it. At the moment you would not believe the amount of data and money going out that companies stay quiet about.”
“If you’re a small company and you want advice on cyber security you don’t go to a big multi-national, you go to the small company that is just as knowledgeable but they’re down the road and probably not as expensive.”
Dr Philpott says she is increasingly seeing a wider range of companies interested in cyber security that are keen on speaking to members of the cluster. “The sector’s booming and the companies here are some of the most exciting.
“At the moment the only reason they’re not conquering the world is because of all the barriers – the way government and companies procure things does tend to favour big companies. If someone wants a solution to cyber security, either you have to contact a big company or try and find lots of small companies and patch it together yourself.
“We’re looking at a way of small companies working together.