The ‘pessimist’ who brings realism and track record to the powerhouse vision


By Mike Cowley

As a Northern businessman who took a failing Manchester-based business and turned it into a global success story listed on the FTSE 250, Rob Cotton was startled to be described as “a pessimist” when it came to the Northern powerhouse.

The charge was made by Joe Anderson, Liverpool’s combative mayor, and addressed to the chief executive of NCC Group, the world’s leading independent cybersecurity and risk mitigation specialist, during a Super North in The Times Forum when both men were invited panellists.

What Rob Cotton admits took him aback was the fact that he is immensely proud of his Northern roots and is well known as a leading supporter of the Northern powerhouse movement – and also that the criticism came from someone he had never previously met.

The underlying causes of the disagreement that appeared to put the NCC Group chief executive at odds with the elected Liverpool mayor were Mr Cotton’s take on the importance of infrastructure to progress the initiative, along with his somewhat controversial stance on the current role of Northern universities.

After all, NCC Group has become a stellar performer in the cybersecurity sector during a period when there have been no significant improvements to the road and rail links – “we have still found it easy to get our people down to London for meetings”, Mr Cotton says – and for years the business never recruited anyone from its local universities, although relations are slowly improving.

“While I recognise the importance of infrastructure,” says Mr Cotton, “when we talk about this, we are talking about events that may not even happen in our lifetime. And who knows how the world may have changed by the time we get them? For me, it is all about doing things here and now. That’s the difference in perspective between business people and politicians.”

Mr Cotton admits that his take on infrastructure is probably influenced by his business being in the internet sector, which has transformed the way people communicate to collaborate – and which will continue to do so.

He also accepts that, while some people may not agree with him over the university sector, his views have been formed by the reality that, until his company became successful, there had been little or nothing in the way of offers of help to support his business.

As a result, he has set out what he sees as the business case for the Northern powerhouse in a letter to James Wharton MP, the minister with responsibility for such matters.

What Mr Cotton wants to see happen is for the main focus to switch to setting up four centres of excellence in the North, dealing with areas in which the region can become a global leader. Naturally, one of these areas is the one he knows best: cybersecurity.

It certainly seems that here is a major growth sector when you look at NCC Group’s recent performance. The latest results show that revenue for the group reached £93.5 million for the six months to the end of November 2015, a 50 per cent increase on the £62.3m reported for the same six-month period in 2014.

International revenue, most of which is currently derived from the US, grew strongly by 17 per cent to £34m in the six-month period, while other areas of global expansion continue apace and NCC Group now operates from 32 offices across the world, with more than 1,800 employees.

By way of example, the company has doubled the number of employees in its Madrid office, despite having launched the base only a couple of months ago.

All this is a far cry from when Rob Cotton took over as chief executive more than a decade ago. On arrival, what the chartered accountant found was little more than a basket case business: the banks were closing in as lack of profitability meant it was running out of money.

He was forced to apply “good business principles”, which effectively meant cutting costs in the form of staffing and finding ways of making the company viable through having a clear focus. Given that the only part of the group which seemed to have a future was in escrow – and was not actually selling the service at the time – he saw this as the commercial lifeline. That, and being innovative.

A chance call from a couple of banks which were considering a joint internet banking service took NCC Group into cybersecurity virtually by accident. The conversation went something like this: “We are thinking about setting up a joint internet banking operation, do you think it is safe?” “It doesn’t sound very safe to me.” In due course this turned into the first major web-based security advisory project for NCC Group.

Not having been involved in cybersecurity before, this project called on NCC Group to innovate – and that is how the company has stayed ahead of the pack ever since. When your business involves keeping out increasingly sophisticated criminals, you always have to try to be one step ahead of them.

Research into cyber threats has been the key to NCC Group’s progress, and the most recent breakthrough is discovery of the threat that hackers pose to the latest automotive models. A team from NCC Group led by Mr Cotton is currently at the Mobile World Congress in Barcelona with a “virtual car”, to demonstrate the company’s security testing techniques when assessing vehicle systems.

What they have found is that several car “infotainment systems” are vulnerable to a hack attack that could potentially put lives at risk by seizing control of brakes and other control systems. This can happen by data being sent via digital audio broadcasting (DAB) radio signals.

NCC Group demonstrated part of its technique to BBC Radio 4’s PM programme from its offices in Cheltenham. By using relatively cheap off-the-shelf components connected to a laptop, the company’s research director, Andy Davis, created a DAB station. Because infotainment systems process DAB data to display text and pictures on car dashboard screens, an attacker could send code that would let them take over the system.

Once an infotainment system had been compromised, an attacker could then potentially use it as a way to control more critical systems, including steering and braking. Depending on the power of the transmitter, a DAB broadcast could allow attackers to target many cars at once.

Wired magazine has backed up the NCC Group claim in a report where two US security researchers managed to remotely take control of a Jeep Cherokee’s air-conditioning system, radio and windscreen wipers while one of the magazine’s journalists was driving the vehicle.

NCC Group’s recent research has also produced another high-level threat warning – this time concerning phishing, in that 70 per cent of employees of large organisations cannot tell a legitimate website from a bogus phishing site.

The data comes from NCC Group’s phishing service Piranha, which it uses against clients during “red team” engagements and bespoke phishing social engineering projects. Over 500 emails were sent over a two-month period, with 22 per cent of recipients clicking through to a malicious site – and, of those, 70 per cent then went on to supply credentials.

Armed with this information, an attacker could gain a foothold within an organisation’s infrastructure. The emails were tailored to each target organisation but were not personalised for any individual.

“Phishing of this sort is the tool of choice for a number of threat actors – particularly organised crime rings and state-sponsored attackers that want to infiltrate a target organisation,” says Robert Horton, European managing director of NCC Group’s security consulting division. “Once they’ve obtained valid credentials, they can quickly move deeper into the organisation’s infrastructure in order to obtain access to sensitive data and then look to retain access.

“Protecting against these attacks is crucial and a 70 per cent success rate for an attack with relatively low sophistication puts the importance of employee education and the need for cyber-resilience into perspective.

“Given that the emails were tailored only to the organisation and not to individuals, it stands to reason that fully targeted ‘spear phishing’ – which involves emails that appear to be from an individual known to the recipient and in a context they expect – would have an even higher success rate.”

NCC Group actively encourages all its consultants to undertake their own research projects and develop associated innovative products – and there are so many of these that Rob Cotton does not know every single one. One thing he does know, however – and he believes that the Liverpool mayor Joe Anderson possibly does not know this – is that he has strong Liverpool connections, having not only attended university in the city but also having found his first job there.

“My Northern roots go down deep,” Mr Cotton insists, “and that’s why, like Joe Anderson, I am a strong supporter of the Northern powerhouse.

“Where possibly we do differ, even though we are both on the same side, is that he looks at it from the perspective of a politician, while my viewpoint is that of a businessman.”