The NCSC Cyber Accelerator is a collaboration between the UK Government Department for Digital, Culture, Media and Sport (DCMS), the National Cyber Security Centre (NCSC, part of GCHQ) , and Wayra UK (Telefónica's Open Innovation Hub).
What sort of companies is the NCSC Cyber Accelerator looking for in upcoming cohorts?
For the upcoming cohort that is due to start in January 2021 (TBC), we are seeking start-ups whose products / services are focussed on cyber security for Smart Cities. You can find out more about our Smart Cities scouting themes, that are briefly outlined in the titles below, here.
A key difference this year is that we are also accepting applications on a rolling basis and will be filling up further cohorts on a first-come-first-served basis throughout the year. Our first 10-week programme, starting in January (TBC), will centre on the NCSC Smart Cities titles outlined above.
However, we are always open to applications from start-ups with solutions that could be for any customers, from individuals at home to the world’s biggest companies, but start-ups must address one or more of the traditional NCSC challenge title themes outlined briefly in the bulletpoints below and fully in the "Themes" section further down this page.
As part of its mission to make the UK the safest place to live and work online, the NCSC is looking for start-ups who:
What does the NCSC Cyber Accelerator programme involve?
The NCSC Cyber Accelerator is run in partnership with Wayra UK, combining the NCSC’s technical expertise and Wayra’s commercial expertise to the World’s entrepreneurial ecosystem.
The programmes will run for 10 weeks each in Cheltenham and meet in person three days a week.
In order to make best use of working with the NCSC and GCHQ, the programme is based in Cheltenham and a founder of each company is expected to attend each day. To have a national reach but a Cheltenham-focus, the programme offers a £9,000 stipend to cover travel costs.
Each cohort selects up to 10 companies, which range in their maturity from early stage angel investment to securing initial seed investment.
Through a combination of technical and commercial mentorship and introductions, the programme works with start-ups to:
NCSC Cyber Accelerator Programme in 2020/2021
In order for start-ups to derive as much from the programme as possible, it has been established as a physical and in-person programme and we plan to maintain this key characteristic.
We intend to commence the first cohort, in person, in late July 2020, however we will confirm exact dates once there is more clarity on travel and lockdown restrictions due to COVID-19.
We are accepting applications on a rolling basis and will be filling up spaces on upcoming cohorts on a first come first served rule for those start-ups who are successful at a selection day.
Start-ups who have applied and progress to a selection day will need to attend (either virtually or in person) an NCSC selection day on one of the dates below. We will be scouting on a rolling basis for the three programme cohorts across the year. We have up to 10 spaces on each cohort.
Assessment Dates
Existing solutions tend to consider cross-domain technology as meeting a high-assurance need. We are interested in similar capabilities, but developed with more of a commodity threat model in mind.
Following on from this, MSPs, for example, manage in a ‘Browse-up’ manner. Solutions that achieve segregations such that an infection in one device does not infect others are important in this regard.
Anti-virus companies are well-versed in identifying cyber attacks and iterate their response as attacks evolve. Cutting-edge, disruptive techniques that would identify attacks are of interest, especially those that can anticipate early stages of process – preparation, information gathering, reconnaissance, and build-up. An attacker will generally assemble an infrastructure and utilise a number of methods to anonymise themselves. Next-generation tools to help characterise this are also welcome.
Tools that take account of real time threat and vulnerability information and allow a manager to change their operational posture in an agile way are also of interest. We acknowledge that it is difficult to keep track of vulnerabilities in real time – and that the vigilant will be patching as they go – but tools that assist in this regard are considered helpful.
Making threat intelligence actionable for small companies in an automated fashion is of value.
Conversely, there are some use cases where data aggregation can be a problem. A specific example here would be in Building Information Management where, for example, every person involved in the design of a building gets access to the totality of information, resulting in the entire design (complete with vulnerabilities) being – effectively – publically available.
Not ‘total cyber awareness’ but some simple straightforward tools/techniques and capabilities to make it easy to monitor the network of systems. Today, most people pipe the logs to disk and only review them post-incident.
Software agents that provide a monitoring capability are of interest; those which are agnostic of operating system would be most valuable. However, all operating system manufacturers want their system to operate in a controlled way (for example to prevent malware from obtaining the kind of privileges that AV products enjoy) and they typically provide system functionality to enable this.
Tooling that makes use of enterprise audit, monitoring or other existing functionality to identify anomalies or make improvement – eg spotting system crashes and working how many lost business hours there are – is preferred.
A big challenge in securing a large organisation is keeping track of where sensitive information actually is, against where the user thinks it is. This may be because of inadvertent data replication of data, or by users taking copies of data, or starting to use new processes and solutions outside of the visibility of the enterprise.
Tooling to help an organisation discover exactly where its data is, and provide indications of its relative value and the information and services that it relies upon, is valuable in helping to prioritising focus, and also to identify compliance issues in regulated sectors.
As with detection methods, there are numerous mature products in existence. We are interested in innovative, simplified, more efficient ways to stream, store, mine, and visualise heterogeneous network data, while retaining necessary security policy and auditing requirements, to enable the greatest capacity of analysts.
This could include the automation of routine procedures around data landing, linkage, sematic assignment, formatting, identity resolution, aggregated feature construction, imputation, and interpretation of missing data, anomaly detection and correction.
People find it very hard to generate and remember different and complex passwords for the range of devices and services they use. They also find it tiresome to enter them manually.
We are looking for approaches that reduce the burden of passwords without compromising security. Ideally solutions should adopt existing standards, and make use of hardware security features built into commercially available devices.
Existing products use a range of biometrics and physical tokens, with variations in the level of protection offered to credentials. We believe there is room to improve the state of the art in terms of the options available, the protection of critical components, and also novel combinations of techniques (such as multi-factor or continuous authentication).
Whilst it is true that there is a kids’ version of, for example Youtube or Itunes, it is difficult for the responsible adult to configure a machine to be child-friendly (or vulnerable person-friendly). An out-of-the-box solution that makes it safe for vulnerable people to interact on line would be a welcome addition to the marketplace. This includes making it harder to become the victim of grooming activities or visiting unsuitable websites.
Some users can be classed as VVIPs and require bespoke support. Tools that enable such individuals to understand their digital footprint and which can easily offer advice and guidance – or ‘canned’ environments – dependant on the situation are of interest. Enterprise versions of such tooling – which expose the digital footprint of an organisation – are also valuable.
Board members generally have limited time, limited understanding of cyber risks, limited money and a set of other pressing problems to solve. In this challenging environment, we are looking for mechanisms that help boards take the cyber risk more seriously, where information is presented in a way that is both compelling and digestible to that specific audience.
This same issue is prevalent more generally. Mechanisms that will allow a cyber conversation in a way that is accessible and persuasive to different audiences are of interest.
Tools that enable mobile phone users to be aware of and manage the activities and privileges of the apps they run are of interest, as are those that enable users to more easily use white/black lists for apps.
In addition, tools that make it easier for app users to manage the risks they face when they click “yes” to highly complex and voluminous terms and conditions, or how much identity and other information they are giving away, would be of value. Low-cost solutions are preferred.
Easy to digest, modern, high-quality training packages that are suitable for the lay person (and could potentially be NCSC approved) are currently in short supply and would be of interest.
Having said that, attempts to train users on ways to avoid phishing attacks do not work for everyone; humans are not best placed to make these decisions. Tools that enable the computer to determine whether an e-mail is trustworthy could help with this problem.
Tools that have a capability to ’learn’ what normal looks like (noting and accommodating the fact that the norm is not always the good) in terms of system/user access to sensitive sets of data in order to allow system owners to produce profiles (or other artefacts) from which anomalous behaviour can be identified and acted upon.
Related to this, an ability to profile user behaviour would assist us in awareness campaigns and to highlight areas where greater awareness may be necessary (or where no intervention is required).
Whilst large corporates are alive to the issues, organisations such as SMEs, charities and other non-profits are yet to fully understand the implications of GDPR, which require companies to prove they have taken adequate steps to properly manage personal data.
Charities in particular are focused on their front-line delivery and, as a rule, spend little on IT security. They believe that their mission – to do good – is enough to prevent any accusation of poor practice.
An ICO fine is likely to have a disproportionate effect on the survivability of organisations like these. Low cost, easily implemented solutions to this problem are required if we are to make a difference here.
Note that awareness raising alone is insufficient; we ae looking for products or services that improve security.
We would like to see many more small companies meeting the Cyber Essentials benchmark. Any tools that can assist in this regard would be of interest.
We want companies both to achieve Cyber Essentials, but also to maintain their security posture so, for example, automated vulnerability assessment may also feature here, as would any products and services that helped companies who had already achieved cyber essentials to take affordable next steps. As the objective relates to small companies, a low-cost solution is preferable.
One of last year’s cohort in the Cyber Accelerator programme is Trust Stamp, which uses artificial Intelligence, deep neural networks and biometrics to create unique digital identities, bypassing the need for usernames and passwords.
An application developed by the company records facial biometrics, irreversibly converts them into a 'non-PII hash' and matches them with multiple sources, such as public records or social media to verify a person’s identity. Trust or preference data can be connected to the hash to facilitate transactions, whether by commercial or governmental agencies. Mastercard has already invested in the enterprise.
The company was co-founded in 2016 by CEO Gareth Genner, who said: “Biometrics are now ubiquitous as a method of authenticating identity, but they should not be stored. Our application allows a mixture of biometrics to be used but protects against the common vulnerabilities of fake identities, phishing and online security breaches by storing a non-PII hash that is matched using probabilistic Artificial Intelligence.
“Our initial work with Mastercard has been focused on enhancing data security in environments with low connectivity, such as parts of Africa, where we can create protected legal identities that can help communities when they want to register for, say vaccination programmes.
“Our company ethos is to create a world where secure, trusted identity is a universal human right, empowering opportunity and access for all.”
Gareth adds that the company’s participation in the Cyber Accelerator programme brought the benefit of “access to a huge amount of expertise from the NCSC that was simply not available anywhere else in the world.
“Through our links with NCSC we now have eleven staff gaining from that expertise in Cheltenham, and means that this year we are creating 20 new jobs in the area.”
Robotic systems may be used in such things as critical city infrastructure and supply (water, power, logistics, etc…), smart manufacturing, unmanned transportation systems, robotic assistants and companions. This is “IoT on wheels”: IoT operating dynamically in uncontrolled environments off-grid, or with low bandwidth backhaul, or within restricted, isolated and/or constrained physical environments. Issues in addition to conventional fixed IoT include: assurance in the field of correct robot operation to avoid harm, accident, or malicious performance degradation; tamper detection on moving/transformational machinery; corruption of machine perception; perversion of machine personality & behaviours; safe destruction of on-board persistent and volatile data; reliable secure mobile communications (mesh/multimedia) in hostile environments; implications for personal data creation & handling (in medical/personal applications, etc…)
Why is it important to the NCSC?
The cybersecurity challenges within this topic are those already of concern to NCSC, but are intensified by the mobile nature of robotic systems in uncontrolled/semicontrolled environments – there are no obvious ways to scale or adapt existing mitigations to compensate for this elevated risk. There are additional challenges surrounding robotic behaviours, these affect reliability, safety, and trust as machines start to occupy roles previously occupied by humans. We need a deeper understanding of both these issues.
Data is central to any smart city. Taking a data driven approach to governing and operating a city can bring significant benefits in terms of efficiency and improvements to quality of life of its citizens. The volume of data collected is increasing with each new smart city initiative and the nature of the data collected can provide deeper insights to both the city infrastructure and the citizens. The data can be attractive as it may yield high-value or sensitive information if unintentionally disclosed or obtained by malicious actors. Increasingly citizens are beginning to have to share their data to participate in society. Data should be protected at rest and in transit and a primary focus should be on the privacy of the citizen. We seek solutions and technologies that enable safe sharing and consumption of smart city data at scale. Additionally, we seek solutions that help enhance the citizen’s trust in the systems that they interact with and that consume their data.
Why is this important to the NCSC?
NCSC issue guidance on data security and privacy. Smart cities are collecting more data and the nature of that data can provide new deep insights into the operations of a city or region and the citizens within. We would be interested in solutions that enable safe use of data at scale, that are operationally viable in a smart city.
The most distinctive feature of a smart city is heterogeneity, both in terms of technologies deployed and approaches taken to development. In the UK we see a growing number of smart city initiatives. Cities celebrate their uniqueness and have their own strategic directions. As a result, they are implementing specific and tailored solutions. This customised approach adds to the complexity with many smart cities initiatives looking like systems of systems. The enabling technologies are becoming more complicated and are being bolted onto large infrastructures. There is an increasing need to identify devices joining large and changing network infrastructure and to spot anomalous and or malicious behaviours. We seek solutions and technologies that help to improve situational awareness on large scale heterogeneous networks and help to improve the security posture.
Why is it important to the NCSC?
NCSC are seeing increased demand for advice on cyber security of smart cities. Tools and techniques that allow us to understand the composition of large infrastructures and identify anomalous or malicious behaviours can help with monitoring and incident management. These tools would need to be capable of identifying non-tradition devices such as IoT from a range of different vendors, all with there own cyber security risk profile.
As cities look to smart solutions to help drive improvements in the operational efficiency of their infrastructure, we inevitably see integration into Critical National Infrastructure. We need to understand the points at which smart cities and CNI meet and identify any additional cyber security risks and or interdependencies. Whilst smart management of national infrastructure can bring benefits it can also extend the attack surface. We seek solutions that enable safe and secure interfacing or integration with CNI.
Why is it important to the NCSC?
NCSC are expanding our research portfolio in CNI we regular provide advice and guidance on CNI cyber security. We are looking for solutions that help to shape our guidance as we see this emerging landscape of smart technologies interfacing with the CNI.
Solutions that help users, from the citizen to enterprise-level, to be safe online. Examples include (but are not limited to):
· products that make it easy for users to make secure decisions in online or connected environments;
· automated tools that take the onus off the user to avoid being phished;
· tools that enable users to manage the risks they face when using apps and online services, such as app-locking or other privacy mechanisms;
· products that integrate training and user education in novel ways.
An NCSC team are involved in the running of the accelerator and NCSC experts provide mentoring to the start-ups.
The programme is based in Cheltenham for 10 weeks and start-ups are required to have a founder present three days a week.
Wayra is part of Telefónica Open Innovation – a global accelerator hub network. This network runs seven hubs in Europe and Latin America, that reach the entrepreneurial ecosystems of 10 countries. This makes Wayra the world’s most global, connected and technological innovation hub.
Telefónica is one of the largest telecommunications companies in the world by market capitalisation and number of customers with a comprehensive offering and quality of connectivity that is delivered over world class fixed, mobile and broadband networks. As a growing company, it prides itself on providing a differential experience based both on its corporate values and a public position that defends customer interests. The company has a significant presence with over 346 million accesses around the world. Telefónica has a strong presence in Spain, Europe and Latin America, where the company focuses an important part of its growth strategy.
As a result, Wayra UK is especially well-placed to work with start-ups to help them understand the challenges faced by larger corporate and government entities, and how to work with them successfully. Wayra UK also runs numerous successful accelerators nationwide with other world-class partners. In each case, its primary aim is to find new sources of revenue and/or innovation for the start-ups.
The National Cyber Security Centre is a part of GCHQ and is integral to the UK’s efforts on cyber security.
Competing against a number of high quality submissions, Wayra UK won the procurement competition run by NCSC, in accordance with normal NCSC procurement procedures. The NCSC considered a number of high quality submissions, with Wayra UK being the eventual winner.
Wayra UK is part of Telefónica Open Innovation, the open programme that integrates the different initiatives of the whole Telefónica Group related to entrepreneurship and innovation.
NCSC does not comment on its relationship with any of its suppliers. All of the companies who participate in the accelerator programme have access to the NCSC’s technical expertise to support them in developing their products, solutions and businesses.
Wayra UK gives selected start-ups direct funding, acceleration and pre-acceleration services (such as co-working space, connectivity services, mentoring, access to Wayra UK’s network and knowhow, training in entrepreneurship and business skills). Since its launch in 2012, Wayra UK has supported 193 start-ups, which have a combined value of over $1bn and have had 137 trials with Telefónica.
By connecting companies with the wider ecosystem during the programme, they are better positioned to secure contracts and investment and become self-sustaining or, where appropriate, to submit a strong application for other leading UK Accelerators.
By agreement, companies can also continue to use the NCSC Cyber Accelerator brand in their corporate communications even after the programme has finished.
Wayra UK has an active Alumni community, who return regularly to provide updates and take advantage of the networking opportunities available at many of Wayra’s events. Alumni can also utilise the academy in Central London to run their own events and hold meetings. Wayra are in the process of developing an alumni network for the NCSC Accelerator programme specifically.
The companies are given desk space in a high-specification dedicated accelerator facility in Cheltenham, with internet access, meeting rooms, event space and kitchen.
No. Those companies entering the accelerator will be developing products and solutions for wider commercial distribution. The accelerator is, however, looking for companies that can make a difference to the NCSC right now.
The accelerator is for companies who are registered as a UK company, with an active presence in the UK. Given the access that the programme provides, companies and their staff should be prepared to undergo Government security checks as required.
No. By participating in the programme, the companies are not required to give away any rights to their IP whatsoever.
Neither NCSC, GCHQ or DCMS will be taking equity in any of the companies.
Wayra and other companies supporting the start-ups are welcome to invest if they wish and the companies can agree to this, but this is not a requirement for entry to the programmes.
The companies will receive financial support of £9,000. This “travel stipend” is provided to ensure that cost does not prohibit a company basing at least one founder in Cheltenham throughout the programme. Effectively, this is to ensure that the programmes have a national reach but a Cheltenham focus.
The programmes run for ten weeks each in Cheltenham and meet in person three days a week.
Companies are invited to apply through an open competition. The start-ups will be chosen by an expert panel of NCSC, GCHQ, Wayra and Telefónica staff, alongside a panel of investors. We are accepting applications on a rolling basis and will be filling up spaces on upcoming cohorts on a first come first served rule for those start-ups who are successful at a selection day.
The accelerator is a key component of one of two cyber innovation centres announced by the Government in 2015. These centres are intended to support the growth and development of the next generation of cyber security companies, growing capacity and capability nationally, supporting NCSC’s core activity as well as contributing to Government ambitions to promote prosperity.