Cybercrime, it is something from which prominent companies like JPMorgan Chase (JPM:US), eBay (EBAY:US), Apple (AAPL:US), Google (GOOG:US) and, most recently, Sony (SNE:US) have all suffered immensely. Nonetheless, this threat still is seen as too abstract and ungraspable in our day-to-day life and in our boardrooms, and therefore the topic is simply left untouched. However, neglecting this major threat is potentially destructive; estimations of global losses vary between $250bn and $1000bn. In order to cope effectively with the risks of cybercrime, companies and individuals should immerse themselves in the topic. Only then can they start to identify and implement fitting solutions. This article serves as a steppingstone into the world of cybersecurity and the investment possibilities created by the growing need of cybersecurity. Since these topics are so broad, this article will be divided into two parts. Part one gives an elaborate introduction into cybercrime and cybersecurity, to make the readers more familiar with the subject. Part two will focus on the players active in the market, building further on part one. This part will look at what cybercrime precisely contains, the importance, growth drivers for the industry, development of the Industry and hurdles.
What is Cyber Security?
Defining what exactly is Cyber Security is extremely difficult. Hence, gathering data to estimate the total costs involved remains a highly dubious matter. Symantec (SYMC:US) estimated the total costs to be around $250bn, whereas Intel (INTC:US) thought the number closer to be around $1000 bn. In order to increase certainty, a better definition needs to be established, as the United Kingdom’s government has done. They tried to define the whole industry rather broadly, including everything from Big Data analytics to identification theft. Following this broad definition will most certainly result in global losses closer to Intel’s higher-end of the bandwidth.
The Cyber Security industry is mostly conceived as abstract and complex, because of its highly technical nature. This complexity makes it a subject often to be neglected. However, the first step has to be to understand what cybercrime characterizes and its development is. Most technological trends are short lived and swiftly replaced by a more modern solution, phone calls are substituted by VOIP and hard disks are replaced by flash drives. The odd one out however is the internet; the internet is here to stay. Therefore, securing this medium is of the upmost importance.
Cybercrime started with college geeks trying to hack into a certain system, merely to see if it was possible to crack it. However, nowadays hackers have united themselves in fully professional organizations, mimicking organization styles of many SMBs. These organizations can have many motives for their doings, which makes them even harder to bust. Motives can take many forms, including organized crime, malice (vengeance or untargeted damage), terrorism and hacktivism (seeking attention for a certain cause). All these motives require different solutions, only further complicating finding proper security solutions.
Although no conclusive estimation can be given on the magnitude of the losses involved in cybercrime, it is evident that these losses stretch into the hundreds of billions. Moreover, as the number of internet users continues to grow (Figure 1), even more opportunities to hack present itself, enhancing the cyber risk and adding demand for Cyber Security.
Figure 1: Forecasted number of internet-connected devices
Source: The Economicst, Cisco
The Internet of Things (IoT) will have great influence on the demand for Cyber Security. Not only does this trend increase the number of internet users, it also changes the kind of equipment connected to the internet. Wearables like watches and other small gadgets need to pack a lot of hardware in a relatively small case, which increases the chance that the hardware and/or software leave vulnerabilities in the product. Consecutively, the IoT will expand the existing supply of data available, a trend called Big Data. Big Data carries a lot of value to certain people, some of which intend to acquire this by cybercrime. One last reason which stresses the (future) importance is that, due to the IoT, utilities and household appliances will be connected to the Cloud, the risk of physical damages due to cybercrime is becoming possible. Hackers theoretically can gain access to, for instance, breaking systems of cars, pace makers and even airplanes. The fact that people from the other side of the earth are capable of inflicting physical damages to our daily lives frightens many people. This fear even slows down many technological trends, simply because too many concerns exist whether or not these new technologies are safe enough in the first place. As becomes clear from this reasoning, the importance of cybercrime will only surge in the upcoming years. In order to analyse the catalysts to this industry, several growth drivers will be analysed in the following paragraph.
Understanding the main growth drivers is key in understanding and being able to take full advantage of the market. Some drivers have been touched upon in preceding paragraphs; mainly the increased demand for Cyber Security as an effect of the increasingly growing number of internet users.
Furthermore, cloud computing also plays an important role in the need for Cyber Security. Our lives are getting more inter-connected every day and this is partly because of cloud services. Data-centers storing these data sets need to have cutting-edge security in order to guarantee one’s privacy. The use of cloud computing is still gaining momentum, thereby qualifying as a fervent growth driver.
Moreover, governments have started and are continuing investing heavily in the cybersecurity market, mainly because they realize that the war of the future is no longer taking place on physical battlefields, but online. Adding to the effect of government cyber R&D is the fact that for instance the American government is actively collaborating with the private sector and willing to share precious insights. The US government does this in order to maintain its strong position on the cyber-warfare continuum, initiating a R&D frenzy. These public R&D programs provide definite upside potential to the sector.
Also, the increasing awareness of (potential) threats moves Cyber Security up on the priority list of boards. The full issues of lacking board awareness will be further discussed in the segment ‘Hurdles’. Concerning cybercrime awareness, media coverage on the matter is intensifying; countries and companies are openly accusing others of committing cybercrimes. This spreads fear and misunderstanding among the masses, which creates awareness and, in turn, growth for the industry.
Last but not least, regulations need to be suitable for business’ needs. As of now, it is illegal to commit cybercrime in the United States. However, some defence mechanisms include offensive elements that are currently illegal, to the dislike of many MNEs. This implies that certain prominent companies know exactly which country or company commits the crime, but when they act on actively shutting down the particular servers, they commit a crime themselves. Of course, companies in positions like these are truly frustrated.
Current laws need to be modernised in order to actively enable companies to defend themselves and their assets. Cybercrime is developing in a swift pace and in order to protect our economy, modern legislation and regulation is urgently needed. This modern legislation on the subject of cybercrime can definitely cause a real spike for the industry as a whole.
Cyber Security Today
The Cyber Security industry of today can be classified into two categories: pure-play companies and tech-giants, like IBM and Intel. In the past, software makers were heavily shattered and independent, as every company exploited their own niche market, but with the current pace of development, this is no longer sustainable and the industry needs consolidation. The internet industry is a great example of another branch that is consolidating different services into one ecosystem . Companies like Facebook, Google and Apple all have their own ecosystems; fenced off gardens, in which customers are “trapped” because all of their individual needs can be satisfied in the same location. Therefore, many of the giants acquire these niche players and integrate the acquired services into their own, striving for similar profitable ecosystems. However, as only a relatively small number of these pure-play companies exist, a true M&A frenzy has begun (figure 2), driving up the valuations from these “small” companies (further reading in Part 2).
Figure 2: M&A activity in the Technology Sector
Source: Centaur Partners
In support of the described reasons for the increased M&A demand, Figure 3 compares the different sectors within the Tech market. As can be seen, Security Industry is starting to gain pace, but growth levels nowhere close resemble those of the Internet and Data branches. The Cyber Security industry is on the verge of gaining global coverage, which will create promising M&A opportunities for the companies in the respective sector.
Figure 3: Global Technologysector 5-year share price performance
Source: CM Research
Another distinctive feature for the current phase of development for the Cyber Security industry is that prevention is labelled as the definitive solution for the cyber problem. Although prevention is always an important first means of defence, mere prevention is no longer sufficient to protect your valuable assets. Ted Schlein, General Partner at Kleiner Perkins Caufield & Byers (KPCB) comments on this development:
There are two types of companies: those that know they’ve been breached, and those that haven’t figured it out yet… The game is no longer about prevention; it’s about detection."
Schlein hints that the focus on prevention should shift to detection. Only if a threat is actively detected, can real time defence systems be triggered and only then can the threat be exterminated. Although the seemingly superfluous notion that detection is essential, this is less “obvious” than it seems to be. Traditional warfare is all about prevention and defence, literally entrenching as to repel the enemy. However, with cybercrime, the enemies are not as easily visible as with traditional warfare and therefore detection is crucial, i.e. what purpose serves entrenching when the enemy is invisible? This asks for real-time protection, actively incorporating and assessing all threat vectors, in order to instantly detect threats in order to find a suitable solution. This indicates that cybercrime has changed from single static events to high-frequency multiple attacks. The need for these Cyber Security dashboards, enabling real-time defence, is another argument in favour of the creation of the aforementioned ecosystems. In conclusion of this part, cybercrime is developing quickly and companies, if they implemented any security at all, should adapt continuously in order to stay in the game. Figure 4 provides a comprehensive overview of the current state and dynamics of cybercrime that have been elaborated in previous parts.
Figure 4: Modern vs. Legacy cybersecurity companies
Source: Wells Fargo securities
In this last section of part one, the most challenging flaws of Cyber Security will be discussed.
The first misconception, as has been briefly mentioned above, is that cybercrime is sufficiently understood in order to counter it, whilst it is not. Although this problem is diminishing, the board level understanding is still too low. One of the reasons for the low levels of awareness is that no company has been bankrupted by cybercrime (yet), causing the risks to be underestimated. Moreover, the technical and abstract nature of the industry causes it to be degraded to the operational levels of the company, placing Cyber Security outside the board’s scope. JP Morgan Chase names open communication as an easy but adequate solution for this problem; board members should have frequent conversations with their IT directors in order to make the IT department a central part of the company. Many companies have realized this already and employed CISOs – Chief Information Security Officers. Furthermore, the level of awareness has to increase, especially in the higher layers of companies, these executives need to be schooled in the risks of Cyber Security. Finally, the aforementioned dashboard-like control systems should be implemented, creating a bird’s eye overview of the company’s vulnerabilities. Again, some companies have pioneered in this, including Facebook (FB:US). This social media giant has implemented a platform called ThreatData, which serves as a continuous data stream, analysing potential threats. If threats are detects, then these will immediately be added to Facebook’s blacklist, rendering them harmless. The financial sector in the US, the most affected sector by cybercrime (Figure 5), decided to collaborate in a government initiative, the MS-ISAC – the Multi State Information Sharing & Analysis Centre, which spends $4.5 mm on Cyber Security annually. “The MS-ISAC 24x7 cyber security operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification and mitigation and incident response”, according to the MS-ISAC website.
Figure 5: Breach frequency per industry
Source: Wells Fargo Securities, LLC, Verizon 2014 Verizon Data Breach Investigations Report
However, many companies are still sitting-ducks. Apart from awareness, active solutions and board-room understanding, a relatively simple answer is the lack of funds invested in mitigating these security threats. Let me illustrate this using an example from Wells Fargo. Currently, small and large companies are spending about 5-8% on ICT. Within these ICT budgets, approximately 5% is accounted for security, leading to a 0.25% of a typical company’s annual revenue spent on Cyber Security. Wells Fargo and the Ponemon institute have both consented that the cost of cybercrime in the US is 2-4 times larger than the investment. This constitutes a clear mismatch- potentially serving as a further catalyst for the security sector.
In conclusion, a growing number of companies have been attacked in cyber space, further stressing the importance of Cyber Security. The losses at stake are more than enough to justify further investments. Furthermore, as cybercrime is becoming increasingly organized and the “crime” itself even more advanced, stakeholders require real-time security solutions. These systems can most simply be created by consolidating several so-called pure-players, a process giants like Intel and IBM already have engaged in. The Cyber Security industry is hot already, which will only be fuelled further due to the catalysts identified; board’s awareness, active engagement and increased spending.
This part, Part 1, has served as a general introduction into the specifics of the industry. The following part, Part 2, will focus more on the individual players active in the industry, comparing the larger and the smaller companies and their respective strategies. Moreover, the “older” companies will be analyzed to assess whether they can revolutionize enough to stay in the game. In short, Part 2 will serve as a roadmap into the complex, and sometimes highly overvalued, industry of Cyber Security, also highlighting somewhat more concrete investment advice.
Enjoyed this article?
With your help, we can keep this website ad-free. Support Foresight Investor with a donation!
Karsten is currently studying finance and is a member of Risk. He organised the Risk Finance Symposium and invests on his own account. He specializes in equities, technology and emerging markets.