Personal computers and smartphones have changed the way we talk, shop, work and learn. But they have also spawned a new breed of criminals who don’t need weapons to steal, threaten and intrude. As consumers, businesses and governments awaken to the danger, many are turning to cybersecurity companies for protection. That gives investors a prime opportunity to profit, but picking winners in a complex and fast-evolving space is no easy task.
Cybercrime is on a par with narcotics in its damage to the global economy, costing an estimated $400bn-$575bn (£255bn-£367bn) a year. That figure is close to £27bn for the UK alone. And the threat is growing – security breaches increased by almost two-thirds between 2012 and 2013, exposing the identities of 552m people worldwide. “Foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day,” wrote US President Barack Obama in a recent comment piece for a US newspaper. “It would be the height of irresponsibility to leave a digital backdoor wide open to our cyber adversaries.” Perpetrators include Chinese espionage unit APT1, which has infiltrated 141 companies since 2006, and the Syrian Electronic Army, which hacked into half a dozen Western news agencies just last month.
Soaring cybercrime has implications for numerous industries. For instance, banks and retailers have clashed over their accountability for cyberattacks. The US 'cyberinsurance' market is already worth $2bn. And fraud is a major headache for advertisers, as unsavoury individuals can place invisible ads on websites, or pad their online traffic by using computer programmes called ‘bots’ or distribute malware that opens up unsolicited websites.
Several trends are magnifying the frequency and impact of attacks. The spread of connected devices, known as the ‘Internet of Things’, has made cars, homes and even wearable accessories vulnerable. A wily hacker fiddling with your thermostat might seem innocuous, but consider one that meddles with your burglar alarm or your car’s brake sensors. The flood of new generic top-level domains (gTLDs) such as .xyz and .co is another concern, as it’s easier than ever for fraudsters to pose as legitimate businesses. And workers are increasingly bringing their own laptops and smartphones to work – a trend that NCC (NCC) chief executive Rob Cotton calls “bring your own virus”.
NCC, one of several UK-listed cybersecurity companies, stores organisations’ critical data and helps them to identify and remove security flaws in their systems. Its latest money-spinner is .trust, a gated online community that requires members to meet and maintain rigorous security standards. Investors may salivate at the group’s prospects, with analysts forecasting pre-tax profit growth of 29 per cent next year. But its shares trade at 24 times full-year forecast earnings, which is far from a bargain.
It’s a similar story at GB Group (GBG), which helps the likes of HSBC and Skandia to electronically confirm the identity of their customers. It aims to “verify anyone, anywhere in the world, at any time”, says chief executive Richard Law. That isn’t a pipe dream, as GB’s services already encompass 4bn people. The group has boosted its outlook by acquiring Transactis, which parses transaction data to root out scams and tailor marketing, and Dectech, a specialist in fraud detection and credit risk analysis. The upshot is that analysts expect both sales and pre-tax profits to rise a third this year. But GB’s shares trade at the same rating as NCC, limiting short-term upside.
Both look cheap compared with Eckoh’s (ECK) shares, which trade at 38 times full-year forecast earnings. The recent surge in cyber-attacks is providing a tailwind, as “companies can’t afford to be the next headline”, says chief executive Nik Philpot. Eckoh’s flagship technology, CallGuard, bars call-centre staff from accessing customers’ credit and debit card numbers while they process applications or payments. But the real potential may lie in its new OneProx product, which encrypts card numbers to make them useless to thieves. The group plans to offer OneProx to e-commerce companies and eventually roll it out to point-of-sale terminals.
Eckoh recently won eight contracts in the UK, and its burgeoning US division has won three new deals since June and is already trading profitably. Moreover, it has signed an exclusive reseller agreement with West Corporation, which manages customer relationships for four-fifths of America’s 500 largest companies. Factoring in modest gains in the enormous US market, analysts at N+1 Singer expect Eckoh’s organic pre-tax profit growth to average 30 per cent over the next three years.
A better bet might be Accumuli (ACM), which lets companies outsource their security needs. It provides third-party data analytics and threat intelligence products, supported by its expertise and technology. The industry minnow continues to benefit from the proliferation of unsecured devices. “Lots of people spent ages building castles with really high walls,” says chief executive Gavin Lyons, referring to the companies behind traditional network security. “We’re knocking those walls down.”
Accumuli derives 64 per cent of its gross profits from recurring sales, giving investors a clear view of future revenues. And only a fifth of its 719 customers use more than one of its products, providing an obvious route to sales growth. The group has also made strides into the explosive ‘big data’ space by winning two large contracts for its data monitoring and analytics solutions. The result is that analysts expect both sales and cash profits to rise by about a quarter this year. Yet Accumuli’s shares trade at an enticing 14 times full-year earnings and offer a 3 per cent forecast yield, which should appeal to investors.
Rather than offering a broad suite of products, Corero Network Security (CNS) addresses ‘distributed denial of service’ (DDOS) attacks that disrupt servers and networks by overloading them. Perpetrators aren’t “teenagers in their bedrooms”, says chief executive Ashley Stephenson, citing cases of hackers hijacking residential and enterprise systems. “This is organised crime moving from the streets to the computer room.”Corero’s offerings include SmartWall, which protects data centres and networks, and SecureWatch Analytics, which enables customers to detect and analyse threats. Strong demand sent first-half orders up 9 per cent, and analysts expect the group’s full-year gross margin to widen from 65 to nearly 70 per cent. Still, investors may want to hold off as profitability is a distant prospect.Unauthorised access is a perennial worry for governments and companies alike. American and British authorities address the issue with Intercede’s (IGP) identity management software, MyID, which controls access to digital resources and physical facilities. Indeed, the NHS has used it to issue more than a million ID cards, while defence titan Lockheed Martin has allocated over 100,000 smart ID badges.
Intercede’s latest offering is a platform that installs trusted applications on secured devices, allowing clients to safely outfit their workforces with mobile devices. That should fuel strong top-line growth, but the group swung to a £1.1m operating loss last year due to delays in US government orders, and analysts expect losses per share of £100,000 this year and next.
Risk-averse investors may balk at backing niche businesses in a nascent industry. Fortunately, some broader-based companies have planted their flags. Falanx (FLX), a security and risk consultancy, recently launched FalanxAssuria, a cyberdefence division that offers managed services and bespoke solutions. It has already won a landmark contract with the UK government to support national cybersecurity. “It’s a real feather in our cap,” says chief executive John Blamire, adding that access to global threat intelligence will inform the group’s services.
Mr Blamire says the biggest threat to companies is fraud, because it not only hits their bottom lines but also erodes their clients’ trust. He adds that an attack that crashes a high-street retailer’s systems in the three weeks before Christmas could have “an existential effect on the business”. And in an increasingly connected world, enterprises have to protect every link in their supply chain. The scale of the challenge has led Falanx to partner with cloud data-storage specialist MDS Technologies and Digital Shadows, a cyberthreat intelligence group. The group’s shares have more than tripled in value in the past year, but we think it’s too soon to evaluate its prospects.
IC view: The proliferation of mobile and connected devices will only make companies and governments more vulnerable to cyberattacks. That should fuel demand for cybersecurity, particularly given the immense financial and reputational impact of successful attacks. We think investors can benefit from exposure to this fast-growing sector and lock up profits in the process.
Five types of cyber threats:
1. Malicious software or ‘malware’ can be used to access networks and applications, disrupt their processes and steal data. For instance, Cryptolocker is spread through disguised emails and encrypts an individual’s computer until a ransom is paid.
2. Mobile malware infects smartphones and tablets. It can record activity, make calls, install apps, access contact lists and collect location data. An analysis of 300 clones of blockbuster mobile game ‘Flappy Bird’ found that four-fifths contained malware.
3. Distributed denial-of-service attacks are used to overload servers and networks, often concealing more nefarious activities. Microsoft, Sony and Activision Blizzard’s gaming servers were taken offline by a co-ordinated attack in August.
4. Web threats include posing as legitimate websites to trick people into divulging sensitive information, or using links to direct people to malware-infected sites.
5. Messaging threats involve the use of email, SMS, blogs and other electronic communication systems to send spam.
A new frontier for aerospace and defence
Sweeping cuts to military budgets have plunged most of the defence industry into chaos. Some of the shrewder players have responded by diversifying into high-growth niche areas such as cybersecurity. That industry has jumped so far up the corporate board agenda that research group Marketsandmarkets estimates that the global market will double in size to be worth £120bn by 2017. This will come as welcome news to UK businesses such as Ultra Electronics (ULE), BAE Systems (BA.), Qinetiq (QQ.) and Chemring (CHG), all of which are fighting hard to increase their exposure to the latest budding industry.
BAE proved to be one of the first to identify a shift in government spending away from traditional defence kit. It acquired Detica, a cyberintelligence business with strong government links, in 2008. A series of bolt-on acquisitions, such as the E271m (£215m) acquisition of financial crime software company Norkom in 2011, then followed, culminating in the defence giant signing a five-year partnership last year with Vodafone (VOD) that focuses on safeguarding mobile devices.
Furthermore, BAE has recently increased its foothold in the US cybersecurity market by purchasing US-based SilverSky, a specialist in cloud-based email and network security services, for $232.5m (£148m). BAE now derives around 7 per cent of its revenues from its cybersecurity arm.
Advanced electronic-equipment supplier Ultra Electronics has also invested in specialist areas to help offset sluggish demand for traditional defence products. In fact, 22 per cent of its revenues now stem from its Security & Cyber segment. The US uses its ‘crypto’ scrambling technology on top-secret projects, while the UK and other Nato members seem willing to shell out for its software.
The scale of demand prompted Chemring, a seller of consumables such as flares, countermeasures and munitions used in conflict zones, to announce plans to drive growth in ‘key areas’ such as cybersecurity alongside its disappointing summer interim results. It began on this path in 2010, when it acquired Roke Manor Research for its electronic warfare devices and cybersecurity capabilities. A renewed focus in this particular growth market could revitalise its shrinking order book.
Likewise, Qinetiq has been struggling with sagging demand for conflict-related products of late, so much so that it recently sold off most of its US arm. This deal, however, excluded its profitable Virginia-based cybersecurity division, Cyveillance. Indeed, earlier this year Qinetiq claimed that it blocked an average of eight cyberattacks on clients each day. It has also unveiled plans to expand Cyveillance’s capabilities to small and midsized enterprises as well as international customers.
A handful of adapting UK defence firms aren’t the only companies eyeing opportunities in the sprouting cybersecurity industry. A&D giants such as Boeing (US: BOE), Lockheed Martin (US: LMT), General Dynamics (US: GD), Raytheon (US: RTN) and Northrop Grumman (US: NOC) are also fighting for a seat at the table. Given the breadth and scale of competition in this explosive industry, smart management and innovation will be crucial to prospects.
Cybersecurity in America
The US is ground zero for cybersecurity, and privacy has become a national issue since NSA whistleblower Edward Snowden revealed the spy organisation’s extensive surveillance programmes. A large crop of companies cater to the market. For instance, Intel’s (US:INTC) Wind River security division connects and secures ‘smart’ utility grids and mobile devices. And FireEye (US:FEYE) specialises in thwarting advanced cyberthreats across the web, network, endpoint and systems markets. Analysts at Wells Fargo called it “a once-in-a-decade opportunity to invest in a truly disruptive technology.”
Palo Alto Networks (US:PANW) boasts “the most comprehensive security portfolio in the industry” says broker Piper Jaffray, which expects the group’s sales to rise 42 per cent to $851m this year. A key growth driver is its cross-selling of WildFire and Cyvera, its cloud-based analytics and endpoint security products, to its mushrooming customer base.
Industry veteran Symantec (US:SYMC) operates in security and data protection. It returned $918m to shareholders through share repurchases and dividends this year, and plans to repeat that next year. It is also spinning off its information storage business to focus on its security business, Norton. Other players include Fortinet (US:FTNT), a specialist in high-end firewall platforms, and Imperva (IMPV), which secures web applications, databases and cloud servers.
Top 10 Cyber Attacks
1. The names, addresses and passwords of 223m eBay users were stolen after hackers broke into the online auctioneer’s database between February and March.
2. Domino’s Pizza was held to ransom by hackers who got their hands on the names, phone numbers and preferred pizza toppings of 600,000 customers.
3. Hackers accessed the personal details of up to 110 million of Target’s customers last November, costing the US retailer an estimated $420m.
4. An attack on JPMorgan Chase compromised the names and addresses of 76 million households and seven million small businesses this summer. The bank plans to spend $250m annually to prevent future breaches.
5. Details from up to 56 million credit and debit cards were accessed during a hack on Home Depot, after the retailer ignored a string of earlier attacks.
6. Intimate photos of Jennifer Lawrence and dozens of other celebrities were stolen and leaked online in August and September. Apple says hackers gained access to iCloud by guessing the victims’ login details.
7. Over 27,000 of Barclays’ files - containing details of accounts, mortgages, health records and passports - were leaked. However, the bank says the data is from 2008 or earlier.
8. It took eight months for US retailer Neiman Marcus to respond to a cyberattack that compromised 350,000 credit cards, of which 9,000 have been used fraudulently so far.
9. The South Carolina Department of Revenue lost 3.6 million social security numbers and 387,000 credit card numbers in a 2012 attack.
10. A recent attack on Sony's Hollywood studio resulted in the leaking of "Annie" and four other unreleased films, along with details of staff salaries.