Death, tax and cyber attacks

Former City analyst Robin Hardy delves into the booming world of cyber security to highlight the best opportunities for investors
May 24, 2022

Mark Twain suggested two certainties in life: death and taxes, but in today’s interconnected world we could add cyber attacks/crime. Cyber crime and cyber attacks are somewhat like the weather. Both are everywhere, all the time, you may not always be aware of them, you likely don’t understand how they work, and, most importantly, they have the potential to wreck your life. Unlike the weather, cyber attacks are always bad, relentlessly so. Protection comes in the form of the cyber security industry which is somewhere between an umbrella and flood defences that aim to protect people, businesses and public bodies from the severe damage that can be caused.  

Here to stay

While some technologies and IT-related areas rise and fall, cyber crime and the means to fight it are unlikely ever to go away. They will evolve and change (think VHS > DVD > Blu Ray > 4K streaming or 3G > 4G > 5G), getting smarter and faster, and keeping data and key infrastructure safe is rising in importance. This is a battle between equally smart players – those working for a state-sponsored hacker are likely as competent and well rewarded as Silicon Valley high flyers: this is the key reason cyber crime is such a problem. It is not low-level, bungling criminals but some of the sharpest minds in IT in a game of constant advancement by both perpetrators and defenders.

 

Businesses globally subject to at least 1 successful cyber attack - 2021

Source: CyberEdge Group

 

Not to be underestimated

To say that cyber security is vitally important for all businesses, organisations, public bodies and individuals is an understatement. A serious breach or the seizing control of vital systems can stop an organisation dead in its tracks, and if that organisation is a nuclear power plant or an air traffic control centre, a malicious attack could have catastrophic outcomes. At a personal level too, having one's personal data compromised can have acute and chronic consequences. 

Cyber attacks are growing in complexity and sophistication, moving from low-level irritants or snooping in computer networks to, now, many state-sponsored hacking and hijacking programmes set on causing large and lasting harm. Cyber attacks are not always about money, and data from Crowdstrike suggests that only half of cyber attacks aim to steal money. The remainder are about gaining data (known as exfiltration), access and control.

Where cyber attacks occurred by sector – 2021

Healthcare – 22%
Public sector – 21%
Education – 14%
Tech & media – 13%
Retail – 8%
Prof services – 6%
Manufacturing industries – 4%
Financial sector – 4%
Other – 8%

Source: itgovernance.co.uk

While one might expect cyber attacks to be primarily in the financial sector, that is not so. This sector has strong security, so attacks typically target the least well defended sectors and also those where there is likely to be a lot of compromisable, personal information. In total in 2021, it is estimated that over 5bn data records were breached (the largest: Comcast – 1.5bn) with over 650m attempted ransomware attacks, 5.3trn network intrusion attempts, 5.4bn malware attacks and 60m Internet of Things (IoT) attacks, according to TechRepublic.

For all organisations, the need to protect against cyber attacks has risen rapidly up the agenda with many businesses (88 per cent according to industry forecaster Gartner) elevating cyber issues from an IT issue to a major business risk. Successful cyber attacks can effectively stop a business from trading, disable supply lines, ruin reputation, generate serious profit/cash flow issues and, even for minor breaches, give rise (under EU law) to fines equal to 10 per cent of annual revenue.

Cyber attacks can involve almost anyone connected to a private network or the public internet, as a key route of attack is against individuals connected using less well protected items such as phones, tablets, IoT devices or home computers. The main forms of attack are planting ‘malware’ or more directly tricking personal users into surrendering valuable login or other access details. Attacking corporate, government or utility networks directly is more problematic for the hackers, but attacking soft targets such as private individuals and stealing data from them is significantly easier.

 

Attack mechanisms – constant, rapid evolution

This is a world of constant and rapid evolution as both criminal networks and, increasingly, state-sponsored attackers constantly scour for weak spots. There are, very broadly, four classes of cyber attack:

  • eCrime – financially motivated criminal intrusion. Around half of global activity.
  • Targeted – state-sponsored intrusion activity including espionage, destruction or control attacks. This is the fastest-growing area and is 30-40 per cent of total.
  • Hacktivist – to publicise a cause or ideology – a tiny portion at c.1 per cent of attacks.
  • Unattributed – unknown reasons, potentially amateurs or ‘pilot fishing’ exercises.

Methods of attack are also changing from old school ‘brute-force’ or otherwise surreptitious entry to a network to increasingly gaining entry through the use of stolen, legitimate credentials. This makes detection and prevention more difficult and can render traditional perimeter security useless. The significant use of poorly protected home computers to connect to corporate networks when working from home has made this problem worse. Thus, today, security is much less about keeping unwanted players out and more about damage limitation on the assumption that breaches are almost inevitable. 

Attack mechanisms are hugely diverse but, broadly, drop into the following categories:

  • Malware – installed applications to disrupt or steal data. This can be achieved in numerous ways, but largely through ‘DNS tunnelling’ or ‘drive-by attacks’ via websites. Ransomware is the fastest-growing form.
  • Phishing – tricking a user into divulging key information, usually access credentials. A fast-growing area is targeting key executives and decision makers specifically.
  • Man-in-the-middle attack – intercepting person-to-person communication to steal data or implant false dialogue by use of eavesdropping on public networks (ie, the internet).
  • Distributed Denial-of-Service (DDoS) – flooding a network with fake traffic to slow or crash it.
  • SQL injection – exploiting insecure online forms to insert controlling commands into databases to steal or corrupt information. Cross-site scripting (XSS) is another form of this.
  • Zero-day exploit – exploiting a known vulnerability in software or operating systems before it can be ‘patched’.
  • Password attack – repeated attempts to ‘guess’ or otherwise crack a password – now largely ineffective.
  • IoT attacks – web-enabled devices (doorbells, thermostats, Alexa devices, etc) have generally low security and can offer a backdoor to networks.
  • AI-powered attacks – a nascent but potentially hard to stop method as it will learn the best methods from the above list to use on each attack.

 

Policing cyberspace

Unsurprisingly then, the cyber security industry is substantial and growing rapidly as the frequency, scale, reach and complexity of cyber attacks rise relentlessly. According to research by MarketsandMarkets, spending on cyber security from personal to major organisations totalled $217bn (£173bn) in 2021 and is set to grow by at least 8 per cent a year; another forecaster, Global Market Insights, expects 15 per cent growth to push the sector to $500bn annually. To put this in context, direct financial losses globally in 2021 were estimated (by cyber security firms McAfee and Atlas VPN) to be $1trn, 50 per cent higher than they estimated in 2018. This is the direct cost but the total drag on the global economy could be three times this level. Note that these are the controlled losses after the world spent over $200bn on prevention.

A major problem in the cyber security space is that there are, in effect, no neat plug-and-play, one-size-fits-all solutions. While home users can buy a boxed solution to prevent attack via their single internet connection, protecting corporate and public networks is massively more complex. While home users have a lot of commonality in set-up (ie, a Windows PC using Chrome or Firefox), commercial systems are infinitely more diverse in the software they use (much of which is old and bespoke) with large-scale, complex interconnectivity.

This means that almost no single software or cloud solution will cover an organisation’s security needs and many (most?) require a tailored solution comprising numerous different software and hardware providers. Most computer systems and networks contain numerous weaknesses and vulnerabilities that owners do not know or understand. This makes the selection of correct solution sets more difficult. 

 

Types of cyber security

In addition to the types of potential attacks being myriad, so are the mechanisms needed to offer protection. Cyber security is about: 1) keeping the bad guys out; 2) preventing harm or damage when someone breaks in; 3) restoration and repair after an attack. The first and third types are the most common and long-established, but can be unsophisticated and are often of limited use against access using stolen but legitimate credentials. This leaves the middle area as the key and likely fastest-growing area of this industry. Here Artificial Intelligence (AI) is a fast-growing area in both attacks and security. Historically, human ingenuity decided how and where to attack and defend a network, but today AI and machine learning (ML) are being deployed by both sides.

Cybersecurity focuses on the following key areas:

  • Critical infrastructure security – preventing, managing and repairing attacks on vital state and national systems such as power grids, water systems or telecommunications, where the aim is to cripple vital systems for political advantage or ransom. 
  • Application security – initial development approach to eliminate vulnerabilities in software and to ‘patch’ weaknesses that later appear. The prime issue here is ‘zero day’ attacks. 
  • Network security – policies, processes and practices to prevent, detect and monitor unauthorised access, misuse, modification, or denial of networks. This is where AI and ML offer the most potential.
  • Cloud security – network security for remote/diffuse rather than local/in-house networks. Additional issues are the weak points in data movement between office and remote cloud locations.
  • IoT security – connected devices (from domestic, to remote industrial or even monitored medical devices such as pacemakers) are a major threat area. Potentially three-quarters of all IoT devices are poorly protected. 
  • Information security – essentially encryption or access limitation of data in storage or, more importantly, in transit. This is more about policy than tools. 
  • Staff behaviour – a yawning hole in any security apparatus: lax email behaviour, poor password management, giving away information on social media and simply leaving a screen showing sensitive information when away from your desk are all issues that can be hard for software to address. Industry analyst Cybint believes that 95 per cent of cybersecurity breaches are ultimately caused by human error.  

Tactics used to initiate a cyber attack

Source: Verizon

Scope for investors

If spending is more than $200bn a year and assuming investors might be prepared to pay 10-15 times revenues for the best performers, this sector could have an aggregate market value of $2tn-$3tn. Most of the investable market is in the US and some of the companies also have business lines outside cyber: Microsoft (US:MSFT), Cisco (US:CSCO), Intel (US:INTC) (which owns McAfee) and IBM (US:IBM). Investing in broader-based businesses reduces the risk of share price fallout if a product/service fails to stop a catastrophic event. In the more specialist arena, there are numerous large-cap stocks such as SentinelOne (US:S), Palo Alto (US:PANW), Zscaler (US:ZS), Okta (US:OKTA), Fortinet (US:FTNT), NortonLifeLock (US:NLOK), Check Point (US:CHKP) or Crowdstrike (US:CRWD) accompanied by a long tail of mid-caps. Many stocks have been hit hard by the technology/growth stock sell-off.

In UK listings, choice is more limited, with US subsidiaries, PE-funded private companies and consultants dominating the market, plus a number of UK leaders have been acquired (eg, Sophos). Available to investors: Darktrace is the highest profile (not always for the right reasons), BAE Systems (somewhat tangential), NCC (not truly a cyber business), Avast (in the middle of a difficult takeover by NortonLifeLock), Kape (again somewhat tangential) or Micro Focus. At the micro-cap end we have Shearwater, Corero, Osirium or Crossword. This is not a huge selection given that, in common with tech stocks generally, it is best to take a portfolio approach.

Having set out some background on this space, we will look at some of the more interesting stocks in the US and UK in the next article in this short series on cyber security.