Cyber-crime’s silver lining

Hacking and online fraud are on the rise as the Internet of Things takes over. But this presents significant investment opportunities in the cyber-security space.
October 26, 2017

We live in an increasingly connected world. Employees use cloud computing to share content while at work, before returning to ‘smart homes’ at the end of the day. It is now possible to take one’s TV, kettle and even one’s burglar alarm online. The so-called ‘Internet of Things’ should, outwardly, make for a more seamless existence.

But such connectivity can cause problems. Every time we link a product to the internet, we create another virtual depository of personal information; one which might appeal to cyber criminals. The European security organisation Europol identifies cyber-crime as “any crime that can only be committed using computers, computer networks or other forms of information communication technology”. Such activity can include creating and spreading malware, hacking to steal data, or distributed denial of service (DDoS) attacks to cause financial or reputational damage.

While some attacks are targeted, we also regularly see indiscriminate ransomware incidents. Like other malware, ransomware can encrypt or damage files; but, additionally, the culprit usually seeks money. The rise of Bitcoin and other cryptocurrencies has made it even easier for criminals to conceal their identities when demanding payment.

A spate of particularly high-profile breaches in recent months has thrust the cyber-security market into the limelight. In May, the WannaCry ransomware attack affected hundreds of thousands of computers around the world, including those of 47 NHS trusts. It exploited a weakness in Microsoft’s (US:MSFT) Windows XP platform, details of which had been stolen from the US National Security Agency (NSA).

In fact, Microsoft had issued a patch for this vulnerability; many simply failed to implement it. Plus, it was initially only available for newer versions of Windows (although a patch for unsupported versions was subsequently introduced). At the time, Microsoft’s president Brad Smith wrote, “this attack demonstrates the degree to which cyber-security has become a shared responsibility between tech companies and customers”.

In June, the attack known widely as “Petya” again affected many companies, including major advertising agency WPP (WPP), Mondelez (US:MDLZ) and Reckitt Benckiser (RB.). The latter two have both blamed Petya for a reduction in expected revenues. Reckitt said like-for-like sales for the second quarter of 2017 would fall by around 2 per cent, meaning a top-line decline of one percentage point for the full year.

These incidents are just the tip of a vast iceberg, which shows no signs of thawing as we increasingly live our lives online. On a positive note, the proliferation of online breaches and fraud in the last few years means that there are significant opportunities for investors. Plenty of companies – private and listed – are benefiting from the burgeoning cyber-security market.

 

The US cyber-security players

As the birthplace of various major tech companies, it may not come as a surprise that the US hosts some of the world’s largest cyber players. Examples include Cisco (US:CSCO) and Mimecast (US:MIME). In the first quarter ending 30 June, Mimecast added 900 new customers – making 27,300 in total. Revenue rose an impressive 40 per cent to $58.2m (£44.2m), while the adjusted cash profit margin grew from 4.5 per cent to 9 per cent.

Other leading public cyber-security experts from across the pond include FireEye (US:FEYE), Symantec (US:SYMC) and Palo Alto Networks (US:PANW), all of which saw their shares rise after the summer cyber-attacks.

 

State-backed hacking

Governments around the world are working with companies to protect consumers from cyber-crime. The EU’s General Data Protection Regulation (GDPR) will be enforced from May 2018. The UK’s Data Protection Bill is set to replace the 1998 Data Protection Act, with the intention of complying with the GDPR. The new rules will mean higher fines for data controllers and processors after serious breaches.

That said, there are instances in which governments are not, allegedly, the good guys. Yes, this might sound more in keeping with a James Bond narrative than real life. But many believe the Petya attack was launched by Russia, while Microsoft’s president recently told ITV that North Korea was behind WannaCry. Meanwhile, here in the UK, some Whitehall officials have blamed Iran for an attack on parliamentary email addresses.

And adding fuel to an already tense bilateral relationship, Russian cyber-security expert Kaspersky Lab has come under fire in the US over concerns that it might enable Putin’s government to spy on classified and confidential information. Founder Eugene Kaspersky denies such allegations, but the US has prohibited federal agencies from using its products.

It is perhaps not surprising that Symantec and private company McAfee have both refused to allow governments to review the source code of their software.

 

UK contenders

We tend only to hear about the most newsworthy hacking events. But in October 2016 the UK government established the National Cyber Security Centre as part of GCHQ. And during its first year of existence, the Centre received a huge 1,131 cyber incident reports, of which 590 were classified as “significant”.

Enter Sophos (SOPH): a leading cyber-security company listed here in the UK, which focuses on global mid-market organisations across various sectors. For the year to 31 March, billings grew by 18 per cent to $632m, while the contract renewal rate rose to 106 per cent. Since then, performance has been buoyed by attacks such as WannaCry. More recently, the group updated its forecasts for FY2018, now expecting billings growth of around 20 per cent instead of mid- to high-teens.

Sophos offers both end-user and network products. The company works with partner channels, with a leading example being Softcat (SCT). Softcat itself intends to be the “go to security company” in its own area of specialism: the provision of IT infrastructure products and services.

NCC (NCC) is another player in the UK market, although its cyber business has been somewhat beleaguered over the past year. Back in November 2015, the group raised £126m from investors to fund two cyber-security acquisitions. But, as we reported at its last full-year results, the company has had to take a £62m write-down on the resultant intangible assets. While revenues rose in the 12 months to 31 May, an operating loss of £53.4m represented a massive swing from the previous year’s profit of £11.4m.

That said, management plans to sell off its web performance and software testing divisions, which “sit outside the cyber golden thread”, while the separate Escrow division “provides a stabilising influence on the group”.

 

Identity intelligence

GB (GBG) is an identity intelligence specialist. Its services include protecting against identity fraud, providing customer and location intelligence, and employee screening. A recent trading update revealed 40 per cent revenue growth to £52.6m for the first half to 30 September, with an organic growth rate of around 17 per cent – helped by the sale of a perpetual licence to a European bank. Its products include GBG ID3global, which can verify the identity of almost anyone, and IDscan Biometrics, which authenticates ID documents.

 

Smaller-cap entry points

Smaller companies in the UK also offer entry points into the cyber-security market. Aim-traded Corero Network Security (CNS) offers DDoS protection via its SmartWall product. The group is focusing on growing revenues with the aim of reaching profitability.

Meanwhile, ECSC’s (ECSC) shares rose by nearly a third during the week after the WannaCry attack. But the group has since reported that it is enduring delays in converting its sales pipeline into committed orders and revenue. In the six months to 30 June, ECSC saw cash losses of £1.47m against a profit of £0.36m a year earlier, stemming from lower gross profits and higher sales, marketing and administrative costs.

 

Integrating cyber-security into a broader offering

In the financial services sector, companies require customers’ confidential details to carry out transactions. They thus represent a significant target for hackers – as made evident by the recent breach at Equifax, the credit reference agency.

Aim-traded Eckoh (ECK) is a global provider of 'card not present' secure payment products. A trading update for the six months to 30 September revealed seven new secure payments contracts had been won in the US, valued at $5.1m overall.

Elsewhere, businesses offering broader defence solutions have built up their cyber-security services. We recently noted that while Massachusetts-based Raytheon (US:RTN) makes and collaborates across various defence markets, it has also been focusing on its cyber division. Meanwhile, BAE Systems (BA.) saw “softening” in its cyber and intelligence turnover in the six months to 30 June, but is investing to improve this.

 

IC view:

Cyber-security has never been more important. With the rise of artificial intelligence (AI) and automation, and the prospect of driverless cars, people’s private information won’t be the only thing at risk: their lives might be, too. It is possible that one day, companies will internalise their cyber teams – but for now at least external specialists are still in high demand. Insurance is another area to consider as organisations take steps not only to protect against breaches, but to alleviate costs after one has occurred.

 

Favourites:

Sophos has demonstrated encouraging momentum. Chief financial officer Nick Bray says, “we’re in the right marketplace, which is only getting more important”. The Intercept X product, launched last September, stops ransomware from encrypting data – particularly pertinent – while the acquisition of Invincea brings machine learning capabilities. Given that payment fraud is central to the cyber-crime landscape, Eckoh’s performance also looks compelling.

 

Outsiders:

While NCC is showing some signs of improvement, we remain concerned by past mismanagement; for now, we are sceptical about its ability to keep up with other leaders in the UK. Meanwhile, ECSC said in September that its full-year revenue and cash profit would be below market expectations. With a market capitalisation of only £12m, we think it might face the risk of being squeezed out.

 

Expert view:

Bolstering digital society

There have been no reported deaths from cyberattacks and relatively little destruction. But the disruptive power of cyberattacks is increasingly clear, particularly in geopolitical threats. For example, a December 2015 cyberattack in Turkey impacted networks used by the country’s banks, media, and government. Later that month, the first known cyberattack to take down a power grid targeted Ukraine’s power distribution systems, cutting electricity to 230,000 residents. That attack also targeted the country’s phone system, preventing customers from reporting outages and thereby hindering power-restoration efforts. In June 2017, the Petya cyberattack, aimed at Ukrainian computers, disrupted business operations across the globe. Massive data breach risks are raising concerns about the power of cyber-attacks to ripple through the global economy.

Executives worldwide acknowledge the increasingly high stakes of cyber insecurity. In our 2018 Global State of Information Security Survey (GSISS), leaders of organisations that use automation or robotics indicate their awareness of the potentially significant fallout of cyber-attacks. 40 per cent of survey respondents cite the disruption of operations as the biggest potential consequence of a cyber-attack, 39 per cent cite the compromise of sensitive data, 32 per cent cite harm to product quality, 29 per cent cite damage to physical property, and 22 per cent cite harm to human life.

Yet, despite this awareness, many companies at risk of cyber-attacks remain unprepared to deal with them. 44 per cent of the 9,500 executives in 122 countries surveyed by the 2018 GSISS say they do not have an overall information security strategy. 48 per cent say they do not have an employee security awareness training program, and 54 per cent say they do not have an incident response process. “Many organisations need to evaluate their digital risk and focus on building resilience for the inevitable,” said Sean Joyce, PwC’s US Cyber-security and Privacy Leader.

Business leaders are not well served by cyber-security commentary that veers into either hyperbole about “cyber armageddon” or the countervailing viewpoint that most cyber threats are mundane. Much more productive would be a robust global conversation that gives business leaders actionable advice to build resilience against cyber shocks.

Extract: PricewaterhouseCoopers (Key findings from PwC's “The Global State of Information Security Survey 2018”)