The growing threat of cybercrime

01 Jan 2015

10 years of Vision: Allegations of Russian interference in elections, the WannaCry attack on the NHS and the more recent Equifax data breach show that cybersecurity remains a high priority. Perhaps the real surprise is that the cybersecurity market is expected to grow by ‘only’ c.8% p.a. in the medium term. Share prices of leading cybersecurity firms Check Point, Palo Alto and Symantec are +34%, +22% and +10% respectively over the past three years. 

A surge in viral attacks featured in Vision 2015, as data breaches and alleged voting interference saw a predicted spending rise.

Apple, Google, J.P. Morgan, Target, Adobe, Citibank, Facebook, Microsoft, Sears, Las Vegas Sands. No, that’s not a list of our preferred US equity holdings (although some of them are, but that’s another story) but rather a selection, in no particular order, of major companies that have been victims of cybercrime in the last few years.
Of course it’s not only major corporations that have been victims; there have also been high profile attacks on government agencies, including the Stuxnet ‘worm’ that attacked Iran’s nuclear programme, which came to light in June 2010.
Cybercriminals, or ‘actors’ to use the industry jargon, have a variety of motives, including idealism (for which ‘denial of service’ attacks may be employed to generate publicity), espionage (industrial and governmental), geopolitics (where fake media reports may be generated to try and destabilise a disliked regime) and even simple private entertainment (‘lulz’ in the jargon).
But to find the most common motivation one just has to take the advice of Deep Throat and “follow the money”.
In the cases of the companies listed above, most involved attempts to obtain personal information relating to customers – information that could potentially be used to siphon money directly out of bank accounts or to generate illegitimate transactions for gain. [This type of activity is a step short of out-and-out ‘identity theft’ whereby the perpetrator can create an entirely bogus persona in the name of another person because that typically requires additional information (such as social security number in the US) that wouldn’t typically be held alongside the data used in commercial transactions.]
The numbers are substantial; in the Target case, 70m sets of customer credentials (name, address, email etc.) were stolen and 40m credit and debit card details compromised. At J.P. Morgan, the accounts of 70m households and 7m small businesses were affected, although the theft was limited to customer contact information and didn’t include log-in credentials or detailed financial or account information.[1]
Nevertheless, when the haul is so large it is easily conceivable that when combined with the fruits of other attacks a more comprehensive picture of a very large number of consumers can be built up.
The costs of cybercrime to those affected can be very substantial, not only in terms of the immediate response – for example contacting customers to let them know and advise that they change their security details – but also in compensation for any direct financial losses incurred by customers and reputational damage to the business.
In the example of Target, the US investment bank Wells Fargo has estimated that the total cost of the breach was between c.$550m and c.$750m. That’s around 15–20% of last year’s profits.
Reputational damage is particularly difficult to quantify and although there has been no high profile example so far it is not difficult to imagine a serious attack posing an existential threat to a business. Indeed, in the UK, the latest Information Security Breaches Survey Technical Report published by the Department for Business, Innovation & Skills reveals that 10% of organisations that suffered a breach over the past year were so badly damaged that they had to change the nature of their business.
From the perspective of a consumer it is easy to see why the opportunities for cybercrime are growing, with our increased use of e-commerce, online banking, social media and the like. But behind the scenes the way organisations ‘do’ computing is also changing in a way that opens up opportunities for the cybervillains.
Broadly speaking, computing is becoming increasingly ‘distributed’, with more people having more access to more data from more places using more devices. Every connection and every interaction creates a potential weakness for the criminals to exploit.
As far as the implications for security are concerned it is perhaps helpful to use the analogy of a building. Compared with a building in the old world the modern building has more doors and more people have the keys to those doors, including ones they’ve had cut for themselves (the analogy here is BYOD, or ‘bring your own device’, a method of working whereby employees access corporate resources using their own desktop PC, laptop, tablet or mobile phone).
All it needs is for one person to forget to lock a door properly, or to leave a key lying around, and the burglars will be in. And, not only are there more ways of getting into the building, there is more valuable stuff inside it as well.
If that wasn’t bad enough, it’s going to get worse as the ‘internet of things’ (IoT) comes to play an increasingly prominent role. The IoT is typically characterised in media coverage as a world in which it is possible to send instructions to your central heating from your smartphone, or for the fridge to order more sauvignon blanc when supplies are running dangerously low, and indeed these are valid enough examples.
However, there are also vast commercial and governmental applications, including the management and monitoring of important infrastructure assets. Readers above a certain age will remember the scene in The Italian Job in which Professor Peach plays havoc with the Turin traffic light system by switching the computer tapes. Imagine limitless opportunities to perpetrate a modern version of that with bigger, more sinister consequences.
In this vein it has been reported – though it may be urban myth – that the heart pacemaker fitted to former US Vice President Dick Cheney was specially adapted to thwart remote assassination attempts based on interference with the device via Wi-Fi.
According to the Centre for Strategic and International Studies, the cost to the global economy of cybercrime and online industrial espionage is around $445bn per year – roughly equivalent to the GDP of Austria. Given the scale of the problem and the scope for it to grow it is reasonable to suppose that organisations are devoting increasing resources to cybersecurity, and indeed that supposition would be correct. According to the research firm Gartner, global IT security spending will grow from around $65.5bn in 2013 to c.$93bn by 2017.
[Figure: Global IT security spending]
That brings us to the question of the investment implications. Naturally enough there are plenty of companies whose business could be described in one way or another as being involved in cybersecurity. Some are private, and some are parts of larger corporations, but there is also a number of publicly listed companies, albeit mostly in the US.
On the face of it the growth prospects for cybersecurity spending suggest this should be a fruitful sector for investors; however in practice we see a number of challenges. First, we are talking about a fast moving business in which the villains are constantly trying to keep one step ahead of the cops.
A new technology that looks full of promise can easily prove to be a white elephant almost before it has got off the ground. Second, by their nature these companies are unlikely to be as transparent (not for sinister reasons but of necessity) as the thorough investor would like.
The basic question, “so, what exactly is it you do?” is unlikely to elicit as fulsome a response as we would like (not that we would necessarily be much wiser if it did). Allied to this, the standard “who and how big is your largest customer?” gambit is unlikely to be particularly fruitful either.
Then, even if we are comfortable about investing in a company we really know little about and whose technology may or may not be relevant next year or even next quarter, we come to the ‘hype cycle’, which we have written about before (Vision 2013: Ahead in the Clouds) and of which technology investors should be ever mindful. 
The key point here is that at some point in their early life (at least where investors are concerned) promising new technology companies tend to attract valuations that reflect expectations that in the fullness of time are shown to be excessive; even if the company goes on to be successful on any reasonable measure, investors can get their fingers badly burned by investing at the wrong time.
None of this is meant to suggest that investors should entirely eschew cybersecurity companies, but rather to highlight the need to approach them with eyes wide open. Of course there is also the route of specialist technology funds which typically will have exposure to the sector. Making specific recommendations is beyond the remit of this publication, but for those readers whose interest is piqued the following table lists some of the leading US-listed players.
1: "Cybersecurity: Security Empowers People" published by Wells Fargo Securities, 27 October 2014.
