Watch out! The growing privacy invasion and cybercrime threat

Opinions expressed whether in general or in both on the performance of individual investments and in a wider economic context represent the views of the contributor at the time of preparation.

Executive summary: Every 12 seconds, someone becomes a victim of cybercrime. The direct and indirect cost of such criminal activity is estimated at over $270bn, almost the same size as the black market for illegal drugs. With the amount of data being produced globally set to double in the next two years, cybercrime is only likely to grow. Less than $70bn is spent on security products at present. Herein lies the major opportunity and many businesses have positioned themselves to benefit from this trend. Check Point, F5 Networks, Imperva, Computer Sciences Corporation, Swisscom and Gemalto constitute some of the major listed beneficiaries.

Edward Snowden’s revelations about widespread electronic spying on the part of America’s National Security Agency constituted one of the most newsworthy events of last year. As shocking as his disclosures may have been, they should also not be seen as too surprising. In other words, the invasion of privacy, or what some may also term the growth in cybercrime is an inevitable corollary of the expansion of the Internet (and the data generated via this resource) that has been witnessed in recent years. The stark reality is that as the data deluge has intensified, security spending to protect users has not, as highlighted by the growing number, range and scope of actual attacks and invasions. Therefore, significant opportunities exist for many businesses positioned to implement security solutions and hence increase privacy.

A cybercrime is defined simply as any crime that involves a computer and a network. The computer may either have been used in the commission of a crime (such as through electronic spying) or be the target of a crime (important information about the victim being accessed and hence exploited). Given that EMC estimates that the amount of data in existence is doubling every two years, the opportunity set for cybercrime is also rapidly increasing. Despite over 50% of the world’s population still lacking internet connections, some 200m emails are sent and more than 2m search enquiries made on Google every minute of the day. Research consultants eMarketer estimate that the average American spends 23 hours a week emailing, texting and using social media and other forms of online communications. Over 90% of online Americans check their email at least once a day, while more than 75% access Facebook and/ or Twitter on a daily basis.

The consequences of such behaviour are threefold: first, the more time spent online (in any form), the more susceptible users may be to cybercrime; next, the growth in big data trends and networking is rendering anonymity increasingly impossible; and, most crucially, the need to secure or protect online activities is growing. In its 2014 Digital Universe report, EMC calculates that at least 40% of the online world requires some level of security, from privacy protection to full-encryption, or ‘lock-down.’ Unfortunately, according to EMC, the amount of data that has protection relative to that which needs protection is less than half.
Against this background, cybercrime is becoming increasingly persistent and visible. Beyond the NSA/ Edward Snowden scandal, a range of high profile organisations including LinkedIn, eHarmony, Wells Fargo, JP Morgan, Bank of America and Target (among others) have all been victims of recent attacks, resulting in passwords compromised, personal information disclosed and, in some cases, financial losses. Security firm Symantec, in their annual Norton Cybercrime Report, estimate that over 1m people fall victim to cybercrime everyday around the world, equivalent to one every 12 seconds. Indeed, according to Norton, the probability of becoming a cyber-crime victim is almost three times higher (44% vs. 15%) than being the victim of a physical crime.

The cost of such security breaches is significant. At the most basic level, this is an emotional issue, engendering a loss of trust and undermining individuals’/ organisations’ reputations. With regard to the activities of the NSA and other related behaviour, the consequences may be more significant, escalating political tensions and even questioning some of the principles enshrined within democracy. The financial costs are harder to quantify, simply because there is no standard model for estimating such costs and the only data available is that which is made public by the organisations involved. Nonetheless, in the Norton Report, during which 13,000 people were interviewed, the costs of direct losses from cyber-crime (fraud, repairs, theft and so on) were calculated at $113bn. Taking into account lost time (opportunity cost) too, then the monetary losses escalated to $274bn. These figures should be seen in the context of the global black market for marijuana, cocaine and heroin combined being estimated at $288bn (by the United Nations).

In order to understand how to deal with cybercrime most effectively, it is perhaps pertinent first to consider the motivations for compromising security/ privacy and also how such acts are perpetrated. With regard to the former, a lot depends on who is doing it: organised criminals will likely be motivated by the financial gain that can be derived from stealing either data or intellectual property. By contrast, the actions of governments and their agencies to access similar information, or simply to spy, will likely be driven by policy, politics and potentially nationalistic convictions. Finally, others (sometimes referred to as ‘hactivists’) will simply be influenced by ideology or personal agenda, seeking a thrill or challenge, possibly intending either to access or disseminate obscene or offensive material.

There are many mechanisms open to those keen to commit cybercrimes. These can include: backdoors (methods that bypass normal authentication and secure remote access), direct access (the installation of software worms or covert listening devices as well as modifying operating systems), indirect access (using a third-party computer to launch an attack) or denial of service (suspending or interrupting services of a host connected to the internet). These options are not mutually exclusive and nor are they exhaustive. Ultimately, humans are also culpable: a system is no more secure than the user responsible for its operation. Malicious individuals have regularly been able to deceive users by convincing them through psychological means (or just simple deception, such as pretending to be a systems administrator) to disclose personal information. Moreover, as discussed earlier, the longer individuals spend online, the more likely they are to cast unintentionally a ‘digital shadow,’ inadvertently revealing sensitive data about themselves/ the organisations they work for.

The logical response to all of the above is that the market for services that can help protect privacy and improve security is set to boom. Estimates vary on its current size, but data firms including EMC and consultants IDC and Gartner suggest that the market today stands at between $50bn and $70bn. Most estimates also suggest that the industry should enjoy compound annual growth of at least 7% through to the end of the decade, implying that by 2020, the market for security products and services could be worth $80-110bn.

Before reviewing security options it is worth bearing in mind not only what an individual or organisation may wish to secure, but also that an effective process would likely comprise three elements: the ability to seek to prevent threats, detect them and then, if necessary, respond to them. As a consequence, the market is complicated and users may also seek to adopt a variety of solutions. At the most basic, there exist firewalls, intrusion detection software and hardware options, ranging from disabling USB ports to requiring biometric validation for remote access.

A range of more innovative options is also emerging. Swisscom, Switzerland’s national telecoms operator (still 51% owned by the government) is, for example, in the process of building a ‘Swiss Cloud,’ a secure network where, it believes it will be harder for intruders to access data. Switzerland’s privacy laws also mean that a formal request would have to be made to a public prosecutor before a third-party would be allowed access to the data. Another Swiss innovation is WISEekey, a digital information, authentication and identity management company based in Geneva, which encrypts and stores information in an underground bunker designed to withstand nuclear blasts. Elsewhere, apps such as Wickr and Confide are being developed that enable users to keep their data more secure and less vulnerable. Wickr uses military-grade encryption to send messages, where users have no access to these once they have been sent. Confide, by contrast, allows recipients only to see one word of a message at a time; when the user scrolls to the next word, the previous one disappears forever. Expect more of these services to develop.

While these are just some examples of nascent businesses emerging within the space, there are already a wide number of listed plays on security too. Investors should, of course, be mindful that as new threats continue to emerge, so do new players. The competitive landscape is therefore constantly evolving. Also, it should not be forgotten that however crucial security may seem, it does not constitute the highest priority of many corporate Chief Technology Officers (CTOs). In Morgan Stanley’s most recent quarterly survey of CTOs, security spend only ranked as the fourth highest software priority, behind cloud computing, analytics and enterprise resource planning. These two factors help explain why the revenue and margin profile – and hence corresponding share price performance – of many of the major listed security businesses has been relatively volatile in recent years. On the more positive side, however, the inherently disruptive nature of the industry means that M&A is likely to remain a salient factor, potentially benefiting smaller businesses in the space.

Among the best placed businesses would be Check Point Software Technologies, the world’s largest pure-play security technology company. Founded in 1993 and capitalised at over $13bn, all of the Fortune 500 companies use its services, according to Check Point. Elsewhere, F5 Networks is a leader in web application controllers and firewalls, while Imperva is at the forefront of data centre security. Founded by a former Check Point executive, the business has already secured 3,000 customers including five of the top-ten US commercial banks. Within the IT consultancy space, Computer Sciences Corporation provides a range of security traffic and analysis services, particularly to the intelligence community. In Europe, investors may wish to consider Swisscom (mentioned above) or Gemalto, a Dutch-listed designer and manufacturer of security software for chip cards, mobile phones and other devices. Finally, if all else fails, abandon your computer and go back to using something more ‘old-fashioned,’ perhaps a typewriter or even just pen-and-paper…

Alexander Gunz, Fund Manager