Cybercrime has the potential to paralyse countries and commerce, but companies and individuals are only just waking up to the threat. That spells opportunity for long-term investors, says Ben Judge.
Crime doesn’t pay – or so we are always told. But it’s not always true, and as crime becomes more sophisticated, that saying is becoming less true every day. Take robbing banks. According to Guinness World Records, the world’s biggest bank robbery was committed in 2005. A group of around ten crooks spent a weekend tunnelling 78 metres from a house they had rented directly into a branch of the Banco Central (Brazil’s central bank) in the town of Fortaleza, on the northeast coast. They bored though more than one metre of reinforced concrete into the vault and made off with 164,755,150 reals, around £38.6m. A tidy little haul, you might think.
Bank robberies go online
But Guinness is using a very narrow and outdated definition of bank robbery. And £38.6m is peanuts compared with today’s bank robbers’ hauls. The world’s biggest bank heist actually happened over several years, from 2013 to 2018, when a gang of Russian hackers used computer viruses to make off with £650m from 100 financial institutions around the world – no pneumatic drills necessary. The cybercriminals created accounts to receive cash; inflated balances in other accounts by changing bank database entries; and even programmed cash machines worldwide to spew out notes at specific times, when associates would be waiting with bags to fill. The cash was then laundered via cryptocurrency exchanges and spent on luxury cars and houses, among other things.
Crime has moved online. Online fraud is now the most common form of crime in England and Wales, according to the Office for National Statistics. The rewards are higher and the risk of getting caught dramatically lower. According to computer software security company McAfee and the Center for Strategic and International Studies, a US think tank, the most lucrative crime in the world is government corruption, followed by the narcotics trade and cybercrime. Ginni Rometty, IBM’s president and CEO, said in 2015 that “cybercrime… is the greatest threat to every profession, every industry, every company in the world”. It costs business around $600bn per year, or 0.8% of global GDP, estimates McAfee.
As technology makes users and companies more efficient, so it also makes criminals more efficient. As more and more things are connected to the internet, the opportunities for cybercriminals proliferate. It’s not just smartphones and computers. Manufacturers are cramming online connectivity into new models of everything from kettles to fridges, cars and doorbells. Each element of this “Internet of Things” (IoT) provides an opportunity for cybercriminals, who can hijack them and use them as a gateway to attack more lucrative targets.
Many contain glaring security deficiencies, exacerbated by the fact that many users don’t change the default usernames and passwords the machines come with and fail to upgrade security with the latest firmware. Hewlett Packard has said that it reckons 70% of IoT devices are vulnerable to hacking.
A favourite tactic is to use compromised devices to install “bots” (“web robots”, or autonomous software programs that perform simple tasks), which can launch so-called distributed denial of service (DDoS) attacks. The upshot is that multiple devices are used in a coordinated attack to overwhelm a victim’s system by flooding it with traffic. One such “botnet”, the Mirai botnet, was used in 2016 to cripple some of the internet’s biggest sites, including Twitter, Airbnb and Netflix.
Cybercrime moves into the cloud
One internet service provider reported 80 billion malicious scans, says McAfee, meaning cybercriminals probing for vulnerabilities, every day. The number of new viruses created every day is staggering, it says: between 300,000 and one million. These days programmers increasingly share files and collaborate online, or in the “cloud”. Cybercrime is mirroring this development. “Cybercrime as a service” is available to those who know where to look.
A developer can open up their code to other fraudsters who can plug in their own list of targets. This new economy includes custom malware, botnet rentals and malware distribution, says McAfee, enabling a “flood of new actors” to enter the scene. This leaves the experienced hacker to develop more specialised skills, “confident in their ability to find others… who can complement their services and with whom they can collaborate to develop new tools of unprecedented sophistication”. Adam Smith’s analysis of the division of labour giving productivity a big boost applies to the dark economy too.
Attacks are on the rise
Things are certainly picking up, as several recent high-profile incidents testify. Yahoo was hacked, which exposed the details of a billion users. The Equifax hack of September 2017 resulted in the leaking of personal and financial details of 140 million people in the US, Canada and the UK. The incident has been the subject of hundreds of lawsuits. McAfee reckons it cost the company $90m in the first four months after the breach, and income in the third quarter was down by 27%. Hotel chain Marriott said in November 2018 that the details of 383 million people had been disclosed from its guest reservation database. Along with financial losses, the hit to a brand’s reputation with customers can be long lasting.
Cybercrime is not just a question of sophisticated technology; another key problem is human credulity. Phishing is a technique whereby criminals disguise themselves as someone the victim trusts, such as a bank or colleague, and deceive them into revealing sensitive information, such as passwords or bank details, by convincing them to click on a malicious link, go to a fake website, or reveal information over the phone.
In 2017, around £130bn was stolen from global consumers, says The Guardian, £4.6bn of that from Britons. On top of the financial loss, each victim had to spend an average of two days dealing with the aftermath – securing information, changing passwords, etc. According to McAfee, two-thirds of people online have had their personal information stolen or compromised. Phishing isn’t confined to gullible individuals. Some of the most tech-savvy corporations fall victim too. Facebook and Google, says Forbes, were swindled out of more than $100m over two years by a crook posing as a supplier who convinced the companies’ accounting departments to wire money to bank accounts across eastern Europe.
Identity theft is perhaps individuals’ biggest fear. But in reality, while inconvenient and in many cases traumatic, it’s not the biggest problem related to global cybercrime. America’s Bureau of Justice Statistics reckons the average personal loss in 2012 was just $1,500, with more than half of victims suffering losses of $99 or less.
Cybercrime as modern warfare
The biggest danger is cybercrime perpetrated by nation states. China, Russia and North Korea are the most active countries in this context, while Iran is a growing threat. In May 2017 the WannaCry virus infected the NHS, crippling computers in more than 80 sites and resulting in more than 20,000 cancelled appointments and hospitals turning away ambulances. WannaCry encrypted files and demanded a ransom to be paid in bitcoins to unlock them. It spread quickly and did a lot of damage. But despite its efficiency, it was not the most sophisticated of viruses. It included a “killswitch”, a mechanism to shut it down, which was relatively easy to discover, so it was soon defeated. Many now believe it was created not by cybercriminals, but by agents working for the North Korean government in an attempt to bolster their country’s finances. Indeed, North Korea is probably the world’s biggest cyber-bank robber, according to the Associated Press. Its biggest heist so far is thought to be the 2016 raid on the central bank of Bangladesh, which netted it $81m.
Along with state-sponsored criminality, cyberwarfare is also a worry. One of the earliest high-profile cases was the Stuxnet virus, created by the intelligence agencies of Israel and the United States to take out Iran’s nuclear centrifuges. It was precisely targeted and extremely successful. But not all military-grade viruses are so accurately targeted. In the summer of 2017 the NotPetya virus ran rampant through the world’s Windows computers, scrambling their file systems.
It was first identified in Ukraine, but infected businesses around the world, including shipping firm Maersk and food group Mondelez. It did huge damage: Israeli cybersecurity firm Cybereason reckons it cost firms around $1.2bn in lost revenue. It is estimated to have cost Maersk between $250m and $300m; Reckitt Benckiser $129m; and Mondelez $150m.
The odd thing about NotPetya was that it didn’t appear to be motivated by profit at all. It did demand a $300 ransom be paid in bitcoin. But, says tech site The Register, the mechanisms to collect the money soon disintegrated; “little effort went into pocketing the loot”. The virus was created at a time of heightened tension between Ukraine and Russia, when Russia annexed Crimea. Cybersecurity experts blame Russia, although many think NotPetya’s foray into the West was just collateral damage in the two countries’ cyberwar. This is important from a commercial point of view. Mondelez’s insurer, Zurich American Insurance, has refused to pay out, saying the attack resulted from an act of war and therefore wasn’t covered by its policy. If Zurich prevails, says The Register’s Kieren McCarthy, it could create “a new market in cyberattack insurance almost overnight”.
Russia is also home to sophisticated private-sector criminals. Being a hotbed of cybercrime, Russia knows exactly how much damage can be wrought. It is now taking the drastic step of preparing a plan to disconnect itself completely from the global internet if it decides it is under attack (or likely to come under attack, perhaps as a counter-strike) from foreign cyber aggression. Clearly, that is not an avenue open to commercial organisations who want to stay in business. The threat will loom ever larger, with artificial intelligence set to develop more effective phishing techniques and the inevitable advent of software that can crack password-based security in nanoseconds.
A market poised for take-off
“The biggest threat to our cybersecurity is weak cybersecurity,” said Ciaran Martin, the head of the UK’s National Cyber Security Centre, part of GCHQ, in a speech to the EU in 2019. Despite the scale and seriousness of the threat, nations, corporations, small businesses and individuals look woefully underprepared. A survey from consultancy Accenture revealed that only 13% of organisations consider future threats when drawing up their IT security budgets. In December 2016, the average expenditure on IT security was just 5.6% of a company’s whole IT budget, says market research company Gartner. Things are improving, however. Spending on cybersecurity is expected to hit $124bn in 2019, a 12.4% increase on 2018, says Gartner. This pace of increase should endure for the next three years, says Steve Morgan of research company Cybersecurity Ventures.
Some companies are investing more aggressively, however, with JP Morgan doubling its cybersecurity budget from £250m to $500m in 2017, and Bank of America opting for an “unlimited budget” to combat cybercrime. Financial-services firms are the biggest investors in cybersecurity, says Information Age, followed by logistics and storage. The sector investing the least was the entertainment sector. Given the 2014 hack into Sony Pictures Entertainment (North Korea’s petulant response to the unflattering portrayal of Kim Jong-un in the film The Interview), which resulted in major leaks of internal Sony documents, that could be seen as short-sighted. As you might imagine, there are plenty of opportunities for investors when it comes to cybersecurity. We look at some of them below.
The stocks and funds to buy now
US tech blue-chip Cisco Systems (Nasdaq: CSCO), a provider of networking hardware, is not a pure cybersecurity play, but it is establishing itself as something of a leader in the field. It trades on a trailing price/earnings (p/e) ratio of 19.
Alternatively, IBM (NYSE: IBM) is beefing up its cybersecurity division, thanks to its expertise in cloud computing and artificial intelligence, and recently launched a new security cloud platform. It trades on a p/e ratio of around 15.
For a purer play, consider Czech-based, London-listed Avast (LSE: AVST). It develops security software, mostly for small and medium-sized businesses, but also for home users. Its anti-virus product for personal computers is the most popular on the market.
It listed in May 2018. Since then the stock has risen by around a fifth and it is now selling for 16 times earnings.
A more speculative play is Crossword Cybersecurity (Aim: CCS), which listed on London’s “junior” market in December 2018. It works with British universities to commercialise their research, and deals exclusively with cybersecurity. It’s early days still and the group has yet to make a profit. But the latest trading update is encouraging, with revenue up by 45% and full-year results expected to be in line with forecasts.
For those who prefer to spread risk by investing through a fund, the good news is that your range of options is slowly expanding, although most are listed in America. One London-listed possibility, however, is the ETFS ISE Cyber Security Go ETF (LSE: ISPY), which launched in 2015 to become Europe’s first cybersecurity exchange-traded fund. It tracks the ISE cybersecurity index, which comprises companies with a market capitalisation of at least $100m and a three-month average daily trading volume of at least $1m.
The ETF is primarily invested in systems software, communications equipment and IT services and is heavily weighted towards American stocks. These make up 72% of the portfolio, with 10% in Israeli stocks and just 5% in UK stocks. Its biggest holding is Swedish biometrics company Fingerprint Cards. The ETF charges 0.6%.
US fund ETFMG Prime Cyber Security ETF (NYSE: HACK) is based on the same index, but is composed slightly differently, with CyberArk Software the top holding. It also carries a 0.6% charge, as does the First Trust Nasdaq Cybersecurity ETF (Nasdaq: CIBR), which tracks the Nasdaq CTA Cybersecurity index. Its composition resembles both ISPY and HACK. First Trust’s top holding is Silicon Valley cybersecurity firm Palo Alto Networks.
A slightly more exotic fund, but less of a pure play, is the BlueStar Israel Technology ETF (NYSE Arca: ITEQ). Israel, home to many tech firms (as evidenced by the high proportion of Israeli stocks in the cybersecurity ETFs above), is in the forefront of this burgeoning field.
While ITEQ leans more towards artificial intelligence and big data, it does contain a reasonable proportion of cybersecurity firms. Its top holding is IT hardware and software provider Check Point Software Technologies, which concentrates on network and data security. ITEQ is dearer than the other three ETFs, charging 0.75%.