A new arms race is well under way. Not on land, nor underwater, nor in space – but in cyberspace.
“The bad guys are relentlessly going after information from their victims, but the victim organizations aren’t keeping pace with attackers,” Dave Merkel, CTO of cyber security systems developer FireEye (NASDAQ: FEYE), revealed to DarkReading.com.
After speaking at the Davos Economic Forum in Switzerland last week, cyber-security consultant Eugene Kaspersky illustrated to the BBC just how advanced cyber criminals and their weaponry have become:
“25 years ago they were just simple bicycles. 10-15 years ago they were cars. Now they are space shuttles,” he said, underscoring the vast improvement in their attack capabilities.
These attackers are using their advanced skills and weaponry to organize large-scale assaults on not just businesses but entire nations at once, with unnerving results: “Hackers have targeted about 19,000 French websites,” reported CBS News after the early January terrorist attacks in Paris, France.
“What’s new, what’s important, is that this is 19,000 sites – that’s never been seen before,” Admiral Arnaud Coustilliere, head of cyber-defense for the French military, expressed his concern to CBS News. “This is the first time that a country has been faced with such a large wave of cyber attacks.”
And it will only get worse according to the recently released McAfee Labs’ 2015 Threats Predictions Report, as transcribed by Business Insider:
“Cyber espionage attacks will continue to increase in frequency. Long-term players will become stealthier information gatherers, while newcomers will look for ways to steal money and disrupt their adversaries. Criminals are beginning to look and act more like sophisticated nation-state cyber-espionage actors, who watch and wait to gather intelligence.”
How have corporations and governments been coping with the ever-increasing threats from these organized criminal enterprises and terrorist cells, who are growing ever more adept at their cyber attack tactics? It may disconcert you to know that they are not faring well. In fact, most are grossly underprepared.
The Stakes are Growing
FireEye’s report revealed just how prevalent successful cyber attacks have been recently:
“Some 96% of organizations across 20 different vertical industries suffered some form of cyber attack in the first half of last year,” DarkReading cites FireEye’s report. “Advanced malware attacks — typically associated with cyber espionage or other targeted attack campaigns — made up nearly 30% of cyber intrusions at 1,200 companies, according to new data from FireEye collected from its network and email sensors that sit behind traditional security systems.”
But these aren’t just any companies that were penetrated. These include major corporations from the agriculture, auto and transportation, education, retail, and even aerospace and defense industries.
“The industry with the lowest percentage of attacks getting past its security perimeters was aerospace and defense with 76% of the companies getting hit,” DarkReading revealed. If even the most highly secure aerospace and defense industry can have as many as 76% of its companies infiltrated by cyber criminals, the remaining industries don’t stand a chance.
The Ponemon Institute reported last September that 43% of U.S. companies had experienced a data breach in the past year. The well-publicized breach of Sony Pictures in December pales in comparison to many of these:
“Every week it seems, another major U.S. retailer says it’s been hacked,” reported Bloomberg. “Today [October 21, 2014], Staples said it was investigating a potential credit-card breach. Two weeks earlier it was Kmart. Three weeks earlier it was Supervalu and Albertsons. A month ago it was Home Depot. The list is longer than the checkout line at Target, which was breached late last year.”
Even systemically important financial behemoths are vulnerable, such as JP Morgan Chase (NYSE: JPM), whose attackers stole confidential banking information on 76 million households and 7 million small businesses in the summer of 2014.
At the recent Davos, Switzerland, conference of business leaders from around the globe, the World Economic Forum warned delegates that failure to improve cyber security could cost the global economy $3 trillion in lost productivity and wealth.
Are cyber espionage and hacking really that great a threat? Yes, especially when we consider how our dependence on cloud computing will continue to grow.
McKinsey and Company estimates “that cloud computing could create $3.72 trillion in value by 2020,” and that “over the next five to seven years, $9 trillion to $21 trillion of [online and offline] economic-value creation, worldwide, [will depend] on the robustness of the cyber-security environment”.
So are corporations and governments taking heed? Not by the looks of things. In fact, some 95% of corporations and government departments among more than 200 surveyed by McKinsey and Company are grossly ill-prepared.
Corporations and Governments are Ill-prepared
“Research McKinsey conducted in partnership with the World Economic Forum suggests that companies are struggling with their capabilities in cyber-risk management,” the research firm recently reported. “Most technology executives believe that they are losing ground to attackers.”
Based on their interviews with more than 200 chief information officers, chief information-security officers, regulators, policy makers, technology vendors, law-enforcement officials, and other kinds of practitioners in seven sectors across the Americas, Europe, the Middle East and Africa, and Asia, here’s the picture of readiness McKinsey’s research produced:
As per their graphic above, 34% of the companies they interviewed had a “nascent” or “beginning stage” cyber protection program, while another 61% were still in the process of developing one – the majority of which were still grossly underdeveloped. That accounts for 95%, leaving a mere 5% of companies with a “mature” protection system in place, while 0% have systems that are considered “state of the art”.
That simply will not do. The current level of protection employed by corporations and government agencies might stop your average teenager. But the serious threats come from attackers who are much more sophisticated and much better equipped.
The McAfee Labs’ 2015 Threats Predictions Report revealed that cyber attackers these days are “small nations and terror groups” looking to disrupt another nation’s economic infrastructure “by launching crippling distributed denial of service attacks or using malware that wipes the master boot record to destroy their enemies’ networks.”
They could even resort to using “ransomware”, which “locks down data and forces the victim to pay a ransom to retrieve it… With consumers now sending payment information over a protocol with known vulnerabilities, it is highly likely that attacks on this infrastructure will emerge in 2015,” the report added.
Three Companies Up to the Task
While most corporations and even government departments around the world are grossly under-equipped to wage war against such cyber enemies, at least three companies are already gearing up for the anticipated increased business ahead.
• Palo Alto Networks, Inc. (NYSE: PANW), market cap $10.41 billion, designs security platforms for enterprises, service providers, and government entities worldwide, including Next-Generation Firewall that protects against cyber threats, Threat Intelligence Cloud that offers central intelligence capabilities and preventative measures against cyber attacks from within their cloud, and Panorama for controlling and protecting attached appliances and devices. It also offers subscription services for laptop and mobile device protection, malware and threat protection, and Windows-based fixed and virtual endpoint protection.
• FireEye, Inc. (NASDAQ: FEYE), market cap $4.92 billion, provides products and services for detecting, preventing, and resolving advanced cyber-security threats, including Web traffic analysis, cloud and email threat prevention that detects and stops advanced attacks, file threat prevention which analyzes network file servers to detect and quarantine malicious software, forensic analysis systems, and endpoint threat prevention systems that detect, analyze, and resolve security incidents.
• Fortinet Inc. (NASDAQ: FTNT), market cap $4.82 billion, provides network security and threat management solutions worldwide, including FortiGate physical and virtual appliances, FortiManager product family to manage system configuration and security functions of multiple FortiGate devices from a centralized console, FortiAnalyzer product family, which enables the collection, analysis, and archiving of content and log data produced by its other products, FortiAP secure wireless access points, FortiWeb for Web-based applications, FortiMail for multi-featured messaging security, FortiDB for centrally managed database-specific security, FortiClient for endpoint security of desktops, laptops, and mobile devices, and FortiScan for endpoint vulnerability assessment and remediation, among many other cyber threat solutions to such varied clients as the telecommunications, government, financial, retail, education, technology, healthcare, and manufacturing industries.
Over the past year, only Fortinet has reported positive margins and returns on assets and equity, while Palo Alto’s and FireEye’s margins and returns are all negative. Yet for quarterly revenue growth, Fortinet reported the least at +26.30% year-over-year, with Palo Alto reporting +50.10%, while FireEye reported an amazing +167.80% revenue growth.
As for stock performance, FireEye’s shares (beige) have been struggling as of late as graphed below, falling some 60% from last February to May, and trending sideways since then. Fortinet (blue) has been faring better with gains of more than 30%, currently tripling the S&P 500 index, while Palo Alto (purple) has been simply on fire, rising nearly 110% over the past 12 months.
While these companies will be actively seeking to improve the security of corporations and governments the world over, their stocks just might be able to provide investors’ portfolios with some financial security from the stock market’s all too frequent attacks on their investments.