Technology

Cyber attacks fuel growth of digital security, 5.14.12

Like homeowners insulating their attics and basements, more and more companies are seeking to plug cracks in their information-technology infrastructure from costly cyber attacks.

As technology becomes more ingrained in how the world does business, cyber-security threats, such as breaches of customer data and the theft of intellectual property, are growing in scope and sophistication. And those security threats are expensive to deal with: the average cost to a company of a data breach was $5.5 million last year, according to Web-security firm Symantec and the Ponemon Institute. The Office of the U.S. Trade Representative pegs the cost of intellectual-property theft alone at about $250 billion annually. Overall, cyber attacks on companies rose 81% last year from 2010, with an average of 94 incidents daily.

In our estimation, the market for cyber security is so promising and lucrative that it should enable select security companies to generate double-digit earnings growth annually over the next two years. These companies include Check Point Software Technologies, Fortinet, Imperva, Sourcefire, and Websense.

Threats go beyond viruses

There was a time when security threats to companies were limited to the occasional hacker or computer virus. If you put up a firewall – a device designed to prevent unauthorized transmissions between computer networks – and installed anti-virus software on your network, you were largely safe. And only the biggest corporate fish really needed to worry about the barbed hook of security threats anyway; the threats were largely cast in the direction of Fortune 100 companies.

But that’s changing. Now, hackers, supported in some instances by organized crime syndicates and foreign nations, are trawling for companies of all sizes and in almost all industries. For example, Stuxnet, a cyber weapon, has infested tens of thousands of business computers in 155 countries, including those of a nuclear facility in Iran. Now, Stuxnet’s cousin Duqu spies with malign intent on Siemens industrial-control systems used in various industries. According to researchers from Symantec, Duqu is "looking for information such as design documents that could help [hackers] mount a future attack on an industrial-control facility." And now, Chief Security Officer, a trade publication, estimates that 45 million different viruses are circulating, with 2,000 new ones surfacing daily.

What’s more, hackers are stealing product designs, legal information, and strategic plans, then selling them to the highest bidder, such as a foreign government or a business rival. China in particular has raised the ire of technology firms for stealing software on a massive scale. The New York Times ranks China as the world’s second largest market for computer hardware sales, but only the eighth largest for software sales. This, the Times says, "strongly suggests" that China is buying its computer hardware but pirating much of its computer software.

Whether the attack on intellectual property is sanctioned privately or by a government, it usually comes in the form of what’s known in security-speak as "advanced persistent threats." Advanced persistent threats are precise cyber attacks on a specific enterprise that often occur over time, as the perpetrators systematically and patiently probe the prospective victim’s digital defenses, looking for the weakest point to exploit.

Forecast: more clouds

Meanwhile, as these attacks multiply, popular new technologies are presenting new security vulnerabilities. For example, a fresh target for cyber attacks is cloud computing – the housing of corporate data and digital services in off-site data centers, allowing employees to access their files and applications over the Internet from wherever they happen to be. According to researcher Global Industry Analysts, sales of cloud-computing services worldwide will reach $222 billion by 2015, up from about $40 billion last year.

The main convenience of cloud computing – its decentralized nature – is what makes it so hard to secure. Previously, in most corporate information-technology systems, just one perimeter had to be defended. Today, however, with cloud computing’s scope and remote accessibility, companies must fight a war on many fronts, and Web security must be updated continually to keep corporate systems protected.

Because many traditional security methods aren’t applicable to the cloud, the security industry is pushing for a new set of standards and practices, led by a nonprofit organization called the Cloud Security Alliance. As we see it, security in the cloud is the biggest challenge now facing corporate chief information officers.

Mobile devices grow explosively

Another new security vulnerability: heavy corporate use of smartphones and tablet computers. About 25% of the digital devices used at work are smartphones and tablets, Forrester Research says.

For smartphones and tablets, companies are increasingly adopting a policy of BYOD – Bring Your Own Device. The problem is that while employees are using their own smartphones and tablets at work, they often fail to take steps to secure these devices. Also, a study by the Computer Technology Industry Association reveals that 84% of employees use personal mobile devices for business, but only 22% of their employers have mobile-security policies in place.

The widespread use of unsecured mobile devices by employees and the absence of mobile-security policies by their employers have been a boon to hackers, security experts say. For example, hackers can embed malevolent codes in the hottest app or game, wait for good old Floyd from Accounting to download it, and sidestep the security measures in place at Floyd’s company.

Tweet while you work

Social media have added yet another dimension to cyber security. Americans spend 23% of their time online on social-media Web sites like Facebook and Twitter – and do so regularly on the job. A study by Palo Alto Networks shows that the amount of time employees spent using social media at work soared by 300% in the second half of 2011 from a year earlier.

Since many users of social media use the same passwords for everything digital, if a hacker cracks an employee’s social-media password, that means he can possibly breach the employer’s cyber-security defenses, too. And even if hackers aren’t involved, disgruntled or careless employees can leak propriety information via a tweet or an update of their Facebook page.

The combination of multiplying cyber attacks and the proliferation of new technology has led to changes in corporations’ hiring and spending patterns. For instance, some companies have resorted to employing former hackers to sniff out cyber threats. And companies are spending more on cyber security. In a Bank of America Merrill Lynch survey conducted in March, 21% of corporate buyers of information technology said they expect to increase their security spending this year. Canalys, a research firm, projects their spending will rise 8.7% this year.

As companies ratchet up their cyber-security efforts, we think five companies are especially well positioned to capitalize on those efforts in the near term:

Customer, beware

*  Check Point Software Technologies (headquarters: Tel Aviv, market capitalization: about $11 billion) provides Web-security solutions. The company got its start by developing enterprise firewalls, which block outsiders from corporate networks, and has evolved into the leader of Internet security. Check Point has established a collaborative network called ThreatCloud, which alerts a global network of subscribers to the latest security dangers. In the past three years the company has acquired security businesses from Nokia and FaceTime Communications to bolster its already formidable capabilities.

*  Fortinet (headquarters: Sunnyvale, California; market capitalization: about $3 billion) offers network-security hardware as well as software that runs on that hardware, an integrated approach called unified-threat management. At the end of last year, the company had an 18% share of the unified-threat management market. International Data Corporation, a research firm, projects the market will expand from $1.2 billion last year to $3.8 billion by 2015, and the market’s revenue will surpass that of traditional firewalls in 2012. The company has shipped more than 900,000 unified-threat management devices to more than 125,000 customers globally.

*  Imperva (headquarters: Redwood Shores, California; market capitalization: about $806 million) emphasizes the protection of data, and with good reason: data is growing at a massive rate; every day the world creates 2.5 exabytes of data (one exabyte equals one quintillion bytes) – enough data to fill the Library of Congress 30,000 times in a year. Imperva’s customers include three of the top five U.S. banks, four of the five leading global telecommunications firms, and four of the top five largest computer-hardware firms.

*  Sourcefire (headquarters: Columbia, Maryland; market capitalization: about $1 billion) got its start with the improbably named Snort – a pioneering intrusion-detection system using "open-source" code, which allows independent developers to modify and improve the software code. Another Sourcefire innovation, the Agile Security system, helps prevent an unwanted entry into a digital network long before it’s imminent, like using the crow’s nest to spot approaching warships on the horizon before they’re visible on the top deck. For now, Sourcefire’s competition in its market is limited, which we think helps explain how the company’s first-quarter revenue grew 50% from the same period last year, to $46.3 million.

*  Websense (headquarters: San Diego, market capitalization: about $752 million) markets products designed to minimize an enterprise’s internal security risks by monitoring and restricting employee Internet use. Websense also can integrate a firm’s digital systems with its Web-security, e-mail-security, mobile-security, and data-loss-prevention technologies. This year Websense was the only security company to win three awards for the effectiveness of its products from SC Magazine, an industry publication. To meet the need for mobile devices that can better withstand cyber attacks, the company recently strengthened the security features of its flagship Triton platform, whose sales are growing at a rate of more than 40% annually.

 

 

 

 

The views expressed represent the opinions of Turner Investments as of the date indicated and may change. They are not intended as a forecast, a guarantee of future results, investment recommendations, or an offer to buy or sell any securities. Opinions about individual securities mentioned may change, and there can be no guarantee that Turner will select and hold any particular security for its client portfolios. Earnings growth may not result in an increase in share price. Past performance is no guarantee of future results.

Turner Investments, founded in 1990 and based in Berwyn, Pennsylvania, is an investment firm with more than $13 billion in assets under management in stocks, as of March 31, 2012. Turner manages growth, global/international, and alternative separately-managed accounts and mutual funds for institutions and individuals.

For a quick rundown of Turner Investments’ views on the stock market and growth-investment strategy, watch the Quarterly Perspectives with Bob Turner video at this link: http://www.turnerinvestments.com/quarterly-perspective/for/inst.

As of April 30, 2012, Turner held in client accounts 25,280 shares of Check Point Software Technologies, 1.7 million shares of Fortinet, and 91,360 shares of Imperva. Turner held no shares of Sourcefire or Websense.