Cybersecurity – M&A Sector Report
Director Lars Stenvold Wik talks cybersecurity and looks at the evolution of cyberattacks and the motives behind them, as well as the key factors in preventing security breaches. He also provides an overview of the global cybersecurity M&A market which looks to be on a strong growth path.
Exceptionally Strong Market Outlook
By 2021, the global cybersecurity market is expected to be worth a staggering €172bn. With threat levels growing and corporations continuing to fall victim to damaging and costly data breaches, the global and endless magnitude of information security issues has left end-users looking for solutions.
Looking at the number of cybersecurity transactions closed last year compared to 2016, 505 and 436 respectively, it’s clear that the cybersecurity sector has a strong growth path ahead. Global M&A volume totaled €19.4bn in 2017 and with high valuation levels, low market interest rates and good pricing, the market outlook remains exceptionally strong.
Due to the extremely good levels of M&A activity we are seeing, many new European players are now entering the market. With private capital and a high level of funding available, there is a lot of money in the market and investors are actively looking to invest.
Cybersecurity – What’s it all About?
Cyberattacks Are Evolving – It’s Not Just the Banks Who Are Vulnerable
Though a significant motivation for cyberattacks remains monetary gain, attacks in order to access information or distribute false information are becoming almost as important. Previously banks were seen as the main targets, but now we are seeing more and more non-financial organizations and public institutions come under fire.
With the public sector and banks long being targets for attacks, they have additional security features in place and are much more prepared for attacks than other industries. The manufacturing industry, for example, has been embedding cutting-edge digital technology within its processes for a long time now, and routine disruptions are common. However, with an increasing number of functions and machines connected to the internet, the industry is fast becoming vulnerable to cyberattacks. Hackers accessing software and machinery such as robotic arms have the potential to effectively shut down or tamper with production, rendering it worthless, and the costs to the business could be exponential.
In 2017, the top 5 industries hacked were Healthcare, Manufacturing, Financial Services, Government and Transportation, demonstrating the magnitude of industries that are targets for attack. Shipping conglomerate Maersk is a prime example of one of the big names in the transportation industry that was affected last year. In late June it fell victim to a global IT breakdown, hit by the “Petya” cyberattack, ransomware that essentially encrypts the infected computers, locking them until the ransom is paid.
In 2017 there were several major cybersecurity breaches announced and the average cost of a data breach stood at €3m (up 6% from the previous year) – so what’s the solution?
Locked Systems and Going Old Style?
Though some firms are reporting that they are indeed going old style, with locked systems that don’t link to the internet and no longer storing anything on the Cloud, this isn’t really the answer moving forward. On the contrary, in the future it’s more likely that everything will be more open and linked to the internet and, unfortunately, good hackers will always find a way in. The key is structuring information in several layers and triangulating information, as well as understanding and minimizing the potential breaches and risks.
HR Training is a Must, Not an Extra
Cyberattacks are evolving. Hackers have shifted from breaking into systems by means of cracking code, to attacking the human element, such as targeting individuals through spear phishing attacks, in order to gain entry into a personal network or system.
This is reflected in the number of breaches related to human error – 70% – clearly demonstrating that technology alone cannot successfully prevent cybersecurity attacks. Though it does provide automated safeguards and processes that prevent entry and exposure to the company, if these can be overridden in phishing attacks by just one click of a link or due to someone taking an action they shouldn’t, there needs to be more focus on raising awareness and educating the ‘people’ element in the equation.
Imagine the CEO or CFO of a company away on business who sends a confidential email to someone in the finance department, stating he is travelling and requesting the urgent transfer of money to fulfill an ongoing transaction, acquisition or procurement. The employee, believing the email to be authentic as it looks like any other internal, confidential email from the CFO, makes the transfer. Nowadays, with everything connected (calendars, phones, etc.), it’s all too easy for targeted hacks. Employees are unaware of the threats they are facing, proving that even companies with strong security measures are still vulnerable to attack.
Technological elements such as firewalls and processes are the bread and butter, but educating employees from the bottom of the company right up to the top is key. Just like a fire drill, practiced over and over again so that everyone knows the procedure in the event that a fire occurs, employees need to be trained in how to recognize and respond to attacks.
In the same vein, cybersecurity moves so fast: there are new hacks and codes being developed every day, plus there is always a back-door into a system. Many breaches are preventable, however, so it’s a company’s responsibility to constantly educate its employees on new possible risks and ensure it is at a level that will minimize direct threats from scams.
Knowing What You’re Up Against
Of course, it would also help to know just what sort of attacks to try and safeguard against. However, though we are seeing more and more cyberattacks hitting the news headlines, it’s impossible to know just how many people have been hacked and how. Very few companies actually admit to having been hacked, for fear of their shareholders or clients finding out or highlighting concerns in their infrastructure. If more attacks were made public and people were aware of the type of attacks that are taking place, firms could look at putting procedures in place to prevent being attacked in the same manner.
Public Perception Matters
There seems to be an unspoken yet acceptable level of risk, hacks and breaches, with financial institutions and companies unable to protect themselves 100%. That being said, clients expect their money to be kept safe, along with their data (and to be used only for the purposes it was intended). Therefore, breaches can cause not only financial damage, but also harm an entity’s reputation – businesses are built on trust so it is key that clients perceive that cybersecurity is being taken seriously and measures are being taken to protect their data or their money. The one piece of good news for those having suffered breaches is that the public tends to forget quickly.
The General Data Protection Regulation (GDPR)
The GDPR was implemented in May 2018, with the primary objective of giving citizens and residents control back over their personal data and simplifying the regulatory environment for international businesses by unifying regulations within the EU. Companies will essentially only be allowed to use personal information for the purpose for which it was collected.
If we take a look at the Facebook vs Cambridge Analytica breach, whereby the personal data of 87 million users was exposed, we catch a glimpse of just how personal data, search and phone histories and personal messages can be misused. On 11th April 2018, Facebook was summoned for a congressional hearing regarding their security breach and their failure to properly protect their users’ data. This case highlights the current focus on the correct, limited and appropriate use of personal data.
In fact, the importance of complying with the GDPR means that we are now seeing a general trend in including data protection conditions related to the regulation in M&A SPAs.
Identifying Potential Risks As Early As Possible
Until now, cybersecurity has traditionally been underemphasized during due diligence, but this is changing. Scalability and consolidation of acquisition platforms still remain top concerns, but understanding the cybersecurity risks and handling of personal data is now a top priority in many ongoing transactions.
Understandably, if security issues in a company are identified during the M&A process, it can potentially lead to price reductions or even the breakdown of deals. Therefore, it’s clear that companies must ensure they have adequate cybersecurity protective measures in place, limiting the risks of this occurring.
Using Big Data and Artificial Intelligence (AI) to Stay One Step Ahead
IBM Watson AI is already one of several big players in the market and it is forecast that it will remain one of the key means in helping companies stay ahead of the hackers. Uniquely positioned not only to handle the sheer volume of big data information, it can also discern the crucial context that can recognize what sorts of threats exist – something that would otherwise need to be done manually with human input.
Additionally, Blockchain-based security platforms address the fundamental flaws in general security by essentially removing the human factor from the equation – which is usually the weakest link. This technology and all engines that look for flaws/patterns on the web to prevent simple attacks will be game changers over the coming years.
Unfortunately, many large software companies face the problem of having big data they can’t currently process. By aggregating with small, niche consultancies with advanced scalable cybersecurity software solutions such as FutureScope, they are able to standardize products and services, as well as develop next level security products. Due to the lack of specialized knowledge in this area in many organizations, during the next few years people with these skills will be highly attractive hires.
IMAP Europe Cybersecurity Market Survey Feedback
IMAP Europe conducted a survey in 2017 to understand local cybersecurity markets, interviewing some of the largest European cybersecurity companies. One finding was unanimous: the same problems are being seen across all the regions, and a lack of resources and internal knowhow are both current and future bottlenecks.
Data providers, email providers and the public sector were highlighted as the sectors most vulnerable and likely to experience future cyberattacks.
The products most in demand by customers to prevent attacks are data loss protection services and firewalls in the cloud which are expected to see the largest growth over the upcoming years. In addition, software to prevent Ransomware and firewalls to protect both business and personal devices are likely to be in high demand.
Looking at what were thought to be the most common reasons for data loss, respondents agreed that personal behavior, too little knowhow and negligence along with lack of awareness were the main causes. They also expected that there would be more “smarter” attacks in the future along with industry spying. Furthermore, sophisticated crime for economic gain, as well as public sector manipulation through cyberattacks is likely to increase in the future.