Who are you going to call to prevent a hack attack?

The spectacular North Korean hack of Sony last year, and other high-profile corporate security breaches, have put a rocket under the valuations of firms that offer cyber protection. But are they really worth it?

Jamie Nimmo
Saturday 27 June 2015 02:12
Heavy security surrounds the entrance of United Artists theater during the premiere of the film "The Interview" in Los Angeles

Cyber security was thrust into the public eye last year when a group of hackers managed in effect to shut down Sony Pictures. The attack on the entertainment giant came as it prepared for the launch of the controversial film The Interview, which involved a plot to assassinate the North Korean leader Kim Jong-un.

The hack attack, which exposed embarrassing emails from studio executives about Hollywood stars, intensified when those behind it – calling themselves “Guardians of Peace” and fingered by US intelligence as North Koreans – said they would target cinemas showing the movie. The premiere was cancelled, although the film was released at a later date.

The incident rammed home how vulnerable even the largest corporations are to cyber invasions. It has also increased demand for shares in cyber security firms.

In the US the share price of the security software maker AVG Technologies has jumped 41 per cent since the start of the year. And the UK’s Sophos, which makes antivirus software to protect mid-sized businesses from data breaches, will float in London next week with a £1bn price tag in its third attempt at an IPO.

It will raise $125m (£80m) to cut debt and grow the business – $25m more than planned when the blueprint for its flotation was unveiled just a few weeks ago.

In going public, Sophos will join the list of so-called “unicorns”, those tech start-ups with valuations of more than $1bn, though Sophos has actually been around since 1985.

While demand is clearly there for its shares, not everyone is convinced. The technology research firm Megabuyte questions the market’s lofty valuation for Sophos and says it will only be merited if it can accelerate revenue growth.

There are also questions over the services on offer from security software providers.

The IT security expert Gary Newe, technical director at the cyber security firm F5 Networks, says that while companies need to bolster their protection, those supplying the security technology “also have to step up”.

There are plenty of providers that have one basic product but do not offer a number of solutions to cover all possible scenarios, he explained.

“It’s not enough to say you’ve got one device in your data centre – if there’s a more joined-up solution, we might be able to mitigate some of these attacks a bit better,” he told The Independent.

Asked if companies were not taking the risks seriously, he responded: “I don’t think anyone is purposefully neglecting it [cyber security]. I just think there needs to be more education from the vendor community and on what the actual risk is.”

Mr Newe said that a year ago even he thought some of the fears over cyber security were “just hype”. But now he sees it as a very real danger. “It’s becoming the new, easy way to attack people. It’s a new way to extort money,” he said.

Dan Glaser, the chief executive of the professional services giant Marsh & McLennan Companies, recently warned that cyber security is the “biggest man-made risk issue of our time”.

“These breaches are happening all across the world and can manifest themselves not only economically but also physically with things like critical infrastructure, power grids and dams under threat. There could be some pretty disastrous results,” he said.

A report out this week from the credit agency Experian revealed that British businesses could face £20bn in fines if they fail to protect their customers from data breaches when new European Union rules come into force.

The new laws will require companies to inform the Data Protection Authority of a breach within 72 hours. The maximum fine will also rise from £500,000 to €100m (£72m), or up to 5 per cent of annual turnover.

“The introduction of EU data protection regulation – expected to come fully into force within the next three years – will fundamentally and dramatically alter the data breach landscape,” explained Amir Goshtai, managing director of Experian Consumer Services.

“Even in the absence of a strict notification law at this time, it is well within companies’ best interests to put preventative measures and plans in place now.”

The ratings agency Standard & Poor’s has also warned of the potential impact of hacks. “Given a severe enough incident, a cyber attack could potentially have credit-rating consequences, most likely through adversely affecting revenues, profitability and credit metrics,” it said.

The US retail heavyweight Target is a case in point. In 2013 it suffered at the hands of hackers who perpetrated a massive data breach that exposed the credit and debit card data of 40 million customers. In March Target agreed to pay up to $10m in compensation. The company was also forced to beef up its data security by appointing a chief information security officer and providing training for staff.

The upshot is that companies find themselves with no choice but to invest in cyber security. Good news for security companies like Sophos, but bad news for lawyers, who are set to pocket up to $6.75m from the Target hack alone.

Security men: Leading lights

John McAfee

McAfee antivirus

Having made $100m creating his eponymous IT security business, John McAfee went to live in Belize. But his behaviour became increasingly erratic. His neighbour was murdered and police named him as a “person of interest” whom they wanted to interview, so he went on the run through the jungles of South America, at one stage spending a spell in a Guatemalan prison. Curiously, he would blog about his disguises – one included smearing himself with shoe polish and pretending to be a Guatemalan trinket peddler. He topped off the disguise by inserting a tampon up his right nostril to change the shape of his nose. Earlier this month he appeared in London to talk of his pet topic: state intrusion on civil liberties.

Eugene Kaspersky

Kaspersky Lab

The Moscow-based Eugene Kaspersky is often whispered to have been involved in state security – though he denies it. He was educated at the higher school of the KGB, and clients are believed to include the Russian Government. He still lives in Moscow, even though his child was kidnapped there.
