Cybersecurity is an umbrella term for a broad range of technologies and IT practices designed to protect computing systems, applications, networks, and data from unauthorised access, data breaches, and attacks.
In today’s interconnected world, every business needs a cybersecurity plan to defend against, detect, and respond to cyber threats in order to maintain the confidentiality, integrity and availability of its digital assets. The stakes are high, as even a single breach can be costly: IBM's Cost of a Data Breach Report 2024 put the global average cost of a data breach at US$4.88 million, up 10% over the prior year. According to Statista, the global cost of cybercrime is expected to reach a staggering US$13.82 trillion by 2028, up from US$860 billion in 2018. (Figure A)
Figure A: The cost of cybercrime
Source: Statista
The escalation in cyberattacks can be attributed to several factors. Hostile state actors, organised criminal syndicates, and opportunistic hackers are all ramping up their activities. Exponential growth of digital infrastructure – including the proliferation of connected devices – has expanded the attack surface available to malicious actors, making it easier for them to find exploitable weaknesses. The COVID-19 pandemic accelerated this trend, with the FBI reporting a 300% spike in reported cybercrime since the onset of the pandemic. According to the White House’s National Cybersecurity Strategy, state-sponsored attacks have also become more prevalent, with China, Russia, Iran, and North Korea noted to be "aggressively using advanced cyber capabilities to pursue objectives that run counter to our interests."
Moreover, the emergence of ransomware as a service (RaaS) has lowered the barrier to entry for cybercriminals, particularly as the broader adoption of cryptocurrencies has enabled attackers to collect payments with a degree of anonymity (cryptocurrency transactions are pseudonymous rather than untraceable, but they bypass the controls of the banking system). According to the recently released Zscaler ThreatLabz 2024 Ransomware Report, ransomware attacks blocked by the Zscaler cloud increased 18% year over year globally in the 12 months ended April 2024, including a staggering 93% increase in attacks against U.S.-based organisations (where nearly 50% of all ransomware attacks occurred).
Overall, inadequate cybersecurity measures, combined with exponential digitisation, has created a perfect storm for the proliferation of cyberattacks across all sectors of the economy. It is therefore not a surprise that robust cybersecurity solutions have evolved into a critical business imperative – one that is becoming ever more important with each passing day.
Common Cyber Threats
Next we will discuss some of the most common forms of cyber threats:
Malware
Malware (short for malicious software) is a category of programs designed to infiltrate and exploit computing devices such as laptops, smartphones, and servers. There are various types of malware:
- Viruses are self-replicating programs that spread by attaching to other files or programs, often propagating through email attachments or infected websites.
- Trojans are malicious programs disguised as legitimate software that trick users into willingly installing them; once installed they open a backdoor for threat actors. Trojans are common in pirated software and illegitimate mobile apps.
- Spyware operates covertly in the background, gathering sensitive information without the user's knowledge and potentially leading to identity theft or financial fraud.
- Ransomware encrypts files or locks computer access, demanding payment (often in cryptocurrency) for the decryption key. Modern ransomware groups commonly also steal data before encrypting it and threaten to publish it, so backups alone no longer neutralise the extortion.
One of the largest known malware attacks was the WannaCry ransomware outbreak of 2017, which affected over 200,000 computers across 150 countries and caused billions of dollars of damage. WannaCry spread as a worm, without any user interaction, by exploiting a vulnerability in the SMBv1 file-sharing service of Windows machines that had not applied the MS17-010 security update released two months earlier; it then encrypted users' files and demanded payment in Bitcoin for the decryption key. Among the high-profile organisations impacted was the UK’s National Health Service, where the outbreak caused widespread disruption to hospitals and clinics.
Zscaler’s ThreatLabz 2024 Ransomware Report more recently highlighted a record-breaking $75 million ransomware payment made by an organisation to the Dark Angels ransomware group – nearly double the previous highest publicly known ransomware payout – a windfall that will likely only encourage other bad actors to ramp up their own illicit efforts.
Distributed Denial of Service (DDoS) Attacks
DDoS attacks harness networks of compromised computers (“botnets”) to overwhelm a target service or network with the goal of making it inaccessible to its users. These attacks come in various forms, such as flooding a system with traffic, abusing protocol weaknesses (for example, sending spoofed requests to open UDP services so that their much larger responses are reflected at the victim), or exhausting specific application-layer services with expensive requests. The primary goal is to disrupt service availability, potentially causing financial and/or reputational damage to the impacted organisation.
There have been a number of high-profile DDoS attacks in recent years. In September 2017, Google was the target of a massive reflection attack in which spoofed requests were sent to roughly 180,000 exposed CLDAP, DNS and SMTP servers so that their amplified responses were directed at Google. This attack reached a colossal 2.54 Tbps. The following year, GitHub was hit by an attack that peaked at 1.35 Tbps, with perpetrators leveraging the amplification effect of exposed memcached servers, a popular database caching system. In February 2020, Amazon Web Services (AWS) reported mitigating a staggering 2.3 Tbps DDoS attack in which malicious actors used publicly reachable Connection-less Lightweight Directory Access Protocol (CLDAP) servers as reflectors. These high-profile incidents underscore the evolving and ever-present nature of DDoS threats, driving continued innovation in mitigation strategies and technologies within the cybersecurity industry.
Identity-based Attacks
Identity-based attacks often exploit stolen or weak passwords to gain unauthorised access to systems. Common forms include credential stuffing, where attackers use automated tools to replay large numbers of username/password combinations stolen from one breach against many other websites, and password spraying, which attempts to access numerous accounts using a few commonly used passwords, spread out slowly enough to stay under per-account lockout thresholds.
Identity attacks can have far-reaching implications. In 2012, 6.5 million password hashes were stolen from LinkedIn and, because they were unsalted SHA-1 hashes, were quickly cracked; a much larger set from the same breach, around 117 million accounts, surfaced for sale in 2016. As users tend to reuse passwords, in 2016 Netflix observed a surge in fraudulent logins as perpetrators leveraged the LinkedIn leak.
Organisations are mitigating these risks by adopting multi-factor authentication (MFA) and passwordless authentication models such as biometric logins and FIDO2 passkeys. Not all MFA is equal: one-time codes sent by SMS and push approvals can still be phished or worn down by repeated prompts, whereas hardware-backed, origin-bound methods such as passkeys are phishing-resistant.
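The two patterns described above can be spotted in authentication logs by looking at different pivots: credential stuffing shows up as one source hammering many distinct accounts in a short burst, while a slow password spray shows up as one password tried against many accounts regardless of source. The following detector is an added example and not code from the original article; the log format is an assumption (one line per attempt with a short hash of the submitted password, which is assumed to be logged so that spraying can be recognised without ever logging cleartext passwords), and the log lines are constructed.

```python
"""Detect credential-stuffing bursts and slow password sprays in an auth log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp, source IP,
# username, outcome, short hash of the submitted password (assumed format).
SAMPLE_LOG = """\
2024-05-01T09:00:00 192.0.2.10 alice FAIL pw=x9
2024-05-01T09:00:30 192.0.2.10 alice FAIL pw=y8
2024-05-01T09:01:00 192.0.2.10 alice OK pw=a1
2024-05-01T10:00:01 203.0.113.5 alice FAIL pw=a1
2024-05-01T10:00:02 203.0.113.5 bob FAIL pw=b2
2024-05-01T10:00:02 203.0.113.5 carol FAIL pw=c3
2024-05-01T10:00:03 203.0.113.5 dave FAIL pw=d4
2024-05-01T10:00:04 203.0.113.5 erin FAIL pw=e5
2024-05-01T10:00:05 203.0.113.5 frank OK pw=f6
2024-05-01T10:05:00 198.51.100.7 alice FAIL pw=s1
2024-05-01T10:20:00 198.51.100.8 bob FAIL pw=s1
2024-05-01T10:35:00 198.51.100.9 carol FAIL pw=s1
2024-05-01T10:50:00 198.51.100.7 dave FAIL pw=s1
2024-05-01T11:05:00 198.51.100.8 erin FAIL pw=s1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL) pw=(\S+)$")


def parse_log(text):
    """Return time-sorted (timestamp, ip, user, success, pw_hash) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts, ip, user, outcome, pw = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK", pw))
    return sorted(events)


def distinct_users_in_window(events, window):
    """Largest set of distinct usernames that occur within any span of `window`."""
    best = set()
    for i, (t0, _, _, _, _) in enumerate(events):
        users = {e[2] for e in events[i:] if e[0] - t0 <= window}
        if len(users) > len(best):
            best = users
    return best


def detect_credential_stuffing(events, window=timedelta(seconds=60), min_users=5):
    """Source IPs that fail logins for many distinct accounts in a short burst."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e[3]:
            fails_by_ip[e[1]].append(e)
    alerts = {}
    for ip, fails in fails_by_ip.items():
        users = distinct_users_in_window(fails, window)
        if len(users) >= min_users:
            # A success from the same source is the account most likely compromised.
            successes = sorted(e[2] for e in events if e[1] == ip and e[3])
            alerts[ip] = {"users": sorted(users), "successes": successes}
    return alerts


def detect_password_spraying(events, window=timedelta(hours=2), min_users=5):
    """One password tried against many accounts, across any number of sources."""
    fails_by_pw = defaultdict(list)
    for e in events:
        if not e[3]:
            fails_by_pw[e[4]].append(e)
    alerts = {}
    for pw, fails in fails_by_pw.items():
        users = distinct_users_in_window(fails, window)
        if len(users) >= min_users:
            alerts[pw] = {"users": sorted(users),
                          "source_ips": sorted({e[1] for e in fails})}
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("stuffing:", detect_credential_stuffing(evts))
    print("spraying:", detect_password_spraying(evts))
```

Note that the spray from 198.51.100.7-9 never trips a per-IP or per-account threshold: each account sees one failure and each IP two, fifteen minutes apart. Only pivoting on the password hash exposes it, which is why the two detections use different grouping keys. The user at 192.0.2.10 who mistypes twice and then succeeds is correctly left alone.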
Code Injection Attacks
Code injection attacks involve supplying input that a vulnerable application treats as code rather than data, altering its behaviour or granting unauthorised access to systems and data. Common types include SQL injection (malicious SQL embedded in input fields is concatenated into a database query), cross-site scripting (attacker-controlled scripts are embedded in web pages served to other users), and command or template injection that leads to remote code execution on the server. These attacks can lead to data breaches, system outages, and financial loss.
One infamous example of this type of attack was the breach experienced by Equifax – one of the world’s largest credit reporting agencies – in 2017. Attackers discovered that one of Equifax’s servers was running a version of Apache Struts with an unpatched remote code execution flaw (CVE-2017-5638, for which a fix had been available for two months), and they leveraged the vulnerability to gain access to sensitive data of 147 million Americans. In 2019, Capital One fell victim to a major data breach affecting over 100 million customers. That attack was not code injection but server-side request forgery (SSRF): a misconfigured web application firewall was tricked into making requests to the EC2 instance metadata service on the attacker's behalf, which at that time returned the instance's temporary IAM credentials to any caller, and those credentials were used to copy data out of Amazon S3 storage.
Secure coding practices (parameterised queries, output encoding, strict input validation), regular patching of IT infrastructure, and least-privilege credentials for application components can go a long way toward mitigating these risks.
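SQL injection is the clearest case of the "input treated as code" problem described above. The following added example, which is not code from the original article, places a vulnerable lookup that splices user input into the query text next to the parameterised version, and runs the same attacker payloads against both; the in-memory user table and its rows are constructed for the demonstration.

```python
"""SQL injection: string-built query beside its parameterised fix (sqlite3)."""
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is spliced into the SQL text, so it can change the
    statement's structure: a quote ends the literal and the rest is parsed as SQL."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the value is bound separately from the SQL text, so
    quotes, OR clauses and comment markers in the input are just characters to match."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


PAYLOADS = (
    "alice",                                                  # benign
    "' OR '1'='1",                                            # tautology: dumps every row
    "' UNION SELECT username, password_hash FROM users --",   # pulls a different column
)

if __name__ == "__main__":
    db = make_db()
    for payload in PAYLOADS:
        print(repr(payload))
        print("  vulnerable:", lookup_vulnerable(db, payload))
        print("  safe:      ", lookup_safe(db, payload))
```

With the tautology payload the vulnerable function returns both users, and with the UNION payload it returns password hashes through a query that was only ever meant to read usernames and roles; the parameterised version returns no rows for either, because it looks for a user whose name literally contains the payload. The same principle (keep data out of the code channel) is what output encoding does for cross-site scripting and what argument arrays instead of shell strings do for command injection.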
Social Engineering Attacks
Social engineering attacks exploit human psychology to manipulate individuals into divulging confidential information or performing actions that compromise security. These attacks often rely on creating a false sense of trust or urgency, exploiting human tendencies rather than technical vulnerabilities.
Phishing is the most prevalent form of social engineering attack. It commonly occurs via emails, text messages, or websites that appear to be legitimate (but are not), with the victim falling for the masquerade and willingly providing sensitive information to the attacker. The goal is usually to steal credentials or financial information, or to get malware installed on the victim's device. While phishing attacks generally cast a wide net, "spear phishing" targets specific individuals and "whaling" targets senior executives and other high-value individuals.
Other common social engineering approaches include baiting and voice phishing (vishing).
As social engineering attacks become more prevalent and sophisticated, organisations will need to consider the human-in-the-loop factor when designing security measures. In particular, enterprises that combine technical defences with human-oriented security measures are likely to be more successful at thwarting these attacks than those that focus primarily on the former.
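Because a phishing message relies on a masquerade, the technical defences mentioned above mostly amount to checking whether the message's claimed identity matches its actual origin. The following added example (not code from the original article) applies three such checks to a raw e-mail using only the Python standard library: a display name that invokes a brand the sender's domain does not belong to, a Reply-To that diverts replies elsewhere, and link text that shows one host while the href points to another (plus a flag for punycode hosts, which are used for look-alike domains). The brand-to-domain map, the fictional `.example` domains and both messages are constructed for the demonstration.

```python
"""Header and link consistency checks for phishing indicators."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping from a brand name (as it appears in a display name, lower-case)
# to the brand's genuine domain. Fictional brand for the demonstration.
BRANDS = {"example bank": "examplebank.example"}

# Constructed messages: one genuine, one impersonating the brand.
LEGIT_EMAIL = """\
From: "Example Bank" <alerts@examplebank.example>
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in at
<a href="https://examplebank.example/statements">examplebank.example/statements</a>
to view it.</p></body></html>
"""

PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@examp1ebank-login.example>
Reply-To: recovery@freemail.example
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Your account is limited. Visit
<a href="http://examplebank.example.verify-login.example/">examplebank.example/login</a>
to restore access.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of(address):
    return address.rpartition("@")[2].lower()


def _same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def _body_text(msg):
    """First text part of the message, decoded; walk() covers single-part too."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_email, brands=BRANDS):
    """Return (code, detail) pairs; an empty list means no indicator fired."""
    msg = message_from_string(raw_email)
    found = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(sender)
    for brand, domain in brands.items():
        if brand in display_name.lower() and not _same_org(sender_domain, domain):
            found.append(("brand-impersonation",
                          f"'{display_name}' sent from {sender_domain}, not {domain}"))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain_of(reply_to) != sender_domain:
        found.append(("reply-to-mismatch", f"replies go to {_domain_of(reply_to)}"))
    collector = _LinkCollector()
    collector.feed(_body_text(msg))
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        if "." in text and " " not in text:  # the visible text itself looks like a URL
            shown = text if "://" in text else "http://" + text
            text_host = (urlparse(shown).hostname or "").lower()
            if text_host and text_host != href_host:
                found.append(("link-mismatch", f"text shows {text_host}, href goes to {href_host}"))
        if any(label.startswith("xn--") for label in href_host.split(".")):
            found.append(("punycode-host", href_host))
    return found


if __name__ == "__main__":
    print("legit:", phishing_indicators(LEGIT_EMAIL))
    print("phish:", phishing_indicators(PHISH_EMAIL))
```

The link check is the one worth internalising: `examplebank.example.verify-login.example` begins with the brand's domain, which is exactly what a hurried reader sees, but the registrable domain is `verify-login.example`. Checks like these catch the crude majority of phishing; they do not replace phishing-resistant MFA, which removes the value of a stolen password even when the lure succeeds.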
Evolution of Enterprise Cybersecurity
In the early days of the Internet, security was mostly limited to protocol design and access control. The late 1980s saw the emergence of antivirus software, which perhaps can be considered to mark the beginning of dedicated security software solutions.
The consideration of IT infrastructure security gained prominence with the invention of the World Wide Web (“Web”) and the widespread adoption of the Internet starting in the 1990s. As businesses started deploying their corporate networks, the idea of building a defensive perimeter (or “moat”) around the corporate IT infrastructure (or “castle”) started to take hold. The resulting birth of castle-and-moat security saw firewalls emerge as the bulwark of the security measures.
Initially, firewalls were simple packet filters sitting between the trusted internal and the untrusted external network. With cyberthreats becoming more sophisticated, the mid-1990s saw adoption of intrusion detection systems (i.e., security appliances or software that monitor network traffic for suspicious activity and policy violations). As the technology matured, next-generation firewalls incorporated deep packet inspection, application awareness, and inline intrusion prevention.
The increase in threats and their sophistication resulted in the birth of security information and event management (SIEM) systems in the early 2000s. SIEM systems collect and analyse security-related event data from across an organisation’s IT infrastructure. Typical capabilities include log management, event correlation and analytics, and alerting, with automated response added in later generations. These capabilities enable enterprise security teams to identify anomalies and deploy automated threat remediation strategies.
Then, the late 2000s saw another paradigm shift caused by the smartphone revolution and the widespread adoption of cloud computing. AWS launched its first cloud services in 2006, and the iPhone was introduced in 2007. While these technologies transformed how people lived and worked, the shift also dramatically increased the attack surface (e.g., cloud and mobile technologies introduced new apps, anytime anywhere access, distributed computing and storage infrastructure). These developments pushed forward advancement of identity management solutions, introduction of new cloud security frameworks, development of cloud-native security solutions and mobile device management tools.
For instance, with increasing complexity in technology stacks, we saw cloud-based identity and access management (IAM) solutions gain ground. IAM solutions help manage digital identities and user access to data, systems, and resources. They include features such as single sign-on (SSO), multi-factor authentication (MFA) and privileged access management (PAM).
Moreover, with no clear delineation of the corporate perimeter in the cloud computing world, a new Zero Trust security model started to take hold in the 2010s. Unlike traditional perimeter-based security models, Zero Trust assumes that threats exist both inside and outside traditional network boundaries. This approach requires every request, whether it originates inside or outside the organisation's network, to be authenticated and authorised on the basis of user identity, device health and context before access to applications and data is granted, and to be re-evaluated continuously rather than trusted because of where it came from.
Ideas such as Cloud Access Security Brokers (CASBs) emerged, providing visibility and control over cloud applications. Cloud Security Posture Management (CSPM) tools also gained prominence as organisations focussed on assessing and managing their cloud security risks.
More recently, AI and machine learning are being leveraged to detect and respond to threats more quickly and effectively, enabling predictive security measures. To cope with the sheer volume of security events, organisations are increasingly turning to security orchestration, automation, and response (SOAR) platforms. Extended Detection and Response (XDR) has evolved as a framework for unifying endpoint, network, and cloud data to provide holistic protection and faster threat detection and response.
It is important to realise that cybersecurity is an arms race of sorts. Cybersecurity specialists are continually working towards securing systems, while threat actors are always on the lookout for new, more sophisticated attacks – with both increasingly leveraging AI and machine learning in their respective efforts. In this race, only those companies that have the tenacity to stay at the forefront of innovation can thrive over the long term.
Cybersecurity is a good business
Like enterprise software companies, cybersecurity businesses often exhibit attractive characteristics that make them compelling investment opportunities.
The market for cybersecurity is rapidly expanding, propelled by the increasing frequency and sophistication of cyber threats. This growth potential makes this sector particularly interesting to investors seeking high-growth technology exposure.
Further, modern security solutions are offered as subscription-based services, thus providing predictable and recurring revenue streams, a trait favoured by investors. In addition, cloud-based cybersecurity solutions can easily scale to meet growing customer demands without significant capital investments. In other words, modern cybersecurity businesses can be asset-light compounders.
It is also important to note that security solutions often fall in the “must have” and not in the “good to have” category. Thus, even in difficult macroeconomic conditions, cybersecurity spending is mission critical and likely to be impacted to a lesser extent than other businesses.
There are many listed behemoths and several up-and-coming innovative cybersecurity players in the public markets. Enterprise software behemoth Microsoft offers a comprehensive range of security solutions, including identity and access management, unified XDR and SIEM platforms, and firewall and DDoS protection services. Networking giant Cisco offers a wide range of networking and security solutions, including endpoint security and cloud security, and recently bolstered its position by completing its acquisition of Splunk, a leader in log analytics, observability and SIEM, in 2024.
Among the security specialists, Palo Alto Networks is a veteran security vendor that has its roots in selling hardware security appliances. The company has more recently migrated to selling cloud-based security solutions.
There are also many next-generation, rapidly growing cybersecurity pure-plays to consider.
While cybersecurity offers plenty of growth potential, investors should not overlook the risks. The lucrative nature of this industry results in intense competition. Technological shifts can also cause dislocation and alter competitive dynamics. Finally, the attractive nature of the industry tends to push valuations up, which might crimp investors’ future returns.
Sizing the opportunity
The cybersecurity market is large and rapidly growing, thrust forward by factors such as digital transformation and the increasing sophistication of threats.
According to Precedence Research, the global cybersecurity market is expected to compound at 12.6% annually over their forecast period, 2024 to 2034, reaching US$878 billion by 2034 (Figure B). According to Grand View Research, IT investments in 5G, the Internet of Things (IoT), and the Bring Your Own Device (BYOD) trend are expected to significantly increase the number of endpoints, which is likely to be beneficial to businesses focussed on cloud security solutions.
Figure B: Cybersecurity market size forecast
Source: Precedence Research
In our view, as cyber threats continue to evolve and proliferate, high-quality cybersecurity businesses with innovative solutions, scalable platforms, and efficient operational models are well-positioned to thrive. These companies are likely to be at the forefront of developing cutting-edge solutions to combat emerging cyber threats, thereby strengthening their market positions and financial performance. However, as with any rapidly evolving industry, not all cybersecurity businesses are created equal, and there will inevitably be winners and losers.
Unlike certain markets that tend to be of the “winner takes all” kind or support only a few big winners, we think cybersecurity has the opportunity to support multiple winners. This is because enterprises often adopt a layered security model, implementing a variety of security solutions for different parts of their IT infrastructure. A layered approach can reduce vulnerability as malicious actors need to breach multiple defences to wreak havoc. Further, this mindset often results in companies becoming specialists in their own chosen arena.
The dynamic threat landscape, rapid technological advancements, and shifting regulatory environments mean that some companies in this space may struggle to keep pace or fail to differentiate their offerings effectively. Therefore, investors will need to carefully evaluate potential cybersecurity investments before committing their capital, considering factors such as rate of technological innovation, adaptability to new threats, scalability of solutions (including efficiency of go-to-market strategies), and the company's track record in protecting against breaches. After carrying out in-depth research, our firm has identified and invested in the most promising, rapidly growing cybersecurity companies in the public markets.
At AlphaTarget, we invest our capital in some of the most promising disruptive businesses at the forefront of secular trends; and utilise stage analysis and other technical tools to continuously monitor our holdings and manage our investment portfolio. AlphaTarget produces cutting edge research and those who subscribe to our research service gain exclusive access to information such as the holdings in our investment portfolio, our in-depth fundamental and technical analysis of each company, our portfolio management moves and details of our proprietary systematic trend following hedging strategy to reduce portfolio drawdowns.
To learn more about our research service, please visit https://alphatarget.com/subscriptions/.