October 2013

Investing in a Changing Technology Landscape

Author

Executive Summary

Robert C. Zeuthen, CFA

Senior Portfolio Manager

We live in an increasingly connected world, enabled by the constant evolution of technology.

Smartphones, tablets, cloud computing and other recent innovations have empowered
consumers and businesses, while also providing greater vulnerability to cyberthreats. As
these threats proliferate, becoming more dangerous and harder to detect, companies need to
boost their defenses or risk significant losses of data and intellectual property. This is creating
significant investment opportunity in the security software space.

Introduction
Over the past three years, the Information Technology sector has been a relative underperformer
in the U.S. equity market, primarily because of a difficult macroeconomic backdrop that
has strained both corporate and consumer budgets. As a capital expenditure, technology is
susceptible to budget uncertainties, and as a result, the sector generally lags during periods of
risk aversion in the markets.

Exhibit 1: Underperformance in Tech

80%

70%

66.2%

Cumulative Return

60%

50%

50.2%

40%

30%

20%

10%

0%
Jul-10

Oct-10

Jan-11

Apr-11

Jul-11

Oct-11

Jan-12

Morgan Stanley High Tech 35

Apr-12

Jul-12

Oct-12

Jan-13

Apr-13

S&P 500

Source: Bloomberg

No investment strategy or risk management technique can guarantee returns or eliminate risk in any market environment.

Cyber Insecurity: Investing in a Changing Technology Landscape

However, this recent chronic underperformance may be reaching an imminent end. Technology is in the midst of
several secular growth tailwinds, including the surging popularity of mobile devices, the wider adoption of cloud
computing, and the ubiquity of Big Data, as companies seek to extract more value from the increasing amount of
data they generate.1 Together, these themes are reshaping the way the world does business, creating a vast network
of connections, but they are also leaving consumers and companies more exposed to criminal exploitation. From an
investment standpoint, then, software security firms may end up being a key beneficiary.

The Complexity of Cybercrime

As the number of devices, applications and operating systems rapidly proliferates, the resulting diversity creates a
fertile environment upon which hackers capitalize. In 2012 alone, 5,291 new vulnerabilities were discovered, with
415 of them found in mobile devices, according to a report from security vendor Symantec.2
Although the number of threats is multiplying, they are also becoming more robust and difficult to detect. As
outlined in Exhibit 2, they are morphing from conventional spam emails to more insidious forms.

Exhibit 2: High-Profile Threat Types

Advanced Targeted
Attack (ATA)

This type of threat is aimed at a specific target i.e., an industry, company or individual.

Advanced Persistent
Threat (APT)

This threat, usually in corporate networks, encrypts information and merges it with regular corporate
traffic to send it out of the network. Such data theft is often motivated by sabotage or industrial
espionage. It can persist for a long period of time, as it is difficult to detect.

BOT Zombies

These are infected PCs that are controlled by a hacker and often used to launch attacks on other users.

Denial of Service
Attacks (DNS)

These occur when BOT zombies bombard a targeted website with a high volume of traffic, which can let
bad traffic through or crash the site, affecting its users.

Fake Anti-Virus

This malware deceives users into believing they have a virus, prompting them to download fake antivirus software that ultimately infects their devices.

Malware

It is a malicious piece of code that attaches itself to email or other types of downloaded data. It is
designed to steal data, spy and/or propagate onto new targets.

Ransomware

This threat encrypts data and effectively disables a targets device, requiring the user to pay ransom.

Watering Holes

These threats infect a website, which in turn infects other users and websites that come in contact with
it. Small and medium businesses are frequent targets, providing hackers a way into larger companies.

As cyberhazards grow more pervasive and robust, key targets now include governments, financial companies and
health-care institutions. However, individuals are also being targeted more specifically, with corporate executives,
knowledge workers and financial staff being selected for their access to key information.

No investment strategy or risk management technique can guarantee returns or eliminate risk in any market environment.

www.thebostoncompany.com
2

Cyber Insecurity: Investing in a Changing Technology Landscape

VICTIms BY thE numBErS

Exhibit 3: Victims by the Numbers

Industries Being targeted by advanced attackers

17% Aerospace & Defense
Energy, Oil & Gas

14%
11% Finance

Computer Hardware & Software

8%
7% Legal & Consulting Services

Media & Entertainment

7%

Pharmaceuticals

4%

6% Telecommunications

25% Other

In 2012 we noted an increase in

attacker activity in several key areas:

media & Entertainment up from 2% to 7%

pharmaceuticals up from 1% to 4%

Finance up from 7% to 11 %

Source: Mandiant

A Perfect Storm of Risks

how compromises are Being detected

Cybercrime is gaining a greater foothold given several driving factors in the technology landscape. Perhaps the most
forceful is the rise in mobility, resulting in greater connectivity to the Internet. According to IMS Research, the
number of devices connected to the Internet is expected to climb from roughly 10 billion at the end of 2012 to 28
billion by the end of 2020.3

37%

63%

2% by a customer
4% by a business partner

This proliferation is exponentially expanding the opportunity for more infection, as many of these devices are mobile
in nature, such as smartphones and tablets, and thus more exposed to threats. From March 2012 to March 2013, the
Juniper Networks Mobile Threat
reported
a 614% growth rate in mobile malware
threats,
to notified
276,259 total
ofCenter
victims
discovered
of victims
were
malicious applications.4 Such threats
are frequently
downloaded in apps from dubious
appexternal
stores. entity
the breach
internally
by an
For instance, some apps for Android mobile devices are written in original Java source code, but slightly altered to
include a threat. User activity can secretly trigger a monthly payment (later disclosed on a monthly bill) or elicit the
user to send messages to premium text-messaging sites. Other free apps have an increased likelihood of embedding
spyware and sending user-activity-based data back to hackers. Because of its open source code and growing market
M-Trends
attack the security gap
2
share,
Android is becoming an especially popular target, attractingMandiant
92% of
all mobile-malware
threats this year,
according to Juniper.

Another source of susceptibility for the corporate sector is the BYOD bring your own device trend. Increasingly,
companies are enabling their employees to use their own devices to connect to their networks. As these employees
use their devices to store, send and transact with sensitive company data, they are also at greater risk of introducing
threats into the corporate network and of having data stolen via malware. Use of social media sites can also pose
an additional risk for both businesses and consumers. Phishing attacks on social-media sites rose 123% in 2012,
according to Symantec.5
Widespread adoption of cloud computing may also provide criminals a key entry point into sensitive information.
According to data compiled by Cisco, global data-center traffic is expected to quadruple over the next five years,
and the fastest-growing component is cloud data. By 2016, global cloud traffic will make up nearly two-thirds of all

No investment strategy or risk management technique can guarantee returns or eliminate risk in any market environment.

www.thebostoncompany.com
3

15% by an outsource

Cyber Insecurity: Investing in a Changing Technology Landscape

data center traffic.6 This poses a unique challenge for many businesses that take advantage of the virtualization and
flexibility offered by the cloud, but do not then own or operate the data centers they are using.
Another crucial element of the big-picture security risk is the sheer volume of data being collected, stored and mined
by companies. Essentially, according to Cisco, big data increases the vectors and angles that enterprise security
teams and security solutions must cover.7 While the volume of data is doubling every two years, less than
20% of it is protected.8
Cybercriminals are seizing these opportunities, at considerable cost. According to estimates from the 2012 Norton
Cybercrime Report, consumer cybercrime claims about 556 million victims a year, at an annual global price tag of
about $110 billion. In fact, Army Gen. Keith B. Alexander, director of the National Security Agency, has referred to
the intellectual property stolen by hackers as the greatest transfer of wealth in history.9
John N. Stewart, chief security officer at Cisco, weighed in with a similarly ominous assessment:

Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a

tipping point where the economic losses generated by cybercrime are threatening to overwhelm the
economic benefits created by information technology.10

Response to Growing Threats

A recent study by PricewaterhouseCoopers showed that companies spend an average 8% of their IT budgets on
information security, and 50% of large organizations expect to spend more next year.11 Yet, another survey by
Radware showed that while 55% of companies believe they may be a target of a cyberwarfare attack, 81% do not feel
prepared.12 As Radware puts it, many of these organizations are bringing a knife to a gunfight.
In light of this mounting risk, the U.S. government is also taking action. President Barack Obama has advanced
legislation to urge cooperation between companies, and his budget proposes to boost Defense Department spending
on cyber efforts to $4.7 billion, $800 million more than current levels, even as overall Pentagon spending is cut by
$3.9 billion.13 In 2011, the Securities and Exchange Commission issued directives to encourage publicly traded
companies to disclose cybersecurity breaches and risks.14
Unfortunately, the average company does not even know it has been compromised for 243 days, an improvement
over 416 days in 2011.15 In other words, awareness is up, but obviously, significant value can be lost and destroyed
in a much shorter time. Plus, more than half 63% of cybercrime victims were notified of a compromise by an
external entity, meaning that internal detection may be falling short of expectations.
Perhaps not surprisingly, then, security software is a robust and growing market. The rising and rapidly evolving
threat of cybercrime has generated a desperate need for security, creating opportunities for companies willing to
accept the challenge. Security software firms are constantly researching and developing new technology applications
to bolster network security and reduce their risks. According to Gartner Inc., worldwide security software revenue
totaled $19.2 billion in 2012, a 7.9% increase from 2011.16
Projections for this market are only growing. Gartner forecasts that the worldwide security technology and services
market will reach $67.2 billion in 2013, up 8.7% from $61.8 billion in 2012, and to exceed $86 billion in 2016.17
Even if macroeconomic concerns linger, security may not be a luxury purchase for many companies, as the cost of
cybercrime can be devastating.

Investment Opportunities
While cybercrime is complex and problematic, companies with effective solutions exist. Many are emerging, smallcap growth companies with the new technology needed to combat todays threats. These companies are taking share
from legacy vendors. Some are beginning to leverage the breadth and power of the cloud to monitor, update and
prevent future attacks through real-time analysis. These are the companies we believe have the potential to grow

No investment strategy or risk management technique can guarantee returns or eliminate risk in any market environment.

www.thebostoncompany.com
4

Cyber Insecurity: Investing in a Changing Technology Landscape

in this dynamic environment, as they can provide their customers with higher levels of protection, prevention and
visibility in an uncertain IT landscape.
We expect to see increased M&A activity as larger legacy vendors look to broaden their reach and deepen their
product set. Interested parties include both hardware and software companies that are looking to differentiate their
products and/or improve the security of their products. In addition, we believe that IPO activity will remain robust
as newer companies with emerging technologies and products become public to fund their growth in this rapidly
expanding segment of the market.
As we consider the secular threat posed by cybercrime, we believe it will fundamentally alter the purchasing of
Information Technology products and services as well as the structural design of networks.

About The Author

Robert C. Zeuthen, CFA, Managing Director
Rob is a Senior Portfolio Manager on The Boston Companys US Small, Small Mid and Mid Cap Growth Investment Team. He
also provides research coverage of the Information Technology and Telecommunication Services sectors.
Before joining The Boston Company, Rob worked at Bricoleur Capital, leading technology investing across all market caps for its
long/short hedge fund. In that role, he managed up to $500 million in capital with portfolio discretion.
Rob began his career at Prudential and its subsidiary Jennison Associates. Starting as a Credit Analyst, he then helped launch a
U.S. small cap fund and served as an Analyst and Portfolio Manager for Global Small Cap Equities. He also was a Senior Equity
Analyst for Prudentials U.S. Emerging Growth Fund.
Rob received a B.A. in Finance with honors from Boston College and holds the Chartered Financial Analyst designation.

No investment strategy or risk management technique can guarantee returns or eliminate risk in any market environment.

www.thebostoncompany.com
5

Disclosure
Any statements of opinion constitute only current opinions of The Boston Company Asset Management, LLC (TBCAM), which are subject to change and which
TBCAM does not undertake to update. Due to, among other things, the volatile nature of the markets and the investment areas discussed herein, they may
only be suitable for certain investors.
This publication or any portion thereof may not be copied or distributed without prior written approval from TBCAM. Statements are correct as of the date of
the material only. This document may not be used for the purpose of an offer or solicitation in any jurisdiction or in any circumstances in which such offer or
solicitation is unlawful or not authorised. The information in this publication is for general information only and is not intended to provide specific investment
advice or recommendations for any purchase or sale of any specific security.
Some information contained herein has been obtained from third party sources that are believed to be reliable, but the information has not been independently
verified by TBCAM. TBCAM makes no representations as to the accuracy or the completeness of such information.
No investment strategy or risk management technique can guarantee returns or eliminate risk in any market environment.

References
1
2
3

The Boston Companys Core Research Technology Team, A Renewed Emergence of Creative Destruction in Technology, September 2012.
2013 Internet Security Threat Report, Vol. 18, Symantec Corp., April 2013.
Internet Connected Devices Approaching 10 Billion, to exceed 28 Billion by 2020, IHS Inc. press release, Oct. 4, 2012.
Juniper Networks finds mobile threats continue rampant growth as attackers become more entrepreneurial, Juniper Networks Inc. press release,
June 26, 2013.

4

Paul Wood, Phishing on Social Networks: Whats the value of your small biz Twitter account? Symantec official blog, May 16, 2013.

2013 Cisco Annual Security Report, page 8.

2013 Cisco Annual Security Report, page 29.

Joel P. Fishbein Jr. et al, Key security themes ahead of RSA conference, Lazard Capital Markets, Feb. 22, 2013, page 1.

Claudette Roulo, Cybercom Chief: Culture, Commerce Changing Through Technology, American Forces Press Service, Oct. 12, 2012.

10

2013 Cisco Annual Security Report, page 11.

11

PricewaterhouseCooper, Information security breaches survey, April 2012.

12

Radware Global Application & Network Security Report, 2012, page 11.

13

Andy Sullivan, Obama budget makes cybersecurity a growing U.S. priority, Reuters, April 10, 2013.

14

Joseph Menn, SEC issues guidelines on hacking, Financial Times, Oct. 14, 2011.

15

Mandiant 2013 Threat Report, page 1.

16

Gartner says worldwide security software market grew 7.9 percent in 2012, Gartner Inc. press release, May 30, 2012.

17

Gartner says worldwide security market to grow 8.7 percent in 2013, Gartner Inc. press release, June 11, 2013.

For more information on the market perspectives of The Boston Company Asset Management, please visit our website at
http://www.thebostoncompany.com/literature/views-and-insights.html

No investment strategy or risk management technique can guarantee returns or eliminate risk in any market environment.