The cybersecurity industry capitalised on the Covid-19 crisis. It raised billions in venture capital and sold tons of solutions as a result of the pandemic forcing companies to accelerate their digitalisation efforts and introduce remote working. Now the industry is betting on the war in Ukraine to keep the gravy train going. The fact that government officials around the world are warning businesses to get their act together is sure to keep demand high. The latest person to do so is US president Joe Biden.
On Monday the White House urged companies to tighten their cybersecurity. The Biden administration reiterated concerns that Russia may respond to the unprecedented sanctions imposed against the Federation after its attack on Ukraine with new cyberattacks.
“This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience,” Biden said in a statement.
“I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyberattacks.”
The warning echoes similar calls to action made by western governments to tighten their cybersecurity resilience in response to Vladimir Putin’s war. For instance, the The New York Department of Financial Services has cautioned private companies to be vigilant against digital attacks. The US Cybersecurity & Infrastructure Security Agency has warned all organisations that hacks are coming and that it’s time to put “shields up.” The UK’s National Cyber Security Centre has issued similar calls to action.
US banks have responded by bolstering their digital defences and governors around the States have already called for stronger digital defences for critical infrastructures.
The measures underline one key fact: cybersecurity is still massively important to businesses. Over the past two years, companies have already forked out billions to make their firewalls impenetrable. With this latest round of warnings about the risk of state-sponsored hacks, it’s clear cybersecurity companies hope that the boom will continue.
“With the mounting cyber threat as war between Ukraine and Russia escalates, and president Biden’s latest warning to businesses about the possibility for cyberattacks to develop as part of the conflict, it’s important that leaders keep their workforces well-informed and aware of the way threats can infiltrate a company,” says John Davis, director UK & Ireland at the cybersecurity company SANS Institute.
To see if they are right, it is important to recognise just how much the cybersecurity sector has exploded due to Covid-19.
Covid-19 created a cybersecurity boom
It didn’t take long before cyber criminals started to take advantage of the pandemic. Even before the World Health Organization (WHO) had declared that the coronavirus had grown into a full-blown pandemic on 11 March 2020, experts warned that laptop-wielding larcenists had taken the opportunity to exploit people’s desire to learn more about the contagion. Unsuspecting victims would go into websites with maps demonstrating the spread – believing that they belonged to the WHO or the Centers for Disease Control – where bad actors would be lurking, waiting to steal their private data.
The situation quickly worsened. Ruthless digital thugs would hack hospitals and other health services, denying them access to critical systems that would literally mean the difference between life and death, knowing that these organisations would be desperate enough to pay ransoms. Then there was the US Federal Bureau of Investigation’s warning of phishing emails pretending to be from healthcare institutions.
The number of attacks only grew. In June 2020, the Swiss National Cyber Security Center said there had been 350 reported cyberattacks in Switzerland in April that year, compared to the norm of between 100 and 150 attacks. Other governmental institutions reported similar spikes around the world.
“Cybersecurity challenges increased dramatically through Covid-19, as the pandemic sent the digital revolution into hyperdrive,” Adam Hunt, CTO at threat mapping Microsoft company RiskIQ, tells Verdict. “As companies transitioned to remote working, they dispersed entire businesses and their operations, moving the perimeters of their organisation’s digital attack surfaces with them all over the globe.”
In other words: cybersecurity threats grew during the pandemic due to a combination of cyber criminals upping the scale and number of attacks, and professionals – those who could, anyway – starting to work from home. It shouldn’t surprise anyone that the result was booming demand for digital defences.
Cybersecurity funding skyrocketed during Covid-19
The cybersecurity industry enjoyed a boom thanks to Covid-19. Gartner forecasted in May last year that worldwide security and risk management spending would jump by 12.4% to exceed $150bn in 2021, reflecting growing demand for remote worker technologies and cloud security. Cybersecurity firms had seemingly jumped on the opportunity to meet the demand created by cyber criminals and often had no qualms about getting generously compensated for the effort.
“A trend we’ve long since identified in the cybersecurity industry is that as soon as a new problem emerges, so do any number of ‘solutions’ that are tacked on to existing security stacks,” Jay Coley, senior security architect at cloud computing service provider Fastly, tells Verdict. “This often results in overly complicated and pricey security toolings with individually tailored responses to each individual threat that has arisen over time.”
The rising demand can also be seen in the growing number of venture financing deals in the sector.
The number of financing, M&A and public float deals reached a fever pitch at the height of the pandemic. Back in 2017, GlobalData recorded 641 deals worth $103.29bn in total. Jump forward to 2021 and the number of deals had spiked to 1,383 deals worth $220.93bn in total.
2022 is also off to a descent start so far, with companies like BlueVoyant, Beyond Identity and Phosphorus Cybersecurity having raised hundreds of millions of dollars in new investment rounds.
“The pandemic-induced digital shift has been a leading catalyst in the industry as organisations have increasingly diverse assets and more platforms in place than ever before,” Detectify CEO Rickard Carlsson tells Verdict. “The increase in funding can not be seen as isolated by the Covid effect. This also a threat as actors have increased their activity putting more companies at risk.”
The cybersecurity industry has certainly had reason to celebrate throughout the pandemic. It was hardly alone. The fintech industry, supply chain startups, ecommerce giants like Amazon and home entertainment ventures also enjoyed boons to their bottomlines.
Now some people are getting optimistic that the end of the health crisis is on the horizon. Management consultancy giant McKinsey has noted that while there’s cause to be bullish, this “relative optimism” hinges on whether or not the virus will mutate into new variants. Time will tell.
Given that Covid-19 helped create the cybersecurity boom, one has to wonder what the end of the coronavirus crisis will mean for the future of the sector. As it turns out, digital defence providers won’t have to worry. The pandemic exacerbated existing problems and created a new normal, neither of which will go anywhere anytime soon. And it’s not as if new cybersecurity concerns aren’t created on a daily basis, especially with the threat of a global cyber war coming out of Russia.
Remote working is here to stay
Remote working has been identified as a key factor in the cybersecurity boom. Social distancing rules forced employers to accept that employees would work from home. However, that raised the risk of cyberattacks.
“There are two main reasons for this: firstly, companies have to rely on their individual employees to pay attention to any potential security threats, and secondly, these individual workers often end up carrying out sensitive work on networks which don’t necessarily have the same levels of protection as those of an in-person office,” says Coley. “This can force IT teams to use new security controls or rely on slow, outdated, and inefficient VPN technology.”
So why just not bring people back to the office? If people working remotely has put companies’ digital infrastructure at risk, then surely more than one CISO must’ve been tempted to ask themselves that question. Sure, theoretically that could work. There is just one problem with the idea: employees don’t want to go back to the old normal. They like working from home. In fact, the desire to work remotely entirely or to enjoy some sort of hybrid model has been linked to the so-called Great Resignation.
“Long story short, record breaking amounts of people are quitting their jobs because they simply no longer have the desire to work with the same outdated work life constraints and work-life compartmentalisation,” Ann Maya, VP and general manager of application and data services at intelligent connectivity company Boomi, tells Verdict.
Or, to put it this way: security professionals may think that they’re solving companies’ cybersecurity woes by forcing staff back to the office as the risk of Covid-19 seems to be subsiding, but it would create a massive headache for their colleagues in the HR department. HR departments everywhere are currently struggling with the combined problem of talent being drained from the company and the problem of filling those empty positions in a candidate-led market where people desire at least a hybrid-style working model. Moreover, it is also likely that it will worsen the cybersecurity skills gap itself.
“In many cases, demand for cybersecurity talent is outpacing supply, and the implications for businesses that are unable to recruit cyber talent are significant,” Mandeep Thandi, director of cyber and digital at professional services firm Gemserv, tells Verdict. “Lack of expertise will mean risk assessments and mitigation plans are not completed and maintained, resulting in risk programmes that aren’t up to standard.”
Business leaders are unlikely to force staff to return to the office amidst the Great Resignation, meaning companies would still have to invest in solutions enabling remote working.
Cyber attacks are still happening
Covid-19 created new attack surfaces for cyber criminals to exploit. However, it is not as if ransomware attacks and phishing campaigns weren’t happening before the pandemic. With the war in Ukraine, it’s clear that these threats will continue to plague all industries. The White House’s warning to businesses to strengthen their cyber resilience or risk falling victim to Russian retaliations serves as a stark reminder of that fact.
It’s not as if business leaders needed much reminding, though. Plenty of big hacks have already provided that type of reminder. Here’s a quick refresher: Russian nation-state hacking group Nobelium compromised software company SolarWinds in hack with wide-ranging consequences. As SolarWinds products are used by many other companies and organisations, the attackers were then able to use their initial work as a launchpad to compromise another 18,000 organisations, including major US tech companies and government agencies
In June 2021, meat processing company JBS paid $11m to its attackers to draw a line under the hack. In July, the REvil ransomware syndicate demanded $70m after encrypting the systems of thousands of organisations via the Kaseya supply chain attack.
These sort of attacks are expected to continue, meaning that cybersecurity companies won’t fall out of style anytime soon. And that’s even without the Ukraine crisis.
The Ukraine factor
Russian tanks rolled into Ukraine on 24 February. At the time, industry experts expected that this would be a preamble to the Putin regime going full on in cyber space. After all, Russia is no stranger to cyberattacks. Research from cybersecurity company Trellix suggests Russian and Chinese nation-state backed groups were responsible for 46% of all observed advanced persistent threats in the second half of 2021. Putin’s regime has launched cyberattacks against Ukraine since it first annexed the Crimean peninsula in 2014.
The Ukrainian government has said that Russia has launched cyberattacks against it on multiple occasions. Understandably, it has taken action to prevent that from happening now, having enlisted the nation’s hacking communities and sought out the help from Big Tech giants like Microsoft.
The industry has, unsurprisingly, warned that the conflict could spread far outside Ukraine’s borders. Cybersecurity wonks have noted that once a virus – whether biological or digital – has been unleashed into the wild, it is prone to spread. After all, that is what happened in 2017 when hacking group Sandworm launched the NotPetya attack in Ukraine, but the malware quickly spread out of control, crippling ports, government platforms and companies around the world, including in Russia. Even if it’s not Russia’s intention, starting a cyberwar in Ukraine could quickly become a global problem.
Maybe that is why that hasn’t happened so far, or maybe it’s because even totalitarian dictator like Putin recognises that too big cyber attacks on western entities will lead to massive retaliations.
Despite political experts having predicted for years about how the next war would be fought in cyberspace, these predictions have yet to materialise, as far as we are aware. That hasn’t prevented industry stakeholders from warning businesses about the risks.
“While the expected Russian cyber blitzkrieg most pundits expected has not occurred, there remains a risk that Russia may, at some point in the future, direct attacks against countries which it considers to be helping the Ukrainian cause,” James Blake, Field CISO at cybersecurity firm Rubrik, tells Verdict.
More regulation is coming
The cybersecurity industry can also expect a boost from the drive by governments around the world to introduce new rules for how businesses manage their digital defences.
In the US, the Securities and Exchange Commission (SEC) has unveiled a smattering of new rules for how companies disclose cybersecurity incidents and risk management. The rules follows from a previous proposal to introduce substantial new requirements for investment advisers and companies. The US Senate has introduced similar regulations to drive greater transparency around data breaches and ransomware payments and improve support for impacted organisations.
In January, the UK government also proposed laws that would force firms providing essential digital services to follow strict cybersecurity rules. Failing to comply to these duties could land them with hefty fines. The proposals were part of the UK’s £2.6bn National Cyber Strategy.
“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra,” Julia Lopez, minister of state for media, data and digital infrastructure, said at the time.
Similar proposals have been suggested across Europe too. The European Council approved the Network and Information Security 2 (NIS2) Directive in December last year, which has paved the way for revamping the current EU-wide framework for cybersecurity
The cybersec gravy train will continue
In summary, the Covid-19 crisis created a massive cybersecurity boom as companies rushed to enable workers to work remotely. At the same time hackers upped their attacks.
Now, the pandemic is hopefully coming to an end, but the industry isn’t losing any sleep over it for a number of reasons. Firstly, cybercriminals are still launching attacks. Secondly, more regulations means businesses must work harder to comply with new rules. Thirdly, the war in Ukraine is creating more opportunities for businesses in the sector to promote their solutions, especially as world leaders are encouraging companies to boost their cybersecurity.
“With enhanced cyber threats and so much at stake we’ve seen a boom in industry solutions developing, as sudden market maturity is opening up opportunities for fast-growing companies who offer strong products,” Davis says. “Cybercrime is only set to grow, and analysis estimates the cost the global economy to skyrocket to $10.5tn annually by 2025, so it’s not surprising that green shoots of business are budding around it.”
GlobalData is the parent company of Verdict and its sister publications.