Information Security

Defending the digital infrastructure

alphaspirit - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Cybersecurity investment pays more than monetary dividends

Companies are investing in cybersecurity startups to reap the benefits of working with problem-solving technology.

When Australian bank Westpac Group wanted to improve its data security by deploying quantum encryption, the financial firm decided against just buying a product. Instead, the 13-million-customer banking group invested in a company.

In June, QuintessenceLabs (QLabs), which provides quantum encryption and key management technology, announced a strategic partnership with Westpac Group. The undisclosed investment will give Westpac an 11% stake in the Australian security company, with the option to increase its ownership to 16%. Westpac's direct investment in QLabs and its quantum encryption technologies marked a rare occurrence for the banking industry.

Vikram SharmaVikram Sharma

Such strategic investments benefit both the startup and the investing firm, says Vikram Sharma, founder and CEO of QLabs. Westpac gains the benefits of having some of its engineering team work with QLabs' developers plus the ability to nudge product development in a direction better suited to the banking industry. QLabs, which grew out of research on quantum encryption at Australian National University, gains more insights into the financial industry's needs for its products and access to capital to fund its international expansion.

"Enterprises and banks see strategic investments as a good way to tap into innovative, unfettered thinking as well as the agility-in-response needed to address some big picture problems," Sharma says.

Hot market for financial capital

Investments in cybersecurity startups are taking off. Driven by CEO and board-level demand for promising technology aimed at protecting corporate networks and sensitive data, financial and venture-capital firms are pouring money into dozens of cybersecurity companies each year. In 2014, venture-capital firms completed 56 deals worth a hefty $1.2 billion, according to investment tracking firm CB Insights. In 2015, the industry is on track to pay out a similar amount, albeit in a smaller number of deals. (See: "Smart Money Investment Deals and Dollars in Cybersecurity.")

Smart Money Investment Deals

While most such investments are aimed at turning a profit for venture-capital firms -- chasing after the $1 billion payoff of so-called "unicorn" initial public offerings (IPOs) -- many companies are investing in cybersecurity startups not just for monetary dividends, but to reap the early benefits of working with new technology and to direct product development.

Such investments represent yet another step for financial institutions, whose VC arms in the last two years have emerged as key players in early stage cybersecurity funding. Citi Ventures, the corporate VC of Citigroup, is among the investors in vArmour, a distributed security system for virtual data centers. Norwest Venture Partners (Wells Fargo is its sole limited partner) participated in the early funding of FireEye, investing $22 million before the threat prevention company's 2013 IPO. The Wells Fargo VC has also funded SecurAlert, an Israeli cloud-based threat management company, and Shape Security, a Web security platform to counter botnets.

Enterprises and banks see strategic investments as a good way to tap into innovative, unfettered thinking as well as the agility-in-response needed to address some big picture problems.
Vikram SharmaFounder and CEO, QuintessenceLabs

With 46% of financial institutions rating cybersecurity attacks in 2015 as the biggest threat to their businesses -- nearly double the 24% a year earlier, according to a study issued by financial-infrastructure provider Depository, Trust and Clearing Corp. (DTCC) -- investing in the firms developing technology to address the frequency and sophistication of these attacks allows financial services firms to promote cybersecurity innovation.

The stakes are higher for Westpac. With a direct investment in QLabs, the banking group may consider marketing its quantum encryption and key management technology to other financial institutions and industries.

"Protection of customer information and sensitive commercial data is an industry-wide priority," Westpac Group's CIO Dave Curran noted in June when the QLabs deal was first announced. "This investment signals Westpac is stepping up its proactive, strategic approach to building our security capabilities now and in the future."

Beyond the beta customer

Yet it's not just financial firms. Corporate VCs are funding innovative cybersecurity startups, a move that may lessen the sponsors' need for research and development. In May, Lockheed Martin went from beta customer to co-owner when the defense giant invested $25 million in Cybereason, an Israeli company, founded in 2012, that is focused on threat intelligence and real-time tracking of attacks. Last year, commercial and industrial-control system maker Siemens announced an investment in CyActive, also an Israeli company, which aims to use predictive cybersecurity technology based on "bio algorithms" to lock down the industrial-control networks run by customers of Siemens and other vendors. "We see broad potential across major industries and are particularly excited by its approach to securing industrial and utilities assets," said Ralf Schnell, CEO of the venture capital unit of Siemens, when the deal was announced.

Most companies are satisfied with buying a technology or becoming a beta customer of an early-stage cybersecurity startup. But when the right product or service is not available, or a promising technology startup cannot dedicate resources to a company's business case, it may be time for an investment. By moving beyond being a beta customer and taking an ownership role, companies can take a promising startup and make its products fit their business models.

Problem solving for money

Such deals can help a startup focus on the customer as well. In 2010, researchers from Virginia Polytechnic Institute and State University, commonly known as Virginia Tech, teamed up with industry veterans to create PFP Cybersecurity, a company in Washington, D.C., that aims to secure devices in the supply chain using power fingerprinting analysis.

PFP Cybersecurity is currently considering a handful of strategic-investment offers, according to Steven Chen, CEO and co-founder. In each case, the potential investor has a security problem that needs solving, and they are trying to find the right startup to create the product or service to address it, says Chen, who is also a principal in investment firm Blu Venture Investors.

Steven ChenSteven Chen

Startups have to agree to support the goals of the investor, however. "By taking the money, you're committing to putting resources toward the joint project," Chen says. "They are funding the collaboration, so you have to spend part of investment toward solving their problem."

A cybersecurity startup's windfall from strategic investments is the easiest to quantify, since the growing firm garners an influx of cash, yet the benefits go beyond cash flow. For Nok Nok Labs Inc., signing strategic agreements with DoCoMo Capital from Japan, Thundersoft from China and DaouKiwoom Group in South Korea opened up doors to international markets for the two-factor authentication firm, according to CEO Phillip Dunkelberger. In other investments, Nok Nok Labs, whose S3 Authentication Suite is based on Fast Identity Online protocols, works with other product or service companies to tightly integrate their technologies. "Each relationship has its unique benefits," Dunkelberger says.

For the information-security teams at the companies investing in startups and new technologies, the benefits are not as straightforward. For Westpac, the QLabs deal gave it access to the complex technology of quantum encryption and key distribution, but more importantly, access to the expertise of the technology firm's engineers.

"They want to ensure that they have the best quality security technology and best practices from around the world," Sharma says. "Working with us is a useful complement to the bank's security team."

Standing out in a crowded market

With fewer venture-capital deals in 2015 accounting for nearly the same cash volume, it is clear there is more money chasing fewer startup companies. "There is a lot more financing activity now then there was five years ago," says Matthew Wong, research analyst, CB Insights. "We are in a boom cycle, and that is bearing out in these growth rounds. There is a much larger opportunity with cybersecurity for investors."

While there appears to be increasing interest in non-traditional investment firms funding startups, the trend in strategic cybersecurity investments is not easily quantified. While cloud, mobile and identity management are hot areas, according to CB Insights, investors seeking the most in-demand startups need to differentiate themselves. Venture capital investors that bring potential joint ventures and customer experience to the table could be more attractive to startups, convincing them to accept a deal.

In the end, however, strategic investors have a key differentiator, because they are a partner who is as interested in the technology as the potential exit value of the startup, according to PFP Cybersecurity's Chen.

"The strategic investors do not nickel and dime your valuation, because they are looking at potential relationships and generating revenue for themselves," he says.

About the author
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for 18 years. He currently writes for several publications focused on information security issues. 


Article 3 of 7

Next Steps

Five venture capitalist firms that invest in the SDN market

String of cyberattacks shows risk of skimping on security

This was last published in October 2015

Dig Deeper on Risk assessments, metrics and frameworks

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

If you were a corporate VC or angel investor, what security technologies and services would you invest in?
1) GRC
2) Making sure security was part of the SDLC if the startup were a tech company
True that Cyber Security investments pay more than monetary investments, however it is crucial to equally understand that correct and effective investments are made, rather than just deploying services, which are on trend and which we hear a lot.

Companies need to deploy services based on there business roles and the risk parameters they have. They need to work in line with the Risk and IT team, to understand the pain points in each areas and deploy services accordingly.

Primarily they need to understand that just having an Anti Virus solution will not heal all the problem. The first thing they need to ask is that "Is Anti-Virus enough…?"

One common observation is that, no matter if it is a small or an enterprise organization. Most of them have at least a single shield IT infrastructure and network. They have deployed some kind of anti-virus softwares, which makes them more confident of been safe in the cyber world.

First we would need to remove the misconception from there minds is that, Just an anti virus will not heal the problem. One things which they really need to think about is;

The malware ecosystem has changed radically in the past 10 years, to the point that the old precautionary measures are quite recently no sufficiently longer.

You don't have to click to get hit. Previously, it was adequate to just abstain from tapping on presume connections or going by terrible locales. This is not true anymore in light of new attack vectors like malvertising. In a malvertising attack, a honest to goodness site unconsciously pulls malignant substance from an awful site, and the noxious substance looks for ways (frequently endeavors) to introduce itself on your PC. You may have heard these attack called "drive by downloads." Just by going by a decent website on the wrong day, you get contaminated.

Customary AV reaction times to new dangers are too moderate. As indicated by information ordered by Panda Research, customary AV just stops 30-50 percent of new zero-hour malware when it's first observed.

A few take up to eight hours to reach even the 90 percent level, with the majority share requiring an entire 24 hours. What's more, it takes them an entire seven days to get to the high 90's. That is a mess of time to miss insurance!

A late review by the Enterprise Strategy Group showed that almost half of the undertakings surveyed had endured a fruitful malware attack even however they were running hostile to infection.

Adventures are all around. Numerous product items, quite including Java and Flash, were composed in a time when PC security was a great deal less genuine concern. Furthermore, the most exceedingly bad piece of endeavor based malware is that the time from the underlying adventure to location and remediation – is on average almost a year.

There is formation of new infections consistently: The present hostile to malware programming are powerful when managing known infections however can't be depended on when managing recently discharged infections. To recognize an infection and remove the ransomware, the designers require first to see how an infection attempts to program a hostile to infection that can coordinate the newfound infection.

Lamentably, before the sellers can tailor an antivirus for the malware, the infection has figured out how to contaminate a couple of associations. Hence, it has turned out to be overpowering for the merchants to keep up the pace of the programmers in light of the fact that the awful folks discharge the infections consistently. The primary motivation behind why you ought not trust you're the antivirus programming is that even the sellers are encouraging purchasers to stop depending on them.

Most assaults don't include your PC: The online networking is the new field that programmers are utilizing taint your PC. Accordingly, regardless of the possibility that the antivirus sellers figured out how to identify all the new infections discharged, there is still another escape clause.

It began as right on time as 2007 when an assortment of online networking stages such Twitter and Pinterest were hacked. These assaults go past your PC to your online networking profile keeping in mind the end goal to send spam connections to defame sites.

It will likewise raise your eyebrows to understand that even the cloud-based records have a similar arrangement of concerns. The programmers have even gone past the online networking stages to distributed computing accounts where they take significant information. Be that as it may, you can store your information in cloud supplier with hearty barriers enough to avoid the endeavors by the terrible folks.

No client Action is Required: A couple of years prior, you could securely maintain a strategic distance from the programmers by keeping away from suspicious connections and pernicious sites. Individuals would even output each document the downloaded from the web before opening it just to be on a similar side.

This is a past technique, on account of the internet promoting. These days, online noxious publicizing conversationally known as malvertising assaults make utilization of true blue sites that you can trust and unconsciously pull their malignant substance which they use to introduce malware on your PC.

These downloads have turned out to be amazingly perilous on the grounds that a PC will simply get contaminated by going to a put stock in webpage at a grievous minute. The awful folks escape with this by basically embedding’s their vindictive promotions between the authentic ones.

These downloads have turned out to be amazingly risky in light of the fact that a PC will simply get tainted by going by a put stock in webpage at a shocking minute. The terrible folks escape with this by just embedding’s their vindictive advertisements between the real ones.

Focused on assaults can without much of a stretch sidestep boycotting. The conventional antivirus security utilizes boycotting to recognize terrible documents and stop them. In any case, the propelled dangers can figure out how to remain undetected in the framework for quite a while permitting them to finish their objective. They figure out how to take passwords and even access different frameworks.

Modified malware assaults represent most information ruptures: A Verizon report still positions malware as among the top techniques utilized as a part of information breaks. The report recorded 621 affirmed information rupture episodes in 2012, 40% of which were brought about by malware. Half of the aggregate episodes happened inside organizations with under 1,000 workers. This incorporates 193 episodes in organizations with less than 100 workers. The odds of information break are higher when SMBs trust that their conventional antivirus is sufficient to ensure their benefits, especially against altered assaults. Improvements in the cybercriminal underground permit aggressors to streamline their assaults to suit their objectives' particular conditions. For instance, assailants can utilize polymorphic malware, target obsolete programming, and afterward perform social building. These additional complexities give them the capacity to sidestep essential antivirus programming identification.

Cybercrime is extending: Alongside the expanded occurrences of complex assaults and tweaked malware, the cybercrime underground economy, as well, has extended quickly over the previous years. This spells inconvenience for IT managers in light of the fact that these assailants may concentrate on gathering arranged information from their frameworks. Fraudsters who flourish in the cybercriminal underground have figured out how to make the Internet their playing field. As indicated by a Trend Micro research paper, the Russian cybercriminal underground constantly enhances innovations and alters its objectives to upgrade their apparently lucrative organizations. Cybercrime upgrades put SMBs at hazard. Enhanced ransomware, for instance, keeps its casualties from getting to their frameworks while holding their information hostage. Tools have likewise been made to serve portable threats. Another exploration recommends that secret markets are fundamentally intended for illegal exercises which may regularly include offering business insight and exchanging data about programming flaws.

Social building doesn't leave style: Indeed, even with a dependable antivirus arrangement set up, SMBs may discover it a test to remain secured against social designing assaults through phishing tricks and pernicious URLs. Social building is a strategy that depends vigorously on human association keeping in mind the end goal to control individuals into uncovering delicate data or to click certain connections. Dangers can be camouflaged as official messages from locales clients know about, as Facebook. Since social designing does not require an abnormal state of specialized skill. Assailants have since a long time ago utilized this strategy as a technique to assemble data about an organization. Building up representative trust and mental control are critical segments in a fruitful social designing assault. These parts are the motivation behind why having antivirus programming is insufficient—once aggressors exploit a worker's trust, they can as of now access classified information

In the present risk scene, no association is protected. Each business with set up antivirus arrangements are prime cybercrime targets. All the better you can do to secure your business is to:

• Empower your representatives with best practices and rules to limit the danger of falling prey to the different parts of cybercrime. 
• Employ a quicker witted, more complete across the board security answer for ensure your online experience—whatever you're doing and whatever gadget you're doing it on.

• Set guidelines for representatives utilizing their own particular cell phones at work. Antivirus arrangements are not ready to identify malevolent portable applications or give versatile Web notoriety.


Jinu Francis
Business Development - Cyber Security


Get More Information Security

Access to all of our back issues View All