Rising Cybersecurity Threats Expected to Continue in 2022
We expect the cat-and-mouse game between organisations, consumers and the cybercriminals who covet their data to intensify this year. The latest concern is a vulnerability in internet software known as Log4j that could jeopardise hundreds of millions of systems globally. This threat follows multiple high-profile breaches in 2021, including the ransomware attack that compromised Colonial Pipeline’s fuel distribution across the eastern U.S. Cyber events like these continue to grow more frequent and costly, especially attacks on critical infrastructure and supply chains. And this threat is likely to only grow more acute as the global economy continues to digitalise and put sensitive data at risk. As a result, we expect heightened awareness of and expenditure on cybersecurity solutions to create long-term tailwinds for the cybersecurity investment theme.
- Cyberattacks were prevalent and costly in 2021, a trend likely to continue into 2022. The average data breach cost increased from $3.86 million in 2020 to $4.24 million in 2021, the highest total cost in the 17 years IBM has published its Cost of a Data Breach Report 2021.1
- Corporations, governments, and consumers are increasing their cybersecurity commitments and enhancing measures to protect themselves. Corporations, for example, are expected to spend $172 billion in 2022.2
- Identity, network, and endpoint security continue to be points of emphasis for cybersecurity efforts with network security expected to grow the fastest at 24% between 2021 and 2026.3
The Digital World Reveals Its Vulnerabilities in 2021
The world now creates an estimated 2.5 quintillion bytes of data every day—that’s 2.5 followed by 18 zeros.4 As a result, hackers have more access to sensitive data than ever, and they will have many more opportunities as the world continues to digitise and data volumes increase. In particular, the Internet of Things (IoT) devices will be a major contributor to the data pool. At the end of 2021, there were 14.6 billion connected devices.5 That number could grow nearly 18% in 2022, and then more than double by 2027.6
The economy’s shift to hybrid and remote work also creates significant opportunities for cybercriminals. Pandemic-induced lockdowns eased in the U.S. in 2021, but as many as 45% of full-time employees continued to work from home at least part-time.7 Whether due to new variants or employee preference, work-from-home initiatives are likely to remain intact, resulting in data vulnerabilities for the foreseeable future. According to an IBM report, remote work was a factor in 17.5% of reported data breaches in 2021.8 The average cost of these breaches was also 16.6% higher than breaches where remote work was not a factor.9
In 2021, several high-profile companies were victims of costly cyberattacks. The ransomware attack on Colonial Pipeline resulted in a $4.4 million payout to their attackers.10 CNA Financial paid ransomware hackers $40 million to decrypt parts of their digital infrastructure from which they locked the company out of.11 And JBS, the largest meat producer in the world, shut down several of its plants due to a cyberattack.12 These examples are just a few of the major attacks that victimised companies last year, at times resulting in multi-million dollar losses.
Recent Attacks Encourage Cybersecurity Spending
Even the most sophisticated solutions may not be able to eliminate all vulnerabilities, but they can stymy many threats and help protect against the worst outcomes. In 2021, companies, the U.S. government and consumers demonstrated a growing awareness of cyber threats and commitment to preventative measures.
- Corporations: Victims of ransomware attacks, their suppliers, customers and their competitors understand the disruption security breaches can cause. The cost of damages often exceeds the cost of investment in proper solutions. Large enterprises typically spend $2–5 million on cybersecurity annually, while a single ransomware breach costs companies $4.62 million on average.13,14 That cost is one reason why in a recent survey of more than 3,000 executives, 69% of respondents anticipated more cybersecurity spending in 2022.15 By one estimate, spending on data protection and risk management could increase 11% from 2021 to $172 billion in 2022.16
- Governments: In May 2021, President Biden signed an executive order that aims to modernise federal cybersecurity capabilities, standardize response strategies to cyberattacks, and increase information sharing requirements for government contractors. Then in July, Biden signed a national security memorandum that aims to prevent cyberattacks on critical infrastructure, especially power, water, and transportation. These measures translated into real dollars in the Infrastructure Investment and Jobs Act, which directs $1.7 billion in dedicated spending and about $7 billion in potential spending toward improving the country’s cybersecurity.17 Also last year, the Senate unanimously confirmed the White House’s first national cyber director. Congress created the position as part of the 2021 National Defense Authorization Act, signaling an increased emphasis on cybersecurity in administrations to come.
- Consumers: A small but growing share of cybersecurity spending comes from consumers. About 53% of consumers are victims of at least one cybercrime, prompting many to take precautions such as personal VPNs, two-factor authentication, and identity theft protection services.18 The pandemic exacerbated threats to individuals, as emboldened scammers capitalised on the inflated time consumers spent online. Americans lost $586 million to COVID-related scams as of October 2021.19 However, consumers are conscious of the heightened threat. Last year, almost 40% of adults took steps to safeguard their online activity as a direct result of the pandemic.20 Digital protection habits learned during the pandemic could accelerate consumer adoption of cybersecurity services.
Key Cybersecurity Areas to Watch
- Identity Security: With the explosion of remote work, securing who’s accessing critical data, resources, and apps is a must for organisations. Within this vertical, cybersecurity sub-segments include Identity and Access Management (IAM), Privileged Account Management (PAM), and Identity Governance & Administration (IGA). These sub-segments are forecasted to grow by an average compound annual growth rate (CAGR) of 19% between 2021 and 2026.21
- Network Security: Companies in this vertical are responsible of protecting a network’s integrity, confidentiality, and accessibility from misuse or breaches. Overly permissive networks can cause cyberattacks to move horizontally (i.e. from user to user) once an individual has been compromised. Zero Trust Networks, for example, provide users with access to internal apps, without the need to connect to a company’s network or expose those users to the internet. Within this vertical, cybersecurity sub-segments include Zero Trust Network Access (ZTNA), Software-Defined Networking (SDWAN), Network Detection and Response (NDR), Firewall / NGFW / Unified Threat Management (UTM), and Secure Access Secure Edge (SASE). These sub-segments are forecasted to grow by an average CAGR of 24% between 2021 and 2026.22
- Endpoint Security: The multitude of internet-connected devices presents new entry points for hackers, adding challenges and complexity to effectively manage security for firms and individuals. Successful IoT deployments will require multi-layered, end-to-end security that ranges from up front baked-in security requirements to the ongoing management and protection of sensitive machine-generated data. Within this vertical, cybersecurity sub-segments include Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR), and Data Loss Prevention (DLP). Overall the Endpoint Security vertical is forecasted to grow by an 8% CAGR between 2021 and 2026.23
Beyond these fast-growing areas, cybersecurity companies are increasingly looking at consolidation. Typically, cybersecurity providers specialise in specific verticals, forcing customers to secure their data using a patchwork of different providers. This dynamic can lead to costly delays and other potentially damaging inefficiencies; indeed, the average data breach took 287 days to identify and contain in 2021.24 In an effort to improve protection capabilities end to end, several prominent cybersecurity providers engaged in mergers and acquisitions in 2021. Noteworthy activity included CrowdStrike Holdings’ $352 million acquisition of Humio, and Rapid7’s $335 million acquisition of IntSights, allowing the companies involved to field more integrated product offerings.25,26 This surge in consolidation activity is likely to continue in 2022, with antivirus and VPN service providers Norton and Avast set to merge in a deal valued over $8 billion.27
2021 featured some of the most impactful cyber intrusions in recent memory, and the world’s ongoing digital transformation only increases the likelihood of comparable attacks in the future. However, we believe that digital protection lessons learned during this period could further accelerate the adoption of cybersecurity services. In our view, recent financial commitments to thwart cybercriminals can form tailwinds for cybersecurity companies in 2022 and strengthen the long-term investment case for the cybersecurity theme overall.
This document is not intended to be, or does not constitute, investment research