Cyber security companies are thriving — even when they fail

Stay informed with free updates

Simply sign up to the Technology sector myFT Digest — delivered directly to your inbox.

It is a sad but undeniable truth that some of the world’s most profitable products are terrible. That lightbulb realisation dawned on me when I worked on the FT’s Lex column and learnt that the most successful pharmaceutical drugs — for manufacturers if not patients — were those that alleviated symptoms but did not cure the complaint. Eliminate the problem and you kill demand. Where is the financial incentive in that?

Lightbulbs, curiously enough, are another example of the same phenomenon. Why develop everlasting lightbulbs (the Centennial Bulb has been in continuous operation in a Californian firehouse since 1901) when you can sell ones that blow periodically? Economic theory suggests that these inefficiencies should be competed away. Real life does not always work that way.

Take cyber security, perhaps the ultimate industry for providing highly lucrative, but ineffective, solutions. Companies and governments are spending an escalating fortune on IT security but cyber crime is only growing worse. According to Gartner, global spending on information security will increase by some 13 per cent to $184bn this year creating a bonanza for many cyber security companies. Even so, the “speed and ferocity” of cyber attacks continues to accelerate, according to the latest global threat report from CrowdStrike. The security company itself botched a software update in July that temporarily shut down 8.5mn Windows devices. 

There are many reasons for the explosion in cyber crime: criminals are becoming more devious and elusive; hacking tools and techniques are becoming cheaper and more potent; and digital weak spots are multiplying as billions more devices are connected online. One of the most alarming recent trends is “quishing”, in which criminals stick deceptive QR codes on parking meters or restaurant tables or secrete them in email attachments. Once clicked, these links direct users to fake sites where criminals can steal their data or dump malware on their device.  

Over many centuries, humanity has failed to eradicate physical crime. There are strong reasons to believe cyber crime may prove even more ineradicable. Anyone with a computer connection anywhere in the world can now become a cybercriminal. The detection rates are low and conviction rates still lower. The just over $1bn in ransomware paid out by businesses in 2023 has helped fund a tech upgrade by criminal gangs. The increasing use of artificial intelligence enables hackers to industrialise and personalise attacks.

Some nation states, most notably Russia and North Korea, have actively colluded with gangs allowing them to act with impunity, according to Christopher Ahlberg, co-founder and chief executive of Recorded Future, a threat intelligence company. These criminals’ ability to extort money and transfer illicit funds globally through opaque crypto exchanges has helped them flourish.

Pre-empting ransomware threats, Recorded Future’s speciality, is one way to combat criminality. Tracking money flows can also tackle fraud. To that end, the credit card company Mastercard last month agreed to buy Recorded Future for $2.65bn.  

China is emerging as a bigger cyber threat. As security experts say, if Russia is a hurricane, then China is more like global warming. Although Beijing does not condone overt criminal cyber activity, it is actively stealing intellectual property, spying on other states and penetrating critical infrastructure in readiness for any conflict with potential adversaries, Ahlberg tells me. This penetration is the “scary part”, he says. “It started in 2021 in south-east Asia, and it’s slowly migrated across the world, and it’s grown in sophistication”.

Fearful companies are hardening their cyber infrastructure. But the more extensive their networks, the tougher it is to protect all access points. “This entire economy in security is broken, and it’s becoming worse and worse,” says Shlomo Kramer, a veteran Israeli cyber expert who is co-founder and CEO of Cato Networks.

Cato is deploying a more comprehensive form of cyber security, known as Secure Access Service Edge. This cloud-based, AI-enabled cyber security architecture combines both network and security services. “Once you plug into the network, like you plug into electricity, immediately you get not only networking but also full stack security,” Kramer tells me. The challenge is to keep innovating fast enough to outrun malign hackers.

Because of the asymmetric advantages that the bad guys enjoy, cyber security companies are never likely to solve the problem they were created to tackle. But few users can survive without them. And their investors are likely to enjoy a lavish return all the same.

[email protected]