Cybersecurity investments on the up but not sustainable – study

Research from Strategic Cyber Ventures points to an increased appetite for cyber security investments, but the euphoria sweeping the segment forward is not sustainable.

On numerous occasions we have commented security is the ugly duckling of the technology world. It is critical to ensure the industry, and digital society on the whole, functions appropriately, though more often than not it is ignored. There will be numerous reasons for this, perhaps because security is a thankless and often impossible task, but the data suggests 2018 might have been a watershed year.

Not only did 2018 see $5.3 billion in global venture capital funding, 81% more than 2016, M&A activity increased as did private equity investments. On the M&A side of things, Cisco made a bang with a $2.4 billion acquisition of Duo Security, while Blackberry acquired Cylance for $1.4 billion. These are two of the larger deals, though there was increased activity in the segment across the period.

In terms of private equity, Barracuda Networks was acquired for $1.6 billion by Thoma Bravo, Bomgar by Francisco Partners for $739 million, while Blackrock spent $400 million on Cofense. Elsewhere in the more complicated financial world, Skyhigh Networks acquired McAfee with assistance from its financial sponsors Thoma Bravo and TPG Capital.


Overall, the trends for the security segment are heading in the right direction. Perhaps now this is an area which will be taken more seriously by the industry, with adequate investments heading into security departments.

That said, Strategic Cyber Ventures has warned the trends from a funding perspective are not exactly the most favourable. The amount of cash being invested is increasing, though it does not appear the rewards are reflecting this. Some of these companies have raised funds through big rounds, but growth has slowed, perhaps due to vendor fatigue or increased competition. The risk here is firms cannot raise additional funds at increased valuations from prior rounds, meaning they will have to lean on existing investors. Eventually these parties will grow tired of keeping them alive for minimal rewards.

The issue here is the need and hype around security. It’s critical to secure the expanding perimeter of the digital economy, creating the need for the segment, while executives constantly talk about security being a number one priority of firms, creating the hype. This would seem to be the perfect recipe for investment in security companies and start-ups. However, the segment hasn’t taken off, perhaps because customers prefer to invest in technologies which will make the company money rather than make it more secure.

This is maybe the most accurate assumption on why the security segment has faltered continuously over the years. Companies have limited spending power with executives choosing to invest in areas which will make the company more profitable, such is the pressure from investors and shareholders. However, consumer attitudes might be changing.

While many would have ignored the security risks of the digital economy in years gone by, today’s consumer is more educated. Privacy scandals have demonstrated the power of data, forcing the consumer to consider security more critically. This might have an impact on future buying decisions.

According to research by Onbuy.com, 60% of US and 44% of UK consumers believe there is a risk to personal safety in the sharing economy, while 58% of all the respondents believed the risks outweigh the benefits in the sharing economy. Such attitudes will force companies to consider their security credentials as there is now a direct link back to the bottom line.

What this means for VC funding and investments from around the ecosystem remains to be seen, though the tides are turning in favour of the security segment. As Strategic Cyber Ventures notes, the current levels of investment are unsustainable, but there certainly are rewards.

Privacy International points GDPR finger at Facebook

An investigation from privacy advocacy group Privacy International on the flow of personal information has questioned whether Facebook and its advertisers are violating Europe’s GDPR.

To date there have not been any major challenges using the data privacy regulation. There have of course been numerous violations of user privacy, but as these incidents occurred prior to the implementation of GDPR, the old version of the rules and punishments were used. This investigation from Privacy International could prove to be a landmark.

The investigation itself questions whether Facebook and the app developers which use its platform for data collection and user identification are acting responsibly and legally. Using the Facebook Software Development Kit (SDK), data is automatically sent back to the social media giant, regardless of whether consent has been collected, or even whether the user has a Facebook account.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” Privacy International states on its website.

“App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called ‘mitmproxy’, an interactive HTTPS proxy, Privacy International has analysed the data that a number of Android apps transmit to Facebook through the Facebook SDK.”

After testing dozens of different apps, Privacy International claims 61% automatically transfer data to Facebook the moment a user opens the app, while others routinely send Facebook data that is incredibly detailed. Some of these users may be logged out of the platform or might not even have a Facebook account in the first place. Developers tested include travel comparison app Kayak, job search company Indeed and crowd-sourced search service Yelp.

Looking at the Kayak example, not only was information transferred back to Facebook once the app was opened and closed, but also during each stage of the search process. In the example Privacy International gives, the user selected a flight from London Gatwick to Tokyo between December 2 and 5, Narita Airport was then selected, before another search was conducted searching for hotels for two adults in the city. All of this information was sent to Facebook without prompt, despite Kayak claiming, ‘don’t worry, we’ll never share anything without your permission’, when the user signs in.

Alone this information is useful, but not incredibly so. However, when you consider the huge number of apps which will be sending information back to Facebook, an incredibly detailed picture of the user can be built. Using the other apps tested in this investigation, Facebook could also learn or make assumptions about the user’s religion (Muslim Pro), music interests (Shazam), salary and disposable income (Indeed Job Search) and interest in physical activities (MyFitnessPal). All of this information could be used to feed incredibly personalised advertisements to the user.

The big question which remains is whether this could be perceived as a violation of GDPR. Facebook has stated it released an update to the SDK which allowed developers to suspend the automatic data transfers, though this was only for version 4.34 and later. With the Opt-out section (the Google advertising ID) automatically turned off, some might suggest the user is being led as opposed to asked.

Another factor which could work against Facebook is the collection of data on users who do not have Facebook accounts; this is much more suspect. As per GDPR, a company has to have a specific and justified reason to collect personal information. It does appear Facebook is collecting information on users despite having no purpose or valid reason to do so.

With fines for violating GDPR up to 3% of annual turnover, the stakes are very high. This could prove to be one of the first tests of the rules, designed to protect the privacy of the general public, and few will be surprised Facebook is a central character in the story. With the social media giant seemingly antagonising many governments around the world, we suspect there will be a queue forming to have a swing with the sharp GDPR stick.

A ticket to ride is just a Whim away

The subscription based mobile app Whim aims to replace car ownership. It is getting closer to that aim but is not quite there yet.

The app, and the Finnish startup behind it, MaaS Global (standing for “Mobility as a Service”), drew broader attention outside of Finland when Whim won the European Startup Prize for Mobility earlier this year. The concept is to consolidate journey planner, ride booking, and payment of customers’ travels on public transport (bus, metro, tram, and local train), bike hire, car sharing, car rental, and taxi rides, all to one mobile app. When the user selects the starting and ending points and the time of travel, the app will plan the optimum trip combining all means of transport available.

It offers subscribers different payment options. Cautious users may choose the pay per ride option, to test out the app. In Helsinki, a basic tier of €49 per month will give users unlimited access to all local public transport, plus bike hires, at a price level slightly lower than the official monthly travel card (€54.70, without access to bike hires). The user then can choose “pay-as-you-go” if she needs to add taxi rides and other services. An all-inclusive package of €499 will also cover a certain mileage of taxi ride, car rental, and car sharing.

Helsinki set itself a target to rid the city centre of all cars by 2050. Whim is moving in the right direction. In monetary terms, the €499 monthly package is already more economical than the total cost of owning a car, considering the annual depreciation, insurance, tax, parking, fuel, maintenance, and, unique to countries in the far north, winter and summer tyres. Helsinki also has an advantage that makes the app more useful: the buses almost always run on time, to the minute. This will become less of a concern for busier cities with more traffic when connected vehicles supported by IoT come to the streets, especially when 5G becomes more available.

MaaS Global has raised funds from private investors, the biggest being Toyota and the Japanese insurance company Aioi Nissay Dowa, which combined have invested over €10 million. Whim is now operational in Finland’s capital area, the four-city cluster including Helsinki, and has recently expanded to Birmingham, the UK’s second largest city. More cities on its map or being explored include Seoul, Toronto, Antwerp, Vienna, Amsterdam, Vancouver, Miami, etc.

However, if a consumer should make the decision to sell his car and sign up to services like Whim, monetary savings would not be his only consideration. He should not have to sacrifice too much of the convenience that owning a car would have brought him. It is on this point that Whim still falls short, largely due to two main factors.

One is temporary and easier to fix. Helsinki’s bike-sharing is still dock-based. The bikes will not be easily integrated into Whim planning if there is not a station near a user or along the route she is travelling. Introduction of dockless bikes will alleviate this problem, like the ones we have seen in Manchester, supplied by the Chinese venture Mobike.

The other is generic and more difficult to fix: the availability of transport at the right place at the right time. Just imagine 20,000 people coming out of a concert at the O2 Arena after midnight, and the tube has stopped. Hardly any car-sharing apps could help take these people home quickly enough.

There are also special cases when owning a car would be easier. For example, a group of friends decide to transport their bicycles to the countryside for a ride. They would need a couple of cars fitted with the gear to transport bikes to be available at a specific location at a specific time.

The app, and the concept, is clearly riding the consumer trend to move from ownership to access, as demonstrated in streaming music and video overtaking download and disc purchase. But, as was commented in a feature done recently by the BBC’s technology reporter Dave Lee, when subscriptions become the essence of being, we would be left with nothing if we could no longer afford the subscription, or the service we subscribe to ceases to operate. It is the psychological hesitation that may prevent us from giving up ownership entirely, cars or something else.