The news on Valentine’s Day of 2017 was massive. PayPal, the global financial services company that was serving 203 million customers, announced that it had agreed to acquire Vancouver-based TIO Networks for CAD $304 million.
At the time, TIO was a leading multi-channel bill payment processor with 16 million consumer accounts, more than 10,000 billers, and had processed USD $7 billion in bill payments.
Unfortunately, the alliance didn’t last long. Because nine months later, PayPal suspended TIO’s operations as part of an investigation into security vulnerabilities of the TIO platform. Then in December of that year, TIO announced the potential compromise of the personally identifiable information of approximately 1.6 million customers.
The following March of 2018, just over a year after the acquisition, TIO was shut down completely. “After careful consideration,” a statement read, “PayPal has decided to not restore TIO’s services and will wind down TIO’s business accordingly.” PayPal would go on to write-off tens of millions of dollars related to their TIO assets.
Taking on a $6 trillion industry
Cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015, according to a report from Cybersecurity Ventures, a research organization focused on the global cyber economy. Those costs include the damage and destruction of data, IP theft, stolen money and reputational harm. Cyberattacks are the fastest-growing crime in the US, and they are increasing in size, sophistication and cost.
In response, organizations around the world are investing more on security tools, and a leading partner for them is Vancouver-based Absolute Software (TSX: ABT) and Christy Wyatt, their chief executive since November 2018.
“The biggest thing that’s changed over the last 20 or 30 years is the amount of money we’re spending on cybersecurity,” Wyatt tells me during a conversation at her office in downtown Vancouver. By 2022, there’s going to be $174 billion spent on cybersecurity annually, she explains, with $50 billion of that going to endpoint security controls. Endpoint security means the securing of end-user devices like mobile devices, desktops, and laptops; essentially, access points to an enterprise network that can be exploited by cybercriminals.
Something else that has changed over the past few decades is that criminals are finding more and more ways to steal corporate and personal data and infiltrate networks. Because of this, Wyatt tells me, IT departments keep adding additional applications to devices, like malware detection or password management tools. They start to layer these new software capabilities on top of each other, and what eventually happens is similar to when you’re playing a game of Jenga. “The tower starts to get too tall; it gets a little fragile and then things fall over,” Wyatt says. “The tools stop working, users delete them. And so, that complexity is the biggest problem we have in the security industry today.”
“You have to assume you’re going to get compromised.”
Wyatt’s 500-person company tackles this issue of complexity for 12,000 customers around the world, and they do it in a way that’s unlike any other endpoint visibility and control platform.
There are more than 3,000 IT security software companies serving enterprises, but most produce applications or programs that run on a device’s operating system. Absolute runs underneath the operating system in the firmware, which is basically a software program permanently etched into a hardware device. It gives permanent instructions for how the hardware should communicate to other devices.
Nearly twenty years ago, Absolute began to partner with device manufacturers — companies like Dell, HP, and Lenovo — to be factory-embedded within their firmware, and because of this, Absolute is basically impossible to remove from a device. Why does this matter? Well, whenever someone — a hacker or maybe just a frustrated employee — attempts to delete or reconfigure Absolute, it simply reasserts itself on the next boot sequence. Put another way, Absolute enables critical security tools — like antivirus software or encryption — to automatically self-heal when they’re disabled, altered, or otherwise made vulnerable.
“Because we sort of wake up before the operating system does, it makes us more resilient,” Wyatt says. “Resilience is a word we use a lot because it has a lot of meaning in the enterprise. It’s one thing to kind of lock things down, but you have to assume you’re going to get compromised.”
Understanding the “dark endpoint”
Wyatt’s claim that organizations must assume they will get compromised might come across as overly pessimistic. However, it’s based on research that Absolute conducted. Their 2019 Endpoint Security Trends Report, which analyzed more than six million enterprise devices over a one-year period, found that: “much of endpoint security spend is voided because tools and agents fail, reliably and predictably.” More specifically, 42% of all endpoints (devices) are unprotected at any given time and 2% of endpoint agents (programs/applications) fail per week. They say this means that 100 per cent of endpoint security tools eventually fail. The obvious question is, How and why does this happen? The short answer: Humans.
Last year, Wyatt recalls being in a room full of chief security officers of banks, governments, and large utility companies. They were all asked about what their biggest security challenge is. You would expect them to say nation-state attacks or insider threats, Wyatt says. Instead, they said, “It’s the basics. The basics are the hardest because these devices move around, and human beings touch them.” People, it turns out, make the basics very difficult.
“Humans plus complexity equals what we call the dark endpoint,” explains Wyatt. A dark endpoint is essentially any device that becomes invisible to the central security administrator because of a faulty security agent or application. Sometimes employees cannot be held responsible for dark endpoints, but in many cases they can be. And the challenge is that “you can’t expect every employee in your organization to be a cyber ninja,” says Wyatt. “That’s just not scalable.”
Why startups should start investing in security now
For early-stage companies, the kind of startups that have been popping up in Vancouver and across BC, security is a must-have at the early stages if they want to do business with large buyers and avoid a similar fate as TIO.
“I think that there used to be an impression that you invested in security when you got to scale, right?” says Wyatt. “And you could afford to be a little fast and loose when you were small because you were so focused on just kind of getting the business going.” She believes that’s no longer the case. Data breaches or compromises can come from any number of places, such as employees, competitors, or negligence.
This means that startups need to evaluate what their actual security capabilities are right now. “As a startup, you’re clearly not going to be able to invest at the same scale that the World Bank is going to be able to invest,” Wyatt says. “But you’re still going to have the same problems.”
When asked about what the IT security industry will be focused on throughout 2020, Wyatt returns to the theme of resilience. Although security has become a critical competency for every size and flavour and vertical market of organization, she says, “We’re not seeing the number of breaches go down.” That’s partly due to the fact that cybercriminals are improving their tools. Wyatt, however, also suggests, “True resiliency as a core competency hasn’t actually established itself.”
“So we’ve focused a lot as an industry on how to protect things, how to detect bad things and how to protect yourselves from them,” Wyatt adds. “But this healing component, how do you recover? How do you snap back? How do you restore your business, get your data back, and get your people up and running?”
You guessed it — Absolute has an app for that.