For companies fighting hackers, the enemy is themselves

(Bloomberg) -- Tasteless trades abound on financial markets. When war breaks out, defense shares usually rise; so it goes with cyber-war, which benefits firms that put up barriers against hackers. With global IT systems now being hacked by malicious blackmailers for the second time in as many months, any buzz should be good buzz for those fighting the black hats.

Yet the hype seems to be fizzing out somewhat. The U.S.-traded ISE Cyber Security Index is down 1.6 percent in three days, under-performing the S&P 500, while a Europe-listed fund designed to track its performance is down 3.7 percent over the same period. On Wednesday alone, U.K. software specialist Sophos Group Plc fell as much as 5 percent. If the "WannaCry" attack last month was a "wake-up call" for cyber-security, this week's "Petya" seems to be putting everyone to sleep.

On one level, this is part of a healthy, broader sell-off in technology stocks after a great six months. Sophos shares are up an eye-popping 73 percent so far this year, even including Wednesday's fall. It's valued at a forward price-to-earnings ratio of 107.3, according to Bloomberg data, about twice the peer-group median. This is a fast-growing company with double-digit growth in customer billings and has probably hit fair value, reckons Cenkos Securities analyst Martin O'Sullivan.

But the bigger question is whether a rising tide of hacking worry really will lift all cyber-security boats. This is a growing market, to be sure, with estimates suggesting companies will by 2020 have pumped up spending on IT security by some 38 percent. But the average IT budget still only allocates about 10 percent to security, according to Belden Inc. Chief Financial Officer Henk Derksen, and ransomware headlines -- while helpful for getting everyone talking -- are unlikely to change that. A third of companies spend more on marketing than on IT security, according to one survey by NTT. This isn't a binge.

There's also a deep disconnect between the souped-up security technology on offer and the ransomware breaches that are currently hitting the headlines. WannaCry and Petya seem effective at exposing basic holes in corporate cyber-defenses that are as much human as they are technological. Sophos' ransomware defense checklist starts with keeping Microsoft Windows up to date, which is more about basic software hygiene and organizational efficiency than firewalls. It's also telling that 44 percent of U.K. employees think opening any e-mail on their computer is safe, according to one survey. Rocket scientists need not apply.

Firms splurging on technology may be lulled into a false sense of security because -- through other errors -- they can still end up getting hacked. Imagine being a CEO content with the current set-up and spending, secure in the belief that outside providers or internal directors have everything under control, only to stumble at the last hurdle. One security firm, SecureWorks, said earlier this month that about "a dozen" clients on its roster were impacted by WannaCry, which it blamed on other network weaknesses not under its control and human errors like "a consultant bringing something on their device." More spending doesn't seem to be the solution here.

Today's market reaction to the global hacking suggests there are diminishing returns from the power of headlines to really shake up corporate thinking -- and spending. It's certainly good for marketing, brand-building and long-term spending, reckons Shore Capital analyst Ben McSkelly. But in the short term, the real wake-up call concerns human ineptitude rather than technological wizardry.

(About the author: Lionel Laurent is a Bloomberg Gadfly columnist covering finance and markets. He previously worked at Reuters and Forbes.)
