Like any other industry, cybersecurity evolves in response to market trends and drivers that steer innovation and technology development. As alluded to in Inovia’s 2023 State of Canadian Software Report, the COVID-19 pandemic, widespread adoption of remote and hybrid work models, the emergence of Generative AI, and other influential factors have significantly impacted all sectors, including cybersecurity. As early-stage investors focusing on cybersecurity, we have the fortune of being at the forefront of exploring how these trends shape new business models and technologies, ultimately affecting security capabilities across both private and public sectors.
In recent years, cybersecurity has transformed from a peripheral concern for select industries into an essential component that organizations of all sizes and sectors can no longer afford to overlook (see Figure i). Yet, amidst this evolving complexity, navigating the cybersecurity market and identifying the most critical priorities can be daunting for industry stakeholders.
As investors, we constantly seek to understand the pressing security needs from the perspective of Chief Information Security Officers (CISOs) and anticipate where budgets will be allocated. Drawing insights from our discussions with our network of cybersecurity professionals and industry publications, we wanted to share our perspectives on four critical themes shaping the cybersecurity landscape in 2024.
Figure i | Select high-profile data breaches of 2023
Victim | Attack Summary | Impact |
---|---|---|
MailChimp | • An unauthorized actor accessed MailChimp’s tools used by teams interacting with customers | • Data was compromised for 133 MailChimp enterprise customers |
Activision | • Attackers gained access to the internal systems through an SMS phishing attack on an employee | • Bad actors were able to obtain sensitive workplace documents and employee information |
ChatGPT | • The breach was caused by a bug in redis-py, the open-source Redis client library used by the service, which exposed other users’ personal information | • The breach potentially revealed information (e.g., email addresses, last four digits of credit cards) about 1.2% of ChatGPT Plus subscribers |
Shields Healthcare | • The data breach involved unauthorized access to Shields’ systems | • Attackers accessed a wide range of sensitive patient information / confidential data of 2.3 million people |
MOVEit | • The breach exploited a zero-day vulnerability in MOVEit Transfer (CVE-2023-34362, a SQL injection flaw used by the Cl0p ransomware group), which allowed attackers to access MOVEit Transfer servers and steal customers’ sensitive data | • As of August 2023, over 1,000 victim organizations and more than 60 million individuals were impacted • Total estimated cost of ~$10B. This figure could potentially scale to at least $65B |
Indonesian Immigration | • The data breach involved unauthorized access to, and leakage of, the passport data of more than 34 million Indonesian citizens | • The breached data of 34.9 million Indonesian passport holders was offered for sale for $10,000 |
T-Mobile | • The breach involved two security incidents (employee and customer data exposure) | • Latest reports suggest that the personal information of millions of individuals could have been exposed |
Source: NordLayer – Breakdown of the 12 most significant 2023 data breaches
Identity: The dissolution of the perimeter
The proliferation of hybrid and work-from-home policies, together with the spread of SaaS apps, has led to a surge in digital identities within organizations. Additionally, the transition from on-premises infrastructure to the cloud has dissolved the corporate perimeter and expanded the attack surface.
Figure ii | Number of digital identities within organizations
Source: Oasis – What are Non-Human Identities?
The challenges are multifaceted: Organizations often allow remote access from diverse devices, increasing the risk of unauthorized access. Compounded by the dark web’s ready supply of leaked credentials, malicious actors can move through an organization’s digital infrastructure with little resistance. Additionally, the fragmented nature of IAM infrastructures complicates security oversight.
In addition to typical Identity and Access Management (IAM)/Identity Governance and Administration (IGA) tools, companies must invest in products that discover identities, improve posture/hygiene, and monitor runtime activity for suspicious behaviour. Furthermore, these solutions need to cover shadow IT and non-human identities (NHIs) such as service accounts, API keys and machine credentials, which outnumber human identities in an organization (see Figure ii).
Several innovative startups are emerging with novel approaches to tackle this critical problem, including companies like Oasis, Opal Security, CloudFence, Conductor One, Cerby, Silverfort, Sempris, and many more.
SMB-Targeted Attacks and the Emergence of MSPs & MSSPs
As previously emphasized, cybersecurity has become a non-negotiable priority for businesses of all sizes. With the shift to hybrid work models during the COVID-19 pandemic, small and medium-sized businesses (SMBs) have increasingly become targets of cyber attacks (see Figure iii)¹. Attackers have identified SMBs as vulnerable targets with fewer protective measures in place compared to larger enterprises. This lopsided dynamic has placed SMBs in an uphill battle, as they typically lack the expertise, resources, budget, and time to establish robust internal cybersecurity practices and teams.
Figure iii | Percentage of SMBs who experienced a data breach, a cyberattack, or both in the last 12 months
Source: Identity Theft Resource Center (2023 Business Impact Report, October 2023)
Consequently, SMBs have turned to third-party service providers, known as Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), to outsource their security and IT needs. At Inovia, we are excited about this market trend, evident in our investments in cybersecurity firms like Cavelo, which has developed tailored solutions to cater to MSPs and MSSPs. In addition to Cavelo, other startups adopting this indirect go-to-market and/or an SMB strategy include Evo, Zorus, Judy Security and Defendify.
Software Supply Chain
With rising supply chain incidents, such as the SolarWinds build-system compromise and the Log4Shell vulnerability in the widely used Log4j library, reliance on open-source libraries has become both a boon and a bane for software developers. The vast libraries of shared open-source code multiply the vectors for potential attacks across a large number of end-users: a single compromised or vulnerable package is inherited by every project that depends on it. In addition to compromised open-source code, misconfigured and vulnerable CI/CD pipelines can result in breaches. In light of these incidents, the Biden administration introduced new requirements (Executive Order 14028 and the NIST Secure Software Development Framework it mandated) to standardize secure software development practices within organizations.
Conventional scanners (SAST, secrets scanning, etc.), with their high false-positive rates, fall short, and this is where Application Security Posture Management (ASPM) vendors such as Aikido, along with Ox, Legit, Boost, and Jit, step in. These solutions sift through the noise to prioritize and correlate alerts, and incorporate custom policy enforcement.
Pushing the envelope further, innovators like Socket.dev and Endor Labs advance the field of OSS security. These platforms watch for malware, typosquatting and other deceptive packages in open-source registries. They evaluate how well open-source projects are maintained and gauge their trustworthiness. VLT (Inovia portfolio company) is helping solve this problem by building new, secure package management infrastructure for the JavaScript ecosystem. Together, these new-age tools and services weave a tighter safety net across the expanding frontier of open-source software development.
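As an added illustration (not code from Inovia, Socket.dev, Endor Labs or VLT), the block below shows the simplest form of the typosquatting check such tools run over a dependency manifest: normalize package names to strip the disguises squatters use (scope prefixes, separators, digit/letter look-alikes), then compare each name against a list of trusted packages with an edit distance that counts adjacent transpositions. The trusted list and the package.json-style manifest are constructed for this example; a real tool would derive the trusted set from registry download statistics and also inspect package contents and maintainer history.

```javascript
// Added example: a minimal npm typosquatting detector.
// POPULAR_PACKAGES and EXAMPLE_DEPENDENCIES are constructed for illustration.

// Constructed allowlist of well-known packages an organization trusts.
const POPULAR_PACKAGES = [
  'lodash', 'express', 'react', 'axios', 'chalk', 'commander', 'moment', 'underscore',
];

// Optimal-string-alignment (Damerau-Levenshtein) distance: insertions, deletions,
// substitutions and adjacent transpositions each cost 1, so "lodahs" is 1 from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse the ways a squatter disguises a name: case, npm scope prefix,
// '-' / '_' / '.' separators, and the look-alike digits 0 (for o) and 1 (for l).
function normalize(name) {
  return name
    .toLowerCase()
    .replace(/^@[^/]+\//, '') // "@scope/pkg" -> "pkg"
    .replace(/[-_.]/g, '')
    .replace(/0/g, 'o')
    .replace(/1/g, 'l');
}

// Returns { suspect, lookalike, distance } if `name` resembles a trusted package
// without being one, or null. Distance 0 means the name differs only by a
// disguise (scope, separators, look-alike digits); distance 1 is a single typo.
// Names shorter than 4 characters are skipped to limit false positives.
function findTyposquat(name, popular = POPULAR_PACKAGES) {
  if (popular.includes(name)) return null; // the genuine package
  const n = normalize(name);
  if (n.length < 4) return null;
  let best = null;
  for (const p of popular) {
    const distance = editDistance(n, normalize(p));
    if (distance <= 1 && (best === null || distance < best.distance)) {
      best = { suspect: name, lookalike: p, distance };
    }
  }
  return best;
}

// Scan a package.json-style "dependencies" object; returns only the flagged entries.
function scanDependencies(deps, popular = POPULAR_PACKAGES) {
  return Object.keys(deps)
    .map((name) => findTyposquat(name, popular))
    .filter((hit) => hit !== null);
}

// Constructed manifest: three legitimate dependencies and four squat-like names.
const EXAMPLE_DEPENDENCIES = {
  lodash: '^4.17.21',
  express: '^4.18.2',
  'left-pad': '^1.3.0',   // unrelated name, must not be flagged
  lodahs: '1.0.0',        // transposed letters
  expres: '1.0.0',        // dropped letter
  '@evil/react': '1.0.0', // scoped look-alike of an unscoped package
  '1odash': '1.0.0',      // digit 1 standing in for the letter l
};

console.log(JSON.stringify(scanDependencies(EXAMPLE_DEPENDENCIES), null, 2));
```

The check is deliberately strict about distance so that it stays useful on a manifest with hundreds of entries; the noise it cannot remove is the legitimate fork or plugin whose name is one character from a popular package, which is why the platforms above combine name similarity with maintainer reputation, publish history and the package's actual install-time behaviour.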
AI’s Dual Impact on Cybersecurity
Artificial Intelligence (AI) models, including Generative AI, are poised to revolutionize cybersecurity. While the potential for innovation and new use cases is vast, industry stakeholders must recognize that AI will not only benefit security providers but also empower hackers.
On the defensive front, Large Language Models (LLMs) present a significant opportunity to enhance cyber vendors’ capabilities across various use cases and applications. We are particularly excited about the opportunity to make security analysts more efficient by auto-investigating, prioritizing, and remediating repetitive tasks. Examples of companies include Dropzone AI, Arcanna, and Radiant Security.
Conversely, on the offensive front, AI models and LLMs empower attackers and lower the barrier to launching an attack. Examples such as “BadGPT” and “FraudGPT” illustrate how malicious AI chatbots can be leveraged to craft convincing phishing emails at scale. Moreover, inadequately secured and tested “good” models can inadvertently expose organizations to breaches, with prompt injection (attacker-controlled text in the model’s input overriding the developer’s instructions) being a common attack vector. This vulnerability, along with other risks surrounding LLM applications such as data poisoning and model theft, underscores the need for a new cybersecurity category focused on securing AI models. These AI security vendors will require security skills combined with deep expertise in AI, sowing the seeds for new categories and category-leading companies to emerge. There has been a lot written on the AI security landscape so we will not rehash that here, but exciting companies that we have come across include Lakera, Protect AI, Hidden Layer, Troj AI, Credo AI, Calypso AI, Liminal AI, Private AI, Jericho, and Aim Security.
We are genuinely excited about the ongoing evolution of cybersecurity in the years ahead. As the landscape transforms, we are eager to meet new startups and founders who will contribute fresh perspectives to this dynamic field. To stay connected with the Inovia Cyber Practice and explore potential opportunities, please don’t hesitate to reach out directly to Taha Mubashir, Principal, or Etienne Gauthier, Investment Associate.
1. ITRC online survey conducted to explore the impacts of cybercrimes on small businesses as defined by the U.S. Small Business Administration. The survey was conducted in September 2023, covering the previous 12 months. Sample size of 276 respondents, characterized as being a person in a leadership position or an IT professional at a company of 500 employees or less.