Are there rubbish dumps for CISSP

A whitepaper on cybersecurity and data protection

Transcript

A Whitepaper on Cybersecurity and Privacy
Version 4.0
Prepared March 2020
TEMATICA RESEARCH, LLC

TABLE OF CONTENTS

SUMMARY
A SHORT HISTORY OF SECURITY
AUTHENTICATION - IS DIGITALLY SECURE?
HOW COMMUNICATION DEVELOPED
FROM COMMUNICATION TO MONITORING / DATA COLLECTION
THE WORLD IS WAKING UP TO THE SECURITY PROBLEM
CYBER SECURITY
EXAMPLES OF THE LATEST CYBER ATTACKS
GREATER CONNECTIVITY MEANS GREATER VULNERABILITY
DATA PROTECTION - SEARCH FOR CYBER
PRIVACY POLICY DRIVES CYBER ISSUES
MORE PRIVACY POLICIES WILL BE ADOPTED WORLDWIDE
CYBER SECURITY WILL CONTINUE TO GROW
CONCLUSION
ENDNOTES

Tematica Research, LLC. Tematica Research is a trademark of. All rights reserved

EXECUTIVE SUMMARY

The Tematica Research Cybersecurity & Data Privacy investment theme appears to benefit from the problems posed by the growing threat of cyber attacks, ubiquitous data breaches and the impact of the evolving regulatory environment. We have already seen a significant surge in global investment in cybersecurity, which is defined as the practice of defending systems, networks, programs, devices and data against malicious cyber attacks. Cyber attacks are usually aimed at accessing (and selling) sensitive information, altering or destroying it, extorting money from users or disrupting normal business processes. In today's increasingly digitized world, the amount of data being accessed, used and shared across a growing number of connected devices is growing. The dark side of this robust growth in connectivity is the sharp increase in cyber vulnerabilities and privacy violations. In the case of individuals, this digitized connectivity eliminates activity-related friction and enables a variety of conveniences. In the case of corporations and institutions, it is used to increase efficiency, reduce costs, and build data-driven businesses that are better suited to the modern world. The problem is quite simple: digital adoption puts individuals and companies in the cyber attack zone. In addition to investing in combating cyber attacks themselves, companies spend a lot of money on IT security measures that help them comply with new data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe. Like many aspects of the 21st century, what we do has essentially not changed. How we do these things, however, gets interesting and often complicated. The problem of cyber attacks and invasion of privacy is exacerbated by new technologies such as cloud computing, artificial intelligence, IoT and 5G. Together, these technologies will open up new vulnerabilities and enable new forms of attacks.
There is no question that cybersecurity is a growth market where individuals, companies and other institutions want to ward off future attacks, strengthen their existing cyber defense systems, analyze attacks and intrusions and become more secure. All of this leads to one thing: spending on security. Cybersecurity, of course, is rooted in security. Below is an introduction to the basic elements of security.

A BRIEF HISTORY OF SECURITY

For more than a millennium, people have tried to improve the protection of goods and information, including safe delivery and verified receipt. Seals made of clay and later of wax have been around the world since at least BC. They were used until the 19th century to ensure that documents were original, had not been tampered with and were received by the intended recipient (of course via a sealed return receipt). A key aspect of this development was not only securing the information, but also increasing the delivery speed. Look at the electric telegraph. Although originally conceived in the 18th century, the electric telegraph was not commercialized and widely used until the 19th century. ii At first glance, telegraph communication was as fast as one could communicate, and as a wired network it offered the security of direct, end-to-end communication. However, intercepting messages was as simple as physically tapping the cable and setting up another receiving station. In the early 20th century, when Guglielmo Marconi was demonstrating his wireless telegraph, saboteurs hijacked the frequency used in the demonstration and managed to send their own message, essentially insulting Marconi (figuratively and literally) with his own creation. iii As the 20th century progressed, the phone established itself as the next step in the evolution of communications technology, but unfortunately it still shared the same security concerns as its predecessors. Intercepting phone calls was as simple as finding any point along the miles of cables and hooking up a listening device at that point to capture all of the traffic along the route.

[Photo: A promotional photo of Italian radio pioneer Guglielmo Marconi posing in front of his early wireless telegraph]

Fast-forward to this day, and wireless communications security can just as easily be compromised by simply setting up a receiving station and determining which frequency to monitor. Indeed, modern communications pose a myriad of security problems and users are increasingly turning to another ancient means of securing communications - cryptography. Cryptography relies on the use of a cipher to decrypt an encrypted message. Implementing a cryptographic solution can be as simple as the childhood "code" of speaking in "pig Latin" - the cipher consists of moving the first letter of a word to the end of that word and adding an "ay", so that one would say "Ig-pay Atin-lay". A cipher can also be as complicated as a modern 128-bit key that has around 3.4e+38 keys or 340 billion billion possible solutions! iv

AUTHENTICATION - IS DIGITALLY SECURE?

In the past, authenticating the recipient of a message was fairly straightforward, with important messages being delivered by hand, or at least by chain-of-custody delivery. The New Yorker published a now famous cartoon of two dogs in an office, with one dog sitting at a desk with his paw on a keyboard and explaining to the other dog that "nobody on the internet knows you're a dog". v While this may be true for users of the Internet, authentication technology ensures that the appropriate user (human, dog, or otherwise) has approved access to systems and information. Nowadays, authentication does not just include confirmation that the user account

has access rights to the information, but also that the device being used has rights to the network on which the information is stored and that the user himself is the authorized account user. This becomes important when we think about privacy in the modern world.

HOW COMMUNICATION HAS DEVELOPED

Just as communication methods have evolved over time, so has the information we convey. Until about 50 years ago, messages were generally limited to actionable information such as instructions, predictions and the like. Since then, the proliferation of digital data has meant that "news" today encompasses almost everything from preferences, photos, movies, transactions, health records, and other personal information. As for the more traditional news, it wasn't too long ago that public information was somewhat limited, at least by today's standards. The only way to find a person's address and phone number was to get a copy of the local phone book. If the person you were looking for had a common name, you had fun dialing through the n similarly named entries in the phone book to find the person you were looking for. As for private and personal information, bank records were in one of three places: (a) at your bank, (b) at your home if you kept your bank statements, or (c) at the local landfill, if you threw the bank statements in the trash. State or local government IDs could be found at the appropriate agency or in your wallet. Likewise, medical records could be found in your doctor's office and, if you requested a copy, at your home. Other personal information, such as when and where you went running in the morning, your taste in music, your taste for movies or television programs, restaurants you visited and other things, could only be determined by questioning the person or interviewing witnesses (if you could find them).
While libraries have long been a source of information about individual interests, the advent of search engines from Infoseek to Yahoo to Alta Vista and Google made it possible for companies and, more broadly, governments to keep records of every subject that was searched by each user, including the time and - with some extrapolation - the place where it happened. Search engines aside, the point is that, as our lives become more digitized, more and more information about "us" - some of it quite personal - exists in cyberspace, where it is potentially accessible to those with nefarious intentions.

With the ability to discern what individuals are considering or not, social media companies have taken this thing to an entirely different level. What's even more incredible is that all of this information was provided on a purely voluntary basis.

FROM COMMUNICATION TO DATA COLLECTION / MONITORING

Another aspect of modern digitization is that, up to the turn of the millennium, spontaneous and autonomous data collection was usually limited to commercial ventures, e.g. the manufacture of sensors to monitor production environments or position data to facilitate the proper functioning of communication networks. Systems and sensors that recorded limited amounts of commercially critical data in the past are now collecting huge amounts of data that were thought to be perishable until the turn of the millennium. New age systems include the introduction of Facebook in 2004 vi, Twitter in 2006 vii, Instagram in 2010 viii, Snapchat in 2011 ix. The new age sensors include devices like Fitbit (2007), Amazon Alexa (2014), and all of their later imitators. The "smartphone" lies on the border between systems and sensors. While cell phones have long had the ability to provide location information, it wasn't until the introduction of the first iPhone in 2008 that consumers, businesses, and governments began to understand the potential of all data generated by smartphones. The digital transformation of our society - or the digitization of everything through the Internet of Things (IoT), as it is called - goes beyond the individual. Several industries, including aerospace, manufacturing, and healthcare, have used digitization to improve their operations and customer responsiveness for a variety of operational benefits. We are also seeing technology companies and their businesses spill over into other industries such as financial services and healthcare.
In both cases, the increasing penetration of digitalization leads to a growing number of attack vectors and threats that have the potential to disrupt and endanger individuals, companies, governments and other institutions.

THE WORLD IS WAKING UP TO THE SECURITY PROBLEM

In today's increasingly digitized world, the amount of data that is accessed, used and shared across a growing number of connected devices is growing. In this developing world, consumers are increasingly concerned about the protection of their personal information as online accounts

are being used more and more frequently by financial providers such as banks, utility companies or service providers. Consumers are also concerned about their own vulnerabilities and those of the companies that hold their private information. They are also concerned about threats to government institutions and cities. x This gives rise to data security and privacy initiatives by individuals, businesses, government and other institutions to ward off cyber attacks.

CYBERSECURITY

As mentioned earlier, cybersecurity is defined as the practice of defending systems, networks, programs, devices and data from malicious cyber attacks. In the light of our historical discussion, we can say that cybersecurity deals with: securing the communications infrastructure, whether physical or otherwise; securing the content of communication; and authentication of the approved recipients of these communications. Let us now take a look at the most important types of attacks:

Attacks on the infrastructure:

Denial-of-service attack (DoS attack) - In a denial-of-service attack (DoS attack), an attacker floods systems, servers or networks with traffic that depletes resources and bandwidth, causing service breakdown (or denial of service). In a distributed denial-of-service (DDoS) attack, which is just as common, the attack is launched from a large number of host computers that are infected with malicious software controlled by the attacker. In contrast to other types of attacks, DoS and DDoS attacks do not offer any direct advantages for the attacker, apart from the

satisfaction of denying service. However, they have been shown to be used in business-to-business competitive battles where one company tries to get a head start on another company.

Man-in-the-Middle (MitM) attack - A man-in-the-middle (MitM) attack occurs when an attacker intervenes in a two-party communication. Once the attacker interrupts the traffic, they can filter and steal data. The most common entry point for a MitM attack is an insecure public Wi-Fi network. An attacker sets up a Wi-Fi connection with a legitimate sounding name and only has to wait for someone to connect; once that connection is established, the attacker gains instant access to the connected device.

Attacks on the content of messages:

SQL Injection - An SQL injection, or structured query language injection, occurs when an attacker injects malicious code into a server that is using SQL (a domain-specific language) and forces the server to reveal information that it would not normally divulge. [4] SQL injections are only successful if there is a vulnerability in the software of an application.

Malware - Malware is a term used to describe malicious software such as ransomware, spyware, adware, viruses, infectors, and worms. Malware attacks use code to secretly manipulate a compromised computer system without the consent or knowledge of the user. Typically, these attacks breach a network through a certain vulnerability, e.g. when a user clicks a dangerous link or attachment, which then installs malicious software.

Drive-by attack - Drive-by attacks target users via their Internet browser and install malware on their computer as soon as they land on an infected website. These attacks can also occur when a user visits a legitimate, compromised website, either by directly infecting the user or by redirecting them to another legitimate looking website that has been compromised.

Ransomware - Ransomware is the most common type of malware.
The Verizon 2018 Data Breach Investigations Report [1] also highlights that ransomware has become so common that criminals now have access to standard toolkits that allow them to create and use it in minutes.

Attacks on authentication:

Phishing - Phishing is the practice of sending fraudulent messages that appear to have come from a reputable source, usually as of

The attacker's goal is to steal sensitive data such as login information and credit card numbers or to install malware on the victim's computer.

Social Engineering - In the age of passwords, personal information is often the key to password decryption. To this end, seemingly innocuous things like information about family, pets, hobbies, travel, etc. provide an opportunity to find out how a person might think or prioritize when creating passwords.

User Error - While not an attack per se, a user error, sometimes referred to in technology circles as an "ID-10.T" error, can be responsible for the inadvertent public disclosure of restricted information. Examples of this are users who leave written passwords in the open, leave sensitive systems unsecured, lose prototype devices, or discuss sensitive information in public areas. The list is seemingly endless.

EXAMPLES OF THE RECENT CYBER ATTACKS

In October 2012, then Secretary of Defense Leon E. Panetta warned that the US was facing the possibility of a "Cyber Pearl Harbor". He emphasized the country's increasing vulnerability to foreign hackers who are able to dismantle the country's power grid, transportation system, financial networks and even the government of the country. xi Secretary Panetta could hardly have known the extent to which cyber attacks would become commonplace in the years to come as companies, governments and other institutions increasingly venture into the digital world. In May 2017, the infamous "WannaCry" ransomware spread like wildfire across the globe in what has been dubbed the worst cyber attack in history. The attack targeted computers running Microsoft Windows by infecting and encrypting files on the PC's hard drive (which in turn made those files inaccessible) and then demanding a ransom payment (in bitcoins!) to decrypt them.
xii Nearly a quarter of Americans, 23%, say they or someone in their household had their personal, credit card, or financial information stolen by computer hackers in 2018. xiii In 2018, Singapore suffered an unprecedented attack on public health IT systems that compromised the data of some patients. The attack followed similar data extraction efforts in other countries in the region, including the massive data breach that hit Malaysian telecommunications in 2017. xiv In the spring of 2018, the city of Atlanta, Georgia suffered a ransomware attack by SamSam, a cryptographic malware that caused $30 million in losses to US hospitals, communities, institutions and other victims, according to the Department of Justice. The cyber attack affected more than a third of the 424 used by Atlanta

computer applications, preventing the city government from providing a wide variety of public services. xv In June 2019, hackers launched a ransomware attack in Lake City, Florida that crippled the city's computer systems. xvi The attack lasted several days before the city council called an emergency meeting and approved the payment of the ransom the hackers demanded: 42 bitcoin, worth about dollars at the time. This was the second reported attack in as many weeks - the week before, Riviera Beach, Florida, had signed off on an extraordinary payment in dollars, also in Bitcoin. xvii More recently, the DoorDash food delivery service was breached, potentially leaking information on 4.9 million customers, executives and restaurants. xviii

GREATER CONNECTIVITY MEANS GREATER VULNERABILITY

At the beginning of the 21st century, there were fewer than 250 million Internet users worldwide. Over the next 20 years, that user base exploded to 4.5 billion by June 2019, according to data published by Internet World Stats, which corresponds to about 59% of the world population. Over the past two decades, consumers and businesses have flocked to the internet to transact, shop, stream, communicate, and process information and other content. The current Cisco Visual Networking Index (VNI), which measures and forecasts growth in IP traffic volume, expects global IP traffic to almost triple between 2017 and 2022. xx

An important driver of this growth will be the exponentially increasing number of connected devices per household and per person. By 2022, the number of connected devices and connections per person is expected to reach 3.6, up from 2.4 in 2017. xxi Each year, various new devices in different form factors with increased capabilities and intelligence are introduced and adopted by the market. A growing number of machine-to-machine (M2M) applications, such as smart meters, video surveillance, healthcare surveillance, transportation, and parcel or asset tracking, are major contributors to the growth of devices and connections. By 2022, M2M connections will account for 51% of all devices and connections. xxii The dark side of this robust growth in connectivity is the sharp increase in cyber vulnerabilities and privacy violations. In the case of individuals, this digitized connectivity eliminates transactional friction and enables a multitude of conveniences. In the case of corporations and institutions, it is used to increase efficiency, reduce costs, and build data-driven businesses that are better suited to the modern world. The problem is quite simple: digital adoption puts individuals and companies in the cyber attack zone. These security and privacy concerns are, according to Parks Associates, xxiii some of the reasons why 22% of UK broadband users have not yet installed a smart home device and are not planning to purchase one.

PRIVACY POLICY - THE NEXT FOCUS FOR CYBER ISSUES

Spending in the consumer cybersecurity category includes: identity theft protection services; computer and cell phone repair services specifically designed to remove malware and viruses; installation of anti-virus and anti-malware software; and post-attack services, including data recovery and user education on best practices for personal cyber protection. Privacy concerns have become a key driver for consumers and will grow the global privacy software market to $1.6 billion by 2027, up from $521 million in 2018, according to a study published by ResearchAndMarkets. xxiv A recent study published by Statista found that 53% of online users worldwide are concerned about their online privacy. xxv According to the new Deloitte US Consumer Data Privacy Study, nearly half of US consumers (47%) feel that they have little to no control over their personal information, and one in three has had their data compromised. Perhaps, therefore, it is not surprising that the vast majority (86%) of consumers believe that they should have the option to choose not to have their data sold. xxvi

PRIVACY POLICY DRIVES CYBER ISSUES

In addition to investing in combating cyber attacks themselves, companies are investing heavily in IT security measures that will help them comply with the new

data protection regulations, e.g. the General Data Protection Regulation (GDPR) in Europe. A recent Spiceworks survey found that IT executives agreed with a recent Gartner survey that the two top drivers of IT budgets are heightened security concerns and regulatory changes. Other data, including some released by Proofpoint, an enterprise cybersecurity firm, showed that while 56% of companies reported increasing their security concerns, 37% were busy focusing on complying with regulatory changes. Recent results from Cisco Systems, another major cybersecurity company, also indicate that executives are increasingly viewing regulations and compliance as a key driver of future cybersecurity spending. xxviii As the GDPR rules apply to any company doing business in the EU, they affect companies around the world and hold them responsible for the improper handling of people's personal data. There have been numerous massive data breaches in recent years, including millions of Yahoo!, LinkedIn, and MySpace account records. According to GDPR, the "destruction, loss, alteration, unauthorized disclosure of or unauthorized access to" data of individuals must be reported to the data protection authority of a country. The most talked about aspect of GDPR is the ability for regulators to fine companies that fail to comply. If an organization fails to properly protect or process an individual's data, it can be fined. If a data protection officer is required and a company does not have one, it can be fined. If there is a security breach, it can be fined. GDPR (administrative) fines can be as high as 20 million euros or 4% of annual global sales, whichever is greater. Before GDPR was enforced, the maximum fine for each data breach was ($) - as Facebook experienced when it was fined that amount in July 2018.
xxix Several high profile GDPR fines have been imposed to date. British Airways faced a record $230 million fine after a website failure compromised the personal account information of some customers. xxx This $230 million

fine is roughly 1.5% of British Airways' annual revenue. Separately, Marriott International has been fined just over 124 million dollars for disclosing a large amount of personal information in 339 million guest records worldwide. xxxi

MORE PRIVACY POLICIES ARE BEING PROVIDED WORLDWIDE

In the United States, a similar provision was passed in the California Consumer Privacy Act (CCPA). A draft is in a public consultation phase that includes several public hearings, with submissions open until December 6, 2019. The CCPA is expected to come into force on January 1, 2020, with final guidelines expected by July 1, 2020. xxxii The CCPA brings a number of new regulations that will significantly restrict the way in which brands collect and manage the consumer data that fueled the growth of digital advertising. The law will require an "opt-out" button on every page of any website that will allow consumers to notify businesses in an easy way that they do not want their data to be collected, managed and/or sold. Consumers can also instruct technology companies, publishers, or brands to delete their data. They can also opt out of a company's terms of use without losing access to its offers. Companies are also not allowed to sell data from persons under the age of 16 without express consent. As for fines for those who violate these and other related regulations, the CCPA imposes a fine of $100 to $750 per user, or actual damages (whichever is greater), for an unintentional violation as well. That means a relatively small web service with 1 million accounts can be fined between $100 million and $750 million, a sum that could put it out of business.
And as the CCPA moves towards completion and implementation, more American laws are snaking their way through various US states. The next state we'll be watching is New York with its Stop Hacks and Improve

Electronic Data Security Act (SHIELD Act), which comes into force in March 2020. xxxiii The SHIELD Act expands the definition of "personal information". Prior to the SHIELD Act, personal data included "any information about a natural person that could be used to identify that natural person based on their name, number, identifier or other means of identification". i.e. data generated by electronic measurements of a person's unique physical characteristics, such as a fingerprint, voice print, retinal or iris image, or any other unique physical or digital representation of biometric data used to authenticate or establish the person's identity; or a username or address in combination with a password or a security question and an answer that would allow access to an online account. xxxv We are in the early stages of more far-reaching regulatory requirements that are creating a strong demand for security and privacy products as companies seek to counter increasingly sophisticated attacks and protect data from breaches that could result in severe penalties. xxxv

New York State is not the only state to broaden the definition of "private information". Illinois, Oregon, and Rhode Island have also expanded their definitions to include not just medical information but certain health insurance identifiers as well.

CYBERSECURITY WILL CONTINUE TO GROW

This means that spending on cybersecurity will increase. We are in the middle of a cyber boom as new attack vectors emerge and new countermeasures are developed. This is reflected in forecasts: according to Cybersecurity Ventures, cybercrime will cost $6 trillion annually by 2021, up from $3 trillion in year xxxvi This forecast includes costs related to data corruption and destruction, stolen money, lost productivity, theft of intellectual property, personal and financial information theft, embezzlement, fraud, post-attack disruption, forensic investigation, hacked data and system recovery, and reputational damage. The problem of cyber attacks and invasion of privacy is exacerbated by new technologies such as cloud computing, artificial intelligence, IoT and 5G. Together, these technologies will open up new vulnerabilities and enable new forms of attacks. As for the potential vulnerabilities, the IoT market alone, which includes connected devices from automobiles and factory production lines to baby monitors and traffic lights, as well as smart devices, smoke detectors, and other internet-connected smart devices, is expected to reach 25 billion devices by 2021, according to data compiled by Gartner. xxxvii To put this into perspective, Cybersecurity Ventures expects a company to fall victim to a ransomware attack every 11 seconds by 2021, down from one every 14 seconds in 2019 and one every 40 seconds in xxxviii

This provides some context for why executives in the US, Canada, and Europe identified cyberattacks as the top risk, as reported by the World Economic Forum in partnership with Zurich Insurance Group and Marsh & McLennan. xxxix Unsurprisingly, decision makers are making cybersecurity one of their top considerations in digital transformation. We see this sentiment reflected in several cybersecurity spending forecasts: Gartner expects IT security spending worldwide to grow 8.7% in 2019 to $124 billion compared to 2018. Gartner also sees security services accounting for up to 1 percent of cybersecurity budgets, with the top investment areas being security services, infrastructure protection, and network security equipment. xl Global spending on information security products and services (a subset of the broader cybersecurity market) exceeded billions of dollars and, according to Gartner, that market will be $ 4 billion. xli Global spending on security awareness training and employee phishing simulation programs - one of the fastest growing categories in the cybersecurity industry - is projected to reach $10 billion by 2027, up from approximately $ 1 billion a year xlii MarketsandMarkets predicts the cybersecurity market will grow by , will reach $ 3 billion and grow at a CAGR of 10% over the period. xliii Cybersecurity Ventures predicts global cybersecurity spending will cumulatively exceed $1 trillion from 2017 to 2021. xliv According to an updated forecast from the International Data Corporation's (IDC) Worldwide Semiannual Security Spending Guide, global spending on security-related hardware, software and services will increase 10.7% in 2019 to $106.6 billion and will continue to grow and reach $ 2 billion a year. xlv

19 CONCLUSION

In our opinion, there is no question that cybersecurity is a growth market in which individuals, companies and other institutions are trying to ward off future attacks, strengthen their existing cyber defense systems, analyze attacks and intrusions, and become more secure. All of this leads to one thing: spending on security. While actual dollar amounts may vary, what all of these predictions have in common is an upward vector and an accelerating pace, with cybersecurity spending making up a larger portion of the overall IT spending budget. According to Gartner, general IT spending is expected to increase 3.2% in 2019, compared to 8.7% for cybersecurity. xlvi This trend suggests continued growth in cyber spending, as cybersecurity is an arms race in which malicious actors try to exploit new vulnerabilities with novel attacks.

However, history would suggest that the industry's spending projections are overly conservative. For example, Gartner forecast in 2017 that spending would rise to $93 billion. In mid-2018, Gartner revised that spending forecast to $114 billion for the full year. xlvii Gartner's data shows that even this upward revision fell slightly below the $114.1 billion spent in 2018. All of this bodes well for Tematica Research's cybersecurity and privacy investment theme.

20 Important Disclosures and Certifications

Analyst Certification - The author certifies that this research report accurately states his/her personal views about the subject securities, which are reflected in the ratings as well as in the substance of this report. The author certifies that no part of his/her compensation was, is, or will be directly or indirectly related to the specific recommendations or views contained in this research report.

Investment opinions are based on each stock's 6-12 month return potential. Our ratings are not based on formal price targets; however, our analysts will discuss fair value and/or target price ranges in research reports. Decisions to buy or sell a stock should be based on the investor's investment objectives and risk tolerance and should not rely solely on the rating. Investors should read carefully the entire research report, which provides a more complete discussion of the analyst's views.

This research report is provided for informational purposes only and shall in no event be construed as an offer to sell or a solicitation of an offer to buy any securities. The information described herein is taken from sources which we believe to be reliable, but the accuracy and completeness of such information is not guaranteed by us. The opinions expressed herein may be given only such weight as opinions warrant. This firm, its officers, directors, employees, third party data providers or members of their families may have positions in the securities mentioned and may make purchases or sales of such securities from time to time in the open market.

21 ENDNOTES

i. Collon (ed.), Dominique (1997) Years of Seals. London: British Museum Press, p225
ii. E.A. Marland, Early Electrical Communication, Abelard-Schuman Ltd, London 1964, pp17-19
iii. The Great Wireless Hack 1903, Available at the-great-wireless-hack-of-1903/250665/
iv. 128-bit encryption, Available at
v. The New Yorker cartoon by Peter Steiner, 1993
vi. From Alibaba to Google, here are the 10 biggest tech IPOs of all time, Available at com/2018/02/biggest-tech-ipo-of-all-time/
vii. Ibid
viii. Our story, Available at
ix. From Alibaba to Google, here are the 10 biggest tech IPOs of all time, Available at com/2018/02/biggest-tech-ipo-of-all-time/
x. ZDNet, Most consumers have cyber security concerns, but a fraction take action, Available at
xi. The New York Times, Panetta Warns of Dire Threat of Cyberattack on U.S., Available at
xii. CSO, The 6 biggest ransomware attacks of the last 5 years, Available at com/article/ /the-5-biggest-ransomware-attacks-of-the-last-5-years.html
xiii. Gallup, One in Four Americans Have Experienced Cybercrime, Available at com/poll/245336/one-four-americans-experienced-cybercrime.aspx
xiv. The Straits Times, Info on 1.5m SingHealth patients stolen in worst cyber attack, Available at
xv. The New York Times, A Cyberattack Hobbles Atlanta, and Security Experts Shudder, Available at
xvi. The Hacker News, Two Florida Cities Paid $1.1 Million to Ransomware Hackers This Month, Available at
xvii. The Hacker News, Two Florida Cities Paid $1.1 Million to Ransomware Hackers This Month, Available at
xviii. CNBC, DoorDash hack leaks data of 4.9 million customers, restaurants, Available at cnbc.com/2019/09/27/doordash-hack-leaks-data-of-4point9-million-customers-restaurants.html
xix. Internet World Stats, Available at
xx. Cisco Systems, Cisco Visual Networking Index: Forecast and Trends, White Paper, Available at
xxi. Ibid
xxii. Ibid
xxiii. Park Associates, U.K. smart home adoption lagging compared to the U.S., Available at

22

xxiv. ResearchAndMarkets, Privacy Management Software Market to 2027, Available at researchandmarkets.com/reports/ /privacy-management-software-market-to-2027#pos-0
xxv. Statista, Online privacy - Statistics & Facts, Available at online-privacy/
xxvi. Chain Store Age, Deloitte: Consumers seek control of personal data, Available at
xxvii. Proofpoint, Understanding Fraud, Available at pfpt-us-tr-survey-of-understanding- -fraud pdf
xxviii. Cisco Systems, Maximizing the value of your data privacy investments, Available at cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/dpbs-2019.pdf
xxix. The Guardian, UK fines Facebook 500,000 for failing to protect user data, Available at
xxx. CNN, British Airways faces $230 million fine. It would be a record under Europe's tough data privacy law, Available at
xxxi. Compliance Week, Marriott reveals $124M GDPR fine for data breach, Available at complianceweek.com/data-privacy/marriott-reveals-124m-gdpr-fine-for-data-breach/27373.article
xxxii. CNBC, California AG tells businesses like Facebook and Google how they must comply with the state's new landmark privacy law, Available at
xxxiii. JD Supra, SHIELD Act Overhauls New York's Data Privacy Framework, Available at jdsupra.com/legalnews/shield-act-overhauls-new-york-s-data-33724/
xxxiv. Workplace Privacy, Data Management & Security Report, New York Enacts the SHIELD Act, Available at
xxxv. Ibid
xxxvi. Cybersecurity Ventures, Global Cybercrime Damages Predicted To Reach $6 Trillion Annually By 2021, Available at
xxxvii. Network World, Gartner's top 10 IoT trends for 2019 and beyond, Available at networkworld.com/article/ /a-critical-look-at-gartners-top-10-iot-trends.html
xxxviii. Cybersecurity Ventures, Global Cybercrime Damages Predicted To Reach $6 Trillion Annually By 2021, Available at
xxxix. Insurance Journal, Cyber-Attacks Named as Top Business Risk in U.S., Canada and Europe, by WEF Survey, Available at
xl. Security Intelligence, 11 Trends to Inform Your 2020 Cybersecurity Budget, Available at securityintelligence.com/articles/11-stats-on-ciso-spending-to-inform-your-2020-cybersecurity-budget/
xli. Cybersecurity Ventures, Global Cybercrime Damages Predicted To Reach $6 Trillion Annually By 2021, Available at
xlii. Ibid
xliii. MarketsandMarkets, Cybersecurity Market worth $248.3 billion by 2023, Available at
xliv. Cybersecurity Ventures, Global Cybercrime Damages Predicted To Reach $6 Trillion Annually By 2021, Available at

23

xlv. IDC, New IDC Spending Guide Sees Solid Growth Ahead for Security Products and Services, Available at
xlvi. Gartner, Gartner Says Global IT Spending to Grow 3.2 Percent in 2019, Available at
xlvii. Gartner, Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019, Available at