Cyber deal shows consumer-corporate security divide
Norton and Avast were early pioneers in security, but now the threats are bigger and the stakes are higher. A merger may not save them
The pending merger of two major names in cybersecurity is sorely needed by both companies. It also highlights the role consumer products need to play in the ongoing battle to protect corporate networks.
NortonLifeLock Inc. announced this week it would buy Prague-based Avast Plc in a cash and share deal worth up to $8.6 billion. Both are storied names in consumer-facing cybersecurity. Previously known as Symantec Corp., the U.S. company bought the Norton brand three decades ago, when malicious code was mostly passed through infected floppy disks. Avast is almost as old, and was an early pioneer in the antivirus market.
That the two should merge now makes complete sense, but the digital world has changed a lot in 30 years and their place in it isn't assured.
With work-from-home becoming the norm thanks to lockdowns and shelter-in-place orders, the real vulnerabilities lie in remote access to corporate servers. Companies have little control over their staff's personal digital hygiene — from visiting websites with malicious links to accidentally downloading nefarious code — and many were caught unprepared when Covid-19 hit. Few have true end-to-end security protocols in place, which means that a hacker's best strategy for penetrating a corporate network is to plant malicious code on a home computer and watch as it spreads.
Standard consumer products can mitigate this threat by scanning for viruses and malware, but may not be as effective in stopping specific, focused attacks. Avast recognizes this shortcoming and last year launched its Remote Access Shield to halt exploits of the Remote Desktop Protocol — a Microsoft Corp. tool commonly used to access company servers from home.
This is the future of cybersecurity — expanding corporate defenses and preventing attackers from leaping through the employee-company firewall. Ransomware attacks and data theft are costly and highly disruptive. The Colonial Pipeline breach in May, which led to a shortage of fuel supplies across swathes of the U.S. East Coast, was followed soon after by a hack at Brazilian meat processor JBS SA. Both victims are large companies with lots of staff.
Yet Norton and Avast are focused on consumers and small businesses. The former doubled down on this sector when the company, then still Symantec, sold its enterprise security business to Broadcom Corp. in 2019. But in the new era of cyber offensives, consumers are generally not the target.
As more businesses start to understand this weakness, they're likely to enforce digital security on employee devices. Since Norton and Avast don't really sell to big companies, and a computer doesn't need two sets of security software, those solely focused on the consumer market are likely to be left out in the cold.
As Avast noted in its financial results this week, the company is facing plenty of headwinds. Revenue growth has been weak: After posting a threefold expansion in sales from 2015 to 2018, the pace dropped to single-digit percentages in recent years. While both Norton and Avast's product lineups are good, they're insufficient. They get money by allowing consumers to download free versions of security software in the hopes that they may upgrade to a paid version later. But they sit in a crowded market offering virtual private networks, virus scans and identity security (tell them your details, and they'll tell you whether your name appears on a list of compromised accounts). This is commodity stuff.
There are broader challenges, too. Across the sector, expenses are rising as demand for talent increases amid a boom in hacks that include ransomware attacks and data theft. At the same time, marketing costs are being driven higher because companies are bidding up ad prices as business picks up amid the Covid-19 recovery.
Norton and Avast may have been ahead of the curve in securing personal devices against the perils of a connected world, but the threats are bigger now and the stakes much larger. A timely merger won't be enough to safeguard their future.