Prize Catches in Security Software

While phishing threatens unsuspecting Web surfers and their bank accounts, stocks such as McAfee and their investors only stand to benefit

Security threats faced by organizations and individuals are evolving. Past threats typically came from young computer nerds creating viruses in an attempt to gain notoriety among peers. "We think the largest emerging threat is very different," says Gary McDaniel, who follows software stocks for Standard & Poor's Equity Research. "Today's threats are not based on notoriety, but on profit."

The Anti-Phishing Working Group recently released a study that found 15,244 phishing attacks in the month of December. That's down from 16,882 attacks in November. However, the number of unique phishing Web sites jumped to nearly 7,200 from 4,630 in November. It also found that 80% of the attacks were targeted at seven brands, primarily banks, credit unions, and other financial institutions. The notable scams in December were targeted at Wal-Mart (WMT) and the Internal Revenue Service (See BW Online, 12/5/05, "Phishing: Beware the Internal Revenue Scam").

The rise in online attacks means demand will remain healthy for security software and hardware. McDaniel's favorite stock in the group is McAfee (MFE).

BusinessWeek Online's Karyn McCormack recently spoke with McDaniel about security software trends and his favorite stocks. Edited excerpts of their conversation follow.

Note: Gary McDaniel is a Standard & Poor's Equity Research analyst. He has no ownership interest in or affiliation with any of the companies on which he writes research. All of the views expressed here accurately reflect the analyst's personal views regarding any and all of the subject securities or issuers. No part of the analyst's compensation was, is, or will be, directly or indirectly, related to the specific recommendations or views expressed in this story.

What's your outlook for security software makers?

Security software vendors are part of the systems software group, on which we have a positive fundamental outlook. We expect spending on security software by both businesses and consumers to demonstrate the highest growth rate among the different segments that comprise the systems software group. Of the seven stocks we follow in this space, we have one strong buy recommendation, two buy recommendations, and four hold recommendations.

We expect spending on IT security to grow at a high-teens rate through the end of the decade, with security services, particularly implementation services and security outsourcing services, to show the strongest growth. We also look for high growth in secure content management -- meaning managing spam prevention, content inspection, and virus protection for content that enters, flows within, and leaves the corporate network.

In addition, we see very strong growth ahead in the security hardware arena, particularly for unified threat management (UTM) and secure content management (SCM) appliances, which will primarily be sold into the small and midsize business segment.

The players we like best in this area are Internet Security Systems (ISSX) and Check Point Software (CHKP), which are both ranked 4 STARS (buy). User authentication is also an area where we look for strong growth rates -- we like RSA Security (RSAS; 3 STARS, hold) in this area.

What's the biggest driver of sales?

We believe there are several factors driving demand for security software. The primary driver, we believe, is the evolution of the security threats faced by organizations and individuals. In the past, the typical security threat was a 16- to 23-year-old computer nerd who couldn't get a date and created viruses and worms to gain notoriety among his peers. Unfortunately, those days are behind us.

We think the largest emerging threat is very different. Today's threats are not based on notoriety, but on profit. The new threats are being targeted at specific organizations, primarily financial services institutions, with a goal of hijacking an individual's bank account, credit card, or identity in order to perpetrate financial fraud.

These new attacks are largely taking the form of phishing and pharming. Phishing is an attempt to steal a consumer's personal identity data and financial account information by using tactics such as spoofed e-mails from banks that ask a user to click on a link to update information. That link directs users to a counterfeit Web site designed to mimic the look and feel of the actual Web site where users are prompted to enter account and identification information under the pretenses of updating the bank's records or re-validating the user.

Phishing can also be accomplished by installing crimeware on a user's machine which logs their username and password for banking sites and transmits this data to the attacker.

Pharming is the act of hijacking a DNS server and redirecting a user who uses that DNS server to go to, for example,, to a fraudulent Web site that mimics that real Web site. Once users are redirected to that phony Web site and enter their log-in credentials, that information is stored by the attacker.

These emerging threats have spurred governments to establish regulations that are adding further fuel to security demand. In the U.S. these include the Gramm-Leach-Bliley (GLB) Financial Modernization Act, the Government Information Security Reform Act (GISRA), FERC's Security Standards for Electric Market Participants, HIPAA (the Health Insurance Portability & Accountability Act of 1996), the Basel Capital Accord of 1988, and the Sarbanes-Oxley Act of 2002.

In Japan, an attack on an online bank prompted regulators to demand stronger user authentication standards for online banking. And in Europe, data privacy regulations will require security software spending.

Microsoft (MSFT) is entering the security area -- what does this mean for the pure plays?

First of all, let me say that we are very bullish on Microsoft, and it carries our highest rating of 5 STARS (strong buy). We believe the company is in the midst of the most important product-release schedule in its history, and we expect the new products it's releasing during this cycle to drive meaningful growth over the coming years. That said, we do not see Microsoft's entry as a large threat to the rest of the security industry.

Although we think Microsoft's entry into the consumer security market may impact some competitors in this segment, we expect increasing penetration as more consumers opt to protect themselves from growing online threats rather than ignoring these threats (See BW Online, 2/16/06, "Symantec's New Target: Consumers"). We believe only half of all consumers have up-to-date antivirus software, and we expect this figure to rise.

Moreover, we expect corporate spending, particularly by small and midsize businesses, to show substantial growth in the years ahead, and we do not believe Microsoft is likely to make meaningful inroads in the business segment.

What are your favorite stocks in the group? And what sets the company apart from the rest?

Our favorite stock is McAfee, which carries our highest rating of 5 STARS. We have a $34 price target on it. Although the stock took a large hit when the company preannounced disappointing fourth-quarter results, we believe the decline was overdone and see the shares trading at a significant discount to peers on both a p-e basis and on a PEG [p-e-to-growth] basis.

Some of the things we like about McAfee, aside from the extremely attractive valuation, are its strong brand name; its relationships with ISPs, Dell (DELL), and Gateway (GTW), which we expect to drive sales growth in the consumer segment; the rising attach rate for McAfee's other products by consumers through the ISP channel; and its comprehensive suite of security applications.

Do you see consolidation? Do you think any of these companies are attractive takeover targets?

We do expect some consolidation, and several of the companies we follow have either recently closed on or announced acquisitions, including Symantec's (SYMC) purchase of BindView, SonicWALL's (SNWL) purchase of MailFrontier, and Microsoft's purchase of Alacris.

However, we don't expect any of the companies we cover to be takeover targets. We expect M&A activity within the sector to be confined to smaller players that have a particular technology or capability that serves a defined niche.
