Interview: AVG

Ten years ago, when every other security firm was charging for protection, what made you decide to offer it for free, and how has that ended up shaping your business?

The free model has evolved over time, but the original decision to launch free was really to grab market share. Now it’s completely viral. The user base supports itself through forums; 70 per cent of people who use our free product do so because somebody recommended it.

But couldn’t you have made more money by charging? Or would you not have been anywhere near your current size if you did?

The driver behind the business has been the ‘freemium’ model. I find it hard to see how we would have got to 110 million through traditional methods.

We’re growing on average 80 per cent a year, we have margins that are twice the industry average; it’s a beautiful story and we did it all by giving it away.

So where does the money come from?

The paid base helps support the free base; a lot of small businesses buy it, and a lot of consumers just buy it too. There are a lot of ways we monetise underneath. We get so much information back on what’s malicious and what’s not – on the web and on people’s computers. That information is really valuable and it changes every hour.

There are lots of companies out there that will pay us for that information, like Microsoft and Cisco, who have large user bases. So we sell them information – not about the end user, just about the threat landscape.

These days people are accessing the internet on more and more types of device – presumably with very different types of vulnerabilities. What are the main challenges for a security company now compared to when AVG started?

The challenges are driven by a few things. Number one is the devices, then you’ve got user behaviour. Today people live their whole lives online and that’s really impacted the type of threats we’re seeing – they are focused on what people are doing and where they are doing it.

What we’ve had to do is modify how we protect people. Traditionally it was just anti-virus, but much of what we do now is in the cloud, and there’s also a lot of behavioural analysis. If a programme acts suspiciously, like dialling China, block it.

Then we have web protection. Some of the other players have crawlers all over the internet scanning websites – we don’t have that infrastructure or the desire to have it.

What we have is 110 million users using the product – they are the scanners. About 50 per cent choose voluntarily to send us back what they’re seeing. It’s not anything about them, we’re just getting the results back. So we will be one step ahead of you the entire time you’re online.

The sites get scanned every time you click them, and that’s the only type of defence that’s really effective; it protects you in real time. There’s really nobody else that does this from our competition. With our new products we have the best detection rates in the industry and it is really, really fast.

What we really want to do is get the message out that protection is an obligation, it’s not an option. You send people documents, you interact with your bank – if more people are protected there’s less chance that others will be infected.

Since Intel bought MacAfee it has announced its interests in the security market. However, in doing so it has made its position clear that security software firms are no longer sufficient alone to protect computers on their own – would you refute that?

It’s an interesting dilemma. Putting security on the chip is hardware. How do you dynamically update hardware every 20 minutes? I’m struggling to see how even the smartest engineers in the world are going to get a piece of plastic to do that.

Intel may find applications in mobile and the enterprise space with their new acquisition, but I do question whether or not they can put that on the chip. And will Microsoft, which also provides security, allow Intel access to the operating system through the chip? There are a lot of unknowns there.

There’s no way they will eliminate the need for security software. They might be able to do anti-virus there, which I doubt, but think of the other layers I mentioned. By the time they get the technology to do part of it, behaviour and threats will have evolved so far that if you aren’t dynamic and quick moving, forget about it.

It’s like having one lock manufacturer – you will never protect the way you need to. It has always been a dynamic and fast moving industry; it’s good that they’re thinking about it, but…

So you’d certainly dispute the idea that software alone is no longer fit for purpose?

Forget about it. There are lots of drivers behind what they were doing. You can read all the speculation, but it was nice they could buy a healthy revenue stream.

The recent Stuxnet worm that seemed to target infrastructure in Iran has been labelled as a ‘prototype’ state-funded weapon by some, as well as the shape of cyberwarfare in the future. Some, such as Kaspersky Labs, believe that it only could have operated with a government behind it, or ‘nationstate support.’ Would you agree with that assessment and what role do security software organisations have to play?

Is it a government-backed cyber-attack? I don’t know. Is it plausible? Certainly.

You will see that as a platform for cyber warfare. I think all governments around the world are making sure they’re working on the latest technology, and that’s where a lot of great technologies come from.

They are working with a lot of enterprise players – we often will give advice too but we’re very much focused on consumers, so we’re not into that level of intricacy. But there’s validity to it. Wasn’t it three years ago the whole infrastructure of Estonia was taken out? You know it can be done.

There is definitely a whole lot of corporate espionage happening, where the Chinese are stealing highly classified prints and documents for everything from planes, trains and automobiles. It would be really foolish to think that it isn’t number one on most governments’ watch lists. They will be thinking ‘what are we doing about it, are we protecting our infrastructure?’ For sure.

Governments won’t necessarily be savvy to what the cyber threats are though. Do they have to turn to guys like you in the tech industry?

Absolutely, and they do. Banks, hospitals, enterprises – there’s a huge amount of information there, everywhere you go there’s an opportunity there for some type of threat. So yeah, I would say there is a lot of co-oporation.

Have increases in sophistication or tenacity of cyber threats hindered the ascension of the cloud at all?

I think you’re right, I think it probably has. Especially if you’re a small business. We know there are threats and we read about them at least once a week. I think for adoption of managed services in the cloud, or just storage in the cloud, it’s definitely slowed uptake.

And small businesses often have less protection than a consumer – if someone drains their bank account they aren’t necessarily as protected as you or I.

The way cyber threats are evolving now, what to you think the landscape will be like in around ten years’ time?

I think they will get more and more complex. The individuals and groups that are orchestrating cyber crime are incredibly organised. They’ve got offices, build schedules, and automation. I believe that 80 per cent of what we see is all just smokescreen, while only 20 per cent is actually real and could do some damage.

From what we’re seeing now, the signs are that they have their own scanners, and they’re taking your name and bits of information from different sources and putting it together. So you don’t have to do something silly once, they can pick off stuff.

The botnets are becoming more intelligent; in fact a lot of them will try to fight back. If they see it’s security software going after them, they’ll attack. Our chief scientist even got scammed. We’re blocking about 5,000 malicious programmes from Facebook a day, and we’re going to see a lot more impersonation threats.