Cybersecurity continues to be a major area for investment among businesses, and today a startup building solutions for smaller enterprises is announcing a funding round to meet that demand. CyberSmart -- a U.K. startup that has built an all-in-one platform providing cybersecurity technology for small and medium businesses, and cyber insurance if things go wrong regardless -- has closed a Series B of £12.75 million ($15.4 million).
CyberSmart currently has 4,000 customers in the U.K., with 1,800 of them also taking the company's insurance policies as well -- the tip of the iceberg in a market with 5.5 million small and medium enterprises (SMBs) overall -- but Jamie Akhtar, the co-founder and CEO, said there is a lot of interest out there and it's about meeting that demand right now, so the plan is to use the funding to continue developing its product, to potentially make some acquisitions, and to expand its channel partners, and customers, in its home market as well as further afield in Europe, Australia and New Zealand.
The funding is being led by Oxx -- the European VC that focuses on growth rounds for SaaS startups -- with strategic and other interesting backers participating. They include British Patient Capital (the commercial subsidiary of the U.K. government's British Business Bank), Legal & General Capital (affiliated with the insurance giant) and Solano Partners; previous backers IQ Capital, Eos Venture Partners, Winton Ventures and Seedcamp are also participating. The company had previously raised £8 million and it's not disclosing its valuation with this round but Akhtar said it was oversubscribed.
Investor and customer interest for a company like CyberSmart speaks to a bigger shift we've been seeing in the market. Small and medium businesses used to be overlooked when it came to cybersecurity. That was for a combination of reasons: criminals typically focused attention on the biggest targets as the biggest prizes, SMBs are not known to be big spenders when it comes to any kind of IT, and for those reasons the companies building the most interesting cybersecurity tech weren't focused on them as target use cases and customers.
That has changed significantly over time. Not only are incidents of cybercrime continuing to grow -- up by 38% in 2022 globally, estimates Checkpoint Research -- but SMBs have become a prime target for these attacks, accounting for 58% of them, according to 2019 research from the Global Cyber Alliance.
The small and medium business segment, as a result, has increasingly become a target for those building cybersecurity solutions. That's included others like Cowbell and Guardz, which are mixing the propositions for security and insurance together, as well as those focused only on tech, and specifically kinds of security incidents, such as ActZero and its focus on ransomware in particular.
“SME's are notoriously under-protected from the rising cyber threat, and existing cybersecurity and insurance propositions are neither fit for purpose nor affordable," said Phil Edmondson-Jones, partner at Oxx, in a statement. "We have spent a long time searching for the right business model that can enact a step-change in this important & enormous market. CyberSmart's category leading SME security product; combined with its unique ability to collect 'inside-out' data on real-time risk indicators, will propel the business to become a core part of the infrastructure for cyber protection and insurance. We are thrilled to support CyberSmart and its stellar team in driving urgent adoption in the market, and rapidly expanding internationally.” He's also joining the board with this round.
A lot of activity may be new, but CyberSmart itself is not: The company is actually six years old, and is thus something of an early mover in identifying and targeting SMBs with cybersecurity technology. The startup was initially incubated at an accelerator run by GCHQ, the U.K. equivalent of the NSA, with Akhtar building the business out of his own experience after working for more than a decade in cybersecurity at other firms.
"I could see that SME security was broken," he said. "So many of them were unaware of cyber risks, and they didn't have the tools and resources to tackle it anyway. We approached the problem from that perspective."
The product is aimed squarely at the "S" end of SMB (or SME as it's commonly called in the U.K.), with average customer sizes ranging between 10 and 50 employees, and no plans to expand to much larger businesses, the mid-market or anything else. And its primary sales route speaks to the market that CyberSmart has identified and understands: It sells mainly through channel partners, which consult smaller businesses on their overall IT needs sell them packages of IT hardware and software as part of that, with CyberSmart taking on the security piece of that offering.
“As cyber-attacks grow increasingly sophisticated, the technology needed to protect against them must do so as well. For many SMEs, this is a difficult challenge to tackle, either because of financial constraints or a lack of in-house expertise," added Catherine Lewis La Torre, CEO of British Patient Capital. "CyberSmart was created to address this problem, providing not only affordable and easy-to-use cyber protection but also training, certification and insurance. We are delighted to be supporting such a dynamic and ambitious business on its growth journey.”
That security piece comes in the form of its flagship product Active Protect, which Akhtar describes as a "baseline" security tool that can be installed and used without any need for IT experts to integrate or manage it. Active Protect is distributed to staff via a link, which can be downloaded on any device used on a company's network, and after it's installed it provides continuous monitoring, with proactive information and advice when it spots any kind of suspicious activity, as well as prompts for people to go through training to be more aware of and vigilant against typical attack vectors (email phishing for example being one of the most common that comes down to humans making sound calls). It describes its aim as the "most common" vulnerabilities.
Alongside this, CyberSmart has built out an insurance product in partnership with Aviva and Superscript. It comes bundled with Active Protect but it only kicks in as a policy once a user has followed all of the instructions to secure devices, address security issues when they are identified and go through training when it is recommended.
The aim here is two-fold: Akhtar believes that a lot of SMBs might not typically take out cyber insurance because of the premiums, so offering something as a free add-on will get more people to sign up for its security product. But in addition to cost, Akhtar believes that a lot of cyber insurance aimed at the SMB market is a hard sell because of the relatively strict parameters that need to be met for support. Linking it directly to how a security policy is managed makes the most sense. (These are likely two big reasons why we are seeing a number of other companies bundling cybersecurity solutions with insurance, too.)
Notably, Akhtar tells me that since the company launched the insurance product over a year ago, there hasn't been a single claim made against it -- a sign, he believes, of his startup's formula working as it should.
Yet there are some gaps in what CyberSmart is providing to the market -- for example, if the most common vulnerabilities are being addressed, isn't it just a matter of time before hackers start tackling SMBs with increasingly more sophisticated approaches? And if the main approach to remediation currently is providing guidance to a company's team of human employees, is there scope for complementing that also with more automated approaches, or tech that can tackle more sophisticated attacks? These are areas where CyberSmart will either likely be building more tech itself, or bringing in additional functionality by way of acquisitions.
On the acquisitions front, Akhtar noted that his own fundraising journey this time around really laid bare the state of the market right now. "I spoke to hundreds of VCs over nine months," he told me (and if I was asked to use an emoji to describe his expression at that moment, it would be the one of the face with the slightly uneasy smile and bead of sweat running down the side: 😅).
In the event of CyberSmart, he said part of this was also because he and his team were being selective and were looking for partners that could help with business growth, not just bank account growth. But more generally, it emphasizes how hard it is right now to close rounds for a lot of businesses, and there will be promising technologists out there who are running out of runway, or getting bad financing offers, who might be willing instead to sell at a lower price and team up with a partner to grow something together.
Even further down the line, the plan will be to raise a bigger Series C to enter the U.S., Akhtar said.