The Prague, Czech Republic-based Avast Software claims to be the most popular consumer security company in the world. Vincent Steckler, its American CEO since 2009, was recently in Bengaluru, where he found time to sit down with Georgy S Thomas of Deccan Herald for an interaction on the trends in the global security market. Excerpts:
Is Prague a good location to run an anti-virus company?
Yes. It has a very mathematical, very engineering-oriented culture. The major university in Prague is called Charles University. It is the oldest university in Central Europe. It is also the university where Albert Einstein was first a professor. It has a very, very long tradition in Math and Science. Security software is fundamentally mathematics. So we work very closely with the universities there, for recruiting and for research.
Prague is a small city by Indian standards, it is only two million people. The whole country is only 10.5 million people, so it is a very small country; but the two most popular security products in the world both come from the Czech Republic. We protect about 30 per cent of the world. The second-most popular consumer security company is called AVG, also from the Czech Republic. They have about half of our installed base. And Norton, which you would usually think of as the most popular, probably has about not even 30 per cent of our installed base. So our installed base is about 3.5 times Norton's and twice that of AVG.
What is your installed base in numbers?
Our installed base on the Windows side (desktop) is approximately 180 million, which outside of China, gives us a 30 per cent share in the consumer world. We don't count China, because China fundamentally doesn't allow non-Chinese security products. We were banned in China for most of 2015.
What is the split between paid and free customers?
Out of 180 million, about 2–3 per cent are paid. The rest are free, which is actually our business model. For security companies like Norton or McAfee (now Intel Security) or Trend Micro, their offerings are bundled with the new PCs that you buy. I used to do those deals when I was in Norton. It used to be very good because about 20 per cent of the people who bought a PC would end up subscribing to the security product.
So you are paying a lot of money to HP, Acer, Lenovo, etc. upfront, and then you are going to eventually make money. So it's essentially a freemium model also. However, it's not free to the consumer. What happens is that Norton, McAfee (Intel Security), etc. pay money to the middle man. The middle man takes the value for the first one, two, or three years, and then Norton, McAfee (Intel Security), etc. get value if the consumer keeps renewing. What we decided to do is to keep the middle man out of the loop. Instead of using HP and all for distribution and paying them, and not making any money, we would just make the product available free on the internet and count that a small percentage of users would upgrade to the premium product.
Are there any geographical differences in the percentage of upgrades?
It varies by country. If you go to an English-speaking country like Australia, about 12 per cent of the users pay for our product. In the US, it is 10 per cent. In the UK, it is 8–9 per cent, France is maybe 6–7 per cent. And then globally, it is between 2–3 per cent.
But if you take a small percentage times a massive installed base, you have good revenues. And it is very scalable because it doesn't cost us much money to support our free users. So our total cost, incremental cost for each user we add, is between two and three cents a year. And it is because we built a very scalable business, everything is hugely automated.
What data do you get from the free users?
What we get is the threat data. Between the Windows site, the Mac site, and the mobile site, we have close to 250 million end-points. Each of those is a security sensor, and in many cases an active sensor, in that they also run things called honey pots to purposely attract infections. Then it's all running inside a virtual machine that is on the computer, and is transparent to the user. They are kind of listening on what is happening on the internet, they are getting attacked on the internet, they are encountering things, and they ship all of that data to our cloud servers. Our cloud servers are basically a massive machine learning network. And we take all that data in the cloud servers and we figure out what is going on. And then we tell all those 250 million clients what to do. So everything a user does on a computer, every URL they visit, every programme they execute, every programme that gets executed on their computers without their knowledge…all of that stuff goes to our cloud servers.
Our cloud servers on the last order handled 38 million simultaneous connections per second. There are only a handful of companies in the world with the infrastructure to handle something like that. We do because we have by far the largest installed base for any security company, and also because we have moved all the security basically into the cloud. It is just AI in the cloud which processes everything. So our products are always talking to our cloud servers.
What are your revenues?
We will close 2015 with revenues of around $300 million. Even though we are a European company, we do our accounting in dollars because the Czech Republic is not in the euro zone.
Are you a profitable company?
We are an extraordinarily profitable company. Our profitability (EBITDA) is in the high 60 per cent. Last year it was 71 per cent, and this year we will do 68-69 per cent. High profitability has always been one of our hallmarks. In a software business, the largest cost driver isn't building the software. It is taking it to market — marketing, sales, distribution, and support — and we use our community for that.
Are you not present in the enterprise market?
We have a little bit of presence in that market. There's a general belief that the enterprise market is where the business is. So when people ask me as to why we are in consumer, I will go back to an old story set in the 1930s during the Great Depression regarding a bank robber called Willie Sutton. A reporter asked him one day as to why he was robbing banks, and he said because that's where the money is (laughs). So that's why we are in consumer...the consumer security market is bigger than the enterprise security market. It has far fewer competitors. It very much relies on technologically sophisticated products. The consumer AV (anti-virus) product is much more sophisticated than the corporate AV product. In a corporation, you have got many layers of protection. For the consumer, the thing that they call AV has to do everything...firewalls, intrusion detection, vulnerability assessments, network protection...everything into one. So they are very complex products.
Are you not looking at the enterprise market?
It is very difficult to be profitable there. The popular one in the enterprise market right now is FireEye. It basically runs the same technology that we do. Only it doesn't run any cloud servers. Instead, it puts a big server on-premise for the customer to run all that machine learning. FireEye lost big (editors: $443.8 million) last year. Enterprise is very expensive because you need engineers onsite to install and you need them 7x24 onsite to take care of problems. So it is very difficult to make money there.
What about small businesses? Are you active there?
When you get a small, small business, you can't tell the difference between a small business and a consumer. They use consumer form factor computers, they use consumer products. We are probably big in there, but we can't really measure it. What we did about a few months ago is we switched our entire corporate product over to a freemium model. So our entire corporate product is now free. It comes with a central management console, and protections for the server, not just the client. It is in the cloud management environment — you can manage anything from 10 nodes to tens of thousands of nodes — it is actually an enterprise-class console and completely free. What we are driving at is to have a large installed base. We have learned that if you have a large installed base, you can make money — all for free.
It was the same thing with Facebook. Remember for many years, Facebook did not care about making money. They were focused on getting that installed base. Once you get the installed base, you can then lay out monetisation.
How many installations on the enterprise side?
We will finish this year with around one million end-points. The average size is around 50 employees or computers.
The desktop world itself is not growing. What about mobiles?
On the desktop consumer side we are by far the largest. The second-largest is AVG. The third-largest is probably Qihoo in China. On the mobile side, it is kind of the same. The four largest players in mobile security are the two Chinese and the two Czech companies. The four Cs — Cheetah and Qihoo in China, and Avast and AVG from the Czech Republic.
Cheetah mobile has been throwing massive amounts of money in online marketing and probably has the largest installed base in mobiles. After that it is a toss-up between the other three. But the gap between the four of us and everyone else is huge. We probably have 10 times the mobile installed base of a Kaspersky or a McAfee (Intel Security). We haven't measured our market share in mobile globally. In some places like Brazil, it is around 50 per cent; in India it is around 10–11 per cent. In mobile, we have around 75 million installations. We have very little revenues on mobile. The objective here is to have a massive installed base, upwards of 100 million.
What about the need to educate users because of the perception that mobile doesn't need security?
Traditional players in the space bring the model from the Windows world over into mobile. And users have different threats on mobile. They are not exposed to the same type of security issues as they have on Windows. A big part of that is because the two mobile platforms — iOS and Android — are very primitive. So think about a piece of malware. It is just an application. An app by itself isn't doing any harm just because it is running.
To do harm, it has to cause harm to your device or it has to steal information. Android and iOS don't allow apps to talk to each other. It can steal from the system by asking for permission to access certain things when it installs — you know, apps that are marketing scams and steal private information. But in the classic malware sense of digging through your computer and stealing stuff, iOS and Android are primitive. All apps run at the same level of priority; no apps can exchange data with each other; no apps are allowed access to the kernel of the OS.
When you do simple computing, that looks perfectly fine. When you go back to the original Windows, that was how it was. But as people need more power in their software applications and programmes, the OS starts becoming more complex. And that is when there will probably be more of the classic security issues with mobiles. Because Android and iOS will eventually have to get more complicated and allow apps to talk to each other, and run at different priorities.
Just like it has happened in the rest of the computing world. But right now, people are concerned with different things on mobiles. One thing they are concerned about is losing it. Your business life, your personal life, everything is on the mobile. How do you safeguard it? If you lose it, how do you find it? And if you can't get it back, how do you make sure no one can exploit any of the data on it? So a key part of our mobile security product is actually that whole protection for the mobile.
How do you do it?
We don't disclose how, because that makes people figure out how to get Avast out of the phone. We did a study. First, we bought 20 used Androids from eBay. Then we 'lost' them after unlocking them — 10 in San Francisco and 10 in New York. We got four back. Sixteen were gone. Of the 16 lost, 15 were immediately factory-reset. Before we lost them, we had installed on them Avast, Cheetah, and Lookout security products. The factory reset immediately deleted Lookout and Cheetah. A factory reset will essentially delete every anti-virus on a mobile except Avast. We have some techniques of integrating ourselves into an Android phone which we don't disclose, which prevents us from being removed by a factory reset. If a technician really knows what he is doing, then he can eventually find our software and get rid of it. So we survived 11 of the 15 factory resets. But that's far better than zero out of 15 for our competitors.
And then when we survive the factory reset, we know everything. We know the location of the phone, we can take pictures of the person using the phone, we can send messages; but most importantly, the phone is constantly talking to the original owner and sending messages on where it is; and if the user replaces the SIM, a message is sent to the original owner saying, 'Hey, your phone now has this phone number'.
So this is one thing that your product does that your competitors' do not?
Right. But what we don't understand is, why even put an anti-theft product on a device that even a factory reset immediately removes? Everyone does a factory reset. That is why pretty much all the anti-theft devices are fundamentally useless. We don't bother doing this for iOS. But Android is like the Wild West.
What are your mobile products?
We have five. The flagship is Avast Mobile Security which is anti-theft and security, focused on Android.
Apple doesn't allow anti-theft products, and Apple fundamentally does not allow security products, except useless single-file scanners. So the security products in the iOS store are basically jokes. Our second mobile product is called 'Wi-Fi Finder' which allows you to find all the publicly and semi-publicly available Wi-Fis in any location.
Then we have another Wi-Fi product called 'Secure Me'. It scans Wi-Fis to find if they are for real. Then we run a scan on the Wi-Fi router to see if it has been compromised or the DNS has been hijacked. And if it is all safe, we let the user log on and then we turn on a VPN. And all of that is free. If the Wi-Fi is fake, we don't allow the users to log on, period. But if it has been compromised, we recommend that the users don't log on. But they can overrule us and log on. The fourth product is called 'Password Manager'. Then we have a VPN called 'Secure Line'. We used to have a paid mobile security product, but we have just dropped it. But other than the heavy-duty VPN, all our mobile products are free.