A few years ago, a strong password and antivirus software were all businesses needed to stay safe online. According to Ian Paterson, CEO of Victoria-based Plurilock, that era has ended.
“You should expect that some of your defences are going to be compromised, meaning you should just accept that you cannot keep the bad guys out,” Paterson told BetaKit. “Success now looks like being able to recognize that intrusion and eradicating the intruders before they’re able to commit damage. To me, that’s an indication that the bad guys have the edge.”
A quick glance at this year’s headlines bears this out. Indigo Books, Toronto’s Hospital for Sick Children, Suncor, Petro Canada, and even the Prime Minister’s Office are just a handful of Canadian institutions that have fallen victim to cyberattacks this year.
Plurilock, which offers zero-trust authentication products based on technologies like behavioural biometrics and data loss prevention (DLP) to mid-market organizations, has been keenly watching the growing number of cyberattacks on Canadian firms in recent years, as well as the rise of new threat vectors for cybercriminals, and how regulators have sought to respond.
At the same time, Plurilock has scaled significantly—executing a roll-up strategy that has seen the company make four acquisitions and grow its revenue from roughly $500,000 to over $64 million in just two years.
Buoyed by this recent growth, and in light of the increasing wave of high-profile hacks and resulting regulatory scrutiny, Plurilock is setting its sights on the industry’s next disruptive force: generative AI.
The path to growth less travelled
Plurilock traces its origins to a group of University of Victoria PhDs who, in 2016, were conducting research into a then-novel form of authentication: behavioural biometrics.
Behavioural biometrics refers to the unique patterns and behaviours individuals exhibit when interacting with digital devices or systems. Unlike physical biometrics like fingerprints or retina scans, behavioural biometrics focuses on task performance, such as typing rhythms or mouse movements. These patterns are unique and consistent enough among individuals to serve as a form of identification.
“There was a good corpus of intellectual property that had been amassed, and it looked like it was commercially viable,” Paterson said.
Following several years of product development, Plurilock secured contracts with customers in finance and defence. Today, its product suite uses behavioural biometrics and artificial intelligence to provide continuous authentication and allow organizations to discover threats.
Plurilock’s tools are designed to be invisible to the end-user, unless unusual behaviour is detected, in which case the software immediately prompts the user for manual authentication and alerts security staff.
Compared to most Canadian tech companies, Plurilock has had a somewhat unorthodox approach to growth. Paterson noticed early on that the cybersecurity industry was highly fragmented; with every emerging threat, a new wave of solutions would appear, which means companies often accrue a vast number of disparate security tools.
Rather than pouring resources into an expansive enterprise sales force, raising successive rounds of venture capital, or attempting to “brute force” its market presence while staying private, Plurilock has opted to instead grow through acquisition.
Since its debut on the TSX Venture Exchange in 2020, Plurilock has pursued a roll-up strategy that has seen it acquire four companies: Aurora Systems Consulting, Integra Networks Corporation, Atrion Communications, and CloudCodes. According to Paterson, Plurilock has grown significantly as a direct result of this strategy. In its 2022 financial results, the company reported earning $64 million in revenue during the year, compared to $479,000 just two years prior.
With the company’s customer base now exceeding 600, including heavyweights like the US Departments of Defense and Homeland Security, Paterson believes achieving such scale would not have been possible without its roll-up strategy.
“Because of that scale, we now have a lot of leverage,” he added. “Because we sit in the role as a trusted adviser to our customers, we now have other software companies approaching us about getting access to that customer base.”
Engaging AI in stealth mode
The use of generative AI tools has surged in the last year, which Paterson said has raised a new set of concerns for Plurilock’s customers. “This is a once-in-a-decade technology shift that will have profound impacts on how businesses operate,” he added.
The CEO said Plurilock’s customers have communicated a dual need: they want to leverage AI’s promised efficiencies while adhering to data protection regulations. While many AI platforms make assurances that inbound data is secure, recent issues, notably involving ChatGPT, have revealed systemic vulnerabilities that could jeopardize proprietary company information.
In July, Plurilock opened early access to PromptGuard, a new tool that detects and anonymizes sensitive data fed to generative AI tools in real time. Once the AI completes its task, the original data is returned to the user.
While Plurilock is not the only player in this arena (DLP technology is also being applied to generative AI tools by companies like Forcepoint, Trellix, and Sentra), Paterson believes Plurilock’s existing expertise in AI and cybersecurity made it uniquely positioned to launch PromptGuard quickly.
According to the CEO, Plurilock is planning to continue its focus on generative AI. “We’re seeing a tremendous amount of interest and caution around generative AI, so we’re very active in helping our customers think through what it means for their businesses, and also how to build controls and safeguards to be able to use those [tools] effectively,” he added.
Risks, regulations, and rivals
To Paterson, the rise of high-profile cyberattacks on companies has emphasized a few emerging trends. He said organizations are increasingly adopting a two-fold approach to these threats: defence-in-depth and zero trust. The zero-trust model emphasizes continuous authentication, whereas defence-in-depth incorporates multiple security controls at various infrastructure points, to ensure that additional layers of protection are in place even if one were to fail.
Plurilock exists at the identity threat detection and response (ITDR) layer, and it’s far from the only player applying behavioural biometrics here. Some of these ITDR companies operate in Plurilock’s backyard, such as Vancouver-based BehavioSec (acquired by LexisNexis Risk Solutions in 2022) and NuData Security (acquired by Mastercard in 2017). While the technology behind those products bears a resemblance to Plurilock’s, those solutions are designed to protect customers, rather than employees.
Another notable shift is the intensified scrutiny of regulators, given the rise of global cyberattacks. In June, the US Securities and Exchange Commission announced it would require publicly traded firms to disclose material cybersecurity incidents within four days. Canadian politicians have also been working to pass Bill C-26, which proposes significant new cybersecurity requirements for federally regulated industries, though the legislation has yet to pass a third reading in the House of Commons.
“Because of the increase of regulation, we’re seeing particular concern around staying compliant for larger companies that operate in so many different jurisdictions,” Paterson said, noting that these regulations will have “a profound impact” on how organizations prioritize and invest in their cybersecurity programs.
Another distinct trend Paterson has noted, which he sees as a boon for Plurilock, is the shift towards “platformification.” Rather than amassing a fragmented collection of specialized solutions, he said many firms are opting for one holistic cybersecurity platform. One of the benefits of this is cost reduction—in 2021, large businesses spent $340,000 more on the prevention and detection of cybersecurity incidents than they did in 2019.
“That really speaks to our strategy of rolling up cybersecurity companies, because we believe that aligns with what our customers are preferring to do,” the CEO added.
As long as cyber threats persist and regulations evolve, Paterson believes Plurilock will have a valuable role to play for mid-market enterprises’ cyberdefenses, though he doesn’t believe his company will be the only key player.
“Cybersecurity is a team sport, particularly when it comes to enterprise cybersecurity,” he added. “You need multiple technology solutions to hold together in order to effect a strong cyber defence.”