Good afternoon, and warm welcome to SSH Communications Security's Capital Markets Day 2023, Riding Cybersecurity Technology Waves. My name is Lauri Koponen. I'm Communications Lead here at SSH, and it's my pleasure to guide you through this insightful event. We are recording the event from Helsinki, Sanoma House, and we have guests, guests actually here on site and also online. The event will last approximately three hours, and we will end at 4:00 P.M. Eastern European Summer Time . During the event, some of the discussions or statements can be forward-looking. So here is just as a reminder, Safe Harbor statement . Here you can see our speakers of the day.
We will have SSH leadership team as a whole joining us, and also SSH board member and OP Financial Group cybersecurity expert, Catharina Candolin , and also Juha Vartiainen, co-founder and international affairs officer of IQM Finland. Here is also agenda as follows. In the middle, we will have coffee break for 15 minutes and continue with the program 2:55 P.M. Now, we will kick off the event with Henri Österlund, Chairman of the Board of SSH. I would like to welcome Henri on the stage to give his opening remarks for the event.
Thank you, Lauri. Also, warm welcome on my behalf. It's a pleasure to have you here on site and online. I thought I say a couple of words about myself and Accendo. So Accendo is a investment firm which is investing in the free human mind. Free minds can only operate in free environments. For a better word, we call it capitalism. Because of this, we typically invest in technology companies and especially software companies. We have had SSH on our radar since the inception of the fund, 2008, so 15 years ago. And then back in 2020, we had the possibility to acquire shares from the founder, Tatu Ylönen, and I've been chairman since 2020. It's good to reflect some of the changes that have taken place during the first three years.
If we think of the strategic direction, I would say that there are 2 things you should take away. One is the change into a subscription model. The subscription model has clearly benefits for the customers because these are complex products. The environment is changing all the time, so customers need to have products that are living software products. Not that you acquire a license, and then 3 years down the road, you take it away, install a new, improved software, but you need to have a product that is constantly updated and a live product. Then for us as a company, it also has the benefit that the revenue streams are more stable.
When SSH was making the living out of license sales, you know, a quarter when you sell two licenses was a very good quarter, and a quarter when you did not sell any licenses was a horrible quarter. So this is a big change the company has undergone the last few years. And then the other thing is that SSH has clearly been focusing on what we call lighthouse customers, customers within industries where other companies are following. And I do think that we have had pretty good success on that front. I mean, unfortunately, we can't talk that much about the individual clients, but the clients we have been able to attract are some of the very best in the whole world. Maybe one thing to make you aware of is that now when the management is talking, pay special attention to PrivX. That's very important.
That's the engine for the company going forward. SSH was very dependent on Tectia software products, and then during the, say, past five years, SSH has developed the PrivX product line. It's a privileged access management solution, but it's not only that. It's also that all the Zero Trust Editions of SSH products, they have as their engine, PrivX. So it enables much more than just one product line... and on that front, I'm happy to see the success we have had. Thank you, Lauri.
Thank you, Henri. Thank you very much, and let's continue with the program. Through the event, you will have opportunity to ask questions in the chat, and we have also a moderator in the chat moderating the questions, and he'll try to answer your questions also during the chat. Dear guests here on site, you see QR codes on the table. You can join via QR codes the chat also, so you can engage with the remote participants also. Guests on site, you have also possibility to ask questions via microphone. We will have, in the end of the event, dedicated Q&A session, but we will also try to find a moment after each presentation. If you have some very, very urgent question, we can address them also, but please write them in chat or be ready to raise your hand.
The event will be recorded, and the recording, plus presentation, will be available at our webpage for investors after the event. So let's continue. Our next speaker is Michael Kommonen, our Chief Financial Officer, and he will be sharing the fresh financial results and key updates of the company. Please, Michael, the floor is yours.
Thank you, Lauri. Good afternoon, and welcome also on my behalf to SSH Capital Markets Day 2023. If you look at the picture behind me, you'll notice fish on the slide. I'm not a big fisherman myself, so this presentation will focus most on the fish we already have in the boat, and then we will have Teemu and Rami later speaking about actually the process of catching the fish. So with that, we'll go into the financial results and the key updates of SSH. Overall, we can see that the strategy execution continues to progress well. If we look back from when this strategic journey started in 2020, we've experienced clear sales growth and positive EBITDA since.
Starting from 2021, 40%, 2022, 20%, and in the most recent six months, the first half of 2023, we had a sales growth of 9% while maintaining positive EBITDA. Overall, from a financial perspective, we continue to invest in growth, meaning the sales growth we generate, we continue to invest in both our research and development capabilities, as well as our go-to-market capabilities and organization. We're also continuing the transition to the recurring revenue model that Henri already alluded to. I will go into a bit more detail in that shortly. If we look at the most recent quarter, the Q2 of this year, we had net sales of EUR 4.9 million, while EBITDA was positive EUR 0.1 million. Inside that sales, I would highlight particularly the subscription sales growth.
We had subscription sales growing 33% in the Q2, and our deferred revenues grew to EUR 12.6 million, so significantly up from a year earlier of the EUR 7.4 million. EBITDA, as mentioned, was EUR 0.1 million, and EBIT negative EUR 0.7 million. Overall, if you look at the numbers, the sales growth and the profitability, we can see some headwinds from the macroeconomic environment and the geopolitical and situation in Europe. So we're seeing among our customers some delays in decision-making and, and investment. Cash flow from operations was negative EUR 1.4 million, driven by our continued investments in marketing and R&D, as mentioned. We ended the Q2 with EUR 2.6 million on hand, in cash.
This is a cash position that we expect to improve during the latter half of the year, reflecting the typical seasonality of SSH business. If we then go into the net sales a bit, in a bit more detail, starting from 2020, the first half, as a comparison, at that period, we had net sales of EUR 5.7 million, and of that sales, 6% was subscription sales, so not a significant amount. In the first half of this year, our net sales had grown to nearly EUR 10 million, EUR 9.6 million, but equally significant is the substantial increase in subscription sales. So over half of our sales now consists of subscription-based sales. If we look at the total recurring revenue as such, which in our case is subscription sales and maintenance sales, this number is above 90%.
So a significant, a very significant part of our sales is currently recurring revenue. And as Henry mentioned, there are several benefits with this sales model. So there's a couple of reasons why it's good for SSH. It's also something that our customers appreciate and, and are increasingly moving towards too. If you have a cybersecurity product that is 2, 3, 4 years old, it will not protect against cybersecurity threats, hackers that are growing increasingly creative and sophisticated. Of course, for us as a company, the subscription sales model brings a lot more stability and predictability to our business. As our costs are mostly consist of personnel costs, recurring costs, the sales is now better matched with our costs and improves the predictability and forecasting of the business going forward. Then shortly about the cybersecurity market and SSH position in this market.
If we start by looking at the information technology market, it's estimated to be somewhere close to $9 trillion annually, with a growth rate of approximately 8% per year. Within that market, we have this total cybersecurity market that last year was estimated at EUR 180 billion, with a clearly higher growth rate of around 13%-14% annually. If we then go into the cybersecurity market, the top impacts within the cybersecurity market, this is based on a study, a poll made by IBM to CISOs of corporations, chief information security officers, asked on what they see as the most the major impacts and threats to their business. The number one impact is from ransomware, with over 20% responding that.
We have data theft almost at the same number, credential harvesting, data leak, and brand reputation, the largest impacts. Where SSH comes in with the Zero Trust Suite, with PrivX at its core, with our other products, UKM, Tectia, our Communication Suite 2024, and NQX, we are very well positioned to answer towards these threats that are in the market. As our name suggests, we provide communications security between people, systems, applications, networks, and sites. The market where we operate, the market within the cybersecurity market, we estimate the total addressable market to be in excess of EUR 1 billion annually, growing also around 13%-14%. So if you do a quick calculation looking at our revenue and looking at the market size, you can see there's a major opportunity, significant room to grow within this market.
Finally, on the top threat mentioned in the previous slide, ransomware. CISOs listing their top threats in cybersecurity, their top risks, 19% put ransomware as their top risk, 35% placed it in the top three of their risks, 25% in the top five. So collectively, nearly 80% see ransomware as a, at a minimum, as their in their top five cybersecurity concerns. So with that, I'll hand over to Teemu, who will go into more detail on the direction of SSH.
Thank you, Michael. Yep, yes, please submit your questions in the chat. If you have now some question to Michael, straight ahead, especially people here on site, you can raise your hand, or we address the questions during the Q&A session. Okay, thank you very much, Michael. Next, following Michael's, Michael's presentation, we have our CEO, Teemu Tunkelo, joining us, and will take us beyond the boundaries and show direction for SSH. Please welcome, Teemu.
... Now, you heard my name, and I've been lately meeting a lot of customers, and two things stayed in my mind. One European major bank said that, "Every time somebody, super user, power user, touches our production system, it's like breaking the glass. It has to be controlled." An American credit card company said, "We need to tighten the screws to our production systems." I was thinking that, well, how can I explain to you what we do because I can't talk about the customer names? Luckily, I was in an airplane, and a Polish guy was sitting next to me, and I ended up chatting with him, and I said, "What do you do?" He said, "Well, I have a factory that makes ball point bearings or the ball point balls. I'm the only company in Europe who does it.
No signature would be done on any contract without my balls," I said. "Well, how do you make the ball?" "I can't tell you that." So that kind of tries to explain how I try to take you with me for the next hour, talking about cybersecurity, which I can't talk about. So without further ado, we are an amazing company. When I joined SSH three and a half years ago, the founder of Nixu, Pekka Nikander, told me, "Teemu, you're not going to a company, you're going to a cult. What we can do with software, we have intelligent people, 150 of them. We have customers any other our size company would dream about. The only question is: how do we get more money out of them?" And I'll try to tell you about our operating environment, about our portfolio, and the major problem.
I only have one problem: get the go-to-market better. How can we compete in this market in the realities we are surrounded with? So the first choice we made is that we don't go everywhere. We go just to the countries who are leaders in technology. We luckily have a great customer base. We know, I think what we are doing; we have over 100 granted patents. The products have been used, oldest ones, 10 years, youngest ones, 5 years, and they will be used another 20 years. And with the subscription model, the revenue recognition helps us a stable way to keep our people working on the stuff. And what we have done, and what we continue to do, is to invest in the technology, because the underlying technology is changing all the time, so we have to keep our product future-proof.
And that's one of the big things we have done in the last three years. So the fundamental change that we, as SSH Communications Security, try to explain is that it doesn't help to build walls. I know there's a guy in the US who was building walls. Didn't really, but actually closer to me, my wife got a new job, and she works for the Swiss government, and she has a desktop computer, and she can't read her email outside the office. Now, that's kind of, for me, a little bit old-fashioned because the world where I live, you can work anytime, anywhere. But when you do it, the communication security becomes the topic. It's not about blocking the roads, it's about maximizing the traffic, and that's what we do. So change is difficult because looking change and predicting it, it's very difficult.
I used to always say that I trust you like the Soviet Union, but then it collapsed. I never believed it would have happened. Now, this is since my graduation, the computers I used to program with. The time then was about CPUs, about operating systems. That's all gone. Now, we are closer to customer. We talk about the cloud, and the edge, and front end, and back end, and we put everything in the cloud. And that's what SSH does. We help our customers on this journey. Thank you. So if we take... Still sticking to the wall paradigm, this is the picture of my favorite city.... It's Munich. You can see on the bottom right corner, kind of a round thing, which is the Altstadt, which used to be surrounded by walls. What you can't see is the subway under the city.
What you also cannot see is the digital infrastructure. We live in the digital infrastructure. Now, if I take fast backwards to starting of 1800, that's how the city of Munich used to look like. What does that have to do with our business? I try to explain. The city wall is like firewall from Cisco or others. It protects our people because good people are inside and the bad people are outside, right? Then you have the moat, vallihauta, and then you have the bad world outside. For partners, we give a little place called extranet, so they can come and see some stuff. Outside the moat, we have the demilitarized zone, which kind of sounds funny that IT talks with military terms, but that's a computer that is at risk because it's in internet.
Now, we take you away from all that, because if we go back to Munich, this is the traffic control real-time situation from some weeks back. And you can see, you can still see the city walls, but they are irrelevant. There, there is now a road instead there, and the dark red, the highest traffic is to the airport. So if you look at this 200 years, it has changed, and the speed of change is only getting faster, and I'll come back to that later as well. Now, some stuff is even slower. This is at the late medieval times. That's how Munich used to look like. And industrial automation, which is very close to my heart, every supplier has their own road to the city, which they control themselves, if the customer wants.
That's why we have PrivX OT Edition, because we help customers to control the access. Don't lose your keys to the kingdom. You have to know who comes and does what to your production systems. And with that, we have had really great success lately. Now, the other thing that impacts us a lot is, like, Michael said, the geopolitical situation in Europe. It has risen a lot on the awareness that it's nice to have running water, that the wastewater goes away, you have heating, cooling, even electricity. It's a better world. So every country has their own plan to improve cybersecurity for critical infrastructure. Standards are also developing. ISO 9000 came way back. Everybody made a quality organization.
Then you had sustainability, ESG with stock-listed companies, and now most of the companies we talk with are looking at how to implement the critical infrastructure and cyber security protection based on the regulations from the government. And that's not the only change we need to deal with. The other thing is the user needs. They want to go to cloud because it's cheaper. I don't want to own a computer. And the underlying technology is also changing because clouds become serverless. The infrastructure has to be automated. The biggest customer we have has almost 1 million servers. You can't manage them one by one. You need to have automation, which we provide. And you want to get rid of passwords. You want to get rid of keys that you might lose. And these are the things that are driving our thinking moving forward.
So the old world was to say, "Internet is bad, intranet is good, extranet is somewhere in between." Most of the data breaches happening are happening inside the organization, or a third-party employee who comes and does something in your system. Even with post-COVID world, even your own people work from home, so your security posture has completely changed. And that brings one thing on top. If you look at the word cloud, this was done by a university asking the world thought leaders, "When you hear cybersecurity, what is the thing that comes to your mind first?" The bigger the word, the more important it is. And we are communication security. Now, how do we go about it? We are communication security between human systems, networks, applications. And what we do is the same as the CCTV systems in any public place or any hotel.
We record the traffic, and we know who did what, and we can provide access. We are expanding that from our traditional environment of systems and applications and SSH, which means Secure Shell, a safe way to access a critical system. We also do human-to-human communications, and Rami will talk more about it later today. We see a huge opportunity in an untapped market of factories, harbors, airports, container terminals. With NQX, connecting the factory to the cloud, the site to the cloud, connecting sites with high-performance thing where you don't need to have a proprietary appliance. Our product, you can run on a PC. All this can be secure for the long term with post-quantum cryptography , so software-based algorithms that keep the computer safe, even if the quantum computers come, and Juha will talk about it later today.
They might come, and one of our customers, when I was talking to him, he, I said, "What do you think about quantum computers?" He said, "I don't know if they ever come, but I need to be prepared for it." So what we do is like a key card in a hotel. We take away the keys, and you get the card, which the owner of the house can control when you can get in, and he knows who did and did what and when. And with that data, you can also do behavioral analysis to say, "I can also predict multiple data breaches," and all this with PrivX, because that is the core platform of our technology today. Now, we have five product lines. PrivX is in the middle, and I will go through the product lines.
After, I just want to take you again back to the history on what are the changes that have happened, and, you know, for me, cybersecurity is like music. So I'm sure you all have seen LPs, played with them, quite sensitive, difficult. Then V cassettes had their own problems, but you could record yourself. And then you got the other technologies. Today, I don't pay for music. I just stream what I want. If it's not on the net for free, I don't listen to that music. That's how that work, world has changed. The theory behind it is the technology curve, which is actually irrelevant. What is relevant is the golden curve. So when the market gets mature, the next wave will come, and you still have the install base to serve.
I was just in Davos, my hometown, my other hometown, some weeks ago, and they still maintain... Who remembers Macintosh? They still serve them. We have customers who have product. Actually, I was just talking with one European government institution, and they said that they are planning to get rid of Sun Microsystems in the next two years. Who remembers Sun? They are still in production, and we support them, and that's one of our powers with Tectia. And with Tectia, with PrivX, we can help you to get passwords away from them without touching the old system, because who would know how to touch a Sun Microsystems? So looking at it all, where are we on the technology curve we are attacking? We are just about to climb the mountain. I think the opportunity is good.
I think we have a good foundation to go further. And if you think the... As I said about Sun Microsystems, mainframes, I thought were dead already 20 years back, but they are still there. We serve micro comp--, mainframes, we serve minicomputers, we serve tablets, we serve laptops. Nobody talks about the desktops anymore, I think. But the future, there are other waves coming. Cloudification, we all know. Cloud must be cheaper, so we should go there. And post-quantum will come long term. So that's one level of change. And, and there we have basically chosen in the IT world, the almost EUR 9 billion market, like Michael said, we've chosen three things: ZT, OT, and quantum safe. Get rid of the passwords, get factories digitally safe, and be prepared for the future. Now, if we look at what we actually do, we do cryptography....
That's like the ballpoint pen ball. What's that? But without it, nothing works because you can't write. Have you ever had the feeling when you take your ballpoint pen, and you don't get the ink out? Not good. Can you do your own ballpoint pen ball? I can't. So that's the environment where we have lived these waves, Tectia over 20 years ago, the current portfolio later, and we are always mentally in the forefront. As you can see from the picture, I believe we are ahead of the market, which is, of course, bad because if you want to sell potatoes, you have to sell potatoes where potatoes are sold. If you want to buy a used car, here you would go to Kehä III, because there you have 10 shops next to each other, and you can compare and look at them.
But if you don't know what you are buying, who do you call? You call your friend, who might know something about the topic. You know, when I did my PhD some years back, five years back, six years, the one of the three professors that were guiding me said, "Teemu," when I was preparing for the dissertation, said, "Teemu, I don't understand anything you are talking about." But I still got through, and we have the same challenge, especially the people who sit on the wallet, like Michael. They might not exactly understand why I need more money. Because why? It's something, it's not tangible. But if something happens, it's very tangible, and that we can see. So, helping the customer on the road, moving forward, we ask these four questions to check the maturity of the customer. Do you know what is your critical data?
Do you know where it is, in which cloud, in which server, in which country? Do you know who can read the data? Do you have a Snowden in your organization or in your ecosystem? And do you know if it's safe for the future? If you can answer all these four questions, you don't need us. So we provide just-in-time access, just enough access based on roles, because biggest of our customers have tens of thousands of super users who can read your data. You cannot manage them individually. You have to have it automated based on the roles, which is what PrivX does. Actually, PrivX does all these things. If I look at the end market, and I've kind of referred to it, and Henry also said it, we are coming with the banks. Most of the big banks use us.
Many of the public sector people use us, and Rami will tell more about the names we are allowed to say. There are two big market areas where PrivX has been extended with a special version for managed service providers and for operational technology. These markets have not yet learned how to deal with privacy and security. It's funny, I think public sector, having been slow, it's different. It wants to go to cloud faster because they understand about IT less. But GDPR, especially in Europe, made it that every public sector vendor has to really understand, is the private data really private? That's why they have done a lot also with us. One of our biggest customers is government.
So we see OT, where we have had significant success with OT and with outsourcing companies, so we see that as a growth engine from the end market we go after. Now, PrivX is great. PrivX is kind of funny way of saying privileged access. Privileged is somebody who has something else, and that's you have the keys to the cookie jar. And containers is an underlying technology with computers, and I pardon you for this little part of a lecture. Containers are a thousand times cheaper than anything else today. So you just pay for the data, for the data access, memory, processing power by millisecond, but it requires from something from the system. So in the good old days, when you owned your own car, didn't lease it, you had your own computer.
Amazon had their own computer center, and that's why they created AWS, because they thought the utilization was so low. So how to reduce it? You put the old computer to run in a box, in a virtual environment called virtual machine, but you don't have to touch the program. But if you really want to go cheap because you still have to run the whole thing, that's easy... you have to break the program between data, memory, algorithms, and the user interface in a browser, and communications in between. You have to rewrite it. We don't, because PrivX was made on that technology. The competitors, big ones are 10, 15 years older, they have no chance of rewriting their application. PrivX is cost-effective because it runs natively in a container. All the big boys cannot. They are not cloud-ready. They are not good in hybrid environment.
We are, because we are cloud-native. But going back, it's not only about the future. If you take the sunrise, the business from midnight to 9:00 P.M., it's interesting, the cloud is growing, but it's only 20% of the business. The sunset business from 9:00 P.M. to 12:00 A.M., it's still most of your budget. If you are the CFO, the CIO, the CISO, you still have to take care of the installed base because they keep the lights on in the building. And if we look at the market rate that is estimated for cybersecurity of 15.5%, and we think we start now with 20% market share, with the, with the new stuff, in 10 years, it will be only half. That's where our history helps. We can do both sides, and we are future-proof with PrivX.
The customer has to learn on their own because cybersecurity is a new thing, especially outside banking. The yellow part, customers have to make processes, build an organization. The dark blue part, we can help. Companies like Nixu can provide you the security operation center to do the rest 24/7, pen testing, all these wonderful things that we don't do. We just provide software. Just providing software is that we also have to get our products to be future-proof. We have the core that keeps the lights on, and we have invested significantly on different products. I don't go through them in detail, but we are ready for the future, and we can take care of the 80% of our customer spending and the security of it. That's what we call Zero Trust Suite.
Get rid of passwords, move the data, and know who did what, when. And on that journey to the passwordless world, because the passwords are annoying. I don't know how many passwords I have. Do you have more than 10 passwords you have to manage? And my wife is completely upset because in her company organization, they have to change passwords every 3 years. She has used my name, my birthday, her brother's birthday, her mother's birthday, and she's running out of ideas she could remember. And when I used to be at Cultor, the CIO, our biggest problem at the help desk was this time of the year, when people came back from vacation, they didn't remember their passwords. And if I give my password to Lauri, he can log in like me. Why do you have passwords?
They annoy you, and they are a risk. So that part of the story, the staircase up to the mountain, I think people have done more. They are at level two. There's a forced password rotation. Everybody is investing in identity management, and most people are dreaming about the passwordless life, because it's a better life. But passwords are only 10% of the secrets that you need to run your business. The other part are keys that created by Tatu Ylönen, and there they are invisible, they worked for years, nobody pays any attention. Banks do, but not many other people. And there, the journey is longer, and that's where our UKM product, especially with UKM Zero Trust Edition, is helping customers on that way.
Because basically, the vision we want to provide to our customers is that you can be keyless and passwordless in the borderless world, and you just get into the system with your face or your fingerprint or for your iris, and you are in. The system knows your identity and knows what you are allowed to do, all automated. We can do all this. We actually, I think, amazing company because we are 75% our business is outside Finland. One-third of our business is in U.S., which is cool for a European software company. Asia is fastest growing, but it's always the one that follows the technology later. And Europe, it's our home. So I'm really happy to work in a company that is truly global and truly software only....
And if we now say, "Well, well, what do we do?" If you take the famous Boston Consulting matrix, we have five product lines. Three of them are core. They are the ones that keep the lights on. And PrivX is a grown-up by now. It's doing well. NQX has grown also up to the late teens. And we have revitalized the professional services because our product is part of customers' ecosystem, and that's why it's better that we can help them, that they can get the product in production faster, so that they can tighten the screws of their production systems. And that leads to the thing that the benefit we provide to the customers is less interfaces, more system responsibility by us. Because as you can see, all of our products, the light blue are the newer kids in the block, all of them have different competitors.
So would you like to buy five products to have communication security, or would you rather buy from one vendor all the things you need for two people, systems, applications, networks, clouds, communication? That's why you should talk to us, and that's why people are talking to us. So I go very briefly now through the products, and you get the material online, so don't worry if I'm going too fast. So Tectia is the oldest product, the most profitable product, and it's more than just a Secure Shell client. Shell is the program that super users use to address the raw data in the system. Secure Shell is the one that Tatu made and put into open source, so that's why our biggest competitor is our own code. We also do tunneling. We do the fastest file transfer. The bad news is file transfer is over.
It's gonna go to messaging. We can get rid of the passwords, and we can be quantum safe. UKM was done because there were two mistakes that Tatu made, which were understandable at that time. SSH keys have no expiry dates. They are... The one who has it, holds it, and so you have to manage them. You have to have somebody to control the keys. UKM does that, and this is our Sherlock product, which every customer we are able to sell it, you're also gonna get the free version. They are surprised. I didn't know that in my network, this computer talks to that computer. Why is that? Because they never saw it. We make the SSH key network visible, like the map makes the subway visible. PrivX, which is, like Henry mentioned, that's the thing to remember from this presentation.
PrivX is a modern, I hate this word as well, Privileged Access Management, which means the guy who's like the janitor, who has the keys to every house. We provide that for network devices, for applications, for systems. It's cheap, it's installable in hours, it scales to biggest. Our biggest volume with our customer now is 1 million sessions per day. It's just in time, just enough access, not just a key that you can take away and use when you want. It's low cost, it's future-proof, based on what I told you about containers, and it's hybrid. Most of our customers, especially banking customers, they still use it in data centers. They don't go to cloud. They are afraid to go to cloud. So we have a competitive edge because we can do on-premise and on-cloud at the same time with the same service.
Now, that is the key technology that we have developed with about 30 people out of 150 for the last five years. We have put an enormous investment from the size of the company to make the portfolio that is both proven in use and cloud native. It's domain independent, now supported with services, with post-quantum. Juha will tell you more about what is quantum. Then we are not gonna anymore paint our own paintings and cut our own hair. We are gonna use upstream partners to extend the technology we have. I was thinking that for this audience, because I think you kind of all deal with money, you must know what the safety deposit box is. I want to compare PrivX to a bank. You go there, you have to show your ID to the clerk. PrivX does it with your fingerprint.
Then he takes you to the vault, where your box is, and you can only open the box with the clerk. Once you're done, you go back out, and the clerk keeps the other key. You can't come back. PrivX does that in the invisible digital world... cheaply, simply, nice to use. And then I go to the new thing very briefly, but Rami will tell you more about our Communication Suite for humans. Securities and Exchange Commission , close to Wall Street, has fined now altogether $2.5 billion fines for companies because their employees have been using their private devices to talk to their clients without company oversight, and that's where the companies broke the law. You cannot let your people talk and not store the communication with your client.
That's a lot of money, and I think the tax man is happy, or whoever gets the money. But that's an opportunity for us that every PrivX user will need our Communication Suite for human-to-human communication in transit, in rest, and in use. The background of the company is that there we are doing also a major investment. We are moving the old technology to PrivX. We make it look more modern. We are going for faster release cycle, so two times a year, because our customers don't want to upgrade all the time because they have to be certified and tested. And we do market changes on how we go to the market. Without taking the power away from Rami, we are gonna go for instant messaging and video calls that are both secure. Email is still growing, but it's history.
File transfer is still growing, but it's history. Everything goes to instant messaging, and that's what we are working on. NQX, last but not least, is an encryption device, and that's kind of a, the Cisco killer. You don't need a firewall anymore. You need a line encryptor that is separate from firewall. People still buy firewalls, but they actually don't need it. What they need is traffic control, and that's what we do on software. So the competition makes proprietary hardware for some thousands of computers a year. Our stuff runs on a PC, and the customers hate to buy proprietary spare parts and get software updates that are done physically then. No, they can do it on their own because it's just a PC, and it's much better performing, and there is technology behind it that I can tell you why it's more performing than others.
Because our guys can code. We also have put in PrivX there for higher level of automation because our biggest customer has 700,000 connections going on. You don't want to manage 700,000 connections like an old switchboard by hand. It needs to be automated based on roles, and it's certified for critical use. Turvallisuus 3 in Finland. Now, giving a little bit of a segue to Juha's presentation. When quantum computers come, they can break anything you encrypt today, and that's a big risk if you have data that is valuable for years to come. So the data that is critical for you, you have to keep safe. So the journey for our customers, where we assist them, is get rid of the walls, live for the next 10 years in a hybrid environment or longer, and go for passwordless and keyless world.
To the business model, we are just a software company. We are building a stronger ecosystem because we just do as much professional services as it makes customers to have a faster journey to get the system into production. Now, the other changes, I go a little bit to the partnering side of things, because actually, SSH, the company itself, was created by Sun Microsystems. Funny enough, I took it as an example earlier. They came to SSH and said, "It's wonderful that you made OpenSSH, but we can't use it. We want to use a product. Can you make a product out of it?" That's Tectia. And with Sun's reach to the market, proportionally became big. Oracle did the same with CyberArk, which is the market leader today. Oracle didn't want to develop their PAM. They bought it, or they licensed it from CyberArk.
IBM did that in Europe with Duo Security, which with Centrify is now Delinea. That's the second biggest in the market. You know also the story about IBM, how they did PC by mistake. That also would take the whole evening, if I, if you would let me. And they went for open source, they went for Linux, and they bought Red Hat with $36 billion. SAP, by mistake, ended up creating a market for ServiceNow because SAP is so difficult to use, but ServiceNow made the field force management doable even if you have SAP. And the last two logos are maybe in the wrong order because Beyond Identity is bigger than us, but they provide us the device recognition, biometric recognition, get rid of the SMSes, and we've joined forces with them.
So this all is about the opportunity in the upside, on the upstream. On the downstream, we need to be more focused on partners. We have half of our business with partners, but it hasn't been our focus. So that's our internal problem, which is always easier to solve. The partners themselves are changing because if you are just a wholesaler, like Onninen or Thomesto, you have to live on very small margins. So people want to get paid for the work they do, and over that, they also want to go to the operating cost side, so recurring revenue, like we do, own value-add solution providers, outsourcers. So our focus is also moving away from distributors of software to value-added resellers and operators of the customer environment. So we are putting effort on strengthening the ecosystem and also leveraging the open source inside our product, like IBM does.
Now I want to jump to the digital phase because people buy differently. If you buy a new car, do you first go to a shop and talk to a salesperson, or what do you do? You might be googling first. That's what business buyers do today. They identify the long list and even the short list before they even talk to a salesperson. That's why we have put a lot of effort, and Lauri is leading the effort with us, that our digital face is even better looking than I am. I'm not sure if it's possible, but we drive that we have better digital content. 3-minute reads, 1-minute videos, monthly podcasts , because people don't have the patience to listen to a lecture that I'm giving to you now. Luckily, you can't leave, so I can keep you here.
We also have to look at that there are different customers. There are customers who want the budget, there are the technical leads who can talk the same language as our team, and then you have the people who actually use our product. But I guarantee you, nobody who makes the decision of buying an SSH product will ever, ever, never use it themselves. Again, very similar to SAP. I've bought and I've sold a lot of SAP systems, but I've never used SAP. And the last, most important thing for me in the digital phase is the thought leadership on letting people to learn, and there we have a huge advantage with SSH Academy, originally done by Tatu. So if you want to understand the cryptography, come to SSH Academy.
If you just look at the web traffic, if our major competitors are ten times bigger than we are, we have ten times more traffic on SSH Academy. Over 5 million visitors every year. So that's what we do. Those are the mega trends I've said, and we focus on going for solutions, so more customer value add. We focus on getting deal size bigger, and Rami will talk about that as well more. Partnering, I discussed that, is the big change we are doing. Open source, we have used before, we'll continue to use it. And we want to have services, but we are not gonna become a service company. We just do the service to sell our products better and making our customers happier. So this, in very short, is us.
Before I hand over to Juha, I only have one wish to you and your friends and partners: Don't lose your keys to the kingdom. Thank you.
Thank you, Teemu. Very insightful. Actually, as you started to speak, the chat exploded, almost. Not yet, but we are very happy, and we'll try to address most of the questions during the Q&A session, and if we, we'll run out of the time, we will answer each questions after the event. But I see at least couple of questions about generative AI. So how is SSH positioned in the heat of the discussion about generative AI? Because you have five minutes, yes, yet before the end, so maybe you can tell about AI.
Well, artificial intelligence was a promise, I think, for a long time. The problem is that it also needs humans to model it, and it needs an organization to run. So I think the technology is there. We have artificial intelligence in our PrivX with the worst acronym ever, UEBA, User Behavioral Analysis. So basically, we can look at the, like you saw in UKM, you can see who talks to who, and we can see that's a normal pattern. If Teemu calls to the network at midnight, then there's a red flag. He shouldn't be here. Why is he here now? And that can be all automated, so PrivX does it already. But the bigger problem is for customers to leverage the data that's coming out of AI.
Because if you take one video camera or one PrivX in a big environment, it creates 30 GB of data every day. Who wants to read 30 GB of data a day? So you need automation to actually leverage the stuff, and that's why it takes time.
Yeah. Thank you, and well, maybe we'll have one more question, and we will be exactly in time in agenda. How do you see the value of the 100+ patents going forward?
Well, we have only a defensive patent strategy because I used to compete with Honeywell, and they had an Oracle, and they have tons of lawyers that cost a lot of money because they are aggressive in their patenting. They want to get money out of their patents. We tried that also some years ago. We now do patents that if somebody steals our technology, we have already patented it, that we can continue to use our stuff. And we only get active on patents if somebody else starts to challenge us. So it, it's a defense, like we are defensive cybersecurity. It's only defense.
Thank you very much, Teemu.
Thank you.
Next, we'll dive into the fascinating realm of quantum computing. Juha Vartiainen, co-founder and international affairs officer of IQM Finland, will share his expertise. Juha, please.
Thank you, Lauri. Thank you for Teemu and Lauri inviting me here. Why I'm on the stage today is, of course, since these gentlemen are so kind, and, and we have had a good discussion about possible collaborations in future, since we are both working in a sector which are slightly overlapping. They're in a, in a post-quantum cryptography, and, and we have, we have some touch points. But I think mostly why I'm invited here is that the cyber world start to see the threat now in quantum. Actually, I was half a year ago in Washington, D.C., and, there were some, high-level officials from White House who, who said, like, the what is the biggest problem or, like, a threat for America at the moment?
Of course, there are some military threats, maybe Russia, China, but he listed quantum as the highest level threat. And why is that? Is that since the quantum is directly addressing the core of a nation, so it's this core of this intelligence collection, whole society works around that thing, that secrets remain secret. And there is even slight chance that quantum computer, maybe after some time, maybe 10, 20 years, it will challenge that one, and that's why White House is taking that very seriously. And of course, the rest of the world should follow as they are acting rationally. But let's say, I'm coming from IQM. I'm one of the founders of the company.
We are not so much working in this defense or security sector, which is driving the development in U.S., but we see there are a lot of positive applications, and I also want to talk about those ones, and I want to bring some, some, let's say, the realism to the discussion. So first, something about the quantum computing. So it has been actually invented three times, as I know. First by Richard Feynman, 1982. He, his, let's say, realization was that nature, by its lowest level, it's quantum mechanical. It follows different laws of physics than regular computers. So in order to simulate it efficiently, you better to have a quantum mechanical computer.
From that, let's say, history, there are those applications of quantum computing for molecular simulation and some other, which are still maybe the lowest hanging fruit for useful applications. Then, four years later came, let's say, the most maybe visionary use case coming from David Deutsch. And he was thinking in, like, the fabric of reality, since quantum mechanics, it's very different worldview, if you take it really seriously... And this is like highly philosophical question, and it's not of general interest. As long as they are physicists who are staying in their labs, studying atoms, what you don't really see, and elementary particles, which are. It's okay to. Since you can calculate the right outcome, but it doesn't really make any sense how it seems to work.
But he thinks that if we would have, like, a, and you would run it on quantum mechanical hardware, then the AI would get, like, first-hand input from quantum world, and it could be capable of telling you how you should interpret that. So that would answer to the very philosophical question of fabric of nature. And there comes, like, AI solutions, quantum machine learning, and so on. And then the third time, 1994, Peter Shor, he's mathematician, and he was thinking, like, computational complexity. Different mathematical problems have different computational complexity. So, now, very often you need to...
Let's say, when you program something to the computer, you need to, when the data, number of data grows, it's the computational complexity tells you if the computational time grows in proportional to the data as it grows, or is it exponential or some polynomial behavior. And, and he found out that if you would release. Or it depends, the computational complexity depends on, on, on the system on which you are running your ... or what, what are you using to solve the problem. And, and he found out, he analyzed that what if you would, instead of regular digital computer, you would switch to quantum mechanical computer? What would stay the same, and what would change? And he was able to show that actually, the computational complexity will change dramatically.
He invented already, long time ago, this Shor's algorithm, which particularly is still maybe the most important use case, at least in the long run. So you can factorize a big integer into two factors, probably in polynomial time, and no other algorithm known in existing computers, which could do that. So that's the big invention by him, and that has been driving this development a lot. And if you look now, where is quantum computing, that's a kind of new, completely, let's say, new kind of industry. It was university research till not so long time ago. So at the moment, as industry, it's building the foundation. So technological capabilities are ramping up from close to zero to somewhere where they are usable.
So it's still mostly for educational research sector, where, where it's interest, and it's mostly publicly funded, so it's beyond the limit of becoming commercially viable. But then this discussion is when it becomes commercially viable, is this quantum advantage. So that means when for the first time, quantum computer, alone or together with a high-performance computer, will solve some problem either faster or with less energy, or it will solve something which is not solvable otherwise. So three different categories. But one of those will happen maybe in 3-5 years. Might be molecular simulation, might be, for example, AI accelerating some of the AI computation, since it's very computational heavy nowadays. So that might make it profitable for the first time.
And then there will be a lot of applications areas, one by one, which become beyond this level to become useful. And that maybe still takes 5-10 years, maybe long time. And eventually, the capabilities of quantum computer have developed to the stage where it's like a general purpose error-corrected, like a very different from now what it is. So it's like a fully mature technology. And there we will see the disruption, which is where these quantum computers become cryptography relevant. And as of today or last year, this is the market, so it's below $1 billion. It's growing, like, 25% a year, and the biggest sector in application area is finance. So they are very interested since they can make immediately money if there is some quantum advantage.
The second most popular application area is the research of quantum computing itself, and the third one is cybersecurity. Then there are, like, a number of others, namely, this pharmaceutical industry is very interested about this as well. Today, maybe the most interesting application is this cryptography. A big part of internet security, security in general, is built on top of this public key infrastructure. It's based on the facts that factoring a large integer is very, very difficult... and Shor's algorithm, as I told, it potentially gives a polynomial time solution. Why it's potentially? Since there has been a lot of doubts that can this kind of computer ever build, be built, which would be running this computer, so there are maybe some physical limitations, very difficult.
But now it seems that it's only an engineering problem. So as more and more engineering work is put there, then it seems that these boundaries are pushed further and further, and we believe there are no, no fundamental limits there. So eventually, we have a capable enough quantum computer for this purpose. And what is maybe, maybe good or, let's say, why we can sleep well, is, is that, this time when this quantum computer, like anyone would have it, which can break this, it's, it's years away. And, and, like, this kind of breaking the RSA code with the reasonable key lengths, it takes a lot of time at the moment.
But still, why we should build awareness, why SSH Academy, we have IQM Academy as well, why they are very important, is that we have to educate people that people should start protecting their data. They should take this seriously, since storing data is very cheap, so harvest now, decrypt later is a strategy what can be used for some data which still has a value after maybe 10, 20 years. If someone decrypt this later and then finds out some facts which are still valuable, you might be in big trouble. Okay, then there are constantly coming some suggestions for shortcuts. So maybe there are maybe some clever algorithm which is more feasible than Shor's algorithm.
Last winter, there was the so-called Schnorr algorithm, which is very close to Shor's algorithm, and it's. There was a lot of claims that it can actually do something useful with much less qubit. So in Shor's algorithm, usually millions of qubits are needed, but they said that only hundreds would be enough. This was kind of not so well-studied approach, and it caused a lot of attention last year or this year. And it seemed like not very valid, but it was very difficult to say, is it true or not? And lately, there was a paper where they analyzed it very well, and it seems to be untrue. So it seems to work for small integers, but when the integer grows bigger, then it doesn't work anymore.
So at the moment, no other polynomial time algorithm is known for this problem. And this is now a little bit technical picture, but I like it. So, we have here kind of the two fundamental characteristics of a quantum computer. So there are actually very different modalities of quantum computer, very different approaches. But you can kind of put them on the same picture this way, that you put how many qubits you have, how much information you can code in the quantum computer, and then on y-axis, you put the error rate, how much error you introduce in one operation. So everybody start at the lower left corner, and as the technology develops, it goes to the right top corner.
I have plotted here with these red dots, maybe one possible trajectory of some company who would push this technology forward. So first, increase the fidelity going up, navigating north, and then in some point, once the fidelity is on the green zone, where there start to be some applications, then start to increase the complexity of the system and go to the right. And those red lines there are—those are the RSA codes with different key lengths. And it—from this figure, you can quite well see, so I have drawn there 15 points. So maybe, maybe that is, like, a distance between the points is maybe development in 1 year, what a company could do. So it's maybe 15 years away in this respect, but this is my, let's say, estimation.
Okay, who could be capable of doing this kind of development? So, we can check the funding situation. So China seems to be $25 billion public funding, so they are very, very serious about this. This is in the five-year plan of Communist Party, that they need to make quantum computer working. So I think they take it very, very seriously. Second is European Union altogether, and Germany alone is quite a big. But then U.S. public funding is not that high, but we have to take into account that there are a lot of private companies investing a lot of private money there, and then there might be some defense projects which are not visible in this figure. But anyway, this is like a geopolitical game now or race.
China, US developing their technology, investing a lot. There are a lot of export controls and, so they are treating this area of technology almost like a nuclear weapons back in the days. Finland is actually positioned here very well. So you can see small Finnish flags in all of those three categories. This is not done by me, but Boston Consulting Group, so there's some credibility in this figure as well. Finland has invested on this technology since 1960s, and there is, like, a lot of scientific activity. Last year, we hosted a scientific conference of 300 top scientists in this area in Finland. Actually, this week, it's there in Munich, where we have our other office, so it's IQM hosted second time now.
And so we have actually very good position in this, this technology. And so just a couple of words about the IQM. So we are the biggest European company developing quantum computers. We are hardware company, so we also do a little bit software, but by heart, we are hardware company. We build those actual systems. We are mostly here in Finland, also Munich, and three other countries. And we have a big quantum computer delivery projects. We deliver one to... Or actually two computers we have delivered to Finland. We are now delivering two computers to Germany, also other countries. This is connected to high-performance computing, so we have connected our quantum computer at the LUMI supercomputer, third fastest computer in the world.
So we foresee that this kind of acceleration hybrid model will be the kind of winning one, at least in the early stages. Okay, do we have-- Yeah, so this is the slide I was looking for. So we have seen, like, a lot of benefits of doing certain marketing activities together. We are discussing this, and these post-quantum cryptography products are very interesting also for us. Thanks.
Thank you. Thank you, Juha. Maybe couple of questions. I actually also prepared one. How you see the development of quantum computing impacting the cybersecurity industry overall? You mentioned a little bit, but if you go little bit deeper with that topic.
Yeah, so there are actually a lot of dimensions in quantum technologies, and they are only, let's say, starting to mature. So, of course, there is this quantum computing, which will maybe challenge some of the encryption methods in later years, as I mentioned. But then there are also other dimensions. One of those is a quantum key distribution, which is actually bringing, like, probably uncompromisable way of distributing keys between the, let's say, distant locations over the fiber optic cable or over the satellite connection. So that is, definitely something which will shape the industry. And, of course, there is this whole development of polarization of the world, geopolitics game and which countries have access to this technology, which don't, and that probably also is reflected at the industrial side. Yeah.
Are we basically at the same moment, which were somewhere in the 1990s, when first encryption and, for example, SSH protocol was invented, and now as the quantum computers will emerge, traditional encryption will almost be, like, not working?
Yeah, I think this has to be taken very seriously. So this is very serious threat, and I think, like all the industries who take seriously their information security should really consider how they tackle this threat.
Do we have any questions to Juha here at audience? We are 5 minutes ahead of the time, but, well, that will give us 5 minutes more for coffee. If no, then thank you very much, Juha.
Thank you.
Like I said, next, we have coffee break. So we'll continue with the program in 20 minutes, so around 3:50 P.M. And before that, you can enjoy coffee, and people online, come back around 3:50 P.M. We'll proceed then. Thank you very much.
Welcome back. Welcome back, dear guests. As we reconvene, we continue with the program. I encourage you to write the questions in the chat. We'll address them at the latest at the Q&A session, and questions which we will not now answer, we will get back to them after the event. So next, we will have Rami Raulas, our head of the EMEA region. He will demonstrate how our SSH solution are geared towards securing our customers' future. So please, Rami, welcome.
So I am Rami. Proven what I have and what I am, so strong identity. Now you can believe me. Now, I'm not a fisherman, I'm a whaler. My job is to haul in whales and sell more to the whales... and we stay there. Here are some of our customers, some whales, some salmons, some trouts. And there are three things I want to go through today with you. One is the underlying opportunities, kind of tailwind trends, ZTOT. You know, I'm a big AC/DC fan, so it was easy to come with the strategy of ZTOT, Zero Trust and Operational Technology. How can we land and expand, so sell more of the same, but to more people within our customers? And how can we cross-sell, sell the Zero Trust Suite to our existing customers who only have one product from us, not the suite of solutions?
How we can replicate—With the new wins, how can we replicate if we have two of the top six paper and pulp companies for OT now in the bank, how do we get the next three? So how do we replicate wins within industries? One thing—So this is like, we cannot show all the great customer names publicly. These are the ones that we can. We always try, but it's like me telling that my house is protected with Abloy key, and it's under the side doormat. I shouldn't have said that. Now you know my secret.
But one thing that we wanted to also say, apart from utilizing the growth opportunities and trends, selling more to existing customers, land and expand, cross-sell, and replicating successes to peers in OT and other industries, we also want to increase the size of average deals. Here are a couple of examples of some average deals. Deal sizes, which are already significantly larger than you would have seen two years ago. These are all recurring revenue customers, so we are sticky. You know, they won't go away overnight. Some customers have committed financially to us for 5 years. Most of our customers will use these products for between 7 and 10 years. These are a couple of examples. One of the world's biggest retailer.
We have also won one of the biggest with PrivX, one of the world's biggest e-tailer, but it doesn't qualify on the list 'cause it's slightly under EUR 300,000 a year. Nor do the paper and pulp company, 'cause they are still just shy of EUR 300,000 as well. So you can see fairly even distribution between industries, different solutions, and different geographies for increasing the customer size and landing and expanding and selling more to them. But we can only grow that much with our own organization. We are limited in terms of headcount in our sales and marketing, so we need more feet on the ground. We need to excite a partner network, like Teemu was saying earlier.
With the partner network, we clearly see a development from just software or box shifters, like distributors or pure resellers who add little value to systems integrators and managed service providers. So these are a couple of names for distributors that we have and will keep, but we're banking on their growth. Here are some typical resellers in the U.S., Europe, and here in the Nordics. Here. Then our aim is to grow with the systems integrator, solution integrators, which are big guys. These are whales or very large salmons. Salmons as partners, not as end customers and partners. 'Cause more and more customers are outsourcing their work to these guys. They make the technology decisions and choices with us. Some even outsource those technology choices to their partners.
But typically, we influence—we get the kind of technical win, and then we partner with the systems integrators and get them to deliver and maintain, do application management services. As an example, we just had a training session for Wipro, which is one of the big five Indian guys, 45 people, sales, pre-sales, and technical support people training for... They want to go to the OT market with us, with PrivX OT Edition. So 45 people were stunned. They said, "We've been trying to do with this, with the market-leading product, CyberArk. It doesn't work there. Your product is perfect." So we have opportunities there, which we need to now engage, and we need to get those people. We won't get from Wipro, we won't get all 500 account managers to be the evangelists for our PrivX OT solution.
But if we get 25, that's ten times more than other salespeople we have. So that's really is an important top-topic. But it's not only the downstream partners that are important for us. So this, if we call these downstream partners, people who talk in of, in favor, win customers, and deliver services together with us for their customer base. We also want to and need to expand our offering a little bit. This is the ecosystem, so I would not want to be a CISO, Chief Information Security Officer, 'cause I would have 70 domains to manage and only money for half of them, and resources for a third of those. So you need to prioritize. And we can only do so much, right? So we can do only that much in the different spaces.
So we have decided that we will partner with so-called upstream technology partners, people who have technology that we would love to have, we would love to develop, but don't have the R+D research to do ourselves or resources to do ourselves. So we partner with these guys to have a broader and more meaningful offering. I mean, coming up with the Zero Trust Suite, so from selling point solutions, the five-point solutions that Teemu described, to selling it as a suite. So as an example, one of the biggest Swiss banks, which has only been buying Tectia from us, now is curious about Zero Trust. I think they are under an audit threat. They need to do something more at the moment.
So there are a couple of these companies that we are working on to bring on the sexy words of the market growth called SASE and CASB. And we're working with a company called Menlo Security there, which offers functionalities to secure more users. Now, we secure now the hardcore administrators and super users and developers and database administrators, network administrators. But with this offering, we can cover all of us. You know, we can secure all of us from doing something fishy in the middle of the night in the internet. I wonder what side you were on, Teemu. But we would know. With that solution, we would know, or we would maybe even say, "Hey, you know, on your home computer you can do it, but not with the office computer." And a couple of others.
So this will broaden our offering. We are integrating it with our solution. So we're not, aim is not to take another solution and resell it, we are integrating this to add value to our own solutions. And some of these partners also will act as channels for us, 'cause they have their own customer base, widely larger than our own customer base. And they can integrate and take mainly the PrivX core technology, and integrate it into their solution as an additional functionality to what they already have been selling to their customers. So this acts as a kind of a two-way street with many, many of these partners. All right, but let's have a look at some of the... I said that I wanna discover the trends and the land and expand, and the new customer wins.
So let's have a look at some of the favorable trends that are happening for us. So these are the, you know, the analyst Gartner. This is Gartner Group, who says that these are the biggest threats materializing soon, and even customers are now talking about them as well. Zero Trust. Yeah, okay. It seems like we made a nice choice there. Everybody wants to understand what Zero Trust is all about. It's a philosophy, and it kind of means never trust, always verify, right? Well, this would be one way of verifying. Don't leave back doors open, don't leave the keys to your kingdom hanging around. And KPMG made an interesting... I'll come to that in a minute.
That's not just a kind of an insurance cost or cybersecurity measure, it's kind of a business imperative already, and you need to automate it. It's too vast amount of data to be trying to handle with manpower. You need to automate it. And surprise, surprise, actually, with our solution suite, we can actually cover quite a bit of these areas with our Zero Trust Suite. So at least we seem to be spot on money on the trajectories that analysts are predicting to be important, and we are seeing that. I'll cover Zero Trust, OT, operational technology, and a little bit coming back to the quantum safe. So I have divided my presentation into those three parts. But so let's...
But let's have a look at what KPMG has found. They tend to do a kind of a CEO research, and two years ago, cyber rose as number one in terms of risk management by CEOs. So hurricanes and floods are less important than cyber threat. And I'll show you some figures in a minute. And that was repeated also last year. Now, in all honesty, at the moment, maybe the biggest hindrance or challenge for us is the economic situation, investment situation, interest rates. So we're seeing people not canceling, but postponing. So it's a bit slower to close deals. But the topic of cyber and cybersecurity is on top of the minds of CFOs and actually boards. We have board members here as well for risk management.
Some companies are even clever to turning this into a strategic function and seeing it as a competitive advantage, and I'll show you in a minute why, why that indeed is really, really important. One challenge we have, which we are trying to address now, is that we've been talking to the techies, the nerds, you know, the security architects, the guys who run the operations, the network guys, and they all understand that. They visit the academy 5 million times a year, right? They get it. But we haven't been able to deliver our message, why this is important, and why they need to choose us for the CXOs, you know, CFOs, CIOs, and COO, CEOs. That's where we are trying to lift and need to lift our communication.
So kind of have the tech communication, and then the business communication a little bit more separated from each other. But this is totally not just an insurance cost or risk management cost, it's also total cost of ownership benefit, and cleverly so seen also a return of investment for the money. But that's more difficult to calculate, obviously. Okay, so let's talk about these three trends a bit more in detail, and I'll show you a couple of customer examples. But let's start from OT. OT, as Teemu was saying, is the kind of the forgotten part. Banks are well protected, maybe not against quantum threat yet. Public sector is okay.
Many service providers, you know, the big software companies, the big service providers, like Fujitsu and Wipro, and the names you saw on the previous chart, surprisingly, don't Suutarin lapsilla ei ole kenkiä. Shoemakers' children don't have shoes, right? So they need to be equipping. And we have lots of wins and lot of opportunities ongoing at the moment with many service providers there. But the least protected and the most old-fashioned in terms of security is OT, operational technology, manufacturing companies, critical infrastructure, and I'll come to that in a bit more. It's only not us saying it, this is also from the same X-Force, IBM's survey, saying that the biggest attacks, biggest ransomware attacks, do indeed take place in manufacturing and critical infrastructure, not in banks.
Maybe there's more money in banks to hijack, but they are more protected, so this is an easier piece to go after. Lots of zeros, right? Is that a billion or a trillion? Whatever, it's a big sum. So this is an analyst report from, no, NIS2, sorry, NIS2. The cost of ransomware risks materialized in companies, and especially manufacturing and critical infrastructure organizations, will rise from $20 billion to $265 billion. So there's a lot of money at stake. We can help protect that. Okay, so you can take an ostrich strategy and put your head in the sand and show your ass and hope that nothing happens. But quite a bit has happened.
Here are a couple of just very recent, couple of years back, attacks, ransomware, data theft in the world. You've maybe seen some of these. It's a real shame that Nokian Tyres, 1,000 R&D and manufacturing documents were stolen by the employees, by the way, and bosses, because it was not detected. And now we have Black Donuts manufacturing tires in Middle East and Russia. Okay, well, from Russia, you can't bring them in anymore, but so don't let that happen. Vastaamo, we all know, you know, patient data leaking because somebody forgot to turn security on, and the database was called Database, and the password for database was Password 01. Oh, my God! I mean, how can that happen? Why are the guys not in jail? And a couple of other cases. Tower Semiconductor is a really good example.
Maersk, of course, ships stopped at sea because they could not be controlled anymore. Big, big, big thing. But this Tower Semiconductor, it's an Israeli company which merged with Jazz Semiconductor , so Panasonic Semiconductor, some years back. They were ransomwared, so they had to stop production for four days, and they paid $250,000 for production stoppage and $250,000 for ransomware. So $500 million cost. Okay, no wonder IBM now bought them at low price. So it has a market cap impact, at least, if you don't treat your cybersecurity properly enough. So what we want to do and help here is really to help—'cause in the physical world, help protect this, put a digital gatekeeper in place, right?
'Cause in the physical world, when you go to a manufacturing site or a power plant or, I mean, I can't even get to Loviisa nuclear power plant. It takes over a year to even get through the gate. So in the physical world, you are stopped at the gate, your passport is taken away, and somebody takes you in, and somebody kicks you out. In the physical world, like Teemu showed, every vendor has their own hole in the fence, a tunnel under the fence, or they climb over the fence. So we have no idea who is coming and what are they doing. Not good. So we provide that digital gatekeeper. Oh, by the way, two weeks ago, there was another one with ABB. This Black Basta gang managed to hack them. Let's see how much it will cost them.
I would assume a quarter of a billion, but let's see. So why is this important? Not only for the money, but there's also kind of a must and mandate. We have a Network Information Security Act or legislation or regulation in Europe, and now there's a new version of it, NIS2, Network Information Security 2, coming into legislation in October next year. So people have less than a year to comply with this, and this will now cover more critical infrastructure players, as you can see from there, food, transportation, public administration. We were just talking in June with the biggest healthcare operator in Finland and asked, "How are you prepared for NIS2?" "Oh, yeah, we started to think about it last week and asked for Traficom, the NCSC, for recommendation.
They promised to come back in a few weeks time." Wow! I mean, people are late, late with this. It's, it's about putting supply chain security in place, putting security gateways, as we said earlier, gatekeepers, being able to respond and detect strong encryption, encryption in transit and at rest so that the data is not readable, and then swift reporting and reaction. Now, there is also a monetary aspect to this, that is, people will be liable, us in management teams and boards will be liable if we don't adhere to this. European Union itself is saying this is a good headwind for us. It's saying that, that this will have to increase the IT cost and security, cybersecurity cost by 22% - be ready, more ready.
So that's a nice tailwind, tailwind for us, once we just get these companies educated and reacted within the next year. All right. So I'll show you a few customer examples in the OT space. Now, Maersk ships were stopped at sea because of hack. Alpha Ori ships won't, 200 ships, because they are controlled by PrivX. Earlier, the service engineer had to fly to the harbor and wait for a few days in the harbor for the ship to arrive to do some service job, you know, program the computers and service the ships. Now, it's done online in a minute over the satellite network, strong encryption using PrivX technology to control the ships remotely. So they will not be stopped at sea at all.
Another interesting one is that there are—this is a manufacturer of seaport and container handling systems, 37,000 of them in different harbors. Earlier, they were not able to control who can go to what device. So the Chinese guys go to the German harbors and vice versa. Now, by implementing the PrivX OT technology, they can control the identity of the person, say that, "Hey, you can only go to that crane in Shanghai Harbor only for next 35 minutes, and then you're out. And next time you try, we'll still verify that it is still you that does it." And so it's really. And they are selling this as part of their solution to the customers, and they see this coming back to the KPMG message.
They see this as a competitive advantage over their competitors. They can say, "Hey, our systems are better protected. There's less risk in your harbor." Because the harbors are really automated. There are no people operating this. These are remotely controlled, automated. And how about securing service business and enable Industry 4.0? This is a household manufacturer with, you know, washing machines and ovens, and they, they have computers, right? And they, they need service upgrades. So the problem they had earlier was that every machine has the same public key, and this is coming back to our innovation of SSH and secure shell and public key, private key encryption from 1995. Every household device has the same public key, and every service engineer around the world has the same private key. So what the hell stops the Chinese service...?
Sorry for using so much China here, but it's on the topic in yesterday's news in Finland and in the US in the past months. So what's to stop this Chinese service engineer from selling his key to his brother's company? Then you've lost your service business to that Chinese company. Not anymore. Now they use PrivX. Every service engineer is strongly authenticated, identity is checked, and they only get access to that device. They don't—And they don't know what the key is. They no longer know. There's nothing for them to sell or steal. This is a major paper and pulp manufacturer earlier. I mean, typically, when you are in the OT space, especially in process industry, machines have to run at 98%, and the yield has to be 96%.
If it's below that, you'll never make money, so you can't have stoppages, and if there's an outage, you have to fix it really, really quickly. So earlier, it took them, believe it or not, 5 days to get a service engineer remotely accessing the system. Now, when they have installed PrivX in 4 regions, 2,000 service engineers, 39 sites around the globe, including Brazil, which needs another server because the connections to Brazil are so slow. Now the service engineers get an access within 30 seconds. So from 5 days to 30 seconds. Now, I think you can calculate the productivity gain from that very clearly. But we wanna repeat that. Okay, let's have a little bit of look at the quantum, although that's maybe the longest term impact for our business, but there are considerations for that.
So of course, you know, we need to help protect the nation and the nations. Now, in this space, I cannot tell you anything about customers, 'cause if I tell you, then I have to kill you. So I cannot really say anything here. But another NATO compatibility, being able to communicate with NATO is a big topic for us now. I think Catharina will say a few words with her experience from having actually worked within NATO as well earlier. But another example is, we talked about critical infrastructure being under attack, so the electricity grid needs to be protected, whether it's Ellevio in Sweden or Fingrid here in Finland. We have helped them protect it. First of all, all the people who communicate with them communicate securely with secure communications, secure email.
They actually identified electronically from passports if they are not Finnish people, who then are identified with the Finnish certificate. But they also use PrivX to protect access to the infrastructure and the Finnish electricity grid. And Kari Suominen, who was the CIO when I last spoke with him, he also actually came out in the news as well, that there are more than 20 attacks to our electricity grid, to Fingrid daily, most of them from the east. Not only Russia, I mean, North Korea is financing their nuclear program with ransomware, so there are other players in the market as well. 20 a day. Now, most of them are harmless attacks, but some of them are trying to get into the network as well. So let's protect it. Oops, wrong button.
We, here in Finland, we have partnered very strongly with the local players, Cinia, Rejlers, Erillisverkot. Valtori is the big service provider, both TUVE and TORI / Third parties , and Traficom is certifying our products for confidential level and restricted level solutions. So here in our home country, we are really strongly networked to protect this country. Now, of course, we need to take it to other countries, and there's a big market opportunity, I think. Within maybe not so much in France and Germany. They have their own industry in this space, in encryption space. But if you take any country from Estonia down to Turkey, they don't, and they are on the borderline, like we are as well. So that's a market opportunity we are now starting to chase as well.
We have the technical competence coming back to the quantum safe. So we introduced quantum safe key exchange algorithms to our product, the encryption product, NQX, two years ago. So if Carlsberg says that it's probably the best beer in the world, we can say it was probably the first in the world with quantum safe encryption, already two years ago. Now, we have some companies, like the greatest post operator in Europe, upgraded their Tectia to Quantum Safe a few months ago. They just say, "Hey, we want to be ready. We want to—You guys have the technology. We'll convert to it." Just to be safe. And we got a nice award as well.
You know, we were driving, setting up and driving the PQC, post-quantum cryptography initiative in Finland, financed by Business Finland, which ended a year ago, and this was awarded the annual security award of the year as an initiative. Now hopefully we get the next phase of implement PQC. So Finland is in the forefront, like Juha was saying, in this space. For us, from marketing and sales point of view, this is kind of a door opener. You know, it gets us to the table. It's a meal ticket for us to talk seriously with big decision-makers at the biggest retailer in the US, as an example.
Communication security is the third leg in a way, and there are a couple of use cases for this, and this is kind of an interesting funnel. I'm gonna show you a funnel of security now. So first of all, normal crime doesn't pay off. Normal crime doesn't pay off. Cybercrime pays off. So we have helped the National Blood Service, so that when you input your data, it's secure, when you transmit it, it's secure, when you make your consent, it's secure, and when doctors use the data, it's secure. HR, but there was a big hack here when somebody got access of bank accounts, so my salary would have been paid to another bank account. Not nice. Protected.
Then I get insurance agreements, communication from the banks with using our secure mail infrastructure. Teemu already alluded to this one, so we have a funnel here that the Swedish police were actually got a reprimand, you know, complaints, slap on the wrist, that you cannot send customer data. You know, it's interesting, criminals are, of course, called customers. You cannot send customer data in a clear text in Google Mail. You have to protect the anonymity of those suspects better. So police needs to protect it better, and court, the courtrooms need to protect the documents that are being sent, and then when the customers are convicted and sent to jail, this is Hong Kong Correctional Services on the top bottom there.
You know, criminals are also customers in language, so their data has to be protected. So all the way from police, court system, to jails is where our PrivX technology and secure communications have been deployed. And now, what is new, as Teemu said, is that we are now announcing today, and publicly it will go out early next week, a new secure communications suite, 2024, which starts with a new mail, which is written with PrivX technology, and then instant messaging and other modern communication tools as well. Finally, about Zero Trust, these are some attack vectors that if you look at... Doesn't animate that way. On the left-hand side here, you see the threat sources, whether it's internal or external.
On the right-hand side, you see what are the risks, operational continuity, safety, or other stuff. When we do this kind of analysis with our partners, typically two things come out: wrong people have access to the right systems or wrong systems, so which is what we protect, and all the malware and ransomware is coming with files, right? So protect illegitimate file transfers, and these are the areas we can help protect. There are a couple of use cases there. This is a big bank in out of Britain.
They are changing with our automation tools, 1.5 million keys twice a year, and even that level of automation is not good enough, so they want to move to zero, completely Zero Trust, fully automated, which generate a short-lived certificate for 4 minutes, 5 minutes, and then the job is done, and no access is left behind. This semiconductor manufacturer, they have now, as Teemu mentioned, close to 1 million sessions per day happening through there at the moment. So highly automated access control, which could not be done manually. So what do our customers say about our solutions? So this is... Don't even try and read this. This is a color-coded screen. So on the left here, we have our solution.
This is a big software company, company, one of the leading in the world. The second column is one of the market leaders, number 2 on the market, you know, another 800-pound gorilla that we are trying to tackle. The third one is a new upcoming vendor, fourth one is a new upcoming vendor, and the fifth one is their own, "Let's do it ourselves," right? "Let's use open source and do it ourselves." So you can see PrivX is the only one which is fully green there. Okay, the legacy product from 20 years also is green, but not anymore on the second page, 'cause if you wanna deploy it automatically, like Teemu was talking about, containers and automation, we are the only ones who can do that. So technically, we have a win here.
Now, I just need to collect the cash. Here's another one. It's a managed service provider. Normally we say that, "Hey, let's promote three features of our products, the advantages." Well, these guys found five from here, quite a few from here, quite a few advantages that they thought PrivX offers them over competition. They chose us and bought us, by the way, so it's an existing MSP. They love the architecture, and they think it's really easy to use, right? And then we have plenty of other positive customer feedback as well. So to summarize, you can-- Those are all from our webpage, so you can see that there. So just to highlight and summarize here the strategy and execution.
From a strategic point of view, it's about focusing on the growth trajectories, Zero Trust, operational technology, and preparing for the quantum safe. From the sales and marketing execution part is sell more to the existing customers, land and expand, and cross-sell, especially to the whales. Increase the average deal size, as we started with, and replicate successes with other companies within the industries. People talk to people. We just won an energy company, and they talked to two of our customers, and that's why they chose us, not because of our technical.
They said, "Okay, if you trust them, we will trust them." And then we wanna help people to migrate from the on-premise to the cloud and partner with the systems integrators and managed service providers, just simply to become more meaningful, have a wider offering, get bigger share of their wallet altogether. And now, since I cannot sing qubit, which is the language of quantum computers, I can only sing, sing, sing digital zeros and ones, which is represented by Morse code. So here's a brain fart for you to try and understand.... Anyone got that? SOS, SSH helps. All right, thank you very much.
Thank you very much, Rami, and let's continue with the program, so we will have time for questions. Thank you for your activity in the chat. Next, we will have Catharina Candolin, SSH member of the board of directors and cybersecurity expert at OP Group. She provide insights on cybersecurity in our rapidly changing world. So please welcome Catharina.
So good afternoon. It's a joy and privilege to be here and talk about my favorite topic, and it is cybersecurity in a changing world. So basically, how did we get into this mess? Well, we can go back about 40 years to the happy 1980s, when things were still fun. Then we were young kids who basically, they had technical skills, and they had computers as a hobby.
What they wanted to do was basically not pay for games, so break the copyright protection or maybe write some malware to tease some other person, or maybe break into a server and leave a message to the administrator that, "Haha, I'm much better than you." So the idea was not so much to really do any harm, but it was mostly to have fun and to show off to others in the field that, "Hey, look how good I am." But then in the 1990s, things started to change, and this had a lot to do with the fact that the Soviet Union crashed. So what happened then was that there were a lot of technically skilled people, but there were not really jobs available, and somehow you need to put bread on the table.
What happened was that basically, organized crime started to work together with technically skilled people, and this gave rise to cybercrime. First of all, information security at that time, it was not on the same level as it is even today, so it was really, really bad. The criminals probably did not get caught, and even if they did get caught, the legislation was not up to date, so there was nothing to charge you for. This was really a golden era for cyber criminals to start to make a business out of cybercrime. Now, of course, nation-states also realized that cyberspace is an opportunity to build capabilities to promote your political, and financial, and military motives. A lot of nations started to develop cyber capabilities. If you're looking at the situation today, now the cyberspace is part of modern warfare.
So in 40 years, we have come from kids playing and having fun to actually modern warfare. So is this anything new in cyber or not? Yes and no. No, in the sense that this has been going on, but yes, if you look at the implication it has for our societies today, then a lot has happened. I wanted to mention also the term information operations, which is kind of a sibling to cyber operations. It's not the same. This has basically a lot to do with the fact that, well, we have always used information in warfare, so there's a term information warfare. But... and it has been about spreading propaganda or maybe fooling the enemy and so on.
But this has been giving a new rise in the 2010s with the advent of social media, because now we have new platform to spread information and disinformation, and for nations to affect the decision-making of other countries through information operations, and this is, for example, a lot what Russia is doing. Two concrete examples have been, for example, Brexit or the U.S. presidential election in 2016. So just as a term, I wanted to mention it. It's a sibling to cyber operations. I will concentrate on cyber operations in this talk, however. To give you a few example, and this is by no means a comprehensive list, but just about some cases that we have seen during the last 15, 20 years. If we go back to 2007, we had the Tallinn Bronze Statue.
This was the first major cyber incident that was really talked about globally. Technically, it was very simple. It was a denial-of-service attack that was addressed towards Estonia, and this had a lot to do with the fact that they wanted to move the bronze statue in Tallinn from one place to another place. Of course, there were protests, so there were riots in the streets, but at the same time, there were also riots in cyberspace. A lot of denial-of-service attacks were addressed at Estonia, and it was so bad that, for example, Estonia was cut off from the internet for over 24 hours. Some of the banks were hit pretty badly, government institutions, and so on. Of course, Estonia attributed Russia.
Russia denied everything, but, well, if it looks like a dog, barks like a dog, and walks like a dog, it probably is a dog. Very similar tactics used a year later in the, the Georgian War. Then in 2010, we saw something called Stuxnet. Stuxnet was a malware, a virus that was very much, I would say, tailored to work at one certain facility, and this facility was in Iran. And what this facility was doing was that it was enriching uranium. So what the malware did was that it attacked, it attacked the automation systems that were spinning the centrifuges, so that the centrifuge started to spin in different speeds, which led to that either the uranium that came out was not usable or these, centrifuges actually physically broke down.
This was the first time that there was physical damage caused by a cyber attack.... But why this also was a very significant attack was that it was quite obvious that there was a nation state behind it. Before this, cyber experts like myself, when we had been talking about things like this, we were told that we are nerds, we drink too much Coca-Cola and eat pizza and watch too much Star Wars, and we should probably go back into our basements and continue to do so, that this is a science fiction that we're talking about. Stuxnet showed, and it was also understood on the political level, that this is not science fiction. This is actually what happens, because in order to do something like Stuxnet, first of all, you need intelligence.
You need to know what facility to attack, what kind of systems do they have in that facility, which versions, what vulnerabilities are there? Then you need to actually produce the malware and be sure that it actually works there, and then you have to get it to the system. Now, this facility was not connected to the internet, so you had to go over the air gap and get that in. So it was obviously not a criminal group. Criminal groups usually want money. It was not some hacktivists. They might have had the motivation, but surely not the skill and resources, so it pretty much had to be a state. And pretty quickly, the eyes turned towards the US and also Israel.
Now, in 2014, when Russia invaded Crimea, there were also electrical power cuts, so this was an attack on the critical infrastructure and caused pretty bad blackouts during winter, which is... We all know, living in the Nordics, how it would feel if we would have no electricity, let's say, in January or February. It would be dark, it would be cold, it would be miserable, and this is what happened. In 2016, we saw another interesting cyber attack, and this is called the world's largest bank heist. Now, here we had North Korea. North Korea is an interesting state in a sense that it actually acts more like a criminal gang. Its motivation is to get money. Now, why so? First of all, there are sanctions against North Korea, which means that they can't do business like normal nations can do-
but they still want to develop their, their nuclear powers and their, their nuclear arms or their ballistic missiles. So where do we get money? From cybercrime. Great! Where is the money? Well, banks, that's a very good target, so let's start specializing in, in bank robbery. And in this case, they were able to break into the, the national bank in Bangladesh, and they got access to the SWIFT network and the account that was in a national reserve bank in the U.S., and they wanted to transfer $1 billion. They only managed to get a little bit more than $100 million, and the reason actually was that they made a typo in one of the, the requests.
So they were supposed to write fundraising, but they wrote fun raising, and some person in Germany caught this and thought that this is something suspicious and blocked all the, all the rest of the transfers. But anyway, some money was transferred, it was lifted from ATMs, and washed in casinos, and this is considered to be the largest bank heist today, to date. Then we had Petya, NotPetya, and WannaCry. These were examples of ransomware that also, Rami already touched about. So basically, ransomware, it decrypts your data, and then the attacker sits with the decryption key and says that, "If you don't pay me, I won't give you the, the decryption key," and then basically all your data is lost. Petya, NotPetya, Russia was behind them, and for example, Maersk, as we saw as one of the examples, was attacked by this one.
WannaCry, again, North Korea behind it. This was not as successful because North Korea actually never gave you the decryption key, so you lost your data anyway. And the rumors that spread that, "Don't pay because the data is already lost." Supply chain attacks, also one of the bigger threats today. So basically, instead of attacking an organization, you attack it somewhere in the supply chain. And typically, it can be pretty bad because if you are successful in one place, then that attack can spread to a lot of other victims. So, for example, SolarWinds in 2021, it affected Microsoft, Intel, Cisco, federal agencies, all that were using the SolarWinds product. Case Vastaamo, we also talked about already. So this was a company where security was badly neglected, so the data was stolen, and then the victims were actually...
Or they were trying to get, first of all, Vastaamo to pay, and then they tried to get the actual victims, the persons who were using Vastaamo services, to pay. Fortunately, the perpetrator has been caught, and there's a court case soon starting off, and actually, the CEO already got a sentence also from neglecting cybersecurity in Vastaamo, so this has been a very big case. And now also talking about the Ukraine war. So this is the first time that the cyber element is part of conventional warfare to this extent. Of course, even before the traditional military operation started, Russia had already conducted both cyber operations and information operations towards Ukraine. So the idea was probably to mess up the society and then come in with the military attack, and march to Kyiv, and get the resignation papers, but this didn't happen.
First of all, they were not so successful either with cyber or information operations, and we all know that they have not been so successful with the military operations either. But the main target was the critical, and is still the critical infrastructure of Ukraine. Now, why so? Well, first of all, this is pretty much in the doctrine of Russia and other nations as well, because the critical infrastructure is vital for our functioning societies to function. Without them, our societies don't work. So if you really want to mess up a society, then mess with the critical infrastructure. Why haven't they been successful so far or had more success? Well, first of all, Ukraine has been a cyber laboratory for Russia for quite some time, so they have had the possibility to develop their cyber defense capabilities.
They have been getting help from the West, they have been getting help also from the private sector, they have been moving services out of Ukraine, and they have been able to maintain their communication infrastructure. But what we can learn from this is that cyber and information element will be part in future wars as from now on, and the critical infrastructures will be the main target. So critical infrastructure, that include, for example, the power grids, the telecommunication systems, the financial sector, the water, the food, and agriculture. It also entails the logistics, so both land, air, and sea. It can say there's the governmental functions, the healthcare systems, which by the way, was very much attacked during the pandemic, and also hazardous materials, et cetera.
Not only is it vital to secure all of this infrastructure, one has to understand that these infrastructures are also dependent on each other. So for example, if the harbors are messed up, then we probably don't get the products into the stores. Well, maybe if we don't get them, but so what? Let's say that the financial system is down because the telecommunication sector is down. Maybe the telecommunication sector is down because the electrical system is down, and vice versa. So these infrastructures also depend very much on each other. So this is actually the hot potato when we are talking, for example, of cyber defense.
Of course, nations have realized that we have to do something to secure our societies, and it cannot be left to the governments alone, it cannot be left to the private sector alone, it cannot be left to the individuals alone. So we are all in the same boat, and this is why so many nations have a cybersecurity strategy, because now you bring all the stakeholders to the table to figure out what are we gonna do about it. So in Finland, for example, the first cybersecurity strategy came in 2013, and it talked about, well, protecting the infrastructure and about the role and mandate of the police, the role and mandate of the defense forces, about legislation, and so on and so forth.
So it was a good start, and we have done a lot of work, for example, with, well, preparing and, and securing, and so on, but there is still a lot to do. And this is really the big hot potato and open question to date: What does it mean to defend a nation also in cyberspace? We know what it means when we're talking about land, air, and sea, but what about, cyberspace? The logic comes from the fact that a cyber attack can be considered an armed attack if the consequences are comparable to that of a military attack or a traditional armed attack, and that means that the nation has the right to defend themselves. Now, if we would get a missile in our head, in the critical infrastructure, we would consider it an armed attack, and we would defend ourselves.
But if we could get the same thing to happen through a cyber attack, then so forth, the nations will be like, "We don't, we don't do anything, and it's up to the companies to take care of it." So it's... There's still this whole logic has to, has to be on level. So what does it require? It requires attribution, so we have the ability and political will to point out who was behind the attack. We need to have national cybersecurity situational awareness, we need to have operational leadership. We can't start then thinking that, "What should we do when the, the situation and so on?" This has to be defined and exercised. We need to talk about countermeasures, which on the softest end, can be diplomacy, on the hardest end, it can be military action. Big nations talk about answering with nuclear arms.
We need to have the legislation, and very important, international collaboration, where both the European Union and also NATO is very much in our sphere. Now, with NATO, one has to realize that cyber defense is part of NATO's collective defense, so that means Article 5 applies. So if any NATO nation calls for Article 5 after a cyber attack, we have to help them, or vice versa, if we get hit, we can revoke Article 5. So of course, NATO is working a lot on cyber defense, then NATO also works a lot with industry, because NATO has realized that this is not something they can do on their own. So this is, of course, also an opportunity. And this is also seen in the governmental program of Finland.
They are talking about developing a new cyber defense doctrine, about updating the cybersecurity strategy and the legislation. It's also addressing crypto issues and getting an equal status on quantum cryptography, and also seeing the opportunities for cyber in NATO and how Finland has to promote that, and not to forget EU, of course. Of course, whatever the nation is doing is fine, but we must not think that this takes away the responsibilities of companies. The companies still have the same responsibilities for managing their own cybersecurity as they have always had. So prevent and protect, to prevent the bad guy from doing any harm. If something would happen, you have to be able to detect and defend against it.
Then you have to be able to manage the crisis and recover from it, and then ensure business continue, which you do with management and development of these capabilities and exercising. Some of the challenges that we still have, for example, artificial intelligence, well, it can be used for defensive purposes as we are using, but it can also be used for offensive operations. So we are basically waiting that when will the first major cyber attack actually using artificial intelligence capabilities happen? Of course, ChatGPT has been on the radar. What can you do with it? But it's still not a silver bullet even for offensive operations. IoT security, OT, we have been touching upon quantum computing.
So basically, with quantum computing, it means that I can steal your data now, I can wait 30 years, and then decrypt it when we have quantum computers. So what you should do is protect your sensitive data now, so that it will not be possible. That is why we are talking so much about quantum cryptography. And ransomware attacks and supply chain attacks are also on the rise and seen as one of the main threats today. So this is basically where the SSH repertoire comes in, that we are able to answer to these challenges and address the threats that we see, both from nation-states that are actively really pursuing this as part of their doctrine, and also for criminals whose motivation is money, or be it hacktivists who have ideological reasons.
So basically, we have a portfolio to really be a major part in this puzzle. So thank you. This was a very quick overview, but...
Thank you very much, Catharina. It's very pleasure to listen you, as always. Following Catharina's presentation, we actually have now dedicated Q&A session, so and after that, Teemu will say a couple of words as a conclusion. But if I may have our leadership team joining here, and then I will start to ask couple of questions. But in the meantime, I have one question for you, Catharina, because I know that you have worked for NATO, and it's now hot topic here in Finland as we joined officially NATO alliance. What does this mean for private sector now that Finland has joined NATO?
Oh, thank you. That's a very good question. It means a lot of things, a lot of possibilities. First of all, NATO typically only purchases solutions or products from NATO countries. So even when we were an active partner, so no matter how good we were, the doors were still shut to us, but now we are inside the alliance, so this opens up a market. A second way that this is beneficial to us is that, especially with cyber, NATO works a lot with industry, because NATO has realized that it cannot do everything itself. It cannot build all the capabilities itself, so it needs help from the industry.
Now we are part of the gang, we are part of the club, so this opens up also a lot of opportunities to not only sell products now, but to also develop future products and be present in this. I think it's a very good opportunity for us. Thank you.
Thank you, Catharina. Well, gentlemen, couple of questions to you also. I will read from the chat, and dear guests here on site, you can write the questions in the chat, or raise your hand and I will address you, them. First question, I guess maybe Rami, talk about the partners. So how much of the revenue generation comes from partner network, and what is the outlook for revenue generation from partnership in future?
This is very quick, more than half and growing.
Thank you, Rami. Actually, second question is little bit the same. Do you plan to strengthen your presence in certain key countries through strong local partnerships? And if so, in which countries?
Well, I think Teemu covered that as well. I mean, you know, the U.S. is the biggest market, so we are a little bit underrepresented, even if we have a long history there. And in Europe, the biggest markets are obviously Germany, you know, DACH, Central European market. We also see a lot of opportunities next door in Sweden, so that's something we've been investing recently as well. But it... You know, we, it's those are maybe the obvious ones, but of course, we are present in most places.
Middle East, we have, we have gotten active partners waking up. And in Asia, we are doing a big change, because we were very dependent on Hong Kong and Singapore, and Hong Kong is not really the place for Western cybersecurity company. So we are reducing dependence on Hong Kong and going for Southeast Asia. We have new partners now in Thailand, Indonesia. We are talking with Australia, and that's basically the plan to get the partners up and running so that we can get Asia back on track.
Thank you. And then couple of questions have been also here circulating about the go-to-market actions. So which are our next go-to-market actions?
Well, I guess partnering is obvious. We have done a lot of customer visits now post-COVID. Actually, I just got from Marriott and updated this year, I have been in hotel 66 nights, so... And we have been at fairs, I think about 30 different fairs. OT has been a big topic that we've been a lot with the new partners in the OT space, which is. It takes about 10-12 months to get the partner up and running, so we want scale. We also... Lauri is leading our digital phase, and we've done a lot of content. Now we actually have too much content. Now we have to get people to read it. So if you have nothing to do in the weekend, just go to our website and read some stuff.
... Okay, thank you. And also videos and podcasts. Then I don't have more questions from the chat, but I have one question there. Could we have microphone there in blue shirt, mister? Foreigner.
Thank you. I have quite some questions, but I take the easiest one first, maybe. Can you talk about the price adjustments when a 3-year contract's to be renewed? I mean, how much do you bump up the price? It's like one, 5, 10%? And are there any change between the U.S. and European customers to accept the price change?
US seems to have been accepting it more. Our target has been 5%. A lot of our contracts and a lot of our customers want to tie it to OC, OECD index, so consumer index. But typically, we've gone for the 5%, and amazingly little pushback, more in Europe. US is faster in any decision-making anyway.
Okay, thank you. You don't guide on your sales now, 2023, but I mean, if the sector is growing around 13%-14%, you should beat that gross number, right?
That is my target, yes.
Okay. And this one is for Rami, I think. You talked about the average deal size, and we saw a picture of it as well. And how much is the, I mean, a larger deal size? Is it over EUR 100K or two-
Yeah, we talk about a deal when it's over EUR 250,000.
Okay. Okay. And on the other side of the same coin there, will it terminate very, very small customers?
We have actually moved, consolidated the partner network, so that we've moved the smaller customers and automated the invoicing and renewals with them through the partner network. So less touch from us. Of course, there's no reason to lose small customers either. We just need to, you know, optimize it.
Okay, great. And then the last question here. You talked about the products. They are pretty high technical levels. How is it? Are the customers up to speed on their needs, so to speak? I mean, are they as technical informed as you would like them to be? I mean, do they understand what they need?
Yeah, let me, let me answer that-
Yeah
... first. I mean, typical RFP for access management products has 375 questions, technical questions. So I guess so. I think it's an overkill. I think, you know, I would say if you can qualify for these 12 functionalities, it should be enough. But they have consultants helping them, you know, the Gartner groups, and they overdo it. So I would say the technical level people are very skilled. They know what they're talking about. I think even maybe overboard. But then when the question comes to the decision-makers, you know, CFOs or CIOs or even CEOs, then they couldn't care less. They just trust that, "Hey, this is right solution." Then the question is: What is the payback? What is the... what is the risk of not doing it?
There are two levels that we need to address.
Great. Thank you.
Thank you, and there we have next one.
[Foreign Language] Saako käyttää suomea? Onko kielletty?
[Foreign Language] Joo, ei viritä.
[Foreign Language] Okei, mä kysyisin tätä hallituksesta. Yksi hallitusjäsen menehtyi. Onko SSH:lla mahdollisesti sitten etsinnässä, että vois neljän sijasta olla taas se viisi hallitusjäseniä? Onks tää neljä jäseniä mahdollisesti pieni? Ja sitten ehkä diversiteetti siihen. Nyt on 100% ilmeisesti suomalaisia hallituksessa. Voisko esimerkiksi jostain isosta maasta, kuten Jenkkilässä, on isoja cybersecurity-yrityksiä, ehkä maan parhaat ja hienoimmat. Löytyiskö sieltä jostain jotain hyvää osaajaa SSH:n hallitukseen? Amerikkalaiset osaa myydä, ne on siitä tunnettuja, suomalaiset ei ehkä niinkään. Kiitos!
[Foreign Language] Ehkä tuohon vastaus tulisi paremmin hallitukselta. Mutta mun käsitys on niin, että meillä on seuraava yhtiökokous, ja me ei tätä varten hallituksen kokoonpanoa nyt muuteta. Meillä on historiassa ollut amerikkalaisia kaksikin hallituksessa, joka kuulemma siihen aikaan oli kohtuullinen haaste sitten aikavyöhykkeiden ja prioriteettien suhteen, vaikka olikin pre-Covid-aikaa. Mutta totta kai varmasti noitakin asioita hallitus miettii.
Just short recap, we had a question about the SSH board, and will we fill new members to the board, and about the diversity of the board.
Good point. Yeah, I, I didn't know if I answered you, Philip.
Do we have any more questions? There is.
I was wondering about the deal size here, too. Then, you seem to show that the maximum deal size is about EUR 1 million something, and I would assume that there are bigger companies here in the world. So why or what, what do you think about the deal size going forward? Either average deal size or the, how the customers will develop, because it seems that you still have quite big companies as customers. So I feel that, as I see the industry, they have deal sizes that are several EUR millions or even bigger than that. Then the other part here is that it used to be so, especially in, to my understanding, in the area of, of security products, that you were able to use like, different type of security providers at the same time....
Like firewall providers, you had two or three of them at the same time. So how does it change, or does it change with the Zero Trust or the current approach?
Can I, can I start with that? Yeah. Yeah, first on that, we have two about EUR 1 million-sized, you know, annual recurring revenue customers that are both very happy. We're now in negotiation of doubling the business with each of them. So that gives you maybe a lot of scale opportunity for, for OT customers. If we have sold 250,000 OT case, there's 250,000 IT case there as well. So that's kind of, kind of how we, how we see that. Then, then on the... So the, the other question was about, about consolidation or, or, or having multiple vendors.
Would you have the same time several vendors and-
Yeah, I think we are... If you look at PrivX as an example, we have, you know, you saw that one colorful chart where we are beating one of the 800-pound gorillas, the number two on the market. We have two customers that have come from market leader, CyberArk, from us, said that this is a monster infra, we're gonna change it. So we see customers actually changing, not adding. Maybe initially they add us, they add PrivX for a certain use case, maybe developers, OT, but then eventually the idea is that only one, only one vendor in this, in this space is needed. So there is kind of consolidation in that respect as well.
Customers want to have less vendors. That's the trend. Technically, they can have more, but they typically want to reduce the number of suppliers they have. And just on the bigger deals, there's of course always a bigger boat. But in 2020, our average PrivX deal size was EUR 70,000 subscription. Now, it's what Rami said, EUR 250,000. That's quite the change in three years.
Thank you very much. Now that we are running out of time, I encourage you to write more questions to us, for example, to me, and I will forward them to the leadership and so on. Now, I would want to ask Teemu for a conclusion of the event and the summary. A couple more minutes if you stay online, so you will then see the end of the event. I thank you for joining us on behalf of SSH. Thank you very much. Teemu, once more.
Thank you. Yeah, my daughter always says that things will be good in the end, and if they are not good, it is not the end. So what should you remember from us? We go for logo customers, we go for share of the wallet. PrivX technology enables Zero Trust, which is a journey to our customers. And of course, we are here to bring growth to the company further. Moving ahead, we want to be closer to customers. It's important innovation happens with the customers. And we want to improve our internal efficiency, both on the go-to-market and on the R&D, using more common tools, automating our own systems, getting now also the ISO 27001 certificate on the wall. So I would like to close with a slide, just a flashback to the previous CMD. Things have changed, and you don't have to read this, luckily.
We did quite a lot of changes during these three years. With these words, thank you for participating, and hope to stay in touch and see you next time. Thank you.