Business is booming for this secular industry

To put it all into perspective, the average number of cyber-attacks per company annually is 270, with just over 10% of these successful breaches (Source: Accenture State of Cybersecurity Resilience 2021). It’s a number that grows annually.

Realistically, anyone who uses the internet in some form should assume they’ve had their data hacked at least once before. 

The Optus hack exposed around 40% of the Australian population. Back when Facebook had a leak in 2019, 500 million people globally were exposed.

I’ll bet you might not even know if you’ve been hit – in fact, it’s only been more recently that companies have been pressured into contacting their customers directly about breaches. A quick way to check your data is the website Have I been pwned?

Breaches are hugely expensive to companies too. According to a 2022 report by IBM and the Ponemon Institute, the average cost of a data breach to a company is $US4.35 million covering legal, regulatory, and technical costs, brand reputational damage, customer turnover, and impact on employee productivity. That’s before you think of individual costs to customers exposed in a breach – replacing identification or credit cards, or even facing scammers committing identity fraud.

The new essential service

From this perspective, it all makes sense that cybersecurity has, to an extent, escaped some of the recent falls in the broader tech sector.

“Cybersecurity has become one of the most durable spending categories in corporate IT budgets, due in part to the growth in digital data and environments, and an increasing number of corporates concluding that investing in their cyber defences is a necessity”.

He points to a range of secular trends driving the industry including:

1. Accelerating consumer and corporate spend on data protection.
2. The increasing number of cyberattacks (it’s the fastest-growing crime in the US).
3. Growing costs from cyberattacks.

Clearly, cybersecurity is a growing and highly lucrative industry – and yet, how many companies in this space can an investor name off the top of their head? 

I’m betting not many. And I’ll take a further stab that asking for an Australian name will draw a complete blank. In fact, the Australian industry is so small that when I asked some of our valued partners for their insights, many told me that it is largely start-ups and microcaps. Not areas they typically cover.

The US industry on the other hand is massive. In fact, Gleeson says that only five holdings in the BetaShares Global CyberSecurity ETF (ASX: HACK) are domiciled outside of the US. The 19 biggest holdings are US based.

Why is this? Why are cybersecurity companies not household names?

Part of this comes down to the fact it is a growing industry that changes rapidly. In fact, I’m informed that everything we do on the cybersecurity front will be obsolete in a matter of years courtesy of the power of quantum computing. If we think it’s scary that hackers can create algorithms to hack our passwords in a matter of minutes today, take it to the next level when you consider the power of quantum computing.

There are a lot of small players in this space at this stage so it’s also fair that we don’t know the names of many cybersecurity companies. In the coming years, some of these companies will rise and flourish, while others will vanish as quietly as they appeared. On the flip side, the good news is that some cybersecurity companies are already big-name brands – you just didn’t realise they worked in this space.

The household names you know and love… in a different way

You might not think security if I say Microsoft (NASDAQ: MSFT) or IBM (NYSE: IBM) but both companies have flourishing cybersecurity offers.

IBM offers free IBM Cybersecurity training for professionals interested in pursuing jobs in that field ranging from basic training, a foundation course, and an analyst program. It has also committed to university programs for training cybersecurity specialists. From a product and service perspective, it offers a range of enterprise security solutions backed by the research of its IBM Security X-Force. It launched a data security solution called Guardium Insights late last year and acquired ReaQta which uses AI and machine learning in the fight against cyber threats. So far the IBM Security business growth has lagged industry growth, which is concerning at a time when its competitors are rising.

Amazon (NASDAQ: AMZN) is also growing on this front too with its Amazon Website Services (AWS) including cyber offers like AWS Security Hub to automate security checks and centralise alerts, Amazon Detective to investigate threats and issues, and Amazon GuardDuty to detect issues. It has partnered with FireEye Network Security across its products and services.

And the names you already think of when you think security…

If I say CISCO (NASDAQ: CSCO), Symantec (now known as NortonLifeLock (NASDAQ: NLOK)), McAfee (now private), Oracle (NASDAQ: ORCL), and Palo Alto Networks (NASDAQ: PANW), chances are you’ve heard of them, if not already used them in some way. Palo Alto and McAfee are also part of the Cyber Threat Alliance which includes Fortinet (NASDAQ: FTNT) and Symantec. The Cyber Threat Alliance is an agreement between these companies to share details on the latest threats and managing them. That’s right – a genuine corporate effort to act in the global best interests in improving methods of managing cyber threats.

By contrast, NortonLifeLock and McAfee are better known as consumer brands. You probably know them for their anti-virus software though their offers have extended far beyond this today. Slintel’s data tracking places Symantec’s global market share at 55.59% and McAfee at 24.78%.

The other names you should know about

Gleeson says the cybersecurity industry is a build-up of both leading and emerging companies and you can’t always predict tomorrow’s leader.

Some of the other companies held in the HACK portfolio he finds interesting are:

1. CyberArk (NASDAQ: CYBR) – an information security company focused on Privileged Account Management. The company’s technology is deployed worldwide – primarily in the financial services, energy, retail, and healthcare markets. Over 2,700 global businesses trust CyberArk to protect their highest-value assets, enabling them to master audit and IT compliance requirements.
2. Okta (NASDAQ: OKTA) – is a global leader in Identity and Access Management. It provides cloud software that helps companies manage and secure user authentication into applications, and for developers to build identity controls into applications, website web services, and devices. The company has solidified its competitive position through product breadth and innovation, as well as its customers increasing focus on enterprise security and digital transformation.
3. Varonis Systems (NASDAQ: VRNS) - an American software company, who are responsible for developing a security software platform to let organisations track, visualise, analyse, and protect their unstructured data. Varonis performs User Behaviour Analytics to identify abnormal behaviour and defend enterprise data from cyberattacks. Their software gives organisations more visibility into their data and protects their critical and sensitive information. Varonis’ customers include Coca-Cola, Toyota, L’Oréal, and SanDisk.
4. Crowdstrike (NASDAQ: CRWD) – provides cloud workload and endpoint security, threat intelligence, and cyberattack response services. The company has been a beneficiary of the acceleration of organisations switching from legacy antivirus-related platforms in favor of next-gen Endpoint platforms like Crowdstrike. The company has been involved in investigations of several high-profile cyberattacks, such as the 2015–16 Democratic National Committee attack.

Where does Australia stand?

As mentioned earlier, our cyber-security industry is tiny. There are a lot of start-ups out there. However… should you want a few listed small-cap names that are doing some interesting work, here are a few I uncovered.

• Tesserent (ASX: TNT)
  Tesserent is Australia’s largest listed cybersecurity company (still a small cap though) and has 1200 clients across small and medium enterprises, government, and critical infrastructure. It is a full-service cyber solution company offering protection services and monitoring, along with consulting and advice.
• Whitehawk (ASX: WHK)
  Whitehawk is known for offering online global platforms and software for end-to-end risk identification and mitigation – they are the world’s first cybersecurity exchange. It has won a key US federal government contract worth $5.9m back in 2020.
• Prophecy International Holdings (ASX: PRO)
  Prophecy is a software company known for its flagship cybersecurity product Snare which was developed with the Australian military and defense. It is a tool for logging and managing security events and is used globally.

What’s next in the world of cybersecurity?

According to Gleeson, one of the more interesting trends in this space is the growth in attacks on small and medium enterprises.

“Criminals are increasingly turning their focus to smaller businesses and individuals as these targets often generate less attention and tend to be easier targets.”

He notes that ACCC’s Scamwatch found a particular increase in hacks of property developers and real estate agents where buyers were convinced to transfer deposits and stamp duty payments.

Further to this, insurance is failing to cover cyberattacks – an opportunity perhaps for some providers but Gleeson says proper cybersecurity investment to prevent breaches is a surer bet.

The cybersecurity industry was valued at $US139.77 bn in 2021. It’s tipped to reach $US376.32bn by 2029. There’s a lot of growth coming, and a lot of opportunity for companies hungry for a slice of that pie.