Cybersecurity is the new 'recession-proof'. Here’s how you can invest.

Unless you truly live off-grid, it’s virtually a guarantee that at some point in time your data has been compromised. Perhaps you were affected by one of the multiple breaches on Facebook, or when Medibank and Optus were breached in quick succession a few years ago.

Cybercrime is one of the most significant issues of our times and Australians had yet another sharp reminder of this over the last week as a number of big super funds (AustralianSuper, REST, Hostplus, Insignia and CBUS) were affected by a co-ordinated cyberattack.

Company spend on cybersecurity is set to be the one business cost that won't get cut in the coming years, no matter how bad the markets get – the new recession proof if you like. Gartner Inc projected end-user cybersecurity spend to total $212 billion in 2025.

After all, the consequences of a breach are potentially enormous. For an individual, it could be loss of their identity or theft of their money. For a business, it could be large regulator penalties. For example, in Australia, the civil penalty for a failure is up to $50million and there are discussions globally about the extent that key company staff might bear liability for breaches in the future.

It's a lot to take in, but from an investment perspective, it’s a very attractive theme and a revenue generator. Why not generate a return from protecting your own data?

I spoke to Hugh Lam from Betashares, home of the only cybersecurity ETF on the ASX - the Betashares Global Security ETF (ASX: HACK) - for his insights into this theme and some of the exciting companies in this space.

The size of the opportunity and what the market looks like

Beyond simply looking at spend, Lam notes the total addressable market for cybersecurity is immense.

“It could potentially be as much as US$2 trillion, more than tenfold the current market size according to McKinsey,” Lam says.

The ongoing rapid innovation of global technology is seeing cyber threats become increasingly more sophisticated. Governments and organisations alike are having to invest defensively, not only to ward off existing threats but the threats of the future. AI, for example is expected to be the catalyst of around 17% of attacks in the future, and quantum computing could change the dynamics and challenges of protection in an instant.

Lam is seeing increased consolidation across the cybersecurity service space.

“Larger incumbents, such as CrowdStrike (NASDAQ: CRWD) and Palo Alto (NYSE: PANW) have expanded their service offerings across different areas of security as large companies prioritise spending by consolidating the number of vendors they use,” he says.

The original baseline of cybersecurity services focused on specific threats like anti-virus/malware software, trojans and hardware, while the new ecosystem covers end-to-end concerns. Think of things like endpoint security, identity and access management, security orchestration, automation and response.

Global names to watch

Lam points to Crowdstrike, Palo Alto, Cisco Systems (NASDAQ: CSCO), Broadcom (NASDAQ: AVGO) and Zscaler (NASDAQ: ZS) as some of the interesting holdings within the HACK portfolio. HACK tracks the Nasdaq Consumer Technology Association Cybersecurity Index. It is testament to the prospects of the industry and the quality of the firms in the index that HACK has delivered 17.88% p.a. since its inception in 2016.

He notes that some of the larger players in the space have their eyes out for solid acquisitions to expand their service offerings.

“Cisco purchased Splunk for ~US$28 billion in March 2024 in an all-cash deal, and Broadcom purchased Symantec’s enterprise security business for US$10.7 billion in 2019 to expand its cybersecurity portfolio,” Lam says.

Alphabet (NASDAQ: GOOGL) also expanded its cyber expertise with the purchase of cybersecurity firm Wiz (which also has a strategic partnership with Check Point Software Technologies (NASDAQ: CHKP)).

While these are fairly well-known names for cybersecurity capabilities, investors shouldn’t forget that the likes of Microsoft (NASDAQ: MSFT), Amazon (NASDAQ: AMZN) and Alphabet (as mentioned above) have security offerings too, so if you have existing holdings, consider cybersecurity an added bonus.

Microsoft recently launched the Cybersecurity Program for Rural Hospitals Program across America offering free cybersecurity assessments, training and security product discounts to rural hospitals. Microsoft has a range of cyber-related products and services, such as Defender.

Amazon offers cybersecurity services through its cloud service Amazon Web Services. It has a collaboration with SentinelOne (NASDAQ: S) for AI cybersecurity services.

The Australian space for cybersecurity

The Australian cybersecurity industry is quite small, particularly after Tesserent was acquired by French multi-national Thales Group (EPA: HO). It still operates heavily in Australia and New Zealand as a full-service cyber solution company. The following is by no means an exclusive list but includes some of the interesting names on the ASX. 

Bear in mind these are smaller businesses - some are micro-caps - so it's a riskier space. Do your research carefully if you intend to look on the ASX, or keep it simple by using an ETF like HACK to get your exposure internationally (primarily the US which is home to the largest cybersecurity businesses).

Senetas (ASX: SEN) is one of the largest cybersecurity businesses in Australia. It is a developer and manufacturer of certified, high-assurance encryption hardware, software-based network encryption and advanced encryption file sharing application. It is used in more than 45 countries and distributed by Thales Group. It recently sold its subsidiary Votiro to Menlo Security for US$37.5m.

Microcap Whitehawk (ASX: WHK) is primarily US-based. It offers online global platforms and software for end-to-end risk identification and mitigation – a cybersecurity exchange. It won a key US federal government contract back in 2020 and secured a contract with Tabcorp last year. In the last week, it announced the quotation of 59,500,000 ordinary fully paid securities on the ASX to boost its liquidity.

Prophecy International Holdings (ASX: PRO) is a software company known for its flagship cybersecurity product, Snare, which was developed with the Australian military and defence. It is a tool for logging and managing security events and is used globally. It partnered with Oracle in 2023 to market Snare and eMite (a real time analytics and dashboard service). It announced the quotation of 20 new ordinary full paid securities on the ASX in the last week too.

Firstwave Cloud Technology (ASX: FCT) is a global software company formed in 2004. The company is a leading provider of enterprise-grade network management, automation, audit and cybersecurity software, with over 150,000 organisations using FirstWave software across 178 countries. Clients include Microsoft, Telmex, Telstra, Claro and NASA. It announced in 2024 that it expects to be cashflow positive in FY25.

Archtis (ASX: AR9) is an information security provider with zero-trust capabilities. It extended its services earlier this year with the US$750,000 purchase of US business Direktiv which offers attribute-based access control and an event-driven orchestration platform. The business has positive prospects and made a deal with the Australian Department of Defence in 2024. In recent weeks, its CEO announced a licensing partnership with a Japanese multinational.

Protecting yourself from cybercrime

It wouldn’t be an article about cybersecurity without a few tips and tricks to protecting yourself online.

The first thing is a solid password. If you are still holding onto Password123!, now is the time to surrender and find something more secure. I personally find it exhausting remembering passwords so I have a password manager.

There are a few around, like 1Password and LastPass which will also kindly generate a randomised sequence for you based on what the particular site you are using requires. I’ve also been reliably informed that having a password phrase with a few special characters is a great way to increase your security and make it more memorable for you – instead of Password123!, think, Ih@tepa$$word123!

The gold standard for logins these days is to use multi-factor authentication. That is, your password and then a randomly generated secondary code or the like to enter. The code could be delivered through an app like Microsoft Authenticator or Google Authenticator, or you might receive a text to your phone or an email.

If your data has been breached, the Australian Signals Directorate (ASD) has some steps you should follow. As a summary, the below are a good starting point.

• Confirm what data has been affected and what the hackers have. The affected organisation should let you know some critical next steps as well.
• Watch out for scams: the hackers have your data and they’ve probably sold it on the dark web. You might receive phone calls, texts or emails encouraging you to click links. Some might even appear to be legitimately from an organisation you use – a legitimate organisation will never include a link for you to login to your account, they will always encourage you to use your apps or visit the website and login from there.
• Secure your accounts: this may mean ringing your bank account to freeze finances and arrange for new cards. It may also mean amending your password when possible. If you’ve used the same password in multiple places, you need to change it in all of those places.
• Secure your identity if sensitive personal information has been stolen by visiting IDCARE. Contact the ATO if your tax file number is likely to have been stolen.
• Monitor activity in all your accounts, including social media, in case of anything unauthorised by you.

If you’ve been hacked, this page from the ASD is also helpful: (VIEW LINK)

Stay safe and happy investing! Share your favourite cybersecurity investments in the comments below.