The Cybercrime Epidemic & ‘Defensive’ Investing

Jack Doughty & Samuel Subramaniam

‘They say there are only two types of businesses: those that have been hacked, and those that don’t know they have.’

Okay, let’s provide some context. Yes, it‘s probably a bit far-fetched to suggest that your local bakery has been victim of a DDoS attack. No one needs the secret recipe that badly. That being said, cyber attacks are indeed incredibly commonplace. Shockingly, ransomware assaults occur every forty seconds, jeopardising sensitive data and posing a major threat to national security when they do. We need look no further than the four consecutive bombardments on the New Zealand stock exchange in August this year to understand the scale of these security breaches. Now, consider the catastrophic implications if the next target were a hydropower facility, rather than the NZX. 

That’s where cybersecurity fits in. Cybersecurity firms provide organisations with the tools they need to defend their online networks against malicious attackers. Think of them as the ADF for the economy’s online security. 

With several tailwinds driving the sector, firms in the cybersecurity space are undergoing a cataclysmic point of inflection. Throughout the COVID pandemic, businesses have witnessed two years worth of remote work developments in two months, leaving plenty of vulnerable chinks in their armour. As a result, demand for sophisticated protection from cybersecurity professionals has skyrocketed in the private sector, up by over 65% in the US since February. 

Back home, the Australian federal government has also pledged to contribute a modest $1.35 billion investment to the cybersecurity sector over the next 10 years. This comes as no surprise, with geopolitical tension giving rise to a new front for warfare; state-sponsored hacking. Considering the untapped potential of 5G that is right around the corner, businesses are demanding reliable cybersecurity like never before.

We are in the midst of an epidemic. No, not the one you’re thinking of. A different one; a cybercrime epidemic. So, let’s talk about it.



We are all well aware of the transformation that businesses have been forced to undertake over the first half of 2020. Staggeringly, 32% of working Australians have made the switch to working from home, and in turn, firms’ online systems are desperately expanding in order to keep up.

Budget Changes in the United States (US), United Kingdom (UK), India (IN), and Germany (DE).

According to Microsoft, the remarkable urgency with which businesses have transformed their services online in order to adapt to their changing environment has catalysed two years worth of progress in two months. Michael Phillips, from Fortinet, goes even further: “cybersecurity was always going to become big, what COVID and WFH have done is accelerate that process by 10 years”.  It’s an incredibly challenging problem that can be made pretty simple: “every device is now a vulnerability”. 

State-Sponsored Hacking

Traditionally speaking, cyber crooks have looked for the most vulnerable businesses to exploit. It doesn’t really matter whose it is, they just want money and data. Deterring these cyber actors is pretty straightforward; develop your cybersecurity systems, and you’ll be less of a sitting duck. Unfortunately for us, state-sponsored hackers are a completely different breed of soldier to the cyber crook. They have substantial access to funding, greater technology at their disposal, and most importantly, a specific target. State-sponsored cyber actors are capable of launching an attack on major infrastructure from the other side of the globe, as we witnessed in the DDoS assault that toppled the NZ stock exchange in August. 

Cybersecurity is a critical component of national defence.

20% of global organisations recognise the “takedown of a country’s energy grid, transportation network or health service” as the number-one threat to national security. According to Michael Phillips, the greater this risk becomes, the more funding will be channelled into the cybersecurity industry to stop data from becoming compromised. Scott Morrison has already pledged to introduce $1.35 billion worth of funding into the sector over the coming 10 years, and the potential for mandatory nation-wide business cybersecurity is becoming increasingly likely. Given that government authorities globally are unlikely to outsource any cybersecurity projects, it would be worth exploring investment opportunities in nations with large amounts of planned government expenditure in the industry. 

5G Technology

If state-sponsored hackers are the new soldiers of the 21st century, 5G is the unexplored battlefield. 5G technology allows for speed and latency expected to be 100 times faster than what is currently available, and will likely completely transform the cyber landscape. This speed could allow for endless possibilities, from automated road networks to “remote robotic surgery”. As we have witnessed in the developments throughout the COVID pandemic, more devices mean more vulnerabilities. 5G will up the ante. 

Robert Spalding, US Senior Director for Strategic Planning claims that 5G is already being introduced from farm implements to airplanes alongside “all kinds of different things that can actually kill people”.  In short, “allow[ing] someone to reach into the network and direct those things to do what they want them to do”. On this new cyber front, public and private institutions alike will need reliable and sophisticated security. That is, unless we want our combine harvesters to go rogue.

Recent Performers

With these significant tailwinds in mind, let’s have a look at some individual investment opportunities.


Listed on the NASDAQ, Fortinet (NASDAQ: FTNT) develops and markets products that offer corporate clients end to end security. That’s a fancy way of saying they offer complete protection. Earnings have been consistently high over the past five years, growing at 61.8% over that period with a relatively high ROE (75.6%) compared to the industry average (11.0%); a great start. What’s more, the fundamentals are sound too, with a strong debt-free balance sheet, and profits with an EPS of 0.82 in Q2, up from 0.60 in Q1.

Furthermore, with a PE ratio of (47.3x), Fortinet looks relatively cheap compared to the US Software industry average (53.9x). Fortinet is undoubtedly focused on the long-term, investing heavily in R&D and possessing three times as many patents as any other competitor. FTNT has a competitive moat, alongside the size and capacity to continue developing various solutions such as FortiAI and Fortinet SIEM. 

Research & Development Expenditure

According to Yahoo Finance, analysts are pricing FTNT at $139.70, about 20% higher than its current quotation of $116.81. Emerging as an innovator, FTNT has solidified its position as an industry giant. 


Founded in 2011, CrowdStrike (NASDAQ: CRWD) was established to help companies, small and large, prevent cyber breaches with advanced endpoint protection (when you see endpoint, think phones and laptops). IT security can be thought of as a range of checkpoints, where each is a possible vulnerability. CrowdStrike focuses on protecting passage through that last checkpoint. Listed on the NASDAQ, CrowdStrike’s stock is up 175% YTD largely driven by increased sales triggered by the dangers that come with WFH. As is the case with many tech companies, CrowdStrike is yet to report a profit, with a GAAP net loss of $0.14 in Q2, up from a net loss of $0.40 in Q1. Priced on the higher side at 33x EV/Sales, markets expect demand and sales to continue to grow. CNN Business has reported that consensus amongst 22 analysts with a median price target of $150.00 and a range of $122.00-$172.00. Currently sitting at $136.39, NASDAQ: CRWD is certainly one to watch over the coming year. 


If you’re reading this and thinking: ‘what on earth is endpoint protection, and why does CrowdStrike sound like a 10-pin bowling centre‘, then perhaps an ETF is more your flavour – not to mention one with such a great name. In making an investment decision, investors should always consider their circle of competence and avoid investing in that which they do not understand. ETFs are a great opportunity to expose yourself to macro tailwinds in an industry without picking hairs between businesses that go beyond your circle. Investing directly in individual shares on the NASDAQ exposes Australian investors to various currency and international market risks; risks that can be partially negated through diversified ETFs. While astute investors can look to hedge these risks using financial products such as currency swaps, ETFs such as ASX: HACK provide exposure to a wide range of international cybersecurity equities, reducing the need to currency hedge (although not entirely). HACK’s holdings include Fortinet, CrowdStrike, and other global equities from the US, Japan, Britain and Israel.

HACK’s Top 10 holdings, excluding cash.

Market Outlook

Going forward, the view of those familiar with cybersecurity risks relating to COVID-19, state-sponsored hacking, and 5G technology is one of caution. While tailwinds create a strong outlook for the industry, it would be naive to ignore what created the cybersecurity industry in the first place: the hackers who thrive on others’ ignorance. Just as defensive technology advances, so does theirs. It’s a perpetual game of cat and mouse, and cybersecurity firms must always strive to match the hackers step-for-step. The importance of cybersecurity is increasingly vital in the modern business climate, Michael Phillips echoes:

“There is no such thing as cyber-risk. There is business risk. If your data is compromised, you have no security, you have no business.”


Michael Phillips, SA Account Manager at Fortinet

For more details on HACK’s holdings, fees and trading information:

Disclaimer: The views expressed in this article are solely that of the author’s, and do not necessarily reflect the position of UNIT nor the University of Melbourne. The advice given is general in nature and does not consider an individual’s personal financial circumstance. Transacting off this information is done so at one’s own risk, and individuals are encouraged to consult a finance professional before making investment decisions based off of this article.

Statements made by Michael Phillips are his own views and may not necessarily reflect the views of Fortinet.

Similar Posts