Hacking can cost businesses millions of dollars
Here's how to make money from cybersecurity by investing in the companies defending themselves.
This spring, the cyberattack that shut down the online store of Marks and Spencer for over six weeks is finally coming to an end. According to the company's May results, the ransomware attack, which was executed by a hacker collective identifying itself as Dragonforce, erased 300 million from M&S's 2025 - 2026 earnings. Customers were unable to finish their orders during the spring, which is typically the busiest time of year for clothing sales before summer.
Being the target of a well-publicized cyberattack is by no means unique to M&S. The share price of cryptocurrency exchange Coinbase dropped 5% on May 15th after it was revealed that cybercriminals had paid support employees to divulge customer information, costing the company £400 million. On May 19, a data breach at the Ministry of Justice in the United Kingdom revealed private data belonging to legal aid applicants that dates back to 2010. As of June 2025, the October 2023 cyberattack that may have cost the British Library up to £7 million has left some of its services inoperable.
It is depressing to read about the prevalence of cyberattacks. According to the Identity Theft Resource Center, 3,158 of the 600 million that Microsoft estimates occur daily were successful in compromising data in the United States in 2024. That number represents a nearly 320 percent increase over the equivalent of 754 in 2018. The expenses of becoming a victim are also increasing; according to IBM, the average cost of a data breach last year was £4.09 million, which is 10% more than the previous year.
The surge in cyberattacks has a geopolitical component. Some governments are increasingly using cyberwarfare as tensions and conflicts increase globally. Iran has successfully carried out cyberattacks against Israeli missile defense systems and Saudi Aramco, the country's state-owned oil company. "Pro-Iranian hacktivists are likely" to target US networks, according to a warning from the US Department of Patriotics.
Apparently, US allies are also at risk. Prime Minister Keir Starmer stated at a NATO summit on June 25 that the UK must be ready to fend off cyberattacks "on a regular basis" by Russian and Iranian actors. Perhaps it should come as no surprise that Poppy Gustafsson, the government's minister of state for investments, has experience in cybersecurity, having co-founded the Cambridge-based cybersecurity company Darktrace.
AI is a double-edged sword in cyberspace.
In many ways, Darktrace was unique since it was among the first cybersecurity firms to integrate artificial intelligence (AI) into its core offering. The majority of the top cybersecurity products on the market today use AI, demonstrating how far along that trend is. But there are two sides to that.
"A new era of cybercrime has been created by AI, lowering the barrier to entry for attackers," according to David Spillane, director of systems engineering at cybersecurity company Fortinet. "With AI, even those with no prior knowledge of coding or hacking can now create malicious code, and skilled threat actors can use it to carry out novel tactics." According to technology consulting firm Gartner, generative AI will be used in 17% of cyberattacks by 2027.
Ben James, chair of the Baillie Giffords US Growth Trust, says, "You need to fight fire with fire and have robots fighting back with really innovative tools in an agentic world where, essentially, robots are attacking you rather than humans." Fortinet and Cloudflare, two cybersecurity companies, are integrating artificial intelligence (AI) into their systems to combat these new and ever-changing threats. Among these solutions are "AI-powered threat hunting" and "hyper-automated incident response," which, to use Spillane's terminology, essentially automate the process of detecting possible breaches and starting fixes for any that manage to evade detection.
For the cybersecurity sector, AI is therefore both a challenge and an opportunity. Actually, investors benefit from the increased demand for protection, which favors the most creative providers, as a result of the proliferation of threats.
The most recent technology to affect cybersecurity in this way is artificial intelligence. AI is, in many ways, taking the lead from cloud computing.
The emergence of clouds also signaled a shift from a more secure world where data was kept on-site to one where, in theory, anyone in the world could access sensitive personal data and business-critical data. However, it also provides a fresh way to counteract the dangers that online criminals present to both individuals and companies.
Likewise, newer computing technologies are opening up even more possibilities. According to James, this accounts for a significant portion of Cloudflare's edge over competitors. It uses "edge computing" to deploy its system, which disperses data storage globally in contrast to the cloud.
James says, "Cloudflare aims to enhance performance and offer better services, not just be something you add to your computers and slows everything down." In essence, they construct mini data centers close to their clients, which speeds up operations, and they can then combine cybersecurity solutions.
Investment opportunities in cybersecurity.
Businesses are inevitably spending more on cybersecurity measures as a result of the growing threat of cyberattacks and the rising expenses of becoming a victim. The most recent report from Infosecurity Europe states that cybersecurity experts anticipate an average 31% increase in budgets by 2025. Twenty percent of the report's 231 respondents anticipate budget increases of at least fifty percent.
Gartner predicted last August that global cybersecurity spending would reach £212 billion in 2025, a rise of more than 15%. According to a recent Fortune Business Insights forecast, the industry is expected to reach a valuation of over half a trillion dollars by 2032, which would indicate an annual growth rate of over 14 percent during that time. Crucially, neither a war nor a recession will cause that investment to decline. Either of those situations, if anything, increases the incentives for cybercriminals, which in turn increases the need for businesses to invest in cybersecurity. According to a cybersecurity CEO he knows, "people will spend on cybersecurity regardless of the macroeconomic environment, and in fact possibly increase it," James states.
That might make cybersecurity stocks more defensive. With their stronghold on technology and consequent growth, these companies aim to sustain their revenue streams even in the event of market downturns. "Cybersecurity ranks very highly when asked what portion of your IT expenditure is the most resilient or what portion are you least likely to cut in the event of a downturn," says Jeremy Gleeson, Allianz Global Investors' chief investment officer of global technology equity. I always say that a lot of technology spending is arguably discretionary in a more difficult economic climate where businesses are trying to cut expenses. Spending can be postponed until you have more confidence in the world.
It seems impossible to put off cybersecurity unless you're prepared to jeopardize your company. Cutting the cybersecurity budget is not something you want to do.
"The majority of the top cybersecurity products on the market today use artificial intelligence."
Advice for stock investors in cybersecurity.
As Gleeson clarifies, there is a counterargument. "Defensive stocks generally have a high dividend profile when you look at the equity market as a whole. Even though their growth may be slower, they are typically trusted to be able to pay dividends every year. For the most part, this isn't true for cybersecurity stocks because the sector is still too young to have many dividend payers. Although many large, diverse tech companies, such as Microsoft, IBM, and others, have cybersecurity divisions, none of the top three cybersecurity companies by market capitalizationPalo Alto Networks, CrowdStrike, and Fortinetpay dividends to their employees. Gleeson asserts, "They're investing for the future, rather than thinking about returning capital to shareholders."
They are also priced far more like growth stocks than defense or value stocks. With both its forward and trailing price/earnings ratios hovering around 42, Fortinet is the most affordable of those three. This remains greater than the average of the Nasdaq 100 and the majority of the Magnificent Seven. However, it is nothing compared to Palo Alto, which has a forward p/e ratio of 56 and a trailing p/e ratio of 117. CrowdStrike, in particular, is trading at more than 400 times trailing earnings and 141 times forward earnings.
Cloudflare is currently trading at more than 230 times projected earnings, suggesting that it will become profitable in the upcoming year. Before these businesses can be considered defensive plays, they all need to mature a lot. However, when these companies start to appear more like dependable cash cows than expensive start-ups, growth-minded investors may see an opportunity.
Innovation is essential, but it has a cost. The majority of cybersecurity companies make money through the SaaS model, in which clients sign long-term agreements that generate annual recurring revenue, or "ARR." However, they also have to make significant investments in R&D, which reduces their profit margins.
"You're only as good as the last attack that you were able to stop or block as a cybersecurity company," Gleeson says. CrowdStrike, which rose to prominence last year after a routine software update caused a significant worldwide outage, serves as a warning about how much depends on reputation for cyber firms. Its shares dropped about 49% from their peak in the aftermath, and although they have since bounced back and surpassed their pre-outage level, their gains have fallen short of those of some of its rivals. In light of these spending requirements, investors choosing cybersecurity stocks ought to focus more on revenue growth than on profit margins or dividend payments. This emphasizes their current standing as growth stocks.
Instead of attempting to select individual winners from a still-developing market, it might be wiser to distribute your bets among several opportunities. The industry is targeted by a number of thematic ETFs, such as the Invesco Cybersecurity ETF (LON: ICBR), the WisdomTree Cybersecurity ETF (LON: WCBR), and the L&G Cyber Security ETF (LON: ISPY). In addition to the larger technology sector, Gleeson oversees the Allianz Global Hi-Tech Growth fund, which makes investments in cybersecurity stocks. As of May 31, Palo Alto Networks is among the top ten holdings in the fund, along with cyber companies SailPoint and CyberArk.
For those investors who favor a pure-play strategy, there is also a specific Allianz Cyber Security fund that is run by Erik Swords. CyberArk, Cloudflare, and CrowdStrike are among the top holdings. As an alternative, combined with other US growth stocks, Cloudflare is the fourth-largest holding of the Baillie Giffords US Growth Trust (LON:USA) as of May 31.
Leave a comment on: Why this could be a good time to purchase cybersecurity stocks