New frontiers: the future of cybersecurity and how to invest
Now that we are spending more and more of our lives online, the threat from cybercriminals is ubiquitous and growing. Matthew Partridge reviews the key trends in the cybersecurity sector and how to profit
It has been a busy year for large companies’ IT departments. Firms ranging from Marks & Spencer to Jaguar Land Rover (JLR) have seen their operations disrupted by cyberattacks. The incident at Jaguar is thought to have cost Tata (JLR’s owners) just under £2 billion. While not a cyberattack, the outage at Amazon Web Services in October also brought swathes of the internet to a halt, demonstrating that “when a single upstream provider experiences issues, the impact doesn’t stay contained; it cascades across industries”, says Fadl Mantash, chief information security officer of global pay-tech company Tribe Payments. Such cases are just the “tip of the iceberg”, according to Jonathan Frost, director of global advisory for EMEA at BioCatch. No wonder, then, that companies providing cybersecurity and resilience services are in demand.
Why cybersecurity is more important now than ever
The main reason cybersecurity and cyberresilience are so important now is that “an increasing amount of life is conducted online, with almost all our devices connected, in some way, including vacuum cleaners and washing machines”, says Marijus Briedis, chief technology officer at NordVPN. However, while people “still don’t fully realise how much data they are sharing and how much connectivity is happening”, there is a growing awareness that “they have to take care with their online activity and need some protection from the various threats… out there”.
This is particularly true of the post-Covid business world, “where people are increasingly working away from the office”, says Kate Steele, partner in the commercial dispute resolution team at Hill Dickinson. As a result, companies “are relying much more on technology, both in terms of remote working systems, but also things like AI”. And “all the various crime statistics suggest that there has been a huge increase year on year in every type of cybercrime, from data theft to online scams”, says Steele.
BioCatch’s Jonathan Frost, who previously worked at the City of London Police, notes that in the 2025 National Crime Survey, 1% of all UK companies said they had been victims of ransomware, where servers are hijacked, legitimate users locked out and then cash demanded to hand back control. While 1% may not seem much, “this works out to 19,000 firms across Britain, and represents a doubling of attacks since 2024”.
What’s more, companies may not have a choice as to whether they protect themselves, says Hill Dickinson’s Kate Steele. This is because governments and regulators are now recognising “that companies need to take action to defend themselves, as such attacks not only harm them, but also hurt their customers, employees and other people in their care”. Witness the UK’s Cyber Security and Resilience (Network and Information Systems) Bill, currently going through Parliament, “which places an obligation on critical sectors to report major incidents within 24 hours, with large fines if they don’t”.
It’s not surprising, then, that over the last five to 10 years, discussions about such cyberthreats are no longer “the background conversation that only took place in certain industries and businesses”, says Brendan Gulston, co-manager of the WS Gresham House UK Multi Cap Income Fund. Instead, cybersecurity is “a board level discussion that is mentioned in almost every annual report of most businesses, irrespective of industry”, says Gulston. Overall, data from accountants PwC suggests that around 85% of businesses expect their cyber budgets to increase over the next 12 months, says Zain Javid, cofounder and chief technical officer of Citation Cyber.
The three key threats to cybersecurity
NordVPN’s Briedis thinks the increasing number of threats stems from three main sources. There are the so-called “script-kiddies”, the kids “playing around the internet and trying to figure out how to hack your neighbour”. However, there is also an increasing threat from cybercriminals, many linked to organised crime, who are targeting companies. They typically either try to steal commercially sensitive data or launch ransomware attacks.
Even worse, “in a growing number of cases many countries now have their own cybersecurity groups that specialise in carrying out attacks”, says Briedis. Jonathan Frost agrees, noting that Europe “is facing increased hostile activity across cyber, infrastructure and information domains from regimes such as Russia”. These so-called “hybrid conflicts” are “below the threshold of war but above the threshold of normal state relations”. For example, this year “the Dutch authorities identified a cybersabotage attack on the digital control system of a Dutch public service”, which they eventually traced back to the Russian state. Russia is also considered the prime suspect for the JLR attack.
North Korea, too, is “always at or near the top of the list of hostile states, as are Iran and China”, says Chris Gannatti, global head of research for WisdomTree. He points out that earlier this month AI start-up Anthropic claimed that Chinese hackers had launched cyberattacks against them in an attempt to co-opt Claude, their AI system, so that it could be used for sinister purposes. With such a close connection in the digital world between data and sovereignty, “it’s unsurprising that the rise in geopolitical tensions has coincided with the rise in cyberattacks against civilian or government infrastructure”, says Axel Belorde, head of business development for EMEA & Asia at VettaFi.
AI is ushering in a new era of cybercrime
Anthropic’s experience highlights the fact that, as nearly all the experts I spoke to agreed, AI is showing “the ability to expand cybercrime exponentially”, says NordVPN’s Briedis. With generative AI allowing for “vibe coding” – the ability to create programs by simply specifying what you want to create – even the least technically savvy hacker “can type something into ChatGPT and create a simple virus or malware in seconds”.
While many of the larger AI models are desperately trying to build in safeguards to prevent this, they may be too late – “for a few thousand pounds you can get access to your own bespoke AI system that won’t have any of these restrictions”, says Briedis.
As AI becomes ever more sophisticated, its use could expand beyond simply making it easier for hackers to write malicious code. AI could create “agentic” programs that can be sent out to wreak havoc on their own, without the need for constant human direction. Tom Kynge, portfolio manager at Sarasin & Partners, says that even before the Chinese attack, tech start-up Anthropic had done “some really interesting testing on this front, with results showing that AI systems can demonstrate behaviours such as deception, creative problem-solving and manipulation”.
AI-powered social engineering can make things worse
AI can also help hackers carry out what’s known as “social engineering”, where hackers persuade people to voluntarily hand over important security details by impersonating friends, family, colleagues or customers. This matters because, as security companies have become better at bolstering defences against viruses and security breaches, “cybercriminals are increasingly focusing on social engineering”, says Rupert Small, founder and CEO of Egregious, an analysis platform that aims to protect the internet from AI deception. He notes that in some cases, the latest models can “make us believe whatever they want us to… that completely transcends what any other human can do, including your own close family”.
Silver-tongued chatbots and deep-fake videos represent the cutting edge of social engineering. But more mundane AI tools can also pose a threat. Hill Dickinson’s Kate Steele says hackers are already using AI “to send out random emails to a large number of people at a much larger scale than they were previously able to”. What’s more, generative AI is ensuring that, “while the emails from fraudsters used to be easy to spot, as the grammar or spelling wouldn’t be quite right, they are now much more convincing”.
On a more positive note, there is evidence that AI can be used to defend us against security threats as well as create them. “There are many start-ups, many of them created in the UK, which are using AI to detect scams created by social engineering and phishing,” says Small. All the evidence so far is that AI “can be very good at detecting such scams at scale”. Those using AI for defensive purposes may be “a few steps behind” those using it for criminal purposes. However, “the defensive tools definitely exist, it’s just a question of getting them adopted”.
Cat McDonald, a partner at venture-capital firm AlbionVC, takes a similar view. Using AI to detect fraud can lead to false positives, yet AI can also “help find patterns that wouldn’t be visible to the human eye, allowing you to defend yourself far better and quicker than you would be able to do otherwise”. NordVPN’s Briedis notes that his company is already using its own machine-learning algorithms to combat phishing and scam sites. In the future, cybersecurity “is going to be increasingly AI versus AI”, says Briedis.
Threat from quantum computing
AI isn’t the only technology “shaping the next cyber battlefield”, says Citation Cyber’s Javid. Quantum computing is also seen as a threat. The exponentially faster computing speeds it promises mean it will become possible to break encryption systems that normally would take thousands of years to crack using today’s technology, rendering them “irrelevant”, says Tom Peirson-Webber, VP of engineering at Harbr. This future might be less distant than people think. The UK’s National Cyber Security Centre suggests that companies “should plan on being quantum-ready sometime between 2030 and 2035”.
IBM has predicted that by 2029, “we’re going to start getting useful outputs from quantum machines that are beyond the reach of classical machines”, notes WisdomTree’s Gannatti. Certainly, “there’s been a lot of talk in both the encryption and cryptocurrency communities about how to deal with this emerging threat, with several start-ups working on how to make encryption quantum-proof”. In a sign that the threat is being taken seriously at the highest levels, the National Institute of Standards and Technology in the US has published papers on how quantum-safe encryption standards could work.
However, even if quantum-proof encryption methods are developed in time, they will still need to be rolled out. While Peirson-Webber likens the problem to the millennium bug, where many people worried about the impact of the date change on computer systems, only for the transition to go relatively smoothly, this is not as reassuring as it might sound. After all, the millennium bug was only overcome “because people started planning for it in 1990, rather than leaving everything to the last minute”, a mistake he worries that some companies may be making. Another risk comes from “people stealing encrypted data today, in the hope that quantum will enable them to decrypt it in a few years’ time”.
Big winners in the growing demand for cybersecurity
So which type of companies will benefit the most from the boom in cybersecurity? AlbionVC’s McDonald thinks the industry is dominated by a “few, very large platforms offering a broad suite of services”. These platforms “have strong brands, established trust and are liked by the security teams of large organisations, who are completely overwhelmed by the large number of solutions out there and find that having a one-stop shop can be very helpful”.
However, she also notes that the recent wave of both security breaches and outages has shown the downsides of having too much consolidation “and made enterprises a little more cautious about having all of their eggs in one basket”. She also notes that many of the large platforms “have reached the stage where they are not able to innovate quickly enough”. This is creating opportunities for “a lot of very exciting early-stage cybersecurity companies, including many coming out of academia, that are looking for solutions that can help defend against new attacks”.
Similarly, VettaFi’s Belorde thinks the recent AWS outage “is a good reminder that there is rarely such thing as 100% reliability”. Companies need to “carefully assess their remedial plans”. In the case of security services, that means having multiple providers, while with regard to storing their data, it makes sense to ensure that cloud storage isn’t the only option used, with the most confidential data stored on properly secured physical servers. In short, the “growing need for more innovative cybersecurity solutions” will benefit an “entire ecosystem of companies”.
How to invest in the cybersecurity sector
The easiest way to invest in companies benefiting from the boom in the cybersecurity sector is through an exchange-traded fund (ETF) tracking a broad portfolio of cybersecurity firms, such as the WisdomTree Cybersecurity Ucits ETF (LSE: WCBR). WisdomTree has built a portfolio of 25 firms by asking experts who have worked at a range of organisations, including the US National Security Agency, to find companies that will benefit from what it sees as eight key themes, ranging from cloud security to cybersecurity education. The largest holding is Crowdstrike, which accounts for 7% of the ETF, with the top ten accounting for half the fund. It has a total expense ratio (TER) of 0.45%.
The third-largest company in WisdomTree’s portfolio is Akamai Technologies (Nasdaq: AKAM). Although its core business used to be providing a secure connection between the user and an internet site, it has recently shifted towards providing services for cloud computing, including cybersecurity. Unlike many companies in the sector, Akamai is not only profitable but also trades at a relatively modest valuation of less than 13 times expected 2026 earnings. Nonetheless, it has a consistent record of solid growth of around 6%-7% a year, with revenues rising 40% between 2019 and 2024.
Another major holding in WisdomTree’s portfolio is Qualys (Nasdaq: QLYS). Qualys provides a comprehensive set of cybersecurity services over a cloud-computing platform. It has a strong record of growth, nearly doubling sales between 2019 and 2024 while increasing its earnings per share over the same period. It boasts strong operating margins and a return on capital employed of more than 30%, which makes the fact that it trades at 21 times expected 2026 earnings seem more than reasonable.
One cybersecurity company that Tom Kynge, portfolio manager at Sarasin & Partners, deems one of the “winners” when it comes to firewalls (a barrier designed to prevent unauthorised people gaining access to a network) is Fortinet (Nasdaq: FTNT). Rather than just providing a single service, it offers a platform that provides a wide range of services, from secure networking to AI-driven security operations. It has nearly tripled sales since 2019, with earnings per share increasing more than sixfold. That justifies a 2026 price/earnings (p/e) ratio of 28.
Another cybersecurity firm Kynge likes, and a major holding of HANetf’s Future of Defence Ucits ETF (Nato) – VettaFi’s Axel Belorde is also involved with this ETF – is Palo Alto Networks (Nasdaq: PANW). Its divisions include Network Security, Cloud Security and Security Operations. It also has a Threat Intelligence and Advisory Service. Even though the stock trades on a 2026 p/e of 47, revenue has more than doubled since 2021, and the group is expected to keep expanding strongly.
One smaller company that should also benefit from increasing corporate awareness of cybercrime and fraud is PCI-PAL (LSE: PCIP). PCI-PAL specialises in ensuring that a firm’s payment systems are secure, so they can take payments over the phone or online without risk of fraud. Brendan Gulston of the Gresham House UK Multi Cap Income Fund thinks that PCI-PAL is “a great example of a company that, while not seeking to provide cybersecurity directly, has developed a product that is in demand because of companies’ worries about fraud”. PCI-PAL is a riskier investment as it has only recently started to become profitable, but it has seen revenue grow fivefold since 2020.
This article was first published in MoneyWeek's magazine.