Jack Hammett & Luke Allen
- In Australia, a cybercrime is reported every 6 minutes, with cyber attacks against individuals, businesses and government growing at a double-digit rate every year
- Australia's critical infrastructure is amongst the world's most targeted (4th in some reports), and incidents affecting it increased 111% in the last year
- Current themes include the need for enhanced security around identity access and critical infrastructure, and the evolving impact of AI and quantum computing
- With heightened risk, boards and business owners need to be prepared, and there is increasing demand for specialist cyber advisory services
- Pemba first invested in the ANZ cybersecurity ecosystem with Ampion (2018), and last year invested in ctrl:cyber
State-sponsored cyber actors and cybercriminals continually target Australia with evolving tactics driven by the latest technologies and an expanding cyber threat landscape.
You will have seen the headlines with organisations like Qantas, Optus and Medibank. Large enterprises remain at risk as potentially lucrative targets for cybercriminals, with long-lasting impact on brand, reputation and investor confidence. SMEs are sometimes easier targets, often lacking robust or well-invested cyber defences.
In all, Australia has seen a double-digit increase in cyberattack volumes, growing 16% yoy in FY24-25.
Key themes we are following
Identity access management (IAM) should continue to be a priority for businesses looking to minimise the risk of breaches. For businesses, email compromise (19%, per ASD) is still the most common cybercrime, including cases where attackers bypass multi-factor authentication (MFA). The adoption of a zero-trust model and phishing-resistant MFA (e.g. passkeys) can help to build resilience, but identity access remains a key risk, particularly with the proliferation of AI.
Indeed, you might have heard (!), but AI is everywhere in cybersecurity, used in both offence and defence. On offence, AI can help develop malware that adapts in real time, phishing campaigns that outwit human intuition, and automated attacks that strike at machine speed. This can mean even seemingly Dickensian trickery like social engineering (data breaches involving impersonation and deception) can be very difficult to challenge. It is reported that the hackers involved in the recent Qantas breach used AI-generated voice deepfakes.
Rising threat to critical infrastructure. Whilst breaches of big airlines and banks dominate the headlines, we must not understate the risk to Australia’s critical infrastructure – organisations that use operational technology (OT) – think hospitals, power plants, utility providers and train operators. In FY2024-25, over 13% of the cybersecurity incidents ASD responded to related to critical infrastructure; this grew at an alarming 111% from the prior year. Reforms to Australian legislation (SOCI) have forced OT stakeholders to demonstrate they are taking reasonable steps to mitigate threats.
The cybersecurity landscape in Australia
The cyber services market is high-growth (c. 18% to 2029) and varies greatly, reflecting the complexity of the market and differing needs of clients. Key players include major consulting firms, IT Managed Services Providers (MSPs) and specialist cyber providers.
In Australia alone, there are over 300 dedicated cybersecurity companies, and many more that offer cybersecurity as part of a broader offering, with 137,000 cyber security workers and professionals.
As well as specialists, we have seen the rise of non-cyber businesses moving into cybersecurity, some with credibility but others with lower-value products and services. Customers need to be aware of the track record and robustness of their cyber partner.
Indeed, customers are increasingly demanding trusted partners with deep integration into their organisation. High-level risk advisory is no longer enough, and there is a need for both implementation and continuous monitoring of defences.
The role of investors in ANZ cybersecurity
The role of private equity in ANZ cybersecurity is building, amidst a very active M&A and investment landscape (recent deals including The Missing Link, Sekuro and CyberCX).
Private equity investment can provide not only the capital but also support on growth initiatives such as pricing and sales strategy, talent (e.g. recruiting and building out a sales team) and add-on acquisitions, to name a few.
Pemba is one of the earliest investors in the ANZ cybersecurity ecosystem, with an investment in Ampion (through the combination of Shelde and Revolution IT) in June 2018. We continued to track businesses and founders in the sector and invested in ctrl:cyber in late 2024.
Based in Melbourne but with national reach, ctrl is a specialist cybersecurity firm that delivers services to mid-market customers through a productised, subscription-focused offering.
“Pemba’s grasp of the cybersecurity market is pragmatic and long-term. It’s a sector that attracts plenty of attention, but few investors understand its complexities as deeply as Pemba. That depth, combined with their insight into the operational and human elements of the market, is what sets them apart and has helped turn ctrl:cyber’s fast growth into long term, sustainable success.”
Steve Williams, Founder & CEO, ctrl:cyber
We aren’t operators (and don’t try to be), but if you are looking to exit and/or grow your cybersecurity business we can assist. The ANZ cybersecurity ecosystem is thriving, and we have been privileged to be observers to it.
If you are interested in finding out how Pemba approaches the cybersecurity market and can add more than just capital, please reach out for a conversation.
Sources
Annual Cyber Threat Report 2024-2025 | Cyber.gov.au
ACN SoTI 2024 | SoTI



