Customers of prominent companies affected by recent hack attacks would be unsurprised to hear that corporate cybersecurity is all about the art of compromise.

As Prophecy International (ASX:PRO) chief Brad Thomas told this week’s Australian Microcap Investment Conference in Melbourne, some of the lax practices are downright scary, such as one company that turned its protection off at 2am to save on server costs.

“For mid-to-large corporates, there is a trade-off between how secure you want to be and how much risk you are willing to accept and how much money you want to spend,” Thomas says.

As one of very few ASX-listed cybersecurity plays, Prophecy has a vested interest in scaring the pants off everyone.

But having been in the game for more than a decade and as a provider to the Australian, US, UK and Canadian military, the company has done the hard yards.

Prophecy was founded in 1979, listed in 1997 and has had several iterations over that time. Thomas admits the $44 million market cap company has done so much over that time that many investors have lost track of what it does.

Prophecy’s cyber business is built around Snare, a product acquired in 2011 via the purchase of Intersect Alliance.

Thomas says ‘perimeter’ security such as antivirus, firewalls and anti-malware will only go so far.

“That’s because someone will do something stupid and the bad guys will get in,” he says.

“Many organisations are securing only what they consider to be important assets, but the breach is going to come from someone’s desktop or branch office in Timbuktu.”

As hacked companies such as Optus and Medibank Private would attest, what happens next is just as crucial.

“If you are a health department with confidential patient files, you want to know if there has been unauthorised contact and if they have added something or tinkered with the diagnosis or prescription,” Thomas says.

In its biggest cybersecurity win to date, Prophecy was awarded a $725,000 contract for the UK navy, via lead contractor Fujitsu.

The company expects to land an even bigger one with the UK army, via lead contractor BAE.

Prophecy also has a more mature call centre management offering, Emite, which contributes roughly equal revenue. While Thomas loves each division equally, he expects cybersecurity to gain more traction given the gaping unmet need.

Prophecy posted record revenue of $19.6 million in the year to June 30, 20 per cent higher. Of that turnover, 84 per cent was gleaned from overseas (mainly the US).

A key growth measure, annual recurring revenue, surged 26 per cent to $23 million.

The company lost $2.5 million. Thomas flags an underlying profit this year but says management won’t scrimp on growth measures to achieve this.

“No one gets out of bed in the morning and says ‘we want a small business’. Both (the cyber and call centre) markets are huge and growing and we are scratching the surface of those.”

While there’s no shortage of unlisted cybersecurity rivals, there’s not much on the local bourse to choose from.

Tesserent (ASX:TNT) was taken over and delisted this month, leaving the $30 million market cap archTIS (ASX:AR9).

ArchTIS posted a 37 per cent revenue boost to $6.3 million in the 2022-23 year, but with an $8.2 million loss the benefits are not translating to the bottom line.

A key growth impediment is attracting and retaining cybersecurity experts.

Thomas says a decent operator in Canberra can expect a base salary of $250,000.

What’s scarier than being sent to such a hardship posting is that “there’s still much more money on the dark side than the good guy’s side”.

This story does not constitute financial product advice. You should consider obtaining independent advice before making any financial decisions.

The views, information, or opinions expressed in the interviews in this article are solely those of the interviewees and do not represent the views of Stockhead. Stockhead does not provide, endorse or otherwise assume responsibility for any financial product advice contained in this article.