Like most criminals, cyber hackers want an easy life. Just as burglars prefer forgotten open windows over picking front door locks as a way in, so their digital counterparts are looking for targets that offer maximum return for minimum effort.
by Jason Elmer, Founder and CEO, Drawbridge
As such, while major corporations wise up to the threat of sophisticated attackers and invest in the sort of defences that limit the impact of bad actors, criminals are now turning their attention to potentially easier targets. And that includes businesses that are raising capital or those that recently announced funding – particularly when those businesses not only hold significant financial data but also potentially offer gateways, or open windows, to other companies.
It’s thus no surprise that ransomware attacks are increasingly targeting Private Equity (PE) firms and their portfolio companies (PortCos). As attacks increase, it’s imperative that investors become more aware of the risks they face and take swift action to protect themselves – and their portfolio companies.
Cyber vigilance as a differentiator
Cyber vigilance is increasingly becoming a differentiator for investors when considering companies to add to their portfolios. Gartner highlighted that “by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements,” and in doing so noted that “Investors, especially venture capitalists, are using cybersecurity risk as a key factor in assessing opportunities.”
There’s also regulatory pressure to get houses in order. In February, the Securities and Exchange Commission (SEC) voted to propose a new set of cybersecurity rules to oversee how alternative investments or private capital firms manage risk, requiring clear policies and procedures to be put in place. In addition, advisers would need to report incidents that impact their firms, funds or clients.
Clearly, PEs need to be as rigorous in checking their own windows are closed as they are in running the rule on the security posture of target companies. For most, it means a wholesale change in their approach to cyber security. The question is, how do they begin to implement this new approach? Securing your own operations is hard enough – how do you extend that to other entities in your orbit?
Check your windows
First, it’s worth considering what open windows there could be. One of the most glaring yet overlooked open windows is the employees at PEs and their PortCos. This isn’t to suggest that everyone is maliciously trying to undermine their employer (though insider attacks do happen); rather, that too often an assumption is made that workers understand the ways in which they can be targeted.
The reality is that many people don’t realize how many cyber threats are designed to exploit people’s ignorance or naivety. From ransomware to phishing attacks, many of the major leaks we read about in the news can be traced back to individuals who didn’t realize they shouldn’t click on a link, open a suspicious attachment or download an app at work.
Like any good burglar, why would a cyber thief spend time trying to crack encrypted corporate networks when they could simply gain access by targeting unsuspecting employees? They wouldn’t. That’s why the first step in any PE firm’s cyber security approach should be to focus on educating staff, starting with the PE firm itself and then extending out to its PortCos to ensure they are undertaking similar processes.
Similarly, it’s not too difficult for attackers to take advantage of a lax approach to updating software. Technology is constantly evolving, and changes to critical systems can bring immense business benefits and operational efficiencies – but can also create new gaps in defences. PE firms and their PortCos must ensure that they have a rigorous and consistent process to keep systems up to date and fix bugs as solutions are released to prevent attackers from exploiting any holes.
Sophisticated responses for new attacks
Those are just two of the windows that can be closed relatively quickly. But the fact is that attacks are becoming more sophisticated, which means the responses must too.
Only real-time cyber risk monitoring will enable firms to protect their most sensitive data and safeguard against internal and external threats. That means firms must have more than the traditionally adequate technical and logical controls – they need active, continuous risk mitigation solutions and reporting, and cyber programs that are tested using real-world scenarios that provide a clear picture of how the business would defend against and respond to an incident.
A case of when, not if
Ultimately, PE firms and their PortCos need to realize that it is a case of when, not if, they are targeted. Most businesses understand and accept it; what they will not accept is inaction, attempts to hide issues, or a failure to mitigate the impact.
That’s why the new SEC rules are pushing for incidents to be reported, and why the European Union’s General Data Protection Regulation (GDPR) has fines in place for companies that have not done everything they can to reduce the risk of data breaches. Those businesses that do not do everything in their power to respond appropriately to incidents will not only have to deal with the immediate fallout of the attack itself, but subsequent legal, financial and reputational consequences.
Close the windows to protect firms and PortCos
It’s one thing to be undone by a sophisticated attack that may be far ahead of any of your existing defences; it is quite another for an opportune bad actor to sneak in via an open window. Cybersecurity is challenging, and it’s only becoming more complicated as attackers become more sophisticated and geopolitical threats rise. It’s clear that if there was ever a time to pay attention to cyber risk and buttress your defences, it is now.
The best way for PE firms and their PortCos to protect their organizations is to make it as hard as possible for cyber attackers to gain access. Invest in the right real-time cyber risk monitoring, confirm all your systems are patched and up to date, and have your comprehensive incident response plan tested and ready to go on a moment’s notice. Put simply: Don’t be an open window.