We spend a lot of time these days talking with private equity investors about the importance of cyber security for their target and portfolio companies. While there is general agreement that it is critical to identify and mitigate potential cyber security risks, those efforts often focus only on the most obvious targets—companies dealing in credit card data, personal financial information, or protected health information (PHI).
As attackers become more sophisticated, it becomes increasingly difficult to narrow down the impact of a particular breach: a breach can affect ALL data and ALL operations of an organization. Every organization is at risk, whether the threat is being held for ransom, corporate espionage, or the mere exposure of employee passwords or social security numbers for sale on the black market.
With the rise in number and sophistication of ransomware attacks and international organized crime, hackers are being less discriminating about who they attack. According to a recent Symantec Internet Security Threat Report (ISTR), attacks against small (1 to 250 employees) and medium (251 to 2500 employees) businesses are on the rise. These are the typical targets for private equity. Not only that, but ransomware has the potential for impacting all operations, regardless of organization type.
As we saw from WannaCry and other recent ransomware attacks, not only was data breached, but systems were taken offline. Recovering from a breach of this magnitude can require a rebuild of the entire environment from backup systems in which there may be little confidence of a successful recovery. In addition, if employee usernames and passwords are taken, an entirely new Active Directory domain (or other user authentication system) may be needed. And finally, identity theft protection may need to be provided to employees if their social security numbers were taken. All of these depend on the extent of the breach, which can be difficult to determine, and can increase the cost of remediation efforts.
Today, the stated norms are not “if” you will be hacked but “when”, so determining how to act and minimize the impact should be the top priority of a security strategy for private equity portfolios. In a recent survey of corporate executives and private equity partners conducted by West Monroe and Mergermarket, 40% of respondents said they had discovered a security problem AFTER a deal went through. Thus, focusing efforts outside traditional point-in-time toolsets such as penetration testing or vulnerability scanning is required. Instead, focus on a holistic approach that creates a culture of ongoing security awareness with incident response plans and regular review and monitoring tailored to each business and key threats.
Questions? Please leave a comment below, or read more about West Monroe’s Cybersecurity Assessment for Private Equity (CAPE).