There’s a lot hackers can do to wreak havoc for private equity and other investment firms – and it extends far beyond forcing users to change their passwords. In fact, with their roguish hands on the right information, the consequences can be downright destructive for a firm’s business operations and integrity.
Systems & Network Access
Of course, with stolen passwords and login credentials, hackers can gain access to company systems and networks – not an insignificant feat. Unfortunately, we’ve seen many cases over the years where users rely on reused passwords across multiple systems – meaning when a hacker deciphers a password, it’s a profitable gateway beyond a user’s individual email account.
That said, within that email account alone, a number of critical dangers await. For example, inside your email, a hacker can access, send and delete communications at will, potentially intercepting company sensitive material, financial data or personal details they can use to further infiltrate your network.
They can also easily decipher the corporate hierarchy and capitalize on relationships with those responsible for company payments and financials. For instance, they may send a phishing email to your CFO, posing as you, requesting a fund transfer to a provided bank account number – and depending on your role within the firm, this could be considered routine and easily executed upon.
Beyond email, if a hacker gains entry to your firm’s network, they may also get their hands on company files, personnel information, financial reports, and more.
Customer Information & Contract Details
A stolen or shared password could also unlock access to your firm’s CRM system, which may contain customer and potential customer information (company and personal), investor analysis, and sales forecasting data, among other details. Imagine if this data were sold to a competitor. It wouldn’t take long for them to start targeting specific clients and investors as well as submitting competitive bids based on your sales opportunity and contract information.
Private Equity Deal Flow
If you’re a private equity firm, there’s even more to be concerned about. With their hands on deal flow or portfolio acquisition information, there’s a chance hackers could disrupt M&As or deal agreements, or leak company material in advance of confidential negotiations. With insider information, hackers could also look to make a profit by trading stock or hedging bets based on delicate corporate material they’ve intercepted. With this kind of information at their fingertips, hackers position themselves for profit, notoriety or other gain by holding on to it until the right moment strikes. And when it does, the potential for negative investment impact for the private equity firm becomes all too real.
The motivations behind these cyber criminals may not always be obvious, and in many cases their actions are purely the result of financial incentive. The black market for information is expansive, which means hackers stand to profit significantly from the information they’re able to access. Beyond a monetary incentive, many hackers hold malicious grudges towards previous employers and look to embarrass or shame them in public settings. Others try to influence corporate or market decisions. Regardless of the drivers, the sophistication of these hackers, and the means by which they’re able to sell, proffer and even influence the flow of information, is of great concern to private equity and other investment management firms, and should be, particularly where their cyber risk mitigation strategies are not yet fully formed.
IT Security Reminders
To prevent the above scenarios from taking shape and causing harm to your business, we’d be remiss not to share some actionable guidance for cyber risk management:
- Craft a password policy that requires users to change their passwords at least every 90 days and sets parameters around their construction
- Take advantage of file auditing tools such as Varonis’ DatAdvantage, which provide insight into when and by whom corporate files are opened, edited or shared
- Require users to complete regular information security awareness training that reviews current cyber threat actors and highlights IT best practices
- Train users in real time with phishing simulation tests