Below is an excerpt from our whitepaper, ‘Cybersecurity for Private Equity’.
As private equity firms become more dependent on outsourcing and adopt new technologies to support operations, the number of threats they expose themselves to increases exponentially. Staying on top of new and evolving risks can be daunting, but mitigating these ongoing threats requires meticulous attention.
Today’s hackers and cyber criminals are targeting not only IT systems, but humans as well. Attacks vary in target, size and motive, but all pose serious risks to your firm’s wellbeing. It’s therefore vital to be aware of the common threat types targeting your firm and the broader private equity community. Here are a few to be mindful of:
Ransomware threats are growing in popularity, as they not only succeed in corrupting firm systems and networks, but also have the added benefit of occasionally lining the hacker’s pockets. Outbreaks such as WannaCry and Petya, which dominated headlines around the globe in 2017, may pale in comparison to what skilled hackers are able to accomplish by taking advantage of system flaws, legacy technology, and generally insufficient cyber programs.
With the goal of deceiving and manipulating employees into actively divulging confidential data or simply leaving open a gateway to said information, social engineering schemes are more prevalent than ever. Email phishing remains the most common social engineering threat; however, voice phishing (‘vishing’) and SMS/text phishing (‘smishing’) scams are also growing more widespread. According to the 2017 Verizon Data Breach Investigations Report:
- Social attacks were utilized in 43% of all breaches
- Almost all phishing attacks that led to a breach were followed with some form of malware
- 66% of malware was installed via malicious email attachments
- 73% of breaches were financially motivated
Your firm’s employees will either act as your strongest line of defense – or potentially, your biggest weakness. Comprehensive information security awareness training is most critical in mitigating social engineering threats.
Unlike the cyber threat methods above, the goal of a hacktivist is not financial gain. Rather, business disruption is the ultimate goal – one that is motivated by political or social issues. Hacktivists may not be personally interested in your private equity firm’s data, but that doesn’t mean that they won’t leak your sensitive information to the public if the opportunity arises to draw attention to their cause of choice.
Upping the ante on hacktivism, another serious security threat – cyber terrorism – exists to incite fear within a firm and, of course, lead to a disruption in business operations. Cyber terrorism is considered a form of terrorism because its perpetrators focus on provoking fear with little regard for collateral damage and have obvious ties to political or known cyber terrorist groups.
Of course, threats don’t always manifest themselves as traditional external dangers. In many cases, a firm’s own employees are directly responsible for security breaches. Whether acting unintentionally or maliciously, your firm’s users are a credible access point for hackers to gain entry into your systems and networks. Once hackers gain access to your network or data, there is a lot that they can do to wreak havoc for private equity and other investment firms – and it extends far beyond forcing users to change their passwords. In fact, with their roguish hands on the right information, the consequences can be downright destructive for a firm’s business operations and integrity.
More IT Security Reminders for Private Equity Firms:
- Get rid of dirty (i.e. incomplete, outdated and duplicate) data.
- Keep track of cyber requirements with an implementation calendar.
- Test users’ knowledge of cyber threats with simulated phishing tests.