Private equity firms hold a wealth of sensitive client and market information that make them a prime target for cyber criminals, who may see them as a ‘weak link’ to obtaining the information that they are after. The fall-out of a cyber attack can have devastating consequences for the client and the firm: it could lead to the downfall of a proposed client project – or even business - and the firm may be hit by reputational damage and vast potential fines.
Despite this, a recent survey of 100 international private equity firms showed that, while more than 70% of respondents believed cyber security was a high operational risk to their business, only 23% had a fully operational and compliant cyber security programme in place.
A frequent barrier to implementing an effective cyber security programme and policies is to know where to begin. However, a good starting point is to identify where the main threats are coming from. We’ve outlined the top risks identified in the government-led Cyber Security Breaches Survey 2016 – which covers both traditional on-premises systems and cloud solutions – and how best to guard against them
1. Viruses, spyware and malware
By far the greatest cyber security risks come from viruses, spyware and malware, according to the survey, with 68% of firms having experienced this type of attack in the last month.
Ransomware is the fastest growing form of malware, which restricts access to a computer system and blackmails users to pay money to remove the restriction and release the files. This threat not only affects desktop and laptop computers, but is increasingly used on mobile devices and can be hidden in mobile apps.
Spyware should also be of concern to private equity firms, as it can be used to secretly record what is done on your computer systems in order to capture data such as passwords, financial details and sensitive market data.
How to guard against this: Always ensure that your systems are up-to-date with the latest anti-virus, spyware and malware protection. Cloud solutions provide automatic updates based on the latest intelligence of newly formed threats. However, you also need a back-up plan for if a threat does materialise, which is where an IT provider can step in with proactive server and malware monitoring.
Moreover, staff training is perhaps one of the simplest and most overlooked areas in protecting against IT security, and your IT cloud provider should be able to run in-depth workshops to help your employees understand and protect your firm against risks – learning to identify potentially risky email attachments, for example.
1. Impersonation in emails or online
32% of those surveyed had been subject to online identify theft, often used as a method of stealing money or valuable information from clients.
How to guard against this: Documents containing sensitive information about the firm should be encrypted and kept only for as long as they are needed. You should also search for your firm’s name, partners - and even staff - regularly online to see if these have been used to set up a false office, checking any online search facilities for private equity firms and review the FCA’s list of bogus firms.
3. Online activism to cause downtime – DDoS attacks
15% had been subject to a concerted overloading of their servers with the aim of causing downtime – often by campaign groups or coordinated networks of computers hijacked by malware.
For financial firms, the direct consequences of downtime can include loss of data, loss of revenue and damage to business reputation.
How to guard against this: The FCA look for adequate protection capabilities to be in in place to determine if you have been attacked, and have advised that the most important armour of defence is Distributed Denial of Service (DDoS) website rescripting.
4. Unauthorised access to computers, networks or services
13% of businesses have suffered a hacking breach, which poses a significant risk of breach to confidentiality and financial details. Hackers can use simple methods such as guessing passwords to break into systems or access otherwise hidden areas of websites that may contain client information or private staff areas.
Another big threat comes from unsecured Wi-Fi, which gives hackers ample opportunity to inspect and compromise any data transferred via the network and then use it to their own ends. Shadow IT – whereby employees use their own unsecured devices and applications in the absence of officially sanctioned mobile and cloud technology – is another key area of risk.
How to guard against this: Staff training is again a key element in the fight against such attacks. Shadow IT shows the lengths that employees will go to when their technology needs are not catered to through the proper channels. Firms should therefore embrace mobile and cloud solutions, but ensure that adequate safeguards are in place and that staff are trained in how to protect the firm from hacking.
5. Money stolen electronically
13% of those surveyed had had money stolen electronically.
How to guard against this: Most attacks of this nature come in the form of malware and so similar precautions should be taken as set out in step 1.
Cyber risks can be daunting, but need to be addressed before they leave you and your clients exposed. If you need help with implementing an FCA-compliant cloud solutions approach to cyber security with added features such as mobile device wiping in the event of loss or theft, get in touch.
Find out more about how to ensure that your firm meets data protection and regulatory compliance issues, whilst staying ahead in a rapidly changing marketplace, with our guide: Modern workforce, modern security.