The top 7 cyber security risks for private equity firms

Private equity firms hold a wealth of sensitive client and market information that make them a prime target for cyber criminals, who may see them as a ‘weak link’ to obtaining the information that they are after.

The fall-out of a cyber attack can have devastating consequences for the client and the firm: it could lead to the downfall of a proposed client project – or even business – and the firm may be hit by reputational damage and vast potential fines.

Despite this, a recent survey of 100 international private equity firms showed that, while more than 70% of respondents believed cyber security was a high operational risk to their business, only 23% had a fully operational and compliant cyber security programme in place.

A frequent barrier to implementing an effective cyber security programme and policies is to know where to begin. However, a good starting point is to identify where the main threats are coming from. We’ve outlined the top risks identified in the government-led Cyber Security Breaches Survey 2016 – which covers both traditional on-premises systems and cloud solutions – and how best to guard against them

1. Viruses, spyware and malware

By far the greatest cyber security risks come from viruses, spyware and malware, according to the survey, with 68% of firms having experienced this type of attack in the last month.

Ransomware is the fastest growing form of malware, which restricts access to a computer system and blackmails users to pay money to remove the restriction and release the files. This threat not only affects desktop and laptop computers, but is increasingly used on mobile devices and can be hidden in mobile apps.

Spyware should also be of concern to private equity firms, as it can be used to secretly record what is done on your computer systems in order to capture data such as passwords, financial details and sensitive market data.

How to guard against this:

Always ensure that your systems are up-to-date with the latest anti-virus, spyware and malware protection. Cloud solutions provide automatic updates based on the latest intelligence of newly formed threats. However, you also need a back-up plan for if a threat does materialise, which is where an IT provider can step in with proactive server and malware monitoring.

Moreover, staff training is perhaps one of the simplest and most overlooked areas in protecting against IT security, and your IT cloud provider should be able to run in-depth workshops to help your employees understand and protect your firm against risks – learning to identify potentially risky email attachments, for example.

2. Impersonation in emails or online

32% of those surveyed had been subject to online identify theft, often used as a method of stealing money or valuable information from clients.

An impersonation attack is when cyber attackers pretend to be someone an employee trusts in order to trick them into sending money to their account, disclosing sensitive data, clicking on a fraudulent link, or something else designed to hurt their company.

While we’ve all seen emails where you can immediately see they’re fake (poor spelling, random email address, etc.), today’s cyber attackers may use more sophisticated methods to win trust. These could include gathering information from the employee’s social media to add a personal touch to their emails.

How to guard against this:

Documents containing sensitive information about the firm should be encrypted and kept only for as long as they are needed. You should also search for your firm’s name, partners – and even staff – regularly online to see if these have been used to set up a false office, checking any online search facilities for private equity firms and review the FCA’s list of bogus firms.

3. Online activism to cause downtime – DDoS attacks

15% had been subject to a concerted overloading of their servers with the aim of causing downtime – often by campaign groups or coordinated networks of computers hijacked by malware.

For financial firms, the direct consequences of downtime can include loss of data, loss of revenue and damage to business reputation.

How to guard against this:

The FCA look for adequate protection capabilities to be in in place to determine if you have been attacked, and have advised that the most important armour of defence is Distributed Denial of Service (DDoS) website rescripting.

4. Unauthorised access to computers, networks or services

13% of businesses have suffered a hacking breach, which poses a significant risk of breach to confidentiality and financial details. Hackers can use simple methods such as guessing passwords to break into systems or access otherwise hidden areas of websites that may contain client information or private staff areas.

Another big threat comes from unsecured Wi-Fi, which gives hackers ample opportunity to inspect and compromise any data transferred via the network and then use it to their own ends. Shadow IT – whereby employees use their own unsecured devices and applications in the absence of officially sanctioned mobile and cloud technology – is another key area of risk.

How to guard against this:

Staff training is again a key element in the fight against such attacks. Shadow IT shows the lengths that employees will go to when their technology needs are not catered to through the proper channels. Firms should therefore embrace mobile and cloud solutions, but ensure that adequate safeguards are in place and that staff are trained in how to protect the firm from hacking.

5. Money stolen electronically

13% of those surveyed had had money stolen electronically.

Cyber attackers often use a method known as Account Takeover Fraud to steal money directly from an organisation’s bank account.

It happens by fraudulently obtaining a company’s online banking login credentials (usernames, passwords, etc.), logging into their online account, and setting up a transfer to the attacker’s bank account. Alternatively, they might make unauthorised purchases using the company account. The attackers will usually change the company’s banking logins so they can’t log back into their accounts.

How to guard against this:

Most attacks of this nature come in the form of malware and so similar precautions should be taken as set out in step 1.

However, you should be vigilant for unusual activity on your organisation’s bank account, such as multiple failed login attempts or unexpected notifications for transfers or purchases. Change your login credentials regularly and ensure that only the right people can access your banking solutions.

6. Data Breaches

When it comes to cyber security private equity firms have to sit up and take notice. After all, they hold a vast amount of valuable data, including sensitive financial information on high-net-worth individual clients and their businesses. As a result, private equity firms are a frequent target for cyber criminals.

Data breaches in private equity firms can occur through a variety of means. As well as the methods mentioned in earlier sections (spyware is an especially prevalent way cyber attackers target private equity firms), you see examples of insider threats, where employees or third-party suppliers have access to sensitive data and use it maliciously.

The impact of a data breach can be devastating to a private equity firm. Financially, the average ransom paid is more than $1 million. However, you also need to consider the reputational damage. What company will want to partner with an investor who can’t keep their data safe?

How to guard against this:

To boost cybersecurity private equity firms should implement robust security measures, including firewalls, detection and prevention solutions. Ensure all sensitive data is encrypted so if a cyber attacker does get their hands on it, they can’t use it. Train your employees on the importance of cyber security and the best practices to follow.

7. Phishing and Social Engineering Attacks

Phishing – when cyber attackers send emails that look like they’re from a trusted source to deceive the recipient into clicking on a malicious link or sharing information – is a huge cyber security concern for private equity firms.

Today’s cyber attackers use more sophisticated tactics than the poorly spelled emails of the past, including social engineering. This is when they gather information about the organisation or the individual recipient (often from social media) and include it in the email to appear more plausible and win trust.

How to guard against this:

Private equity firms can combat phishing and social engineering by keeping their anti-malware software and email spam filters up-to-date. You should also train your employees to be vigilant against unsolicited phone calls, visits and email messages from individuals asking questions about employees or demanding other internal information.

Conclusion

An MSP can help you and your private equity firm with your cyber security strategy.

A managed service provider (MSP) can help you and your private equity firm formulate a cyber security strategy that safeguards your organisation’s digital assets and data. Then, they’ll help you implement it, continually looking for ways to improve your defences through new technology.

Cyber risks can be daunting, but need to be addressed before they leave you and your clients exposed. If you need help with implementing an FCA-compliant cloud solutions approach to cyber security with added features such as mobile device wiping in the event of loss or theft, get in touch with Doherty Associates today.

Find out more about how to ensure that your firm meets data protection and regulatory compliance issues, whilst staying ahead in a rapidly changing marketplace, with our guide: Modern workforce, modern security.