Private Equity Firms Shore Up Security After Experiencing Cyber Issues, Breaches
In 2016, 70 percent of private equity firms experienced no fewer than three cybersecurity issues. Not one or two. But three (or more). It’s one of the most jarring findings of our Private Equity CTO Survey, and it signifies just how imperative it is for private equity firms to implement sound and robust security measures to protect business assets, operations and reputations.
In the past 12 months, private equity firms indicated that they’ve experienced a wide range of cybersecurity issues, most notably malware, worms and viruses (1 in 3 firms), unauthorized access to corporate data (nearly 1 in 3 firms) and hijacking of social media accounts (nearly 1 in 3 firms). While the latter, in particular, may not seem like a concerning issue, it’s important to recognize that social media accounts are attractive gateways for hackers who rely on social engineering. Information within these personal accounts can serve as the keys to corporate information systems – particularly if users are not diligent about maintaining unique passwords for various systems.
That nearly a third of firms have experienced unauthorized access to corporate data highlights a lack of control over an organization’s data and who has access to it. Without a detailed access control policy and ongoing monitoring in place, too often employees receive excessive data access privileges that introduce security risks.
In light of these experiences, our survey indicates firms will make significant changes to their IT budgets this year. When asked what percentage of their overall IT budget would be dedicated to cybersecurity in the next 12 months, respondents indicated a significant increase, as seen by the chart below. Only seven (7) percent of private equity firms will have cybersecurity budgets of less than five (5) percent, down from 24 percent currently. Increases are also expected in the budget range of 10 to 25 percent.
Future Cyber Focus Areas for Private Equity Firms
Data protection issues are most concerning to private equity firms in 2017, according to our survey respondents. The top cyber concern in the next 12 months? Unauthorized access to corporate data. This selection should not be surprising given that nearly 1 in 3 firms have experience with it. This risk can take many forms; most often, however, it is unknowing employees placing company data in jeopardy. To reduce security gaps and protect against data loss, firms should implement tools for file activity monitoring and auditing, and apply the principle of least privilege to limit data access to only those employees who require it.
Other top concerns call attention to serious legal, reputational and relationship repercussions that could be suffered by the firm, including theft of client data and corporate identity theft. Social engineering scams have evolved beyond opening fake accounts: hackers are also using social engineering tricks to entice employees into executing wire transfers worth millions of dollars.
It is worth noting that ‘malware, worms and viruses’, while the top issue experienced, fell in the middle of the pack for future concerns. This likely shows that IT executives today are comfortable defending against these types of security issues and are more concerned with sophisticated attacks or employee mistakes.