Everyone’s talking about cybersecurity, but are you doing anything about it?

Jarrah Lowe

Cyberattacks are a growing threat to businesses following the Covid-19 pandemic. With millions of us now working from home indefinitely on domestic broadband routers (which aren’t designed to support prolonged at-home working for the masses), while also being physically (and perhaps mentally) detached from workplace security regulations, many businesses and their employees are becoming the targets of cybercriminals.

But cybercrime isn’t new. Pre-Coronavirus, cyberattacks were on the rise - up 11 percent since 2018 and 67 percent since 2014 (Accenture). And the costs are rising too. Globally, cybercrime damages are predicted to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015 (Cybersecurity Ventures).

The new normal of remote working, away from trusted office networks, means offline procedures move online and employees may not question emails requesting sensitive information. There has already been an increase in coronavirus-related phishing attacks aimed at unsuspecting workers; phishing attacks on healthcare have more than doubled in the last two months.

“Attackers are exploiting the situation, so look out for phishing emails and scams,” said cybersecurity agency ENISA.

And hackers are growing stronger. They’re becoming more sophisticated and relentless in their approach, attacking businesses and individuals every 39 seconds. Their ideal target is not the infrastructure itself, but the weakest link in the security system: humans.

No-one’s immune to cybercrime

So, who’s most vulnerable? In a word, everyone. Hackers don’t discriminate against individuals or businesses, of any size, in any industry. Their modus operandi: target the most defenceless, with the most to lose (and preferably the means to pay their hefty demands).

The most affected are SMEs, which account for 70 percent of attacks. Research by Hiscox revealed a 40 percent spike in cyberattacks reported by UK businesses in 2019 compared to the previous year. The Hiscox Cyber Readiness Report 2019, which surveyed 5,400 small, medium and large businesses across the UK, Germany, Belgium, France, Spain, the Netherlands and the US, revealed that 55 percent of UK firms had faced an attack in 2019, with three quarters of firms acknowledging they were unprepared for breaches in the future.

According to a Ponemon Institute report, the most cyberattacked industries over the past 5 years have been the healthcare, manufacturing, financial services, government, and transportation sectors. The hardest-hit industry is healthcare, with the average breach costing $6.45 million in 2019 (IBM). Comparatively, other sectors spend $3.9 million on average.

The energy industry is also increasingly susceptible to cyberattacks. In 2015, it happened in Ukraine, where phishing emails with hidden malware were used, causing a major blackout affecting 230,000 homes.

Higher education institutions, particularly in the US, are great targets too. They house swathes of personal information as well as confidential research, while also having deep pockets to pay ransoms.

Some recent high-profile cyberattacks you might recall include the 2014 to 2018 Marriott breach, where more than 500 million customer records were hacked, resulting in the UK’s privacy watchdog (Information Commissioner's Office) hitting Marriott with a £99 million penalty for breaching GDPR.

In 2014, Yahoo were attacked in the biggest data breach in history, with 3 billion user accounts infamously hacked by Russian spies. It happened again in 2016 while Yahoo were in the process of being acquired by Verizon. As a result, they were devalued by $350 million.

LinkedIn have also endured two cybersecurity breaches, in 2012 and in 2016. The 2012 attack saw 6.5 million passwords stolen and posted onto a Russian hacker forum.

Increasing risk to private equity

Companies owned by private equity firms are also prime targets for cyberattacks. Hackers can easily identify newly bought companies via press releases and hit them with a ransomware attack, leaving private equity houses to pay out in exchange for affected data.

The liability from a data breach, both financially and reputationally, could lead to a reduction in a portfolio company’s purchase price at exit.

PE firms and companies could also receive huge fines for breaking laws and data regulations, like in the case of Marriott International. Undeniably, the cost of getting GDPR wrong, along with probable reputational damage, has increased the focus on cybersecurity significantly in the private equity space.

Most private equity investors say cybersecurity is a high operational and commercial risk – so great you could lose the entire value of your investment – however, only a few have a plan in place to assess their target investment’s cyber defences.

The same goes for many UK businesses. As mentioned above – three quarters of UK firms admit they’re unprepared for a cyber breach.

To successfully fight against cybercrime, it’s imperative that PE firms and businesses alike make cybersecurity a top priority. For private equity firms, understanding the cyber maturity of a target company upfront will help investors understand the extent of the security in place and the cost to close any gaps.

For businesses in general, the same mentality applies. By reviewing your cybersecurity and acknowledging any risks, you can start to plan and implement change and in doing so, protect your business for the future.

Do your due diligence

GDPR and Covid-19 have certainly got us thinking more about cybersecurity and how we safeguard ourselves, our clients and our employees.

For firms with portfolio companies in highly regulated sectors, like financial services and healthcare, cyber should be at the top of their agenda.

Firms with portfolios that meet these criteria, or where the core business involves technology, should be investigating a target’s cyber maturity and cybersecurity practices in due diligence, ideally before the deal is made, to identify risks early.

Unearthing cyber vulnerabilities in due diligence doesn’t necessarily mean the deal shouldn’t go ahead. In fact, it gives the investor an understanding of what needs to happen to rectify them.

Where data and regulation aren’t core to the business’s offering, cyber will understandably be less of a priority. However, this shouldn’t mean it’s forgotten entirely. Firms should consider assessing a target’s cyber defences, even at a high level, as cyber poses an ever-increasing exit risk. Failure to assess cyber in due diligence, either at a high level or more thoroughly, could jeopardise the entire deal.

Train your employees

Another way to mitigate against cyberattacks is to train your front-line workers. Your team is arguably your greatest asset in terms of security, and your greatest liability. Embedding awareness, prevention and security best practices into your team should be a top priority for all businesses. This is especially crucial as home working becomes the new normal.
