Leaders of venture capital (VC) and private equity (PE) firms, and the entrepreneurs running the technology companies they invest in, know that effective cybersecurity matters to their success. But with VC and PE firms focused on portfolio performance and tech startups focused on growth, cybersecurity often falls lower on the priority list than it should.
That has started to change in recent years, however, as firms become more aware of cyber risk. A 2021 global survey by PwC found that 71% of CEOs say they are extremely concerned about cyber threats. High-profile cases are heightening awareness: In April 2020, news broke that three UK private equity firms had suffered a sustained cyberattack that led to £1.1 million (around $1.3 million) in fraudulent wire transfers, a year after a similar attack in which a Chinese VC firm was tricked into transferring $1 million to cybercriminals.
With COVID-19 and the shift to work-from-home creating further risks, now is an ideal time for VC/PE firms and tech companies to revisit their cybersecurity efforts. In fact, the best cybersecurity practices are baked into the core of a business from the very start.
Integrating cybersecurity into a strategic business plan from the beginning is always a good idea. Otherwise, once an incident occurs, you are left backpedaling to work out which processes failed. When security practices are integrated from the start, it is much easier to see where a process needs fixing or where a technical control should be applied.
Here are several keys to cybersecurity for tech startups and VC firms to prioritize.
Stay up to date on scams
The scams mentioned above took the form of “business email compromise” (BEC) or “man-in-the-middle” schemes. In these scams, cybercriminals use spoofed email addresses and lookalike domain names to insert themselves between the parties to a deal, diverting messages from their intended recipients, gathering more and more information about the transaction, and ultimately redirecting a payment. According to the FBI, these BEC (or EAC, for “email account compromise”) incidents are the costliest form of internet crime: The FBI received 19,369 complaints of BEC/EAC in 2020, with victims losing approximately $1.8 billion in total.
For tech and PE/VC firms, email compromise remains the attacker’s first choice, followed by ransomware.
Firms should also watch for timely, opportunistic scams, which emerge all the time. COVID-19, for example, created new risks around fake vaccination websites, and the FBI recently advised everyone to watch out for “offers promising early access to a COVID-19 vaccine for a fee” and for “callers requiring irrelevant personal or financial information to register for a vaccine appointment.”
Fake tech support calls are another common scheme. A cybercriminal calls someone, perhaps a private equity firm employee, claiming to represent a third-party IT firm and citing “anomalous behavior” on the employee’s machine. The caller then asks the employee to install remote access software so the IT firm can resolve the (fake) issue. The fraudster remotes into the computer, pretends to fix something, and leaves the remote access software in place so they can come back later for sensitive information or data.
Implement best-practice controls and educate your team
VC and PE firms are especially ripe targets for cybercrime due to the high dollar amounts in which they frequently transact. Security is everyone’s responsibility, not just the domain of a firm’s IT department, and security awareness education is a necessity for all employees.
Cybersecurity awareness training helps to address one of the biggest factors in major security breaches: human error. By training employees how to recognize and respond to cyber threats, organizations can dramatically improve their security and cyber resilience.
Funding transaction protocol
When it comes to transactions, employees must pick up the phone and verbally confirm all wire instructions received by email, using a phone number already on file rather than one supplied in the email, and especially any last-minute changes. Such changes are red-flag indicators of a BEC scam: move the conversation off email and verify by voice that the source of the change is legitimate.
Implement two-factor authentication
Additional best practices include requiring two-factor authentication (2FA), a second layer of security beyond a password, when individuals sign in to their business email accounts, and recommending 2FA for online banking platforms as well. Where the platform offers it, an authenticator app or hardware security key is a stronger second factor than a code sent by SMS.
Further, to protect against viruses, malware and ransomware, keep your systems up to date so that you always receive the latest security patches from Microsoft, Apple, or whichever vendor supplies your devices and software.
Maintain regular backups
Whether you’re a tech startup or an established venture firm, it’s crucial to keep regular backups of your data, so that if you’re hit with ransomware you can wipe your machines clean and restore from backup to get back online. Keep at least one copy offline or otherwise out of reach of the network, since ransomware operators routinely try to encrypt or delete backups first, and test a restore periodically so you know the backups actually work.
Verify IT requests
Employees should be trained on how to interact with your IT department, including how to verify by phone, on a known number, that they are dealing with the right parties before granting remote access or sharing credentials. Legitimate IT staff should never need an employee’s password.
Review access roles and restrict privileges
To catch theft or other insider misuse, review user access roles on a regular basis. In particular, review both how transactions are processed and who is allowed to process them at least annually.
Limit the number of people with administrative privileges that allow them to change systems. Only a few people need this ability, and you don’t want a cyber thief obtaining the password of someone who has it.
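The two paragraphs above describe a periodic access review. As an added example of what that review looks like when written down as a script rather than a checklist, the following Python is example code written for this page, not First Republic’s tooling. The policy values (two approved administrators, a 90-day dormancy limit, the conflicting role pairs) and the access export are constructed assumptions; a real review would read the export from the firm’s identity provider or banking portal.

```python
"""Periodic review of privileged and payment access against a written policy (added example)."""
from __future__ import annotations

from datetime import date

# Policy values: assumptions for this example, not a standard.
MAX_ACTIVE_ADMINS = 2
APPROVED_ADMINS = {"alice", "bob"}
DORMANT_DAYS = 90
PRIVILEGED_ROLES = {"admin", "payee_create", "wire_initiate", "wire_approve"}
# Duties one person must not hold together: whoever creates a payee or initiates a
# payment must not also be the person who approves it.
CONFLICTING_PAIRS = [("payee_create", "wire_approve"), ("wire_initiate", "wire_approve")]

# Constructed access export, in the shape an identity provider or banking portal might produce.
ACCESS_EXPORT = [
    {"user": "alice", "roles": {"admin", "wire_approve"}, "last_login": "2021-04-20", "status": "active"},
    {"user": "bob", "roles": {"admin"}, "last_login": "2020-11-01", "status": "active"},
    {"user": "carol", "roles": {"admin", "payee_create", "wire_approve"}, "last_login": "2021-04-28", "status": "active"},
    {"user": "dave", "roles": {"wire_initiate"}, "last_login": "2021-04-29", "status": "active"},
    {"user": "erin", "roles": {"wire_approve"}, "last_login": "2021-02-01", "status": "terminated"},
]


def review_access(records: list[dict], today: date) -> list[dict]:
    """Return one finding per policy violation; an empty list means the review passed."""
    findings: list[dict] = []

    def flag(user: str, code: str, detail: str) -> None:
        findings.append({"user": user, "code": code, "detail": detail})

    # Too many administrators is a finding on its own, before looking at individuals.
    active_admins = [r["user"] for r in records if r["status"] == "active" and "admin" in r["roles"]]
    if len(active_admins) > MAX_ACTIVE_ADMINS:
        flag("*", "too_many_admins",
             f"{len(active_admins)} active admins ({', '.join(sorted(active_admins))}), limit {MAX_ACTIVE_ADMINS}")

    for r in records:
        user, roles = r["user"], set(r["roles"])
        # Offboarded people should hold nothing at all.
        if r["status"] != "active":
            if roles:
                flag(user, "offboarded_with_access", f"status {r['status']} but still holds {sorted(roles)}")
            continue
        if "admin" in roles and user not in APPROVED_ADMINS:
            flag(user, "unapproved_admin", "admin role not on the approved list")
        for a, b in CONFLICTING_PAIRS:
            if a in roles and b in roles:
                flag(user, "sod_conflict", f"holds both {a} and {b}")
        # A privileged account nobody has used for months is a stolen-password target, not a convenience.
        idle = (today - date.fromisoformat(r["last_login"])).days
        if idle > DORMANT_DAYS and roles & PRIVILEGED_ROLES:
            flag(user, "dormant_privileged", f"no login for {idle} days with {sorted(roles & PRIVILEGED_ROLES)}")
    return findings


def review_export(as_of: str = "2021-05-01") -> list[dict]:
    """Run the review over the constructed export as of the given ISO date."""
    return review_access(ACCESS_EXPORT, date.fromisoformat(as_of))


if __name__ == "__main__":
    for f in review_export():
        print(f"{f['code']:<24} {f['user']:<8} {f['detail']}")
```

Run against the constructed export, the review produces five findings: three administrators where policy allows two, one administrator not on the approved list, one person who can both create a payee and approve a wire to it, one administrator who has not logged in for 181 days, and one terminated user who still holds wire approval. Each of those is the kind of item an annual review exists to surface, and the output is a list a firm can act on rather than a yes/no.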
Develop and test an incident response plan
Another item to review at least annually is the incident response plan, covering a range of scenarios. These are the action plans an organization follows when systems are compromised or an incident occurs. A cohesive incident response plan defines roles and steps in advance, so people know how to act when the time comes.
Enhance your cybersecurity efforts
Your bank should also be able to help your firm develop an effective security strategy and incident response plan. First Republic offers multiple services designed to enhance our clients’ cybersecurity efforts, including:
- Free cyber awareness sessions, in which we educate organizations on cyber risks and best practices.
- Our Internet Security Health Check service, in which a team of First Republic cybersecurity specialists conducts an assessment of all of the devices used for an organization’s online banking to help ensure they are secure and properly configured.
- Proactive domain monitoring, in which we detect lookalike domains (used in BEC scams) for our clients and give them early warning notices to take action according to their security policies.
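The lookalike domains and diverted replies described under “Stay up to date on scams,” and the lookalike detection that domain monitoring automates, can be illustrated with a small screening check. The following Python is an added example written for this page, not First Republic’s monitoring service or any product’s code. The trusted domains, the confusables table, the scoring thresholds and the sample message are all constructed assumptions; the classifier goes a little beyond the text by covering the common lookalike families (character swaps, TLD swaps, added words, typos) rather than only the spoofed address the article mentions.

```python
"""Screen inbound mail for lookalike sender domains and Reply-To mismatches (added example)."""
from __future__ import annotations

import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Domains this firm legitimately exchanges wire instructions with (constructed for the example).
TRUSTED_DOMAINS = {"examplecapital.com", "examplefund-law.com"}

# Single-character confusables seen in lookalike domains: digits for letters, and Cyrillic
# letters that render identically to Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalize(domain: str) -> str:
    """Collapse common visual tricks so a lookalike compares equal to the domain it imitates."""
    labels = []
    for label in domain.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):  # punycode-encoded internationalized label
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    d = unicodedata.normalize("NFKC", ".".join(labels)).translate(CONFUSABLES)
    # Two-character confusables cannot be expressed with str.translate.
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'unknown', or 'lookalike:<kind> of <trusted domain>'."""
    raw = domain.strip().lower().rstrip(".")
    if raw in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(raw)
    name, _, tld = norm.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_norm = normalize(trusted)
        t_name, _, t_tld = t_norm.rpartition(".")
        if norm == t_norm:
            return f"lookalike:homoglyph of {trusted}"
        if norm.endswith("." + t_norm):
            return "trusted"  # genuine subdomain, e.g. mail.examplecapital.com
        if name == t_name and tld != t_tld:
            return f"lookalike:tld-swap of {trusted}"
        if t_name in name:  # examplecapital-wires.com, examplecapital.com.evil.net
            return f"lookalike:affix of {trusted}"
        if edit_distance(name, t_name) <= (1 if len(t_name) < 10 else 2):
            return f"lookalike:typo of {trusted}"
    return "unknown"


def analyze_message(raw_message: str) -> list[str]:
    """Findings for one message: sender verdict, Reply-To mismatch, payment-plus-urgency wording."""
    msg = message_from_string(raw_message)
    findings: list[str] = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    verdict = classify_domain(from_domain)
    if verdict != "trusted":
        findings.append(f"From domain {from_domain!r} is {verdict}")
    # A Reply-To on a different domain silently routes the conversation to the attacker.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_domain and reply_domain.lower() != from_domain.lower():
        findings.append(f"Reply-To domain {reply_domain!r} differs from From ({classify_domain(reply_domain)})")
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in ("wire", "bank", "account", "invoice")) and any(
        w in subject for w in ("urgent", "updated", "new", "change")
    ):
        findings.append("Subject pairs payment details with urgency or a change; confirm by phone on a known number")
    return findings


# Constructed message in the shape of the BEC attempts described above (not a real capture).
SAMPLE_BEC = """\
From: "Jane Partner" <jane.partner@examplecapita1.com>
Reply-To: jane.partner@examplecapital-wires.com
To: ops@examplecapital.com
Subject: URGENT: updated wire instructions before today's closing

Please use the new account details attached for the closing wire.
"""

if __name__ == "__main__":
    for line in analyze_message(SAMPLE_BEC):
        print(line)
```

On the sample message the check flags all three tells at once: a From domain that is `examplecapital.com` with the letter l swapped for the digit 1, a Reply-To on a domain that merely contains the firm’s name, and a subject line that combines wire instructions with urgency. None of that replaces the phone call on a known number; it decides which messages must never be acted on without one.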
Ultimately, solid cybersecurity strategies are a cornerstone of good business practices. The more central they are to your company’s or firm’s strategic business plan today, the better prepared you’ll be to handle the unknown risks of the future.