Leaders of venture capital (VC) and private equity (PE) firms — and entrepreneurs helming the technology companies they invest in — know that effective cybersecurity is important to their success. But with VC and PE firms focused on portfolio performance, and tech startups focused on growth, cybersecurity sometimes falls lower on their priority lists than it should.
That has started to change in recent years, however, as firms become increasingly aware of cyber risk. A 2021 global survey by PwC found that 71% of CEOs say they are extremely concerned about cyber threats. High-profile cases are heightening awareness: in April 2020, news broke that three UK private equity firms had suffered a sustained cyberattack that led to £1.1 million (around $1.3 million) in fraudulent wire transfers; the incident came a year after a similar attack in which a Chinese VC firm was scammed into transferring $1 million to cybercriminals.
With more employees working remotely since the pandemic, companies are more vulnerable to attacks. This makes it an ideal time to revisit your organization's cybersecurity efforts. In fact, the best cybersecurity practices are baked into the core of a business from the very start.
Are cybersecurity controls integrated into your strategic business plan?
Integrating cybersecurity practices from the beginning of any strategic business plan is always a good idea. In doing so, companies can greatly diminish the risk to valuable assets and information when an incident occurs. When cybersecurity practices are integrated from the beginning, it’s much easier to figure out where you need to fix processes or apply technical solutions.
Here are several keys to cybersecurity for tech startups, PE firms and VC firms to prioritize.
Stay up-to-date on scams
Business email compromise scams
The above-mentioned scams took the form of “business email compromise” (BEC) or “man-in-the-middle” schemes. In these scams, cybercriminals use spoofed email addresses and lookalike domain names to divert messages from their intended recipients to fraudsters and to obtain sensitive, valuable information, ultimately leading to fraudulent transactions. According to FBI data, these BEC (or EAC, for “email account compromise”) incidents are the costliest form of internet crime: in 2020, the FBI received 19,369 BEC/EAC complaints, with victims losing approximately $1.8 billion in total. That amounts to nearly half of the $4.2 billion in losses from all internet crime in 2020.
For tech and PE/VC firms, email compromise remains the number one attack vector, followed by ransomware.
Firms should also worry about timely scams that occur during the holidays or tax season.
For example, with the new tax season starting, the IRS reminded taxpayers to be aware that criminals continue to make aggressive calls posing as IRS agents in hopes of stealing taxpayer money or personal information.
Tech support scams
Fake tech support calls are another common scheme. In this scenario, a cybercriminal calls someone, perhaps a private equity firm employee, claiming to represent a third-party IT firm and citing “anomalous behavior” on the employee’s machine. The cybercriminal then asks the employee to download remote access software so the IT firm can resolve the (fake) issue. The fraudster remotes into the employee’s computer, pretends to fix something, and leaves the remote access software on the device so they can tap into sensitive information or data later.
Implement best-practice controls and educate your team
VC and PE firms are especially ripe targets for cybercrime due to the high dollar amounts in which they frequently transact. Security is everyone’s responsibility, not just the domain of a firm’s IT department, and security awareness education is a necessity for all employees.
Cybersecurity awareness training helps to address one of the biggest factors in major security breaches: human error. By training employees how to recognize and respond to cyber threats, organizations can dramatically improve their security and cyber resilience.
When it comes to transactions, for example, employees must pick up the phone to verbally confirm all wire instructions received via email, especially those with last-minute changes. If an employee feels uncomfortable making a last-minute change over email, instruct them to communicate through verbal means to verify that the source of the change is legitimate.
Implement two-factor authentication
Two-factor authentication (2FA) provides an additional layer of security beyond a password, by ensuring that there are two points of verification, usually in the form of a code sent to another device or biometrics such as Face ID or fingerprints. As a best practice, individuals should be required to use two-factor authentication when signing into their business email accounts, bank accounts and their online banking platform.
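The “code sent to another device” that the paragraph above describes is, for authenticator apps, a time-based one-time password (TOTP, RFC 6238): an HMAC over a counter derived from the clock, truncated to six digits. The following is an added example, not code from First Republic or any vendor named on this page. It computes such a code and shows the server-side check a practitioner would want: a small tolerance window for clock drift, constant-time comparison, and rejection of a code that has already been consumed. The secret is the published RFC 4226/6238 test secret, used here only so the output can be checked against the RFC; a real deployment generates a random secret per user at enrollment.

```python
import base64
import hashlib
import hmac
import struct
import time

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890" in base32).
# It is a published test vector, not a real credential.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # TOTP time step
DIGITS = 6          # code length shown by most authenticator apps


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over a 64-bit big-endian counter."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                used_counters: set, window: int = 1) -> bool:
    """Server-side check.

    Accepts the code for the current time step and up to `window` steps on
    either side (tolerates clock drift), compares in constant time, and records
    the accepted counter so the same code cannot be replayed within the window.
    """
    current = at_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            if counter in used_counters:
                return False          # replay of an already-consumed code
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the RFC test secret:", totp(RFC_TEST_SECRET_B32, now))
```

The `used_counters` set is the part most home-grown implementations omit: without it, an attacker who intercepts a code can reuse it for the rest of the 30-second step plus the drift window. In production that set lives in the user record or a cache keyed by user, not in process memory.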
To protect firms from viruses, malware, and ransomware, keep your systems up to date, so you always receive the latest security patches for the devices that you’re using.
Maintain regular backups
Whether you’re a tech startup or an established venture firm, it’s crucial to keep regular backups of your data and test restoration, so that if you’re hit with ransomware, you can wipe your machines clean and revert to your backups to bring yourself back online.
Verify IT requests
Employees should be trained on how to interact with your IT department, including how to verify by phone that they’re working with the right parties before sharing their remote access or login credentials.
Review access roles and restrict privileges
To reduce the risk of internal theft, review user access roles on a regular basis. Specifically, organizations should review both how they process transactions and who is allowed to process them, at least annually.
Limit the number of people who have administrative privileges that allow them to make changes to systems. Only a few people need this ability, and you don’t want a cyber thief to obtain the password of someone who has administrative privileges.
Develop and test an incident response plan
Another item to review at least annually is the incident response plan for a range of scenarios.
A cohesive incident response plan defines roles and steps in advance, so people know how to take action when an incident occurs.
Enhance your cybersecurity efforts
Your bank should make you feel confident that strong security defenses are in place. First Republic offers services designed to enhance our clients’ cybersecurity efforts, including proactive domain monitoring. This includes detecting lookalike domains (used in BEC scams) for our clients and giving them early warning notices to act according to their security policies.
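The BEC section above explains that fraudsters rely on lookalike domain names, and the domain monitoring described here works by spotting those lookalikes early. The following is an added example of the detection side, written for this page and not First Republic's own monitoring code. It takes a constructed list of trusted domains and sender addresses (both hypothetical) and flags senders whose domain is a typo, a transposition, a digit-for-letter homoglyph, a swapped TLD, or a trusted domain embedded as a subdomain of something else. It covers ASCII lookalikes only; Unicode (IDN) confusables would need a confusables table on top of this.

```python
import re
from email.utils import parseaddr

# Constructed trusted domains (hypothetical firm and portfolio company).
TRUSTED_DOMAINS = {"examplecapital.com", "acme-ventures.com"}

# ASCII characters that read like another character at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold common ASCII homoglyphs so 'examp1e' and 'example' compare equal."""
    s = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        s = s.replace(glyph, plain)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def second_level(domain: str) -> str:
    """Label left of the TLD ('examplecapital' for 'mail.examplecapital.com')."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(address: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain_or_None) for one sender address."""
    _, addr = parseaddr(address)
    domain = addr.rpartition("@")[2].lower().strip()
    if not re.fullmatch(r"[a-z0-9.-]+", domain):
        return ("invalid", None)
    for t in sorted(trusted):
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    for t in sorted(trusted):
        if domain.startswith(t + "."):
            return ("lookalike-embedded", t)     # examplecapital.com.evil.net
    sld = second_level(domain)
    for t in sorted(trusted):
        tsld = second_level(t)
        if sld == tsld:
            return ("lookalike-tld-swap", t)     # examplecapital.co
        if normalize(sld) == normalize(tsld):
            return ("lookalike-homoglyph", t)    # examp1ecapital.com
        if edit_distance(sld, tsld) == 1:
            return ("lookalike-typo", t)         # exampelcapital.com
    return ("unrelated", None)


def scan_from_headers(headers):
    """Return the senders that should raise an alert, with the reason."""
    return [(h, v, t) for h in headers
            for (v, t) in [classify_sender(h)] if v.startswith("lookalike")]


# Constructed From: headers for demonstration.
SAMPLE_FROM_HEADERS = [
    "CFO <cfo@examplecapital.com>",
    "Ops <ops@mail.examplecapital.com>",
    "CFO <cfo@examp1ecapital.com>",
    "CFO <cfo@exampelcapital.com>",
    "CFO <cfo@examplecapital.co>",
    "IR <ir@examplecapital.com.secure-docs.net>",
    "Team <team@acrne-ventures.com>",
    "Friend <friend@gmail.com>",
]

if __name__ == "__main__":
    for header, verdict, matched in scan_from_headers(SAMPLE_FROM_HEADERS):
        print(f"ALERT {verdict:22s} {header}  (imitates {matched})")
```

Run against inbound mail at the gateway, a hit on a sender that imitates a domain the firm transacts with is exactly the case where the verbal wire-instruction callback above must happen before any money moves.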
Ultimately, solid cybersecurity strategies are a cornerstone of good business practices. The more central they are to your company’s or firm’s strategic business plan today, the better prepared you’ll be to handle the unknown risks of the future.