The breach began when a high-level executive opened an email marked “Urgent.” It looked like it had come from the accounts payable department. The subject line: “Did you OK this for payment?” He clicked on the attachment, realizing too late that he had activated ransomware, which soon began encrypting company files.
How to avoid this scenario was a key message behind a presentation to private equity (PE) firms led by Grant Thornton professionals. The gist was to help PE firms become more aware of cyber risks within their own companies and in their connections to vendors and third parties. You have to know not only your own vulnerabilities and preventive measures, but your partners’ as well.
“Data and advanced technologies are both an asset and a liability,” said Carlos Ferreira, Transaction Advisory partner and Private Equity Advisory leader, Grant Thornton. The proliferation of technology has left us with a repository of information, he said, which we may hold longer than we need to. “Unfortunately, our combined business and tech use can be used against us. A hacker can leverage something like social media to go after your business data.”
Understand your susceptibility
A first step to any cyber protection is to understand your firm’s susceptibility, by knowing answers to these questions:
- What personal data do you hold?
- What systems process sensitive data?
- What “threat actors” (individuals or groups that conduct malicious activities against an organization) are interested in you and why?
- What are a target portfolio company’s security measures prior to an acquisition?
- What kinds of risk do third parties pose?
- How do you monitor and respond to cyber risks?
- Who in your organization is responsible for cyber risk?
There was a time when companies thought they could be 100% secure and never experience a breach. Said Ferreira, “This is not an appropriate or realistic goal.” Sometimes the most effective path to safety requires minimal investment. Educating staff is a big one.
Without proper education and controls, authorized users can unintentionally initiate an event. “Not just IT professionals but all employees must take responsibility, as well as board members, contractors and business partners,” Ferreira said. “Cyber breaches may come from external sources, but internal actors or third parties now account for more than half of incidents.”
Common threat actors
As cyber threats have grown, so have techniques of attack, from hacking and phishing to malware and ransomware.
“Cyber criminals go where the money is. They are after financial gain via any means necessary.”
– Carlos Ferreira, Transaction Advisory Partner and Private Equity Advisory Leader, Grant Thornton
While “hacktivists” are motivated by a desire to gain recognition that may be social or political, cyber criminals go where the money is, said Ferreira. “They don’t want to be noticed and don’t want to be in the news. They are after financial gain via any means necessary, whether it’s selling intellectual capital or getting funds transferred to them. They will use phishing, money transfers, ransomware — whatever they can leverage to solicit payments from targets. You need to really understand your business and the technology being used and why, and learn what actions can help mitigate vulnerabilities.”
Due diligence is a key consideration for PE
Jeff Witmyer, senior manager in Cyber Risk at Grant Thornton, delved into the specific issues for PE firms and stressed the importance of acquisition due diligence. “Acquiring firms with cybersecurity issues can have a major impact on your company and an impact on the value of the firm you’re acquiring,” Witmyer warned. Upfront due diligence is the way to go, he said. “After-the-fact due diligence leads to risks that are unknown and can have an unexpected impact.”
“Who is responsible for implementing and managing cybersecurity controls, and responding to an incident once one occurs? Is it the PE firm or the acquired company?”
– Jeff Witmyer, Senior Manager, Cyber Risk, Grant Thornton
Added Witmyer: “A big question is, who is responsible for implementing and managing cybersecurity controls, and responding to an incident once one occurs? Is it the PE firm or the acquired company?”
Two of the biggest threats are business email compromise (BEC) and ransomware.
BEC was reported to the FBI 20,373 times in 2018, representing a 30% increase from 2017 and a 1,363% increase since 2014. Ransomware attacks accounted for $8 billion in estimated losses in 2018, with larger companies losing millions of dollars from downtime. PE firms are prime targets because of their large financial resources.
Common methods, common targets, heavy losses
BEC most often results from a “spoof email” seemingly sent from a company executive or a vendor. “Senders are taking advantage of human nature and errors. They are looking for the path of least resistance,” said Witmyer.
Three common targets are:
- The CEO, executives and upper management. The attacker may masquerade as one of these people, for example to approve a wire transfer.
- The CFO and financial department personnel. The attacker knows these people can easily access or alter financial records, such as making a change to payroll information and moving money.
- Procurement department. These attacks tend to be more sophisticated, involving forged communications from a third party or vendor that has been compromised. An attacker may request invoice payments that route to a fraudster’s bank account.
A fraudulent wire transfer can lead to both financial and reputational loss. A fraudulent request to change routing of paychecks can lead to employee anger and mistrust. Vendor fraud and client targeting can lead to all kinds of harm, among them a loss of money, trust and reputation, as well as sensitive or privileged data.
Avoiding the scam
Company IT departments stress BEC best practices. Common indicators to look for include:
- A sense of urgency in the request
- Unconventional requests (such as the purchase of gift cards as a payment method)
- Sparse or vague requests that use opaque language
- Unexpected requests originating from a strange domain
- Exertion of authority (law firm, government agency, etc.)
- Off-hours or inconvenient-time requests
- Requests for money movement or updates to sensitive information
To avoid becoming a victim, train employees to think carefully about such a request and to verify that it came from a valid source, for example by following up with the individual who allegedly sent it over a separate channel (a phone call to a number already on file) rather than by replying to the message itself. “If something doesn’t seem right, it probably isn’t right,” said Witmyer.
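The indicators above can be turned into a triage score that a mail gateway or a help desk tool applies before a finance user ever sees the message. The following is an added example, not Grant Thornton code and not a tool described in the webcast. It goes slightly beyond the list: it also flags a Reply-To domain that differs from the From domain and a look-alike domain one or two characters away from the company’s own. The company domain, the executive names, the business-hours window, the keyword lists and both sample messages are assumptions constructed for illustration.

```python
"""Score one inbound e-mail against the BEC indicators listed above.

Added example, not Grant Thornton code. COMPANY_DOMAIN, EXECUTIVES, the
business-hours window, the keyword lists and both sample messages are
assumptions constructed for illustration.
"""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

COMPANY_DOMAIN = "example.com"                 # assumption: our own mail domain
EXECUTIVES = {"dana reyes", "sam okafor"}      # assumption: names an attacker would impersonate
BUSINESS_HOURS = range(8, 18)                  # assumption: 08:00-17:59 UTC, Monday to Friday
HOLD_THRESHOLD = 3                             # assumption: indicators needed to hold a message

URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today|before (?:noon|close of business))\b", re.I)
MONEY_MOVE = re.compile(r"\b(wire|transfer|payment|invoice|routing number|direct deposit|payroll|bank (?:details|account))\b", re.I)
UNCONVENTIONAL = re.compile(r"\b(gift cards?|itunes|bitcoin|crypto)\b", re.I)
AUTHORITY = re.compile(r"\b(attorneys?|law firm|legal counsel|IRS|regulator|government agency)\b", re.I)
VAGUE = re.compile(r"\b(are you (?:available|at your desk)|quick (?:task|favou?r)|need you to)\b", re.I)


def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw):
    """Return {'score': n, 'indicators': [...], 'hold': bool} for one plain-text message."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hits = []

    for label, pattern in [("urgency", URGENCY), ("money_movement", MONEY_MOVE),
                           ("unconventional_payment", UNCONVENTIONAL),
                           ("authority", AUTHORITY), ("vague_request", VAGUE)]:
        if pattern.search(text):
            hits.append(label)

    if from_domain != COMPANY_DOMAIN:
        hits.append("external_domain")
        ours, theirs = COMPANY_DOMAIN.split(".")[0], from_domain.split(".")[0]
        if theirs != ours and (_edit_distance(ours, theirs) <= 2 or ours in theirs):
            hits.append("lookalike_domain")
        if name.strip().lower() in EXECUTIVES:
            hits.append("display_name_spoof")   # an executive's name on an outside address

    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        hits.append("reply_to_mismatch")        # replies would go somewhere other than the sender

    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is not None:
            sent = sent.astimezone(timezone.utc)
        if sent.weekday() >= 5 or sent.hour not in BUSINESS_HOURS:
            hits.append("off_hours")

    return {"score": len(hits), "indicators": hits, "hold": len(hits) >= HOLD_THRESHOLD}


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Dana Reyes" <dana.reyes@examp1e.com>
Reply-To: dana.reyes.ceo@mail-example.net
To: cfo@example.com
Date: Sat, 12 Oct 2019 22:30:00 +0000
Subject: Urgent: Did you OK this for payment?

Are you at your desk? I need you to process a wire transfer to a new vendor
before noon today. I'm in a meeting with our attorneys and can't take calls,
so confirm by email only.
"""

ROUTINE = """\
From: "Accounts Payable" <ap@example.com>
To: cfo@example.com
Date: Tue, 08 Oct 2019 10:15:00 +0000
Subject: Q3 vendor statement

Hi, attached is the Q3 vendor statement for your records. No action is needed.
"""

if __name__ == "__main__":
    for label, raw in [("suspicious", SUSPICIOUS), ("routine", ROUTINE)]:
        print(label, score_message(raw))
```

The header checks assume the mail gateway has already enforced SPF, DKIM and DMARC on inbound mail; without that, an attacker can forge the From header to the company’s own domain and the external-domain and look-alike checks will pass. A score at or above the threshold should route the message to out-of-band verification, not silently reject it, because legitimate payment requests will also trip one or two of these indicators.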
When ransomware rears its ugly head
A ransomware attack is different from many other cyberattacks, said John Pearce, principal in Cyber Risk at Grant Thornton. “The goal is to inflict pain to elicit a payment.” Perpetrators get in through malicious email attachments, whereby malware encrypts internal files, or through “drive-by downloading,” where an attacker compromises a website or hosts its own site to plant ransomware on an unsuspecting user’s workstation. These attackers usually demand bitcoin or another cryptocurrency as payment, because such payments are harder to trace and recover.
“The FBI estimates that only 17% of businesses that pay ransom successfully decrypt their files.”
– John Pearce, Principal, Cyber Risk, Grant Thornton
“The sad truth is, the FBI estimates that only 17% of businesses that pay ransom successfully decrypt their files,” Pearce said.
Ransomware targets include:
- The CEO and upper management who have access to sensitive data so are more likely to pay
- Database personnel; encrypted databases can cripple a PE firm, which is likely to pay
- Lower-level employees who are less technical and unaware of security risks that could infect a network
Indicators of an attack appear fast, beginning with the receipt of unsolicited email carrying suspicious attachments. “Once attached, you’ll see data encryption that begins to occur on every file or on specific ones,” Pearce said. “Antivirus and antimalware software will start to trigger. You won’t be able to access files. You will see it happen very quickly.” The losses can be huge.
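The speed Pearce describes is also what makes ransomware detectable on the host: within seconds, many files are rewritten with content that looks random. The following is an added example, not Grant Thornton code and not a tool described in the webcast. It feeds a constructed stream of file-write events to a detector that measures the Shannon entropy of each write and alerts when several distinct files are rewritten with high-entropy content, or renamed with a ransom extension, inside a short window. The event stream, the window length, the entropy threshold, the burst size and the ransom extensions are assumptions chosen for illustration.

```python
"""Flag the burst of high-entropy file rewrites that ransomware produces.

Added example, not Grant Thornton code. The event stream, the window length,
the entropy threshold, the burst size and the ransom extensions are
assumptions constructed for illustration.
"""
import math
import random
from collections import Counter, deque

ENTROPY_THRESHOLD = 7.2     # bits/byte; encrypted or compressed data sits close to 8.0
WINDOW_SECONDS = 10.0       # how long a suspicious write stays in the sliding window
BURST_FILES = 5             # distinct files rewritten suspiciously within the window
RANSOM_EXTS = (".locked", ".encrypted", ".crypt")   # assumption: suffixes ransomware appends


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant byte, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class BurstDetector:
    def __init__(self, window=WINDOW_SECONDS, burst=BURST_FILES, threshold=ENTROPY_THRESHOLD):
        self.window, self.burst, self.threshold = window, burst, threshold
        self.recent = deque()   # (timestamp, path) of suspicious writes still inside the window
        self.alerts = []        # (timestamp, sorted paths) for each burst detected

    def observe(self, ts, path, data):
        """Feed one write event; return True when this event completes a burst."""
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()                       # expire writes that fell out of the window
        suspicious = shannon_entropy(data) >= self.threshold or path.endswith(RANSOM_EXTS)
        if not suspicious:
            return False
        self.recent.append((ts, path))
        distinct = sorted({p for _, p in self.recent})
        if len(distinct) >= self.burst:
            self.alerts.append((ts, distinct))
            self.recent.clear()                         # one alert per burst, then count again
            return True
        return False


def build_sample_events():
    """Constructed write stream: ordinary saves, one backup archive, then ransomware."""
    rng = random.Random(7)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))   # stands in for ciphertext

    events = [
        (0.0, "share/finance/q3_forecast.xlsx", b"PK\x03\x04" + b"Quarterly forecast " * 200),
        (3.0, "share/finance/board_memo.docx", b"Board memo draft " * 300),
        (5.0, "backup/nightly.tar.gz", noise(4096)),   # high entropy, but a single file
    ]
    for i in range(9):   # nine files rewritten in under two seconds
        events.append((20.0 + i * 0.2, f"share/finance/doc{i}.xlsx.locked", noise(4096)))
    return events


def run(events):
    """Replay a list of (timestamp, path, bytes) events and return the alerts raised."""
    det = BurstDetector()
    for ts, path, data in events:
        det.observe(ts, path, data)
    return det.alerts


if __name__ == "__main__":
    for ts, paths in run(build_sample_events()):
        print(f"ransomware burst at t={ts:.1f}s: {len(paths)} files, e.g. {paths[0]}")
```

The single compressed backup archive at t=5 is high-entropy too, which is why the detector counts distinct files per window instead of alerting on one write; that is the trade-off between catching an encryptor early and paging on every nightly backup job. In production the events would come from a file-system audit source rather than a list, and the detector’s alert would be the trigger for the containment steps discussed later in this article.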
So what defense strategies do you use to be sure this doesn’t happen to you?
Besides sending suspicious emails to the security team, patch any vulnerabilities, and make sure vendors and third parties do the same. In addition, monitor antivirus logs, and use advanced security measures like heuristics-based solutions that examine code for suspicious properties. Keep a backup of all important files, stored offline or otherwise out of reach of the same credentials the ransomware runs with, and test that it restores; a backup the malware can reach is encrypted along with everything else.
Above all, use common sense.
Hire the right people.
Security engineers and cyber risk staff can be in-house or outside.
Know what you don’t know.
Make sure to inventory your assets. If you don’t know what you have, or what type of data you’re storing or collecting, how can you defend it? To “baseline your security hygiene,” prioritize assets based on their criticality, increase security on your most sensitive systems, and make sure patches and security updates are applied on a timely basis.
Invest in detection and response capabilities.
Have these in place so that you can respond quickly. Gauge inside and outside threats, and build an agile response system.
Increase the speed of containment.
Block attacks before they spread. Use network security zones to limit how far an infection can travel. “If you can detect ransomware quickly, you can more quickly respond,” said Witmyer. Containment includes gathering network traffic, collecting running apps and processes, and retaining and reviewing application logs. Use security analytics to identify anomalies, and have an incident response team that can quickly contain intrusions.