A recent survey of global private equity firms found that half of all respondents were unhappy with their cyber security arrangements. This comes as no surprise since very few lower mid-market firms will have the expertise in-house or the budget to employ cyber-security consultants. But with hard-won reputations on the line, these survey results are a call to action.
Data security isn’t all about buying expensive bits of kit or paying large amounts for external support. If your defenses are breached, your existing human and technological resources must work together; both are part of a single ecosystem and both need to be fit for purpose. But where do you start when these resources are limited?
- Detect and define. It’s crucial to know the difference between harmless software malfunction, annoying spam and a red flag hack before you raise the alarm. Monitoring software can help detect unusual activity but so can staff, investors and stakeholders. Ensure staff and stakeholders can recognize and report incidents such as phishing scams. Invest in monitoring technology that enables you to take greater control rather than blinding you with science
- Communicate securely. If you suspect you’ve been hacked, use a secure method of communication to contact your system administrator and alert your incident response team. Never use the compromised system to report the breach. Remember to keep communications about a hack confidential and on a need-to-know basis. Choose business grade secure communication tools endorsed by trusted third parties that protect your conversations and your metadata over voice, video and email. Avoid panic, speculation and misinformation.
- Launch your incident response procedure. This plan should define action around threats of different magnitudes and indicate how quickly you will need to respond. Free resources such as Crest’s incident response guide are worth a look. Every member of your response team should be well-trained, know what their role is and know how they fit into the overall structure. Legal advisors can be a useful source of advice and support. Successful plans should assess risk based on a thorough understanding of the IT ecosystem and how it delivers core functions. Response plans should isolate the breach while avoiding total system shutdown – the latter can be costly and mean that you lose important diagnostic information. Incident management procedures should also deploy a back-up system (not connected to the main system) that ensures core services and functions can be maintained throughout the crisis.
- Report the breach. Private equity firms in different countries are subject to distinct and often multiple reporting requirements. Europe’s data protection regulations give companies 72 hours from the moment they become aware of a breach to report it. Those in the US will need to be aware of state and federal laws. You may also need to inform the police, lawyers, board members and others. Familiarize yourself with reporting guidance so you know what to report, when, to whom and how. Assign key responsibilities to trained, named individuals with appropriate authority. Inform affected parties as soon as possible and explain how they can protect themselves (for example by changing passwords or recognizing phishing scams). Explain what action you are taking and keep stakeholders informed.
- Restore, review, rebuild, renew. Learn from your mistakes and reinforce your defenses. You may need to retire legacy technology that is no longer supported with security patches. Consider enforcing higher security standards when buying new technology, merging or doing business with other firms. Be mindful that security standards vary from country to country and it’s vital that you comply with local regulations.
Controlling staff use of the internet and mobile devices is also important. Online gambling and gaming, linking to untrusted Wi-Fi, downloading uncertified apps and failing to update devices all create vulnerabilities.
Prevention is, of course, better than cure. Don’t wait for an attack to test the vulnerability of your systems. Raise awareness, ensure everyone in your response team is appropriately trained, carry out regular penetration testing and drills, and move towards making your systems secure by design. Take control and never stop learning.
Phil Chambers is chief operating officer of Metro Communications, which provides IT and communications technology services.