Today, stories abound of industrial espionage, state-sponsored hacking and massive data breaches. And, sadly, these tales are generally accompanied by descriptions of the technical flaws that were exploited to allow these acts to occur in the first place. In fact, a much greater percentage of cybersecurity risk can be successfully managed than has historically been the case as an integrated part of a private equity firm’s overall risk management strategy.
The integration of cyber-risk prevention into a firm’s overall risk management strategy is the key to strengthening the weakest link in the cyber-defense chain. The goal of risk management, including cyber, is to reduce the impact and likelihood of negative or unexpected events, by involving the entire organization in the risk management process in advance of an adverse event.
And that is especially so with the implementation of the General Data Protection Regulation in May. US-based firms that do business in the EU must comply with those set of rules in securing data of their employees, clients and users, and need to know what steps should be taken.
Cyber-risk can be managed through a five-phase process that is naturally scalable based on the particular nature of the organization.
Identify: Consider the systems or data that you employ or store in your organization, and consider the impact if it were obtained by a third party. Private equity firms often hold extremely sensitive information, all of which could be embarrassing if exposed to the public. Understanding the sensitivity of the data in your possession is critical in the formulation of risk management plans.
On the technical side, identify the systems and devices used to store or access this data and your technical support team as well.
Protect: These tasks are based on the systems and devices identified in the first step and includes key tasks such as patching and updating systems promptly, upgrading equipment at end of life, developing and assessing procedures to assign access rights, and training users about cyber-risk and their role in managing it.
It is important to ensure that all systems and devices are considered in the plan. Some systems will update themselves on a regular schedule, while others will require intervention to apply a patch.
Education, training and continuous updates for all users in the environment are essential.
Detect: The longer intrusions go unmitigated, the more damage they can cause. Detection activities are designed to identify potential intrusions as quickly as possible, and they involve both the technical staff and the user base.
Systems maintain log files of significant events, and these should be reviewed by the technical staff on a regular basis.
Respond: Effective cyber-response plans that are developed in advance are much better positioned to drive the desired results. This includes identifying key advisors, rapidly correcting the issue, assessing the compromise and managing the perception of the incident. Many cyber-incidents require notification to customers, clients, employees and regulators.
Recover: The recovery phase is a longer term process and is primarily focused around a series of proactive initiatives to win back lost trust and relationships.
Many organizations erroneously believe that cybersecurity and the related risk management processes are solely an information technology issue. They are not. Cyber-thieves don’t think in silos, and neither should private equity firms.