Private equity security and risk: The ever-changing threat landscape

Utilizing automated, on-demand and AI-driven techniques, cyber-attackers have found new methods to zero in on PE firms, writes Chris Hueneke, who leads the Security Practice at RKON.

This article is sponsored by RKON.

It is no secret that the portfolio companies of private equity firms are continually targeted by cyberattackers. The primary reason for this is that these assets provide an attractive return on the time they invest in them.

Just a few years ago, these financially motivated attackers only targeted the obvious financial institutions – credit card companies – for their customer data (with an estimated ROI of $1 per credit card number sold on the dark web). Then they moved on to the healthcare sector, rich with personal information (providing an ROI of about $100 per identity stolen). Manufacturing business followed as hackers advanced to intellectual property theft ($10,000 per design). As their successes piled up, they continued to expand their target pool.

Now, thanks to ransomware (which can reap hackers $14 million per system they infect) and wire fraud (around $400,000 per transfer), every industry is a target, from Fortune 500 companies right down to small family-owned manufacturing businesses with 20 employees.

In this article, we will examine the latest methods attackers use, how they target PE firms and their portfolios, and the protective security measures that firms can use to mitigate the risks created by the evolving threat landscape.

The ideal target

Attackers are finding new ways to target PE businesses, using automated, scalable, on-demand, and AI-driven techniques to launch many sophisticated attacks against a high volume of targets. Mid-size portfolio companies are an ideal target due to the following factors:

  • Availability of public information in press releases and social media;
  • Lack of experienced security ­resources or no security team;
  • Lower security awareness or no ­security leadership;
  • Lack of mature IT security controls and risk governance;
  • Misconfigured and exposed cloud environments;
  • Higher use of infected personal ­devices with company data.

Press releases announcing mergers and acquisitions provide a steady stream of new targets for hackers. These public announcements give these bad actors awareness of new ­companies to target across the globe. Think about what often accompanies such deals at the newly acquired companies: new leadership, attrition, new business applications, new banks, new employees, and so on. Such changes lead to opportunities for hackers.

“Press releases announcing mergers and acquisitions provide a steady stream of new targets for hackers. These public announcements give these bad actors awareness of new ­companies to target across the globe”

Private equity firms and their assets are also at risk before a deal is closed, since large amounts of money are transferred between banks and companies that haven’t previously established working relations. Low to mid-­market private equity firms may have less ­sophisticated cybersecurity ­processes, protocols and systems, and would be highly impacted when targeted for ­financial wire fraud, ransomware, and theft of employee personal information such as user accounts, passwords and social security numbers, which hackers can then sell on the dark web.

The techniques

Hackers have two favorite techniques for attacking such PE firms:

Business email compromise includes attackers attempting to gain access to the C-suite or board level company email accounts. This can be ­accomplished by either leveraging
previously compromised account information that is for sale on dark web forums, or by tricking the user with phishing techniques to have the target executive disclose their email account username and password.

Phishing or whaling attacks have identical techniques, with different targets. Phishing attacks target the company’s employees, while whaling attacks specifically target high-level executives. In both instances, hackers attempt to get the target to click on a malicious web link, or to open an ­attachment that downloads spyware on their computer.

These attacks allow them to gain access to the target’s email account via applications like Microsoft 365 or Google Workspace, or to access their computer to remotely initiate attacks. Once access is achieved, the attacker can continue impersonating the employee or executive, gaining access to sensitive documents or tricking other employees into unwittingly engaging in malicious ­activities. These sensitive documents can include tax forms with Tax IDs, financial records with bank account and routing numbers, or even employee W2 forms with employee information and social security numbers via the company’s human resources department.

The goals

Along with stealing highly valuable information about employees and the companies they work for, which can then be sold on the dark web or used for identity theft, hackers have two other primary goals once they’ve ­gotten in the door via BEC or phishing/whaling attacks:

Financial wire transfer involves the attacker attempting to have funds wire-transferred to them, either leveraging the compromised email account or creating a fake account to spoof the CEO or CFO, for example. This fake account is generally created with a look-a-like email user account using a public email provider or an email domain that is similar to the target email domain. For example, if the target is Jane.Doe@sampleco.com, the attacker can create a Gmail account such as Jane.Doe@gmail.com. Alternatively, they can create a new email domain, such as sampleco.co or sampleko.com, mimicking the legitimate domain.

The fake email account is leveraged to deceive an accounting professional into thinking the CEO or CFO is giving them instructions to wire ­money – usually with great urgency – for a recent or prospective transaction, with the attacker’s bank account on the receiving end.

Ransomware involves attackers encrypting critical data, thereby rendering systems useless until they receive a payment and decrypt it, or until IT is able to restore the data from a recent backup. Notable ransomware breaches of numerous government municipalities, a critical pipeline and a large meat processor have all made recent international headlines.

Being prepared, managing risk and responding correctly

Security leaders need to ensure that security controls remain intact, as devices, files, systems and data are migrated during M&A. Having a robust incident response plan is more crucial than ever to properly address continuous attempts to spoof executives like the CEO and CFO after a public announcement, such as an IPO or the addition of a new investor.
Remediation strategies are all about reducing the impact and likelihood of a cybersecurity breach. Organizations that integrate proactive security, governance, risk and compliance disciplines with continuous advisory and operations improve their ability to protect their businesses.

There are three main pillars of a good remediation strategy:

  • Preparedness – Position the organization to meet its strategic imperatives for expense management and growth. Manage risks and issues appropriately to ensure the survivability of the organization. For example, a strong threat protection platform should be in place, preparing the organization to be able to block threats across the entire attack surface of the business – endpoints, perimeter, datacenter and cloud. The goal is to make it as hard as possible for the attacker to gain access. By reducing their return on time spent, they’re more likely to move to other targets.
  • Assurance – Provide a guarantee that the organization has appropriate and cost-efficient measures implemented. Ensure the measures meet regulatory and industry requirements. For example, a strong vulnerability scanning platform should be in place to identify and remediate all infrastructure, application and cloud vulnerabilities. The goal is to prevent a vulnerability from being exploited if a hacker gets past the threat protection layers.
  • Response – The organization must be primed to manage incidents with a prompt response to assess and remediate the risk. Ensure the remediation and recovery strategies are the most appropriate and cost-efficient. For example, a strong security monitoring platform should be in place to maintain visibility and detect security incidents instantly – you can’t manage what you can’t see. The goal is to respond quickly to an incident by following a tested incident response plan for containment of the threat, its eradication, and the recovery of lost data.

Private equity firms and their portfolio companies should seek a trusted security partner to implement effective and efficient security and a risk management system in order to:

  • Integrate an innovative governance framework into the IT and security program to leverage the direction set by executives, company policies, ­regulations and best practices.
  • Facilitate risk analysis with key business, IT and vendor stakeholders, identifying security posture at all levels of the organization from projects, services and suppliers, and mapping to regulatory compliance requirements.
  • Deploy and maintain seamless, ­sustainable and secured architecture solutions that meet control requirements and protect the viability of the business.
  • Provide a consistent format for reporting top IT risks, compliance status, security architecture maturity and operational security metrics.

In summary, many companies, especially small manufacturers, online retailers and health clinics, for example, require more than just anti-virus software and firewalls. They need to start with security policies that provide guidance to users and IT staff as to the security measures they are responsible for and why they are needed.

Next, advanced threat protection needs to be implemented for the endpoints, perimeter, datacenter and cloud architectures to ensure strong blocking and tackling. Vulnerability scans need to be performed across these architectures, ensuring the vulnerability is taken out of the risk equation. Security monitoring of logs and events is needed to ensure full visibility and detection of anomalous user or attacker behavior.

And finally, proper governance, with security policies, guidelines and incident response plans need to be in place and tested regularly to ensure proper handling of security incidents and technology disasters.

Chris Hueneke leads the Security Practice at RKON responsible for Security Architecture, Security Advisory and Security Operations services. He has over 25 years of information technology and security experience.