Cybersecurity: The best defense never rests

July 31 2017
New York

Cybersecurity threats are constantly evolving, which means the best programs adapt continuously. 

Private equity firms have long since accepted that cybersecurity is a core issue. One recent industry survey finds that 56% of PE firms consider cybersecurity the number one priority of their IT investments. It’s not that no one is paying attention; it’s that the technical nature of the problem makes it hard to know when any firm has spent enough time or money to be safe. 

The reality is that there’s no way to shrink that risk to zero, especially given that risks are constantly changing as bad actors learn to break through today’s defenses. Therefore, the best cybersecurity programs never stand still. They are making regular assessments and updates throughout the year, but how often is sufficient? Here’s a calendar that several cybersecurity experts agree can minimize any firm’s vulnerabilities. 

And for those private equity firms utilizing or considering outsourcing to a fund administrator, the GP should ensure that the administrator employs these vital steps.  They are necessary to ensure best-in-class protection for GP and LP data.

Weekly/Daily
Stay current with software patches and antivirus/malware updates. Employees are the first line of defense against most threats out there right now. So, ensure that the proper applications are installed on all desktops, laptops and servers. Updates should be systematically deployed for all antivirus and anti-malware tools, software security patches and host-based intrusion detection systems.

Quarterly
IT administrators should enforce the systematic change of passwords for network and application access. It sounds excessive, but it can also serve as a helpful reminder to staff that the firm takes cybersecurity seriously. Testing remote access to the networks is also vital, since the nature of most private equity firms will find partners accessing the network from their homes or while traveling for business. Administrators should make a point of implementing standards for complex passwords and using dual-factor authentication for remote access users.

Semi-Annual
Conduct a phishing exercise to test if any staff would click on the wrong email, and use the test to further remind staff of the dangers when opening anything sent from an unknown source. Phishing is the most predominant social engineering technique used and the most prevalent threat impacting firms today. This can be done by a service provider or, if available, by the in-house IT staff. Additionally, as part of a Security Awareness program, communicate to staff about the latest industry threats and reinforce how employees should report incidents. Reinforcement and training are key elements of a successful defense against today’s threats.

Annual
Conduct a vulnerability assessment that includes both internal/external tests and an IT risk assessment by a third-party service provider, as internal IT staff knowledge can sometimes lag the latest developments because their mandates frequently go beyond the cybersecurity program. The firm should also test all disaster recovery systems. Employees should be trained in the latest threats and protocols at least once a year. 

Part of this annual training should be “fire drills” where senior management and the incident response team go through protocols and procedures to ensure that the governance aspect of any cybersecurity program is updated as well. The senior partners should be aware of any changes to the program and any IT vendor should be aware of any changes to the nature of the firm’s business. 

For example, if the firm is ramping up a new fund in a new asset class or geography, this is the time to ensure that the cybersecurity staff is prepared for any threats that arrive with the new vehicle. Because to paraphrase an old spy cliché, the security program has to be right every day, while the hacker only has to get lucky once.