Exposure to hacking risk isn’t just a threat to reputation: increasingly, it’s undermining business valuations. But if compliance and regular audits offer no guarantee, how can business leaders hope to protect the value of their business?
When private equity firms prepare to make an investment in a business, one element of the company’s operations comes under particularly detailed scrutiny.
“Cyber security is one of the biggest due diligence pitfalls in any deal at the moment,” says Adam Rudd, a director at Beech Tree. “We are very focused on this when we make our initial investments, but we are seeing more and more scrutiny in this area when we come to exit our investments, whether that be to trade or large private equity firms.”
The issue has soared up the due diligence agenda over the past five years since Beech Tree started. Quarterly compliance checks via penetration testing and Cyber Essentials (Plus) have given way to 24/7 security monitoring, ensuring that business assets have the right level of cyber security posture.
“A focus on 24/7 monitoring to protect the assets of a firm is critical,” says Rudd. “After all, one ransomware attack can stop a business trading for months and also impede its payroll payments. There is the corresponding reputational risk, too.”
Compliance does not mean secure!
Being able to tick all the regulatory boxes isn’t necessarily an indication of watertight infrastructure. That’s obvious in the number of firms accredited to ISO 27001 or PCI DSS who have nevertheless suffered data breaches.
Brendan Kotze, our head of development at Performanta, puts it plainly: “Compliance does not equal security.”
Even audits don’t provide a guarantee. It’s not as if there’s a shortage of ways to assess cyber risk. Indeed, the sheer range of penetration tests, vulnerability scanners and external risk assessors is part of the problem, according to Kotze. With no standard system, businesses are free to opt for the cheapest service. They welcome the resulting report that shows no vulnerabilities – and move on.
Too often, this type of result is what Kotze calls “watermelon reporting: green on the outside, red on the inside”. And even where a red report is returned, it might not reach the top of the organisation because of a perceived blame culture.
“A lot of organisations are getting hit because the real situation isn’t being presented to the board and enabling them to make the appropriate risk-based decision,” Kotze says.
Assuming the C-suite are fully in the loop, are they sufficiently motivated to act? “The challenge is not the assessment but the organisation’s willingness to take the burn to fix the problems,” Kotze says. “That doesn’t necessarily mean buying a new piece of kit: it’s the willingness to adapt and change processes, especially when it comes to legacy systems.”
Cyber security was once viewed by boards as an IT problem. Thanks to media coverage of data breaches, businesses have become much more savvy. However, Kotze says security is often still seen through the lens of an IT cost.
In fact, if cyber security affects business valuation, it has a direct correlation to profitability and the firm’s very ability to function, he argues. “That is not a topic for a CFO or somebody in the organisation that is concerned about spend. It links directly to strategy, which is the responsibility of the CEO.”
As things stand, too few organisations weigh up the potential cost of a data breach against investment in upfront protection. “Security has always been a grudge purchase, rather than being seen as a business enabler,” Kotze says.
Failed by the system
Business leaders don’t shoulder all the blame for poor protection. Alongside the regular assessments, they put their faith in cyber insurance – but that’s often another tick-box exercise. Furthermore, this insurance will become harder to access as several large cyber insurers are now starting to suffer huge loss ratios due to these policies.
Kotze’s dream of a system in which cyber insurers carry out real-life audits on businesses and offer premium offsets to reward those with robust security may now come to fruition.
He also has sympathy for businesses faced with a cyber security industry that he sees as too focused on heavily-marketed technology products. Most businesses outside the Fortune 1000 fall below the “cyber security poverty line” and are unable to afford the latest high-end tech.
“I think that’s detracting organisations from focusing on what is important – which is establishing a good and solid security foundation, doing the basics right, and focusing on people, process and technology,” says Kotze.
A fully rounded approach to cyber security needs to address employee and procedure risks in tandem with technology. As Kotze points out, even the SolarWinds attack – hailed for its complexity – was made possible by the easily guessed password of an intern.
While SolarWinds’ links to government clients grabbed the headlines, hackers’ motives are more commonly financial. Beech Tree’s Adam Rudd sees financial services and retail, with their stacks of personal data and cash access, as the current prime candidates for cyber attack.
As Rudd knows from experience, quarterly penetration tests provide a snapshot, but can’t scrutinise the day-to-day cyber security of a business, which remains Beech Tree’s focus on entry.
“If you want to maximise your value as a business and be seen as the market leader, you can’t neglect your security posture,” he concludes. “Having that safety net around you illustrates the robustness of your business process and will inevitably add to its valuation.”