Significant data has recently provided insight into the identification and causes of technology security breaches, and the resulting impacts to the business.
• Building materials company – estimated 56m credit cards and 53m customer email addresses
• Media – tens of thousands of internal documents and emails
• Home goods retailer – 40m credit cards, 70m contact records
Studies indicate 50% – 60% of companies have experienced an incident in the past year.
Common themes have emerged through these, and numerous additional breaches:
• Lack of management attention to systems and infrastructure – including network design, data segregation, database/HTTP best practices, and encryption
• Lack of capital investment in technology to securely support operations
• Poorly conceived server and system naming conventions – creating a roadmap for hackers
• Lack of cultural awareness of the risk of phishing attacks
While each organization had a different specific vulnerability exploited, all of these breaches have had two things in common:
1 – A lack of attention to security damaged the value of the company and imposed material cash outlays on the company.
2 – All of these companies had a security program in place. The key item to note here is that an incomplete or inadequate security review can create more risk; by providing a false sense of security, leading to inappropriately designed and poorly followed policies.
Every private equity investor should understand that this is not just a large corporate issue.
Any company that handles health, credit card or personally identifiable information needs to be aware and proactively address the risks. Three questions should be considered during both technology diligence and when holding a portfolio company.
1 – What is the likelihood of an incident? (A technology diligence guide can be found here.)
2 – How material are potential damages? (Recent studies have placed a value of $145 per record of data)
3 – What is in place to mitigate the risk of occurrence and damages?
When assessing risk, companies often overlook data that is collected without consent, and information sharing with third parties.
When determining if your investment is at risk, remember to consider the context of the vulnerability, likelihood and size of outcome, and remediation costs.
While security vulnerabilities can have a material impact on an investment, smartly developed policies and procedures can improve long-term operating performance.
Sophisticated security policies and procedures balance security with usability, align with corporate risk management practices, enhance customer experience, improve operating efficiencies, and align with the organization’s value drivers – ultimately maximizing value for the company and the investor.
An independent third-party advisor can often expedite implementing appropriate policies and procedures, and rapidly develop a plan to address technology security issues.
