Cybersecurity is a concern for all industries, but some, like venture capital and private equity, are more attractive targets due to the nature of the data they collect and process. Investment firms work with highly sensitive financial data on a daily basis, and its confidentiality is essential for the smooth running of their business operations.
Financial institutions have the second-highest data breach costs of any industry. As a consequence, data breaches can severely impact a venture capital or private equity firm’s bottom line. Lost business is the biggest contributing cost factor and includes business disruption and revenue loss from system downtime, loss of existing and new customers, as well as reputational damage.
But venture capital and equity firms need to worry not only about their own cybersecurity but also about that of their vendors and portfolio companies. They are therefore expected not only to ensure that third-party vendors handling sensitive information can provide an adequate level of cybersecurity before hiring them, but also to perform cybersecurity due diligence to determine the cyber maturity of a target investment and identify potential cyber risks that could impact the parties involved in the transaction. The stronger a company’s cybersecurity infrastructure, the higher the value assessed to the organization.
If due diligence was, in the past, about assessing the financial health and market potential of a target investment, venture capital and private equity firms can no longer ignore the crucial role cybersecurity plays in the success of their merger and acquisition operations.
When it comes to sensitive data, venture capital and private equity firms also need to be aware of their regulatory obligations. Failure to comply with their requirements can lead to heavy fines and penalties that can severely cripple business operations.
The danger of insider threats
When it comes to venture capital and private equity, insider threats can be the most dangerous. Data exfiltration can be particularly tempting for employees who are looking to move on to another company or to engage in insider trading. A solid cybersecurity framework can safeguard data from outsider threats but fail to protect data from employees who have direct access to it.
At the same time, due to the sensitivity of the data involved, negligence can be just as disastrous for venture capital and private equity firms. Data leaks can destroy months of work and cause deals being negotiated to completely fall through.
One way to address insider threats is to use Data Loss Prevention (DLP) solutions that allow sensitive data to be defined based on a company’s needs. DLP tools come with predefined profiles for common types of protected information such as PII and intellectual property but also allow for customizable policies to suit a firm’s requirements. Once sensitive data is defined, DLP solutions monitor and control its transfer and use.
By monitoring sensitive data and logging and reporting any attempts to violate policies, DLP solutions allow companies to identify suspicious user activity. DLP technology can block files containing sensitive information from being transferred to personal email addresses or cloud storage services and even prevent confidential information from being printed or copy-pasted into the body of an email.
When applied on the endpoint, DLP solutions such as Endpoint Protector by CoSoSys can also ensure that their policies remain active on a work computer whether it is in the office, used remotely, or not connected to the internet.
Controlling the use of removable devices
Another common exit point for data is removable devices. Easy to use, hide or lose, USBs, in particular, have long been a data security blind spot and have been the root cause of massive data breaches in the past. However, they can also be useful tools for employees to easily take data with them when they go out for meetings or conferences.
Venture capital and equity firms can use DLP solutions to control the use of peripheral and USB ports as well as Bluetooth connections. In this way, only company-approved devices can be connected to work computers. Firms can thus ensure that employees only use company-issued secure devices and easily monitor which employees are copying sensitive files.
By using enforced encryption, firms can ensure that all files copied onto removable devices are automatically encrypted with 256-bit AES CBC-mode encryption. No one without a decryption key can access them. Passwords can be reset in case they have been compromised, and devices can be wiped remotely. Easy to use and highly efficient, such solutions ensure that any USB stolen or lost will not be accessed by third parties.
Addressing the risks of data at rest
On average, a financial services employee has access to nearly 11 million files. Many of them can contain sensitive company data and information protected under data protection legislation. Venture capital and equity firms must ensure that such files, when no longer used, are not simply stored in unprotected locations where they can easily be stolen in case of a data breach.
Companies can use DLP data discovery tools to identify where data is being stored locally. This can be done automatically from the DLP dashboard across the entire company network. Some solutions also offer administrators the possibility of taking remediation actions to delete or encrypt sensitive data when it is found in unprotected locations.
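As an added illustration (not code from this article or from any DLP product), the Python sketch below combines a firm-defined sensitive-data policy with a discovery scan over stored files, using a Luhn checksum so that ordinary reference numbers are not reported as payment cards. The policy labels, the "Project Falcon" and "Project Orchid" codenames and the sample files are all constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical policy: labels and patterns are assumptions made for this example.
POLICY = {
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "deal_codename": re.compile(r"\bProject (?:Falcon|Orchid)\b"),  # firm-defined
}

def luhn_ok(digits):
    # Luhn checksum separates card numbers from other long digit runs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    hits = set()
    for label, rx in POLICY.items():
        for m in rx.finditer(text):
            if label == "payment_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # digit run fails the checksum: not a card number
            hits.add(label)
    return sorted(hits)

def discover(root):
    # Walk root and map each file containing sensitive data to its labels.
    report = {}
    files = [p for p in sorted(Path(root).rglob("*")) if p.is_file()]
    for path in files:
        try:
            labels = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        except OSError:
            continue  # unreadable file; a production scan would log this
        if labels:
            report[path.relative_to(root).as_posix()] = labels
    return report

def demo():
    samples = {  # constructed sample files, not real data
        "deals/term_sheet.txt": "Project Falcon draft. Fee charged to 4111 1111 1111 1111.",
        "notes/lunch.txt": "Booking ref 1234 5678 9012 3456, table for four.",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return discover(root)
```

Calling `demo()` reports only the term sheet; the booking reference has the shape of a card number but fails the checksum, which is the kind of false positive that makes a regex-only policy noisy.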
DLP content discovery can also be useful in the case of compliance auditing. Venture capital and private equity firms can perform content discovery scans and generate reports that prove they secure sensitive data, cutting down on the time needed for the auditing process.
Views expressed in this article are the personal opinion of Mr. Filip Cotfas, Channel Manager, CoSoSys