In light of an increased threat of cyber-attacks from Iran, Risk Officers at private equity firms are questioning how prepared their portfolio companies are for international cyber-attacks. The elements these companies need to focus on are rooted in the fundamentals, or as we like to call it brilliance in the basics.
The next seven areas are what I recommend companies prioritize, which are aligned to the highest threats identified by the Department of Homeland Security and New York’s Department of Financial Services. Overall, effort needs to be on preventing access and protecting systems and data from destruction or denial of service.
- Vulnerability Management: Companies should identify and address vulnerabilities that can be exploited externally. Knowing what these are requires an external vulnerability scan and understanding if they can be exploited may require a penetration test. I would also include blocking all unnecessary inbound firewall access such as blocks on specific geographic locations of hostile nations such as Iran, North Korea, etc.
- Multifactor Authentication (MFA): Enable MFA for all externally accessible systems. MFA can prevent access if passwords are compromised.
- Restricting Administrative Access: Administrative access on all systems should be restricted. No users should be using administrative access for general daily use and all should have standard user accounts. The ability to install software and run applications like PowerShell should be limited to an as-needed basis.
- Backups & Tested Backup Restoration: Backups are the single best way to recover from a ransomware attack. Threats from Iran may mirror ransomware attacks by encrypting data, but then fail to offer a means to pay for decryption, leaving the data permanently inaccessible. Make sure all critical data and systems are backed up and that the backup restoration has been tested. Also make sure backups are protected against malware through network segmentation or offline copies. Many portfolio companies were forced to pay the ransom when their backups were on the same systems or network as other critical systems and fell under the control of attackers.
- Awareness Training (+Phishing): Properly and regularly train employees on the indicators of phishing in emails and what to do and not do when they encounter these signs.
- Incident Response: Create and regularly test an incident response plan so the company knows what to do when a cyber incident occurs. Confirm appropriate personnel will be alerted to indicators of an attack or compromise, especially outside of normal business hours.
- Distributed Denial of Service (DDoS) Attack Protection: The impact of DDoS attacks varies depending on the type of business, but the risk increases significantly for any company with ecommerce or a critical web presence. Knowing how susceptible your company is to a DDoS attack is crucial. I recommend services like Akamai and Cloudflare, which provide DDoS protection to offload and handle the massive number of requests that fuel a DDoS request.
Agio is the preeminent cybersecurity partner for private equity firms and their portfolio companies. We live and breathe this space, and guide and support firms when it comes to compliance as well as portfolio company cybersecurity risk management. If we can elevate your cyber-strategy in 2020, contact us. We’d love to help.