Any visitor to a private equity industry event is bound to observe dealmakers frantically tapping away on their devices as soon as there is a coffee break. Buyout partners like to stay on top of things and smartphones provide an ideal way to get work done, even when away from the office.
A survey by managed services provider Doherty Associates and Real Deals on how private equity is managing cyber security shows that the use of devices and email to share confidential data and work remotely is indeed ubiquitous. All respondents said their firms allow professionals to access work documents and email on phones when out of the office, and all permit employees to send confidential information using email attachments.
“Our team want to have access to their email and data at all times. You can’t turn it off because otherwise you are falling behind the competition,” the finance director of a European private equity firm who participated in the poll said.
“We have been hauled into the new world. We are not a technology firm, but we have to find a way to manage technology’s expansion when we are not experts”
But although firms recognise the benefits of digitalisation for the productivity of their dealmakers, general partners are concerned about keeping up with technology that has taken sensitive commercial information out of the safety and control of the office environment and onto devices that can be used anywhere that there is signal or a wifi network.
“We have been hauled into the new world. We are not a technology firm that is leading development in the space, but technology cannot be ignored and we have to find a way to manage its expansion when we are not experts,” one private equity firm chief operating officer who responded to the survey said.
The Doherty Associates/Real Deals survey results suggest there is good reason for caution. Only ten per cent of respondents said they could see who had opened and viewed attachments once sent and less than a fifth (19 per cent) said they could wipe a document remotely if it was found to have fallen into the wrong hands. With regards to the security measures firms had in place in the event of a device with access to work data and email being lost, 90 per cent of those polled said they had procedures in place. Of that 90 per cent, however, 15 per cent were using basic passwords on phones and apps as the only security measure. Only around a fifth (21 per cent) were using a combination of passwords and the ability to wipe phones remotely.
Terry Doherty, Doherty Associates’ founder and chief executive, says mobile devices and electronic communications have added further complexity to securing valuable data and that the pace of change has made it difficult for companies, especially relatively small, partner-led businesses like private equity firms, to keep pace with the rate of change.
The fact that information is now accessed across a much wider environment by a greater number of people also makes it difficult to identify exactly what risks firms need to mitigate. “In general the use of devices and security is not something that people really think about. “Email is the first part. Users do not consider the risks that come with using email until asked a pointed question,” Doherty says. “Do you send sensitive information via email or in attachments? Do you use a mobile device to send that information? The answer is usually yes. But when you ask what happens if that device is lost or stolen, the procedure for protecting that information is often unclear.”
Doherty says that the way technology has developed has changed the way firms should approach IT security. Keeping cyber criminals out is not enough anymore. It is equally important to keep an eye on what is going out.
“The natural way to approach cyber security is to look at a location – usually the office – and then take steps to lock that location down and put up the best firewall possible. There is almost a paranoia about stopping bad stuff coming in, but often what isn’t taken into account is how to protect data going out,” Doherty says. “You can have the best firewall in the world in place, but if you are sending out emails and attachments you are vulnerable because once that information leaves your system you lose control of it.”
Findings from the survey, which show that although 71 per cent of respondents say that they take security precautions to protect attachments, 50 per cent of them are only using passwords to protect confidential documents sent out to third parties, illustrates how firms can think they are doing what is necessary when in fact they still have major exposures.
“Putting a password on a document is better than nothing and shows that people are thinking about security, but passwords can be cracked and once the document is opened by the recipient, even if a password has been sent separately, you have still lost control of that document,” says Caleb Mills, technical director at Doherty Associates. “Once on the other side it can be downloaded, stolen, posted, forwarded or made public.”
How to control valuable data and documents
Mills says there are range of technology options that firms can use to address this exposure. “There are rights management tools available that can give organisations control of their documents once they leave the company server,” he says. “You can set who can view a document and how long it is available for. You prevent the document from being saved or printed and block copying the document or taking screenshots of it. You can revoke access at any time and tell if the document has been opened in an unexpected location.”
Doherty adds that it is also important to take the increasingly heavy burden of cyber security management off the shoulders of the chief operating officers and finance directors at private equity houses who usually end up managing a firm’s security measures on top of their core roles.
“No CFO or COO at a private equity firm has the time to check the firewall logs each day or keep an eye on every email and attachment going out of the organisation,” he says. “There are products and services that can help to mitigate risk, highlight the risks that firms don’t know about and take the burden off senior people who have other responsibilities.”
In an increasingly complex and demanding cyber security landscape, private equity firms are likely to welcome any help
For more information on managing cyber risk visit: www.doherty.co.uk/private-equity