The Cybersecurity threat landscape continues to evolve and change at pace. Threat actors have increased their level of sophistication, especially around the use of Ransomware attacks. These have been prolific and have evolved to be ‘double knock’, in that the attackers have combined data theft with environment encryption to maximise the impact and therefore their extortion attempts. There are well publicised attacks from around the world in this space, with ransom payments reportedly hitting the $40 million mark for an individual payment in addition to generating considerable business interruption impact. This is a material change from only six years ago, where the largest disclosed ransomware payment was less than $65k.
Highly organised criminal gangs have gained access to malicious tooling that would previously have only been in the domain of a Nation State. This has been a key enabler of the increase in sophistication mentioned above. In addition to Ransomware there have also been a number of publicly disclosed large scale ‘Supply-Chain’ attacks. These attacks have infiltrated well known and ‘trusted’ software providers that have considerable deployed footprints within many customer locations. The attackers have demonstrated patience, breaching the software provider many months before deciding to execute their attacks. Given the ‘trusted’ nature of the maliciously engineered software deployed, these attacks were initially very successful in bypassing typical defences that existed in many companies. These attacks confirmed the need to have solid foundational protective measures deployed – such as patching – and further emphasised the need for organisations to improve their ability to detect and respond quickly to anomalous events.
Unfortunately, Cyber has also now been weaponised and deployed during conflict between countries. These Cyber warfare attacks have been designed to infiltrate military or National Infrastructure organisations and/or generate wide-scale infrastructure disruption and impact.
As Hg is a software investor, cybersecurity is one of the biggest risks for us. Hg takes this matter very seriously and has built a Technology & Cybersecurity team with deep expertise in this matter. In early 2017, the team launched its Cybersecurity Risk and Maturity Assessment Programme for both prospective investments and existing companies within the portfolio. Over 250 assessments later, Hg has learnt from experience and evolved with the ever-changing threat landscape to make cybersecurity a true organisational strength.
“The threat of cybersecurity impact to any business is very real, is ever increasing, and is becoming more and more sophisticated through automation. There should not be an assumption that attackers are only interested in big enterprises/corporates as the wide scale automation capabilities deployed by attackers enable them to indiscriminately find weaknesses in any company that is ‘online’ regardless of scale. An effective understanding of cybersecurity, from the boardroom through every employee, is the cornerstone of a successful defence. This then needs to be supported with an investment in, at a minimum, the ‘hygiene’ technical elements of a successful and layered cyber defence strategy – for example, advanced malware protection, data encryption and multi-factor authentication. Supply chain attacks are also becoming more prevalent. It is important to consider not only the services you use, but also those you provide and to whom. An attacker might be more interested in who they can get to through you, than what they can get directly from you. A mindset of how well protected we are, how quickly and well can we respond WHEN we are attacked, rather than IF we are attacked, is recommended.”
Jason Richards, Head of Portfolio Technology and Cybersecurity
The assessment, which is based on Hg’s standard cybersecurity framework, leveraging ‘industry standards’ such as NIST V1.1 and CIS V8, begins during the early stages of due diligence for prospective investments, then continues for the entire ownership lifecycle as and when a company joins the Hg portfolio. The framework follows five key aspects:
- Identify – capturing and quantifying main cybersecurity risks and threats.
- Protect – standards, processes and systems to protect the business against these risks.
- Detect – ability to detect an attack as quickly as possible.
- Respond – well-defined cross-functional incident response plan, supported by an external expert security company.
- Recover – robustness and protection of data backups for critical IT systems.
Focused on action and operating on a model of continuous improvement, the programme ensures that every portfolio company is assessed on a rolling basis, with frequency of assessment determined by their individual risk and maturity score. The goal is that every company is assessed at least annually, with low-scoring companies undergoing much more regular checks.
Hg’s Technology & Cybersecurity team is also able to provide support and guidance on how to address the recommendations, rather than just issuing a report. In partnership with each portfolio company’s cybersecurity stakeholders, the Hg cybersecurity team can assist in creating a pragmatic and prioritised action plan for remediation, unique to each individual company.