Cybersecurity isn't just a concern for large corporations. Increasingly, small businesses are the targets of cyberattacks designed to capture sensitive data and wreak havoc on the organization's IT infrastructure.
But despite the prevalence of attacks, many small business buyers are oblivious to cybersecurity risks. That needs to change. By properly vetting the cybersecurity of candidate acquisitions, buyers can prevent data breaches and other post-sale catastrophes.
Cyber Threats Against Small Businesses Are Increasing
In 2015, more than 430 million new unique pieces of malware were unleashed against companies and individuals, according to Symantec's 2016 Internet Security Threat report. Even more concerning, the report showed that 43 percent of all attacks in 2015 targeted small businesses. If the news is any indicator, 2016 didn't fare much better.
Small business owners can no longer stick their heads in the sand and hope that fraudsters won't notice their companies. Cyber threats are real and criminals are targeting small companies at unprecedented levels.
One of the most common types of attack is called spear-phishing. This type of attack targets the workforce with emails that appear to be from an individual or company the employee already knows. By simply opening the message or clicking on a link in the body of the email, an employee can expose the organization's confidential data to unauthorized access.
According to the Symantec report, spear-phishing attacks against employees increased by a whopping 55 percent in 2015, undoubtedly because they have proven effective for gaining access to protected information and systems.
Malware and other attacks also present significant risks to small businesses, partially due to the prevalence of mobile technology and Bring Your Own Device (BYOD) policies in the workplace. Although mobile and BYOD have improved productivity and collaboration, they have amplified the risks for small businesses, especially when employees are allowed to access and share protected information via their personal devices.
Evaluating Cybersecurity in a Potential Business Acquisition
As a business buyer, the time to evaluate cybersecurity is now, before you finalize a deal and inherit a problem that exposes your business to the negative consequences of cybercrime. Although fraud-based risks are constantly evolving, there are a few common issues to consider before you commit to an acquisition:
- Employee Training. Data breaches are most commonly the result of employee error or an inside job, according to the ACC Foundation: State of Cybersecurity Report. Employee training is the heart and soul of robust cybersecurity. In addition to educating employees about spear-phishing and other attacks that gain access through employee behaviors, the best small companies train their workforces about the use of strong passwords, BYOD policies and the sharing of protected information.
- Updated IT. From a cybersecurity perspective, it's a good sign if the business owner has taken steps to keep IT software and hardware up-to-date. Recent versions of software and security patches can prevent exposure to malware - but only to the extent that updates have been installed on all of the computers and devices that access company servers. Be sure to thoroughly review the company's IT software, hardware and IT investments during the due diligence process. Major vulnerabilities or the need for extensive IT investments should be brought up during negotiations and could ultimately help lower the sale price.
- Data Security Policies. Regardless of size, all companies should have documented policies for the handling of customer information and data storage. It's surprising how many data breaches occur through seemingly innocent employee behaviors that could have been prevented if the company had developed and enforced simple data security policies. Ask to review their security policies during the due diligence process, and inquire into how the owner currently enforces such policies. Make sure the company has considered third-party/supply chain vulnerabilities.
- Payments Technologies. Retail operations, restaurants and other businesses that collect payments at the point of sale face additional cybersecurity concerns. Many of these businesses have already migrated to robust point of sale (POS) systems that integrate payments with inventory management and other functions. But at a minimum, make sure potential acquisitions have secure and updated credit card payment technologies that accommodate EMV (Europay, MasterCard and Visa) chip payments.
- Technology Plan. Ideally, the business you acquire should have a technology plan in place to address current cybersecurity threats and describe how the organization will respond to evolving risks as they occur. The lack of a technology plan may indicate that the business is vulnerable simply because the seller has ignored technology concerns.
When it comes to cybersecurity, even small vulnerabilities can provide opportunities for fraudsters. By taking a little extra time to consider the cybersecurity of candidate acquisitions, you can protect your investment from the devastating consequences of a cyber breach after the sale.