If you are hiking with your friends in the woods and a bear comes, you do not need to be faster than the bear; you need to be faster than your friend.
This cruel adage has long been true in the case of cybersecurity. Years ago, hacking was an intellectual pursuit. The best hackers would publicise their exploits and how they cracked the most advanced security.
Today, for-profit hackers are engaged in a business, and these businesses are about cash, not intellectual trophies.
Rather than seeking to crack the toughest security, hackers are looking for the easiest way into companies. They are looking for the slow hiker, and mid-cap companies represent that opportunity.
Even with the best intentions, mid-cap companies cannot spend the kind of capital on cybersecurity that larger companies can. Often they do not need to, since many have lower risk profiles than larger companies, which are meatier targets for hackers.
However, when those mid-cap companies become the acquisition targets for larger companies or private equity companies, their risk profile suddenly changes.
They are now cash-rich due to recent funding from the PE fund, and their name is in the press, making them known to hackers and raising the reputational stakes of any breach.
A third, less appreciated risk factor is also at play when an acquisition is announced. Hackers have long been known to attack companies that are targets of acquisition. They breach the target company when a potential acquisition is announced and dwell there, undetected, for months.
They then use the acquisition target as a Trojan horse, riding the system integration, if and when it occurs, into the broader network of the larger company. Such patience and strategy were once thought to be reserved for nation states.
But today, we know that sophisticated organised crime hackers also play the long game, and their profits are an indication that their strategy is paying off.
Barriers to cyber protection
So why are mid-market acquisition targets not doing more to protect themselves? The short answer is that investing in cybersecurity requires time and money.
For companies still in early growth phases, time and money are in short supply. Even for those companies that are willing to invest both, hiring a qualified executive to oversee cybersecurity, for example a chief information security officer (CISO), is easier said than done. In the cyber sector there is a war for talent at this level, and even those companies that find a CISO are lucky to retain them for more than a year or two.
Perhaps an easier alternative is for the PE company to have its own CISO help with the due diligence work pre-acquisition and drive the portfolio company's security post-acquisition. This too is tricky.
PE companies often want to oversee their portfolio companies but not manage their day-to-day operations. Portfolio companies are typically wary of too many attempts by their investors to meddle in their operations.