When assessing a scale-up firm, we imagine (and hope for) robust technology, impenetrable security, and digital product mastery. Yet, as our tech due diligence reveals, there are often unforeseen narratives beneath the surface.
Investment and Cybersecurity: More Connected Than Ever
The connection between business success and its digital weaknesses is inextricable. It’s not just about the business’s direct profitability but the sustainability of that profit in an increasingly digital realm.
Below are some informal/internal notes of a previous cyber-security assessment. I hope sharing these will give you an understanding of severity without veering into technical jargon.
In addition to platform security, we tend to find many firms have weak measures protecting their internal IT. As per this FT article, employees’ logins were ‘hacked and traded’ on cybercriminal forums for firms like Wells Fargo, WPP, Experian, Diageo, Wayfair, Epic Games and Adobe.
Hence, IT leaders at portfolio firms must protect the platforms they create and the internal IT systems simultaneously. Yet, it is rare that we meet teams that are good at both.
An outside-in cyber assessment
The results below are from a firm’s ‘Outside In’ assessment. I’ve used the engineer’s informal notes instead of a polished report.
What is an outside-in cyber assessment?
This is a service where we check the cyber security defences and general information about the firm as if we were a nefarious attacker. Note that we utilise publicly available material and do not attempt to ‘test’ (or hack) the systems.
This information helps buyers understand how the firm looks from an attacker’s perspective:
Overall: Developed by someone who thinks the world is a safe place.
This is a jovial/throwaway comment, but the sentiment is serious. If the development team realised how advanced attackers are, they would invest to protect their business.
In the report, it appears the masterminds of this system were not up to date with today’s cyber risks.
- Minimal indication the business has focused on cyber: Their compass for modern InfoSec hints at a disconnect with the current cybersecurity landscape.
- Unaware of how vulnerable they are: Collecting vulnerabilities, leaving an opening for cyber attackers.
- Old perspective on cyber: Their tech perspective is charming but perhaps out of place in today’s fast-paced digital world.
- Ports to their database and APIs are open: An open-door policy that might be too generous.
- Critical IP exposed to the Internet: A treasure exposed, beckoning risks that are too great to ignore.
Overall, he gave them a grade of C+ for their InfoSec stance. A sign of potential but a clear indication that there’s a risky road ahead without some work.
Investment and Cybersecurity: Deciphering the Implications
Whilst these are light-hearted observations, the underlying seriousness cannot be overstated. Investment and cybersecurity are closely intertwined. When a firm’s IP stands exposed, it’s not just a technical glitch but a significant investment risk.
For the discerning investor, it’s essential to understand that cybersecurity isn’t just a tech challenge; it directly influences a business’s valuation, growth potential, and long-term viability. As digital threats evolve, the financial and reputational costs of breaches can be monumental.
Final Thoughts for Investors
Joking aside, one thing is clear – robust digital defences are as crucial as a healthy balance sheet. It’s not just about immediate profits but ensuring those profits can withstand the myriad challenges of the digital age.
In the investment landscape, consider cybersecurity not merely as a checkbox but as a cornerstone of sustainable growth. 🌐🔐📈