How Security Impacts Company Value

It’s widely known that recovering from a cyber-attack can be costly to small businesses, but many entrepreneurs do not realize that their security measures can actually impact their company’s valuation.

It’s understood that if two companies are discussing a merger or acquisition, the potential buyer will perform due diligence from a financial and legal standpoint. However, integrating cybersecurity due diligence into the M&A process is essential for identifying risks that could inform decision-making and negotiation.

Why Security Impacts Company Value

For many startups, especially in the tech space, IT infrastructure is a core component of the business. If that core is not secure, it raises a red flag for a potential buyer, as it indicates they will need to make investments beyond the acquisition cost.

You might think of it as inspecting a house before making a purchase. If the inspection reveals cracks in the foundation, a buyer is likely to walk away from the deal. 

The same is true in business. If an assessment uncovers weak points that could be exploited by a hacker, it may cause the deal to fall through.

What to Expect from Cybersecurity Due Diligence

When a potential buyer performs a cybersecurity due diligence assessment, they will likely explore the following areas:

Data Inventory

An evaluation of:

  • all the data a company has
  • where data is stored
  • how data is transferred

This provides insight into data security and privacy risks and identifies gaps.

Prospective buyers do this to understand their risk exposure, especially as it relates to regulatory compliance standards and privacy legislation.

Cybersecurity Risk Assessment

Understanding an organization’s cybersecurity tools and practices has become a standard practice of the M&A process. 

These assessments:

  • inform decision makers on gaps in compliance 
  • identify threats and vulnerabilities to information assets 
  • develop a mitigation plan to prioritize and remediate each risk

Third-party Risk Assessment

The way a company interacts with vendors, suppliers and service providers impacts the overall security of a business. 

Penetration Testing

Professional penetration testing teams carry out simulated attacks to examine systems for exploitable vulnerabilities, as well as social engineering exercises to gauge employees’ security awareness. 

These tests provide measurable insight into the real-world risks an organization faces.  

Wells Mason often helps perform these assessments for potential buyers, which means we are also in a position to advise startups on how to improve their security measures and make their businesses more attractive to buyers. 

Contact us to learn more about how we can help in the merger and acquisition process. 

Digital Transformation

Digital transformation is the latest buzzword in the corporate lexicon, which means that many people may not actually understand the real goal behind it.

Simply put, digital transformation is the process of adopting new technology to improve business processes and evolving business practices to unlock new operating models, increasing customer value.

Once a company has digitally transformed, both consumers and employees gain the ability to utilize multiple platforms to interact with the company.  Regardless of the time of day, or device they are on, each user will have the same experience.

Digital Transformation v. Cloud Computing

Cloud computing leverages online resources to make certain computing processes accessible anytime, anywhere. When a business moves to the cloud, that may include changing how employees store files, and access business software or databases.

While cloud computing plays a role in digital transformation, the overall process goes beyond just migrating to the cloud. 

Digital transformation is the process of evaluating the entire business landscape and finding ways to use technology in order to enhance everything you do. This ranges from operations to customer engagement and can help:

  • drive efficiencies
  • improve customer experience
  • adapt to change 

Digital Transformation and Company Culture

Covid has accelerated the need for digital transformation and has made it an absolute necessity to survive the pandemic period. The shift to remote work has forced many companies to update policies, streamline processes, and enhance data security controls to enable employees to work from anywhere.

As we’ve seen recently, many companies have gone fully remote and, in many cases, remote work has now become table stakes to attract and retain top talent.

This means that traditional network boundaries, such as requiring employees to be in the office to access information, are a thing of the past. 

Cybersecurity is a Part of Digital Transformation

Cybersecurity goes hand-in-hand with digital transformation efforts. As companies transform their infrastructure to support work from any device, integrating zero trust principles into business processes is imperative to securing their data, people, and assets.

It’s worth noting that employees may be resistant to the changes this brings. Working in a zero trust environment requires employees to continuously authenticate their identity as they work with different software and systems.

This can feel like a hassle for some people, and it may be viewed as a barrier to speed and efficiency. That’s why it’s important for company leadership to buy into the process, lead by example, and promote the message that security is everyone’s responsibility.

Wells Mason can help businesses be mindful of security as they evaluate ways that technology can help improve their business model. Contact us today to discuss your options.

Impacts of a Data Breach

The costs of a data breach are rising.

According to IBM’s 2021 report, the average cost of a data breach has risen to $4.24 million – the highest average ever. They also found that compromised credentials were the most common way hackers gained access, and that remote work has been a large factor in both the frequency and the costs of an attack.

If you’re struggling to understand how these numbers add up, let’s break down what actually happens when a business’s security is compromised.

What really happens during a data breach?

When a business is identified as a potential target by a cybercriminal, they start with reconnaissance on the employees and systems, and launch an attack using any weaknesses they find.

Once inside the network, their goal is to keep their activity hidden while avoiding detection. The longer a hacker has access to a network, the more havoc they may cause, which results in more costs for the business.

It’s terrifying to think that, on average, it takes a company 197 days to detect a data breach.

Imagine the impact to your business when a criminal is hiding inside your network for 8 months, without being detected, modifying, destroying, or stealing sensitive information about your company and customers.

Breaking down the costs of a data breach

Once a breach is discovered, there are both short-term and long-term cost impacts that you may or may not have considered.

Short-term costs

Professional Services

Dealing with a data breach will require cybersecurity professionals to perform a technical investigation to understand the full extent of the hacker’s activity, as well as guide the organization on a recovery plan and on security measures to protect against future attacks.

A public relations and legal team will also need to be engaged to help manage the fallout.

For businesses that don’t have employees able to perform these duties, outside contractors will need to be brought in at a substantial cost.

Loss of productivity

When a data breach happens, it requires all hands on deck to recover:

  • C Suite
  • Communications
  • Finance
  • Legal
  • IT / Security
  • Customer service
  • Business units

When a team has to concentrate on the fallout from an attack, they are unable to focus on their regular activities, and the things that make the company money.

Also worth noting is that many companies react to a data breach by essentially pulling the plug on their servers in order to stop the infiltration. If there are no system backups, or employees have not followed procedures to save their files on the cloud, they may struggle to recover their work (presentations, past records, strategic plans, etc.) and have to redo many tasks.

Loss of sales

The news of a data breach can erode trust in a company, which often results in a loss of customers, and quickly dries up a sales pipeline.

Perhaps worse is losing customers who leave because of non-performance (employees are dealing with the data breach instead of supporting customers).

Long-term costs

The long-term impacts from a breach could linger for years and include:

  • Operations disruption or loss of business
  • Litigation, fines, fees or liability claims
  • Loss of customer trust relationship
  • Loss of contract revenue
  • Deficit spending

On average it takes 69 days to contain a breach, but it often takes years to recover revenue, and return to normal growth levels.

It’s clear that the recovery process is costly in both time and resources.  The good news is organizations can prevent many cyber attacks by taking proactive and preventative measures such as:

  • risk assessments
  • vulnerability management
  • least privilege practices
  • awareness training and tabletop exercises

These cost-effective measures can mitigate security risks and save an organization from many problems.  If you’d like to discuss how to leverage them for your business, please contact us for a free consultation.

5 Steps to a Cybersecurity Risk Assessment

It’s no secret that cybersecurity breaches are increasing in both frequency and complexity. Ransomware attacks are regularly in the news, and the 2020 Thales Data Threat Report found that:

49% of US companies have experienced a data breach

26% of US companies have experienced a data breach within the last year

Despite these sobering numbers, most of us still believe that it won’t actually happen to us. This false sense of confidence means that many of us haven’t done our homework and performed a cyber security risk assessment, and so we may not be aware of an attack when it’s happening.

Consider this: on average, there are 4,800 websites compromised every month with form-jacking code, which allows a hacker to capture credit card information as it’s entered on your website.

While this attack allows criminals to steal millions of dollars, your website continues to function without any problem. Unless you actively perform vulnerability scans on your site for malware, test code updates, and monitor activity, you might not even realize your business has been compromised.

The Value of a Cybersecurity Risk Assessment

Performing a cybersecurity risk assessment will give you greater knowledge and understanding of the potential threats that exist, and how they can harm your business.

Risk assessments can also help you:

  • Reduce costs
  • Avoid financial loss
  • Strengthen your reputation with clients, vendors and business partners

Step 1: Take Inventory of your information systems

Start by making a list of all the systems your organization uses, including:

  • CRMs
  • Accounting software
  • Payroll systems
  • Website hosting and management
  • Credit card processors
  • Email systems
  • File / document storage
  • Cloud storage
  • SaaS apps or systems

Note: Small businesses should examine their entire operation, but larger organizations may need to narrow their scope and focus on specific business units, or functions (i.e. payment processing).

Step 2: Assess the risk to each system

Now that you’ve identified your information systems, it’s time to think through how they are accessed, and where a threat exists.

Ask yourself the following questions for each item on your list:

  • How is the system accessed?
    • Is it available online, or software that must be accessed through a company portal?
    • Is it connected to other third party apps? (i.e. your credit card processor is likely connected to your website)
  • Who has access?
    • Are there multiple users, or do several people share access through a single login?
    • Do any outside vendors have access to the system?
    • Can anyone in the company access the information/files, or do different users have different permission levels?
  • How are passwords stored or shared?
  • Do any security measures exist, such as a VPN, firewall or double authentication?
  • Are there backups of the information?
    • If so, where are they stored, and who has access?
  • What type of information is stored that could present a risk?
    Do any systems store personal information such as:
    • Social security numbers of employees or clients
    • Birthdays of employees or clients
    • Credit card information
    • Bank account information for ACH transfers/payroll

Step 3: Consider the threats

Now it’s time to consider the threats to each of your systems. Many companies tend to focus on external threats, but a study by Verizon found that a third of data breaches are caused by internal actors.

Internal threats, whether accidental or intentional, may have the same devastating impact on a business.  A comprehensive risk assessment should identify all risks to a business, both internal and external.

External threats include:

  • Ransomware
  • Malware
  • Viruses
  • Phishing

Internal threats include:

  • Human error
  • Employees accessing information through insecure devices (i.e. personal computers or mobile phones)
  • Data theft

Don’t forget the risk of a natural disaster or structural failure – if your building burned down, could you continue to operate?

Step 4: Prioritize your response

By now you should have a comprehensive picture of your information systems, and the threats that exist. This allows you to take steps to protect yourself.

In an ideal world, you would secure everything immediately, but the reality is your budget may require a phased approach, so it’s important to prioritize the biggest threat.

  1. What is the likelihood of the threat?
    An attack on your website could be very likely, while a natural disaster is less likely.
  2. Determine the severity of the threat, its impact and cost.
    If your clients’ credit card information is compromised, what will it cost you to address the breach? Be sure to include the impact to your reputation, as well as potential fines or lawsuits.
  3. What is the effectiveness of the control?
    If you require employees to use a VPN to access company systems, will that contain the risk?

Step 5: Review annually

As your business evolves, it’s highly likely that you’ll add, or upgrade, the systems you use. Your team will change, and as we’ve found with the COVID pandemic, work habits will change.

All of these factors make it important to document your risk assessment, and review it annually to adapt to changes in your organization.
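
The prioritization from Step 4, applied to a small documented register of the kind Step 5 asks you to keep, as an added example that is not part of the original article. The 1-5 rating scales, the residual-risk formula (likelihood × severity × (1 − control effectiveness)), the per-phase budget, and all sample systems, ratings and costs are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    system: str            # Step 1: a system from the inventory
    threat: str            # Step 3: internal or external threat
    likelihood: int        # Step 4, question 1: 1 (rare) to 5 (almost certain)
    severity: int          # Step 4, question 2: 1 (minor) to 5 (business-ending)
    control_effect: float  # Step 4, question 3: 0.0 (no control) to 1.0 (contained)
    fix_cost: int          # estimated remediation cost in dollars (assumed)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.severity <= 5):
            raise ValueError("likelihood and severity must be rated 1-5")
        if not 0.0 <= self.control_effect <= 1.0:
            raise ValueError("control_effect must be between 0.0 and 1.0")

    @property
    def inherent(self) -> int:
        return self.likelihood * self.severity

    @property
    def residual(self) -> float:
        # Risk left over after existing controls are taken into account.
        return round(self.inherent * (1 - self.control_effect), 2)

def prioritize(risks):
    # Highest residual risk first; the cheaper fix wins a tie.
    return sorted(risks, key=lambda r: (-r.residual, r.fix_cost))

def phase_plan(risks, budget_per_phase):
    # Walk the ranked list in order, opening a new phase when the budget runs out.
    # An item costing more than a whole phase gets a phase to itself.
    phases, current, remaining = [], [], budget_per_phase
    for risk in prioritize(risks):
        if current and risk.fix_cost > remaining:
            phases.append(current)
            current, remaining = [], budget_per_phase
        current.append(risk)
        remaining -= risk.fix_cost
    if current:
        phases.append(current)
    return phases

# Constructed sample register; every name, rating and cost is illustrative.
REGISTER = [
    Risk("Email system", "Phishing", 5, 4, 0.5, 1500),
    Risk("Website / card processor", "Form-jacking code", 4, 5, 0.2, 3000),
    Risk("File storage", "Ransomware", 3, 5, 0.6, 4000),
    Risk("Payroll system", "Shared login misuse", 3, 4, 0.0, 500),
    Risk("Office building", "Fire", 1, 5, 0.4, 6000),
]

if __name__ == "__main__":
    for n, phase in enumerate(phase_plan(REGISTER, budget_per_phase=5000), 1):
        for r in phase:
            print(f"Phase {n}: {r.system:26} {r.threat:20} "
                  f"inherent={r.inherent:2} residual={r.residual}")
```

In this sample the payroll system, which has no control in place, ranks above phishing even though phishing has the higher inherent score; that is the effect of asking the control-effectiveness question.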

At Wells Mason, we believe every business – no matter how big or small – should be protected against cyber threats. That’s why we offer cost-effective strategies to operate in a secure, and efficient manner. Contact us today for a free consultation to find out if we’re the right choice for you. 

Cybersecurity: A Problem too Big for Small Businesses to Ignore

It seems like every day there is a new story of a data breach or cyber-attack reported in the news. As more and more of our activities take place online, the threat of cyber-attacks increases.

Despite this, few small businesses take steps to protect their systems and information from cyber-attacks. In fact, studies show that 54% of small businesses believe hackers aren’t interested in their company because it’s “too small.”  If you happen to fall into that category, consider these facts:

  • 43% of cyber-attacks target small businesses
  • 60% of those companies don’t recover and go out of business.

Yes, you read that correctly. More than half of small businesses that suffer from a cyber-attack will close.

If that’s not enough to spur you into action, chew on this: the risks of insecure information include:

  • Loss of revenue
  • Loss of customers
  • Loss of productivity
  • Loss of contracts
  • Financial penalties
  • Lawsuits

So what can you do?

The first step is gaining an awareness of the cyber-threats you face, in order to protect against them.

Top 3 Cyber Threats to Small Businesses

#1 Ransomware

I am sure by now everyone is familiar with ransomware.  It is a specific type of malware that encrypts a victim’s files and makes the device where they are stored inoperable.  Once the malware is on your system, the attacker demands a ransom from the victim to restore access to the encrypted files.  The most recent and largest-known attack occurred just last week on U.S. energy infrastructure, Colonial Pipeline.

Ransomware can be disastrous for a small business. Without access to systems and data, business operations will be severely limited.  Paying the ransom does not always guarantee that the files will be restored.  Recovery can be both time-consuming and costly.

#2 Phishing attacks

The most common method of attack, phishing, is the fraudulent attempt to steal sensitive information, such as passwords, credit card numbers, or other personal details by pretending to be a trusted source. Since the onset of the pandemic, there has been a 600% increase in phishing. 

While there are several types of phishing, email phishing is the most common method.  Email phishing is a method used by hackers to trick you into providing sensitive information such as login credentials or bank account information.  The spoofed email appears to be from a legitimate source, such as a supplier or even someone within your organization.  Once they gain access to your information, they will attempt to install malware on your device or steal data.

#3 Remote Workers

The increase in remote workers has also increased the threat of cyber-attacks, as workers use home networks and personal devices that may be vulnerable.

This type of threat is often overlooked because it involves an employee or business partner.  Even if you have taken steps to secure your systems, an unsecured personal device, such as a cell phone, could be used as a gateway to allow sensitive information about your business to be leaked or stolen.

Why Small Businesses are Targeted

Cyber criminals have learned that small businesses are less likely to have strong security measures implemented.  Criminals go after weaker targets because it will yield results with minimal effort. 

Hackers may also use small businesses as an attack vector to target a much larger company.  While large companies have the resources to defend against a cyber-attack, they may inadvertently be compromised because of an attack on an insecure small business in their supply chain. This is just one of the reasons for the DoD’s new CMMC requirement for federal contractors.

At Wells Mason, we understand that cybersecurity is a challenge for small businesses. Beyond the expense of implementing security measures, it may feel onerous to go through the steps required to keep information secure. Yet, when done right, cybersecurity can increase productivity, enhance product integrity, and improve the customer’s experience. 

If you’d like to understand what a cybersecurity plan would look like for your business, contact us today for a free consultation.
