Recently, a Sequoia employee was the victim of a successful phishing attempt. This is just the beginning, and it continues to prove that anyone is vulnerable to an attack. Hackers are targeting the venture capital industry as a convenient gateway into the funds, investors, and portfolio companies that VCs are connected with. I’m going to talk about why VCs are becoming a target for phishing attacks and what we can do together to help prevent future cyber incidents just like this one.
Why do VCs need security awareness training?
Almost every business has now recognized that its employees need to be educated on basic cyber security principles, such as phishing. Venture capital firms that still treat security awareness training and phishing simulations as optional, rather than as a basic operational business requirement, make an especially attractive target. A single mistake by one employee can be a costly mistake for the entire future of the firm.
VCs are in the business of managing financial risk and growth for their limited partners (LPs), investors, and other stakeholders. Hundreds of billions of dollars are poured into private and public companies to help grow startups, fund businesses, and provide wealth for a variety of those involved. When a bad investment is made, it’s no big deal; we write it off as a loss. It’s part of the algorithm of risk: select many, and few succeed. When they succeed, they cover the losses and growth for the entire portfolio. But a loss that hits the firm holding the entire portfolio is something to take notice of.
A few years ago I spent quite a bit of time talking with this industry as Curricula was on the market to raise capital. We eventually found the right fit with RCP Equity, our Series A private equity investors, who aligned best with our business model. But believe me, I saw all kinds of wacky ways that VC firms were asking for our data without any accountability for what they were going to do with it. Immediately we were being asked for customer lists, sensitive financial info, and complex details about our business before even having a real conversation. Call me old-fashioned, but we don’t give our data out on the first date!
Going through this experience was really concerning for me, especially as a security awareness training company that focuses on doing the right thing. Every time I met with a VC and tried to help educate them on why we don’t do that, for a handful of reasons, they got upset, put more pressure on the process, and were just overall rude about it.
This has got to stop.
VCs shouldn’t be requesting sensitive information out of the gate. Why? Well, it doesn’t belong to you! Instead, lead the conversation with founder teams about the importance of taking their customer data seriously, and have them anonymize anything that could be sensitive. Show them that you take data protection seriously.
With so many analysts running around trying to find the next big thing, there’s no question that the risk is high. So instead of ignoring that risk and hoping an analyst or other employee doesn’t click on links, teach them why they shouldn’t. Show them what can happen. Run simulated phishing tests against them to train them. But above all else, don’t lose sight of the fact that security is part of running a business and mistakes will happen. It’s how we learn from those mistakes and make process changes that drives us forward.
How should VC firms take action in security awareness?
This is not a compliance filing
Security awareness is not a legal signing; it is a cultural attitude change. You need to treat it as a way to get employees involved in protecting the firm, not just as a check-the-box exercise. Think about all of the cultural elements that make up the firm and apply them to this training. You need to be invested in your employees if you want to see results.
It’s like picking an investment
Not all investments are treated equally. You know that. So look for the things that stand out. Most importantly, does the training content resonate with employees? If it doesn’t, you will just be wasting their time. Is the software easy to use, can you track what’s going on, and can you get the results you need to build a security culture?
Set an example for your portfolio companies
You should be leading by example for your portfolio companies. You are trusting them with your money, so they should be able to trust you to do the right thing. Your VC firm has a wealth of experience and advice. You should be connecting the dots to get all of your portfolio companies connected and protected with a security awareness training and simulated phishing program designed to fit their culture. Then hold them accountable for staying protected.
Phishing simulations are critical
If you haven’t started simulated phishing training with your employees, you are already behind. Phishing training will help expose the current risks you have and help educate employees on how to defend against attacks like the one we just saw. The more you practice, the better your entire employee base will become. Continuous phishing training is a key to success.
Recognize you’re a target
Above all else, if the management team doesn’t recognize that your firm will be targeted, wake up. Do you really want to be in the news or have to play cleanup after a data breach? Probably not. So the sooner you get started working towards a safer and more secure employee base, the sooner you can show your investors, LPs, employees, portfolio companies, and other stakeholders that you are doing the right thing.
Curricula is here to help. We’re all in this together.