Chairman's Thoughts
We at Falls River Group have been advising clients and prospects for the past six months that it was a seller’s market because Private Families, Private Equity and the Strategics were all awash with cash looking for good companies to buy. (And there were not enough of them coming to market, supply did not meet demand.) The dynamic that I now see is that the momentum has shifted from being a seller’s market to more of a buyer’s market.
Why? Multiple reasons, but primarily a fear of a massive increase in capital gains meaning that people who were on the fence about selling have made the decision to sell. (We think supply is now meeting demand, but process constraints limit closings.) What does this mean for anyone who has not yet hired a banker to explore their options? They may not be able to sell in time, in 2021 because of the high demand for law firms, accounting firms, (and other service providers in the process), and because the buyers now have the luxury of selecting opportunities from a much larger pool. Our current “Intel” regarding Capital Gains tax rate increase is that the rate will go to 28% and effective date could be as early as after Labor Day or Mid-October, when the bill is introduced to the Ways and Means committee.
The key to this M&A revival is the momentum of the recovery. What could go wrong? Anything! Political gridlock over issues such as voting rights, the new green economy, lingering pandemic concerns, immigration and the infrastructure battle have brought a divisive and toxic tone to the recovery. The biggest concern is how to pay for it all. The word “taxes” keeps getting thrown around as the solution to all the debt being incurred. Increasing taxes will only slow our economy. Government is simply not efficient at spending. It is wasteful. The national debt is over $28 trillion. Congress is happily kicking the proverbial “can” down the road, maybe they think they are recycling it? If you factor in the Fed stimulus and Washington “recovery sugar,” inflation is bound to rear its ugly head.
In this newsletter I felt it would be useful to touch on one of the most significant issues businesses are forced to deal with, Cybersecurity. There are many risks we face daily in our personal and business lives, but cyber-predators are a very serious threat.
Get Ready to be a Victim, Cyber Criminals are Coming for You
If someone told you there was over a 50% chance you would get in a wreck every time you drove your car, would you still get behind the wheel? Most people would probably opt to never drive again. Or maybe you are a risk taker and don’t mind the odds? What about your business? Are you willing to take a chance that your business won’t be victimized by a cybercriminal attack? Over 50% of small to mid-size businesses reported suffering at least one cyber incident in the last year, averaging $1 million per event to restore business operations from a successful attack.
Over this past 4th of July weekend, the Russian affiliated hackers known as REvil claimed responsibility for locking down thousands of devices by compromising Kaseya, a software company that helps companies manage basic software updates. Because Kaseya customers manage internet services for other businesses, the damage was much more widespread. The ransom demand is $70 million which is far short of what they could potentially get if each of the devices required payment of the $45,000 initially requested to unlock them individually. REvil actually under-estimated the extent of the damage because the potent ransomware tools used had not been deployed in a mass attack before. Kaseya has almost 40,000 clients.
It is estimated the cybersecurity damages worldwide will be over $6 trillion dollars in 2021 and rising. It is no wonder, given that there are over 200 billion devices and objects talking to each other via the “Internet of Things” 24/7. Most companies take nearly 6 months to detect a data breach, even major ones compromising social security numbers, passwords and credit card details. The FBI has reported a 300% increase in cybercrimes because office work has moved to personal homes and hackers have leveraged the opportunity to attack vulnerable networks. There is an enormous demand for top talent in the continuing fight combating these cybercriminals and not enough people to fill them.
Quite simply, cyber-attacks are malicious activities on digital systems or networks by people who want to steal your money, intellectual property and disrupt your business. Why? Because they can! What are some of the notable ways that cyber-attacks can ruin your business? (The following are a few from Splunk’s Top 50 Security threats).
Ransomware: Ransomware is a form of malware that is an attack wherein an infected host encrypts a victim’s data, holding it hostage until a ransom is paid. Since the arrival of cryptocurrencies, which simplify anonymous transactions, the general population is at greater risk of ransomware.
Account Takeover: The attacker poses as a customer or employee gaining entry into the accounts of people they are impersonating. Banks, major marketplaces and financial services like PayPal are common targets and the personal information is sold on the black web.
Business Invoice Fraud: Business invoice fraud attempts to trick you into paying out on a fraudulent (but convincing) bill addressed to your organization. In reality, the funds you pay will go to imposters mimicking your suppliers.
Compromised Credentials: By leveraging a trusted account within a targeted organization, a threat actor can operate undetected and exfiltrate sensitive data sets without raising any red flags.
Credential Dumping: Credential dumping simply refers to an attack that relies on gathering credentials from a targeted system. Recycling passwords is key because the information can be sold for future attacks.
Insider Threat: An insider attack is a malicious assault carried out by insiders with authorized access to your company’s computer system, network and resources. They can be insiders in your company with bad intentions, or cyberspies impersonating contractors, third parties or remote workers and will sell your data to your competitors.
Shadow IT: As software as a service (SaaS) applications have become increasingly quick and easy to use, employees can now download solutions onto their workstations to help them get the job done. Shadow IT refers to IT applications and infrastructure that employees use without the knowledge of the IT department. Gartner estimates a third of all enterprise cybersecurity attacks was from shadow IT resources in 2020.
Masquerade Attack: In December 2013, Target experienced a massive credit card breach which affected over forty million customer accounts. The states’ investigation into the breach revealed that attackers stole the credentials of Target’s customers. Attackers got access by spoofing login domains or using keyloggers to steal legitimate authentication credentials. Weak authentication methods that can be duped by external parties are usually the source of the problem.
Spear Phishing: Spear phishing occurs when cybercriminals selectively target you with a specific, personalized email message to trick you or your employees into giving away financial or proprietary data or unlocking access to your network. The targets are individuals who either have access to sensitive information or are weak links in your organization.
The most shocking statistic is that simple employee negligence, or occasional malicious employee acts, accounted for two-thirds of cyber breaches (Willis Towers Watson). Just 18% were directly driven by an external threat, and extortion accounted for a measly 2%. The cyber goons always go to the weakest link and that is rarely ever the IT department.
What can be done? Start by addressing the following:
· Are your employees being properly trained about the risks of cyber-crimes? They are the first line of defense! Phase one is as simple as continually having a password manager (1Password, Dashlane, LastPass, etc.) generate unique gibberish and not allowing the same passwords to be used on multiple devices. Attacks happen because of lack of protocol, poor communication and insecure default configurations.
· Use Multi-factor Authentication: (MFA) means using a service (Google Authenticator, DUO, etc.) to generate access codes to use after submitting passwords. Employees can use a cell phone number or e-mail as an added verification step.
· Hire a specialist to identify the gaps in your cybersecurity programs and assess your company’s vulnerability.
· Buy cyber liability insurance. The goal is to transfer some of the risk of a security breach over to insurance, rather than bearing the losses alone.
· Consider that attacks have occurred in your industry that may compromise your business? You need to worry about the entire chain to include your customers, suppliers and companies you do business with.
· Do you have content security tools (next-gen firewalls) that offer better visibility, threat detection and data protection tools?
· Have you established an appropriate incident response program that creates resilience against cyberthreats?
You need to assume that your business, or you personally, will suffer an attack or an attempted one. It is not a question of if, but when. Plan how you will respond.