Jason Lemkin answers his own questions

Have you ever assessed cyber risk before conducting due diligence?

1. Data management risks

Before the actual due diligence check, experts have to carry out a sourcing and structuring process in which the most important documents are selected and filtered. A data room shouldn't contain all of the company's records: excessive information doesn't make sense because it drives stakeholders crazy and increases costs for the seller. When choosing the most valuable data, it is important to consider where the most relevant information comes from and where it is kept, in order to identify potential cyber threats.

2. Technical risks

If data is stored in an Internet environment, an IT audit must be carried out to assess the security of the software and applications. Data encryption and all other systems used for data security should be carefully analyzed.

3. Risks from the company

Companies share their data with third parties and contractors. Who has access to this data? Which channels does the data pass through? Any outside organization that has information about the company must be secure enough to prevent data leakage.

4. Employee risks

How many employees in a company have access to valuable information? Could the number be reduced? This is likely, because it is usually not necessary for so many people to have insight into the most important company information. An audit with a view to reducing the number would be advisable, also because employees, as we described in one of our recent posts, are still the largest source of data leaks.

5. Past experiences

Has there already been a data breach in the company? If so, when and through which channels? Companies should record such incidents in order to take preventive measures against data breaches of all kinds.

Small businesses run bigger risks

Large companies are not the only ones exposed to risk: small start-ups in particular are easy targets for cyber criminals because they have smaller data security departments. Many of these companies may not even be able to see the real risks looming over them, or to spot attacks that are already affecting their networks. Therefore, the cyber risk vocabulary and potential sources of attack must be defined before carrying out your own assessment.

As Jason Lemkin, founder of SaaStr, writes:

“Your first security audit is inevitable. Don't roll your eyes. Don't shrug your shoulders. Don't let your team postpone it. Here's the trick, the twist - it's a gift. A detailed, written security audit. Because that is your roadmap into your necessary and better future. The first of these audits will be 20 pages and hundreds of questions. You will fail with many of them, while others will only pass with woe. That's not OK, but that's the way it is. If there are 200 questions and you can only answer 20 of them with a clear “yes”, use the remaining 180 as part of your product roadmap towards a better future.”

At this stage, the best option might be to hire a CSO - Chief Security Officer.

There are countless advantages to being on the cyber-safe side. If you buy a company with a security problem, you buy the problem too!