2021 Microsoft Breach: What the Attack Means for PE Firms and Portfolio Companies

We are consumed by our emails every day—on our laptops, our desktops, our phones—and Microsoft is the preferred email platform for many companies nationwide.

And for an estimated 60,000 of these companies, this ‘key player’ was the target of a massive data breach that provided cyber criminals with remote control over emails earlier this month. The very tool that keeps our organizations running each day cost small businesses, large corporations, government entities, and hospitals time, money, and in many cases, sensitive information.

What Happened in the 2021 Microsoft Data Breach

In short, the most recent Microsoft data breach targeted organizations running email on Microsoft Exchange Server. While Microsoft was feverishly working to patch holes, hackers were one step ahead, installing web shells that gave them access to computer servers through the holes they had found within the Microsoft system.

While the initial breach reportedly started in early January, the hackers kicked into high gear once they realized that Microsoft was working on its latest patches to fix known errors – which, simultaneously, makes their systems more vulnerable and easier to access. The result? Massive data breaches for thousands of businesses that had not yet applied the latest Microsoft Exchange Server update.

Implications of the Microsoft Breach for PE Firms

Fred Purdue, Infrastructure Practice Manager at Performance Improvement Partners, advises PE firms to be aware of the implications data breaches can have on portfolio companies and strongly encourages them to take care of technical debt now. Technical debt is the cost of reworking or making small updates to outdated systems rather than replacing them entirely in a longer, more secure approach.

“Technical debt can’t be put off forever. If you do, you will create significant cyber liabilities for your company, putting yourself, employees, partners, and business at large at even greater risk for cyber-attacks and security breach incidents.”

-Fred Purdue, Infrastructure Practice Manager, Performance Improvement Partners

And for PE firms, the risks are already much higher than for independent businesses. In this situation, the saying “a chain is only as strong as its weakest link” is especially relevant – if one PE-backed company is taken down by a cybersecurity breach, it has the potential to infect the dozens of other companies within the firm’s portfolio. Taking care of technical debt across the portfolio now will reduce the risk of a breach entirely, as well as the subsequent ripple effect.

How to Keep Your Firm and Portfolio Protected

As cybersecurity statistics continue to prove, no one – including Private Equity – is immune to cybersecurity breaches. Be proactive and put key systems in place now around cybersecurity and data protection to mitigate risk and avoid the long-term costs of a data breach.

1. Get rid of your technical debt

Choosing an easy solution now results in events like the 2021 Microsoft Data Breach later. Don’t put off the need to alleviate technical debt. For example, Purdue advises companies to replace a third of computers every three-to-four years, to start, and to define lifecycles for equipment and software updates.

2. Invest in a good cybersecurity program

Investing in a solid cybersecurity program up-front will uncover weaknesses in infrastructure and applications. It is a C-suite and board issue, not just an IT issue. With cyber breaches costing U.S. companies upwards of $8.64 million, planning ahead is non-negotiable.

As demonstrated in the 2021 Private Equity Guide to Cybersecurity, companies with an incident response team and extensive testing of response plans save an average of $2 million.
3. Solidify component infrastructures

Review your equipment protocols, bring-your-own-device (BYOD) policies, laptops, desktops, and phones. In the ever-changing work-from-home atmosphere, a nearly foolproof remote work cybersecurity policy around devices and general equipment infrastructure is needed more than ever, as employees are working outside of office settings and within their own networks.

4. Patch your systems

Regular cybersecurity reviews and ongoing system monitoring are a continuous need. Of this most recent attack, Microsoft said, “it had detected a new family of ransomware targeting Exchange customers who hadn’t patched their systems, adding to the mounting threats.” Do not put off updates; have a system in place to approve them in real time as needed.

5. Build a human firewall

In the words of famous cryptographer Bruce Schneier, “Only amateurs target machines; professionals target people.” With 90% of data breaches caused by human error, employees are not only your greatest threat, they are also your biggest risk when left without the proper tools, procedures, and training.

Find out the baseline activity every employee – at your firm and portfolio companies – must take to protect your investments in the complimentary Private Equity Cybersecurity Workshop, only available to PE Firms and their portfolio companies.

Personnel threats and secure information leaks can also be instigators of security breaches. Ensure that your leadership team, IT department, and HR department are regularly meeting and collaborating to keep company policies around sensitive information, employee expectations and NDAs up to date.

PIP is here to help. Let us help protect your mission-critical data and minimize your investment risks as your cybersecurity advisor. Speak with a PIP advisor today to learn more about protected, or get started with your private cybersecurity workshop, recognized by ACG Middle Market Growth.