
Three Cybersecurity Red Flags Investors Should Look Out For


By Bob Eckel, CEO, Aware

Cybersecurity incidents have been on the rise for a number of years across a multitude of industries and, unfortunately, this trend isn’t slowing down. These events don’t discriminate; they impact organizations of all sizes, shapes, and sectors, and cost U.S. businesses and their investors millions in damages yearly. A recent example is the 2022 T-Mobile data breach, which cost the company $350 million in customer payouts alone.

When it comes to investing in companies, there are several cybersecurity red flags that investors should keep an eye out for as these warnings may indicate potential risks or issues that could ultimately impact the operational and financial performance of a portfolio company. As you consider your investment options, here are three cybersecurity red flags to look out for.

Frequent Cybersecurity Incidents

If a company has a long track record of frequent data breaches or security incidents, that’s a major red flag. Any company worth investing in should have robust security measures in place to protect and safeguard its systems and data. Cybersecurity events are not uncommon, and have been known to impact even those companies with a high level of security; that is why you should review the organization’s cyber incident history before investing. Repetitive security incidents can indicate weaknesses in the company’s infrastructure or a lack of adherence to basic cybersecurity best practices.

These attacks may have far-reaching consequences, including reputational damage and financial losses, and can also impact the company’s long-term viability. In fact, according to the U.S. National Cyber Security Alliance, 60 percent of small businesses fail within six months after falling victim to a data breach, as hackers tend to view small- and mid-sized businesses as lower-hanging fruit.

Lack of Transparency or Disclosures

Transparency is crucial, and if an organization is opaque about its cybersecurity practices, that’s also a red flag. Investors should be wary if a company is not forthcoming with information about security practices, technology, or the measures it is taking to protect against cyber incidents. Without transparency, it becomes difficult for investors to assess the company’s cybersecurity capabilities and defenses and make informed investment decisions.

It’s important to know that even if an organization does not provide disclosures, that does not necessarily translate to a higher number of cybersecurity incidents, although it may contribute to an environment that’s more at risk. Conversely, when companies prioritize transparency, proactively disclose their security practices to investors, and regularly evaluate and update those practices, it can be seen as a sign of greater vigilance and can provide investors with a greater sense of comfort.

Insufficient Employee Training and Awareness

Human error and social engineering attacks are the most common avenues for cyber threats. When it comes to reviewing disclosures, if a company fails to provide adequate cybersecurity training programs to employees, that’s another red flag.

At a minimum, employees should be educated about common cybersecurity risks, such as phishing, password security, and social engineering techniques. They should also be educated about mistakes that can lead to cybersecurity risks. Without proper training, employees may unwittingly become a weak link in a company's security defenses, making it easier for bad actors to inflict harm.

Cybersecurity incidents as a result of employee errors or negligence are, unfortunately, relatively common. In 2016, an attacker pretending to be Snapchat’s CEO tricked an employee into emailing over the payroll information of over 700 current and former employees. And the infamous Equifax breach – which revealed the sensitive data of nearly 146 million Americans – was caused by a single employee’s mishap where this individual failed to “heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach,” according to an article in The New York Times.

Researchers from Stanford University and a top cybersecurity organization also found that approximately 88 percent of all data breaches are caused by employee mistakes. In fact, human error is still very much the driving force behind an overwhelming majority of cybersecurity problems for many organizations.

With the ongoing prevalence of cyber attacks and the devastating impact they can inflict on businesses, it is vital for investors to evaluate the cybersecurity measures and practices of the companies they are considering for investment. A company’s track record and frequency of cybersecurity events, its level of transparency, and its commitment to employee training are all excellent starting points when considering whether or not to invest in the firm.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.


Bob Eckel

Robert Eckel has been Aware’s Chief Executive Officer and President since September 2019. Mr. Eckel also serves on the board of directors for the International Biometrics + Identity Association (IBIA), and as a strategic advisory board member of Evolv Technology.
