How to Stay Private When Your Company Goes Public
Despite global economic uncertainty, last year was a record year for IPOs, and this year looks likely to be just as busy. The result of countless hours of work, sacrifice and more than a few decisions gone right, having a company you’re invested in get acquired or go public can be a capstone career highlight. However, alongside positive developments, like a significant financial windfall, companies on the verge of an initial public offering attract a wave of attention for shareholders and founders—not all of it positive. While renewed interest from investors, and for the most part, the media, can be great, the hype surrounding an acquisition or IPO can also attract attention from less welcome sources like short-selling naysayers, hackers and criminals.
It doesn’t help that many companies in this position are still comparatively small. Even though an organization might have valuable IP and an investor valuation to match, a pre-acquisition or pre-IPO business may still effectively be a startup. As a result, with only a few hundred employees and without the robust IT security infrastructure or expertise that longer-standing public corporations might possess, outsized publicity can increase both organizational and personal risks for those involved. Fortunately, with a little bit of planning and preparation, it is still possible to achieve the upside of an IPO while minimizing the personal damages or company threats that come from the negative attention.
The Personal Impact of an IPO
A major source of vulnerability for companies engaged in public offerings, or any kind of high-profile merger or acquisition activity, is short-term relative visibility. While making headlines sounds nice, media buzz is not an unmitigated benefit. Business leaders who were once operating in relative obscurity are often propelled into fame they’re ill-prepared to deal with, sometimes overnight. Unfortunately, rather than just being annoying, a more public profile can come with dire consequences. Publicity can draw out disgruntled former employees, jealous people on the internet, individuals who “lost out” on the deal in some material way or just scammers and criminals looking to target high-profile individuals. As a result, anyone involved in a company IPO can suddenly find they have a target on their back.
The most obvious target is visible leadership. That being said, other people involved in the deal—like investors—might be targeted as well once news of their involvement makes headlines. At best, they could have to deal with slander, online harassment and cyberstalking. At worst, these threats can become real, in-person problems that threaten both individuals involved and their families. You don’t have to look far to find stories of business leaders being kidnapped and held for ransom due to their corporate success and personal wealth.
IPOs Make Companies More Vulnerable to Cyberattacks
Personal attacks on business leaders and investors aside, IPOs can also have a serious cybersecurity impact on companies looking to go public. The number and frequency of cyberattacks on companies have been growing rapidly, with cybercriminals paying particular attention to small and medium-sized businesses, in large part because few are prepared to defend themselves.
In the past year, we have seen steady growth in cases where hackers specifically target senior leadership. C-suite execs are 12 times as likely to be personally targeted compared to other employees within an organization. In 2020, Jeff Bezos’ mobile device was compromised via a phishing attack using WhatsApp; 100 high-ranking officials at German companies (including Bayer and Volkswagen) were recently targeted by cybercriminals after an announcement they would receive government funds for COVID-19 PPE procurement; late last year, Russian cybercriminals offered for sale the personal email addresses and passwords for hundreds of senior executives around the world. Known as “whaling,” these kinds of attacks are often prompted by high-publicity news around specific business figures.
Companies that list their shares on a stock exchange also present a ripe opportunity for ransomware attacks. In 2021, it is predicted that there will be a ransomware incident every 11 seconds, up from every 19 seconds in 2019. For companies preparing for an IPO, bad publicity associated with a data breach presents excessive risk they can’t afford, making them more likely to pay a ransom. Trend Micro estimated that two-thirds of companies targeted pay ransomware demands, often without notifying police, customers or the general public.
Small startup companies preparing for an IPO are also more vulnerable to various forms of identity-spoofing. For example, in a crime known as “deal spoofing,” scammers may pretend to be company representatives in order to rip off investors, or alternatively, pretend to be wealthy investors interested in a firm.
Executive and Employee Personal Information Is the Critical Piece to Protect
Whether cybercriminals and other threat actors are looking to harass or exploit an individual or to launch a cyberattack on an entire organization that’s about to go public, a successful attack often starts with finding personal executive and employee information. Unfortunately, this is not hard to do. According to Privacy Rights Clearinghouse, there are currently over 230 data brokers with detailed personal information on 99 percent of all adult Americans. Although this might not present security risks for most, for leadership at high-growth, high-profile companies, it’s a reality few have accounted for.
While there are numerous technical methods of conducting a cyberattack (like phishing emails including malware-loaded links), what most have in common is employee vulnerability to social engineering. Simply knowing a given target’s name, job title/role, personal email and, in particular, cell phone number can be sufficient to initiate attacks.
Common defensive measures against cyberthreats tend to focus on the IT side of the equation: data backups, email scanning, domain filtering, etc. On the other hand, the “human security” component is often relegated to an HR role, where compliance education is the sum total of effort protecting against employee error or misuse of credentials.
Increasingly, companies—particularly those with public-facing personnel—are making stronger efforts to provide key persons with additional privacy protection that helps prevent identity theft exploits, social engineering attacks and harassment and stalking. This protection can take the form of reputation management services or privacy services that help find and remove employee personal identifying information available in public places online.
This kind of data scrubbing of online profiles may initially be done for compliance or PR purposes but is progressively being recognized to have real security benefits for firms. These benefits often apply not just to key workers themselves but to their families as well, as personal data tends to be commingled with that of other members of a household.
When companies take the first steps toward public ownership, the stakes involved rise rapidly, and data security often receives less attention than capital raising. However, it is important that businesses are aware that with increased sources of financing, the risks business leaders and companies themselves face will escalate rapidly.
The potential threats to a company expand as public awareness of it does, and it is people, not hardware, that remain the most vulnerable resource for the majority of organizations on the verge of going public.
Rob Shavell is CEO of Abine / DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).