As part of the due diligence process, private equity investors are increasingly focusing on the security of the potential investment’s technology infrastructure and critical business information. However, that same scrutiny is often lacking when investors look at the systems and processes of companies already within their portfolio.
Most frequently, security gaps exist at a company’s fringe activities. For example, a company that services warranties of its products might do a great job at handling the servicing of the warranties, but does not realize that it’s storing credit card information in unencrypted documents.
4 Commonly Overlooked Areas of Portfolio Security
The most common information and infrastructure security holes occur in four areas where employees make incorrect assumptions or take things for granted. Let’s examine these four areas, identify the most common mistakes, and highlight how to correct these mistakes.
1. Disaster Recovery (DR) and Business Continuity Planning (BCP)
A disaster recovery plan or business continuity plan outlines the steps a company must take to get its IT systems back up and running after any type of unforeseen, business-altering event occurs.
The mistake: Failing to test a DR/BCP before a disaster occurs.
The solution: Regular testing allows the business to identify the problems and shortcomings with a plan and identify ways to streamline the recovery process. As an example, we performed due diligence on a software provider with great infrastructure and architecture, as well as strong backup and recovery plans. This company conducts four different tests throughout the year that focus on system failure, recovery and business continuity. Because the business deals with financial transactions, they need to be up and running as soon as possible after a disaster. The company’s management understands the importance of business continuity and provides the IT team with the resources to conduct these tests.
While most businesses should conduct these tests on a more regular basis, business continuity planning and disaster recovery tests should be performed on an annual basis at the very least.
2. Payment Card Industry (PCI) Compliance
Any company that handles customer credit cards should be in compliance with the PCI Data Security Standard (PCI DSS).
The mistake: Companies without a robust retail presence or ecommerce platform may not realize they are exposed to credit cards or neglect to get third-party validation of their compliance.
The solution: Having a third party examine your business’s PCI processes will help identify compliance holes (such as credit card information written on sticky notes or emailed between employees) and develop new protocols. One of our recent diligence engagements for a client with no retail or ecommerce presence revealed they were handling credit card information in a non-compliant manner. Having a third-party information security consultant validate their PCI compliance would help the company to avoid this mistake.
3. Network Monitoring
Most companies have basic network monitoring tools to ensure the system is working as expected and to notify IT administrators if any hardware or software issues cause outages or other system failures.
The mistake: Many businesses fail to monitor their network for human threats, both external and internal. These can include hackers attempting to gain unauthorized access to the system as well as authorized users, such as employees, attempting to steal or misuse sensitive company information and data.
The solution: Enlist a third-party to conduct periodic penetration testing or consider instituting network monitoring technology that can provide alerts in terms of unusual or nefarious activity.
4. Demilitarized Zone (DMZ) Networks
A DMZ separates a company’s publicly accessible computer servers from other company servers. This adds a layer of security to the business’ internal systems and helps protect critical business and client data from external threats.
The mistake: Historically, many companies have opted out of using a DMZ because of the cost.
The solution: Today, the cost of instituting a DMZ configuration has fallen dramatically. Given the proliferation of attacks on corporate information and technology infrastructures, businesses with publicly accessible servers should consider this architecture. In another of our recent engagements, an evaluation of all of the company’s open ports for monitoring identified a subset of ports that were active and high priority. This assessment helped the client isolate various applications from being accessed if the network was breached.
Addressing Your Business’s Information Security & Tech Infrastructure
A company’s information and security management processes should include regular audits to help identify shortcomings in its systems. If you don’t have staff capable of running these audits, third parties can be hired to help. The goal is to evaluate the strengths and weaknesses of your business’ infrastructure relative to the company’s objectives for managing risk. That is, identify the vulnerable areas and have company management decide which risks should be addressed. There are service and product providers that can address each vulnerability.
For more information on how cybersecurity consultants can protect your business, our experts are just a phone call away!