Part 2: The implication of IT security on your investment decision
Consider this: businesses need to get their security practices right 100% of the time to defend against data breaches, while a hacker or rogue employee only needs one successful attempt to cause damage resulting in monetary losses and significant reputational risk. The odds certainly are not in favor of businesses handling sensitive data; however, there are a number of practices and technologies that can help tip the scales back.
A good place to start securing your investment is to ensure a senior-level executive is responsible for overseeing the organization’s security architecture. Furthermore, companies should follow data security standards (such as PCI-DSS), which involve a set of protocols and guidelines for building and maintaining secure data networks, protecting cardholder data, controlling access to the data, monitoring and testing networks, and ensuring that information security policies are enforced and revisited regularly.
Successful security diligence efforts should focus on a number of areas:
- Regulatory compliance (PCI/HIPAA/FISMA/GLBA/NERC-CIP): Non-compliance can result in large penalties, potential damage costs, and/or reputational risks.
- Infrastructure security (vulnerability management, network monitoring and controls, intrusion detection): Poor infrastructure security can result in system exposure, breaches, and outages.
- Application security (data encryption, logging, vulnerability management): Poor application security can result in data exposure and outages.
- Data handling processes: Good data handling practices include segmentation of sensitive data, periodic data purging, data masking, and encryption of data in motion and at rest.
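Two of the data handling practices just listed, masking of sensitive data and periodic purging, are concrete enough to show in code. The following is an added example, not code from the original post or its authors: it masks a payment card number for display so that only the last four digits remain (the masked-display convention used under PCI DSS), validates the number's Luhn check digit before accepting it, and purges records whose retention period has expired. The record layout, the `mask_pan`/`purge_expired` function names and the 90-day retention period are assumptions made for the example.

```python
"""Added example: PAN masking and retention-based purging.

Assumptions (not from the post): records are dicts with a 'pan' and a
'created' timestamp, and the retention period is 90 days.
"""
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # assumed retention period


def _digits(pan: str) -> str:
    """Strip the spaces and dashes commonly used when a PAN is typed.
    Any other non-digit character means the input is not a PAN."""
    if any(ch not in " -" and not ch.isdigit() for ch in pan):
        raise ValueError("PAN contains unexpected characters")
    digits = pan.replace(" ", "").replace("-", "")
    if not 13 <= len(digits) <= 19:  # usual PAN length range
        raise ValueError("PAN length out of range")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation: doubles every second digit from the
    right, subtracts 9 from any result over 9, and requires the sum to be
    a multiple of 10."""
    digits = _digits(pan)
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with everything but the last four digits replaced
    by '*'. Rejects inputs that fail the Luhn check so that a typo is not
    silently stored as a masked value."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    digits = _digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def purge_expired(records, now=None):
    """Split records into those still within the retention period and
    those that must be purged. Returns (kept, purged_count)."""
    now = now or datetime.now(timezone.utc)
    kept = [r for r in records if now - r["created"] <= RETENTION]
    return kept, len(records) - len(kept)


if __name__ == "__main__":
    # Constructed sample data; the PAN is a well-known test number.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    sample = [
        {"pan": "4111 1111 1111 1111", "created": now - timedelta(days=10)},
        {"pan": "4111 1111 1111 1111", "created": now - timedelta(days=200)},
    ]
    kept, purged = purge_expired(sample, now)
    print(mask_pan(sample[0]["pan"]), "kept:", len(kept), "purged:", purged)
```

Storing only the masked form (or a token) and purging on a schedule reduces what a breach can expose; the Luhn check adds a cheap sanity test before any value is written.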
To give you a sense of the spectrum of security practices at companies that are good, bad, and downright ugly, a few examples of telltale signs are provided below:
The good: A company with high volumes of payment card transactions (e.g., e-commerce or retail companies) or with significant sensitive intellectual property (e.g., specialty chemical manufacturers or high-tech manufacturers) that:
- Engages third parties to conduct comprehensive penetration testing or ensures payment card industry data security standards (PCI DSS) compliance regularly
- Has robust security tools to monitor for intrusions and network traffic anomalies
- Has dedicated staff to stay abreast of the latest regulatory/industry security risks and security frameworks and to work closely with the business and IT function to raise awareness of these potential dangers
- Has programs and training in place to educate employees on security policies and procedures
The bad: A healthcare claims processing company that is aware of the need to encrypt and protect data but does not invest in adequate security resources and tools. Indications of a bad situation:
- Conducted penetration testing three years ago and did some work to tighten security, but has not retested or revisited the issues identified in testing since then
- Has never invested in intrusion prevention (IPS) or intrusion detection (IDS) systems to monitor for potential network traffic anomalies and malicious attacks
- Does not have processes in place to monitor network traffic and manage privileges/permissions
- Is not compliant with applicable regulations, or was compliant in the past but has not proven compliance recently
The ugly: A company that believes it isn’t a target for hackers or subject to a malicious attack and, therefore, does not invest in security tools and resources. Telltale signs of the ugly include:
- Failure to conduct vulnerability testing or any sort of security audits
- Rarely or never engages third parties to evaluate network security strength
- Lacks basic defined security policies (password policies, internet usage, encryption/monitoring of users’ devices, etc.)
- Has not set up a demilitarized zone (DMZ) on the network with firewall(s) to segregate external users from the internal network
- Lacks ownership of, and neglects, regulatory compliance needs
Finding a good partner with robust security capabilities is essential to identify potential security issues, negotiate coverage of potential exposure, and develop an action plan with time, effort and cost to remediate identified issues before ink makes it onto the purchase agreement.
The third segment will focus on what to look for and consider when the company’s “secret sauce” is a home grown, proprietary system that is material to business operations.
The Good, the Bad, and the Ugly blog series is based on a chapter Matt Sondag, Keith Campbell, and I co-authored for The Operating Partner in Private Equity Volume 2 – providing valuable insight to private equity firms on how best to acquire value from an IT operating partner.