Coming out of the height of COVID-19, how are portfolio companies moving forward? The reality is that most of them don’t have the resources in place to call out gaps in security as people and devices return to the office. That means it’s crucial for private equity firms to assess how portfolio companies identify, mitigate, and manage risk during the transition from remote to office.
Here are three areas to stress to your portfolio companies as they move forward.
1. Asset Management
As employees move back into the office, portfolio companies should have a fundamental process for scanning and reviewing devices before allowing them into the office.
Users often have multiple devices as well as access to software or data to do their jobs, but have portfolio companies kept a strict inventory? Do they have records in the form of inventories and data maps of who has access to specific data, networks, and software? Is there a scan and review process or checklist for employees that ensures devices are healthy?
At a minimum, a reliable device scan and review will
- Scan for viruses and malware
- Ensure patching is up to date
- Change passwords
- Check for unapproved software and third-party apps
- Set, reset, or remove permissions due to role changes
Does your portfolio company have an offboarding process that allows them to retrieve all assets, revoke access, and confirm that nothing is left open? While offboarding is a function of HR, there’s often an IT component that may not be fully fleshed out. Similarly, access to department-specific cloud-based software (like an application used by finance or HR) may not be listed among the systems to review during offboarding. Formalized, secure onboarding and offboarding processes should be airtight.
2. Cybersecurity Refresher Training
Phishing is the primary way bad actors try to gain a foothold in portfolio companies. Even if a portfolio company has consistently communicated how to avoid risk while working remotely, now’s the time to refresh employees’ knowledge of cybersecurity basics.
Agio’s phishing protection service is AI-driven and detects sophisticated attacks that filters may miss. Our technical and security teams are ready in case any malicious emails need to be escalated and remediated.
3. Validation and Testing
Any portfolio companies that take credit cards can’t ignore the requirements of the Payment Card Industry Data Security Standard (PCI DSS). If the portfolio company is re-opening a brick-and-mortar store, make sure they validate their point of sale (POS) systems:
- Run checks to make sure nothing’s been tampered with.
- Confirm that inventory controls for their card processing systems still check out.
- Focus on PCI compliance areas as they relate to POS systems.
- Validate that no one has inserted a card reader or changed out hardware while no one was looking.
We recommend a penetration test after any major enterprise change—COVID-19 transitions sit under this umbrella. Companies should also run internal and external vulnerability scans to confirm that everything is still compliant and secure and that no new vulnerabilities have been introduced.
If any portfolio companies don’t have these processes in place, we’re a prime partner. Agio’s PCI service offers a full security assessment, social engineering testing, incident response testing, PCI penetration testing, and more to strengthen security.
Are Portfolio Companies Ready?
Managed detection and response (MDR) is the number one service portfolio companies lack. We understand that portfolio companies are focused on growth and may not have allocated resources to security, but we don’t agree that it’s the right way to go. Agio’s suite of cybersecurity and managed IT services monitors and mitigates threats—during pandemics and beyond—ensuring your portfolio companies are ready to move forward with minimal risk. Contact us for more information.