The in-house saboteur

Securing a private equity firm's data requires sophisticated technology and five minutes of every executive's time.

Every IT professional at a private equity firm imagines his or her own version of the apocalypse. One would surely be a virus that cripples the network in the heat of an auction, just as GPs put the finishing touches on their final offer. When network security is compromised, the fallout can be severe, and irrevocable.

Data security is already a priority for the IT team, but ultimately everyone in the firm has a role to play. Securing servers and networks is a complex enough process that even IT professionals rely on outside experts to match?if not beat?the savvy of today's hackers. Data security is often designed as a series of concentric ?walls? around the main server, each meant to catch what elements that might slip through the one before it. But what few investment professionals realize is that they are the last line of defense; the partners, associates and analysts well outside the IT department all play a key role in securing the firm's data.

The perimeter is the outermost region where outside data first approaches the system. Vendors that offer ?managed security services? coordinate the effort to scrub emails of harmful attachments such as viruses and spam, before allowing them to pass into the network. Download restrictions are set at this layer; these halt users from downloading data from external websites with inappropriate or potentially harmful data.

The next security checkpoint is at the gateway layer, the point where the internal network communicates with external resources. ?The Blackstone Group provides access to various portfolio and market data services in a separate demilitarized zone which is stored away from the main network to diminish chances that such high traffic areas may jeopardize the system as a whole,? says Jaime Padilla, VP of technology infrastructure at the New York firm.

At the gateway layer, many firms use a service from VeriSign to monitor ?malevolent activity? that could be damaging to a system. The service will notify clients of any potential trouble by phone, regardless of the hour. Most firms will scrub incoming emails again at this point. GPs and LPs who want to access the system will do so remotely through a second verification process before accessing the system, even one that is set aside from the main server as a high traffic zone.

The next point is the core, where internal networks and servers are located. Security solutions catered for this layer are robust, such as McAfee's that offers ?zero day? protection, which means that their blockades are updated daily. Some firms have their own private internal networks for interoffice communications where not only data, but voice and video flow over this secure channel. Security solutions often issue weekly or monthly patches that upgrade their protection offering for ever evolving intruders.

The servers are backed up relentlessly. Tapes are encrypted and shipped off-site, with another set remaining on site. This way, the backup tapes remain on hand, so that IT staff do not have to rush off to a second location if the servers face internal difficulties; they can simply rely on a back up tape to recover.

Most IT professionals run quarterly intrusion tests, where an outside vendor or the internal staff will try to break through the security boundaries. One private equity CIO suggested that COOs and CFOs should feel free to approach their IT staff with the possibility of an intrusion exercise by an outside vendor, since staff should feel confident enough to welcome the test.

The end point is the individual desktop computers and laptops used by the executives. Each is outfitted with its own security solution. Some firms employ a service called WholeSecurity from Symantec that has ?zero hour? protection, with updates arriving hourly. Laptops are encrypted and rely on guarded remote access channels to enter the system, so lost equipment doesn't mean compromised security. But what can compromise security, what can render all those firewalls and email scrubbing meaningless, is something left in the hands of the least tech savvy of the team: passwords.

When an executive uses ?password,? ?1234,? their name or birthday as passwords, they're leaving the door ajar for the world to access their emails?and their firm's data. Many hackers looking to break into systems will play with the most obvious passwords to gain access to a system. Experts suggest that passwords should be two things in equal measure; easy to recall, and unexpected. For example, the name of a favorite song is easy to recall, but an unexpected choice. Some mix of letters and numbers also diminish the chances for a stranger's guess to strike gold. Furthermore, passwords should change quarterly, specifically those entered into a web browser to gain remote access.

Passwords seem trivial, but they are keys in every sense of the word. In the hands of the wrong person, even the most impressive security systems will fall open. IT professionals can send out reminders and create thick barricades, but in the end, it's every executive's responsibility to take five minutes of their time and use ?balderdash67? instead of ?johndoe.?