
Infosec audit every VC should perform before investing

Ashwani Paliwal
July 2, 2023

If you are involved in venture investing, you are aware that each investment you make carries a calculated risk. Every startup thinks its concept has a huge chance of success, but the Small Business Administration reports that only about half of all new enterprises survive five years or more and that survival chances for venture-backed startups are significantly lower. While there are many elements that influence a startup's capacity to grow and be profitable, the quality of the code, the maintainability and scalability of the system, and the general health of the DevOps infrastructure and application design are crucial.

The two assets cybercriminals find most alluring are the large sums of money and the valuable data that venture capitalists handle. Doing nothing to safeguard yourself as a VC, or your portfolio companies, is therefore no longer an option.

VC firms are strengthening their own defenses against cybercriminals, but the due diligence they apply to an investee company's cyber liability is often too thin, which leaves unacceptable levels of risk on the table.

Following is the infosec audit checklist every VC should perform before investing:

1. Review security policies

A company's security policy says a lot about how it thinks about security and how much weight security carries within the organization.

Reviewing it will help you identify the measures the company takes to protect its data (and yours), how it would manage a security breach in its environment, how often it scans its systems for vulnerabilities, and what tools it uses to do so.

2. Check whether the organization performs annual cybersecurity audits

Your task becomes much easier if the company you are considering investing in already performs a cybersecurity audit every year.

This practice builds investor trust, because it shows the company is seeking a high level of assurance over the systems it has in place for managing cyber risk, and that it is regularly assessing and improving its security management.

3. Malware/Ransomware protection

According to the Data Breach Investigations Report, malware was a factor in about 24% of incidents. As part of your infosec audit, you should therefore confirm that the business you wish to invest in:

  • Disables macros in office documents
  • Monitors for unauthorized network traffic
  • Monitors endpoint security
  • Updates and patches devices regularly
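One way to put "monitors for unauthorized network traffic" into practice is to look at egress logs for two things: destinations nobody can explain, and connections that recur at a metronomic interval, which is how malware beacons check in with their controller. The script below is an added example written for this article, not code from the original post or from any product. Its log format (ISO timestamp, source IP, destination IP:port, bytes), the sample log lines and the allowlist of expected destinations are all constructed for the demonstration; real firewall or proxy logs need their own parser.

```python
"""Added example: spot beaconing and unexpected destinations in egress logs."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log: 10.0.0.5 contacts 203.0.113.7 roughly every
# 60 seconds, the kind of regularity a malware beacon produces. 10.0.0.9 talks
# to a known SaaS provider at irregular, human-looking intervals.
SAMPLE_LOG = """\
2023-07-02T10:00:00 10.0.0.5 203.0.113.7:443 512
2023-07-02T10:00:02 10.0.0.5 198.51.100.20:443 4096
2023-07-02T10:01:00 10.0.0.5 203.0.113.7:443 520
2023-07-02T10:01:31 10.0.0.9 198.51.100.20:443 1200
2023-07-02T10:02:00 10.0.0.5 203.0.113.7:443 515
2023-07-02T10:03:00 10.0.0.5 203.0.113.7:443 511
2023-07-02T10:04:01 10.0.0.5 203.0.113.7:443 518
2023-07-02T10:09:40 10.0.0.9 198.51.100.20:443 9000
2023-07-02T10:15:10 10.0.0.9 198.51.100.20:443 300
"""

# Hypothetical allowlist of destinations the business expects (its SaaS
# providers, CDN, etc.); anything else is "unauthorized" until explained.
EXPECTED_DESTINATIONS = {"198.51.100.20"}

# Assumed line format: "<iso-timestamp> <src-ip> <dst-ip>:<port> <bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\d+)$")


def parse_log(text):
    """Return (timestamp, src, dst, port, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, size = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), int(size)))
    return events


def find_beacons(events, min_connections=4, max_jitter=0.1):
    """Flag (src, dst, port) flows with many connections at a near-constant interval.

    jitter = stdev(gap) / mean(gap). Human browsing is bursty (high jitter);
    a scheduled check-in is metronomic (low jitter).
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_flow[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "port": port,
                "connections": len(stamps),
                "interval_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
                "unexpected_destination": dst not in EXPECTED_DESTINATIONS,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this reports a single flow, 10.0.0.5 to 203.0.113.7:443, five connections about 60 seconds apart with very low jitter and a destination outside the allowlist. The thresholds (four connections, 10% jitter) are starting points; real beacons add deliberate jitter, so an audit should ask how the company tunes and reviews such detections rather than whether one rule exists.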

4. Cloud Security

Most companies run their workloads and containers in a cloud ecosystem where the environment is defined in code. A single error can expose a poorly configured cloud resource to the public, which is a direct cybersecurity risk.

As part of the infosec audit, make sure the company you are interested in investing in continuously monitors for misconfigured cloud resources and uses proper tooling to manage its cloud security.

5. Web Application Security

According to the Data Breach Investigations Report, web application attacks were the most frequent breach type. Before investing in a company whose product is a web application, confirm that it has procedures in place to reduce that risk, such as:

  • Scanning its websites and web applications for vulnerabilities
  • Applying security patches regularly
  • Keeping security plugins in place and up to date
  • Verifying the type of uploaded files
  • Having a proper Content Security Policy (CSP)
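Two of the items above can be checked mechanically, and the script below shows how, as an added example written for this article rather than code from the original post or any product. `audit_csp` parses a Content-Security-Policy header and reports the common weaknesses (no `default-src` fallback, wildcards, `'unsafe-inline'`, `'unsafe-eval'`, scheme-wide sources, and an `object-src` that is not `'none'`); `upload_allowed` verifies an uploaded file's type from its leading bytes rather than trusting the name the client supplied. The directive rules, the small magic-byte table and the sample headers and file contents are assumptions made for the example.

```python
"""Added example: audit a CSP header and verify upload file types by content."""


def parse_csp(header):
    """Parse "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header):
    """Return a list of human-readable weaknesses found in a CSP header."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: directives not listed are unrestricted")

    # script-src falls back to default-src when it is absent.
    script = policy.get("script-src", policy.get("default-src", []))
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    # so it is only a finding when neither is there.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    for weak in ("*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"):
        if weak in script:
            if weak == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            findings.append(f"script-src permits {weak}")

    # object-src also falls back; anything but 'none' lets plugins/embeds run.
    objects = policy.get("object-src", policy.get("default-src", []))
    if "'none'" not in objects:
        findings.append("object-src is not 'none'")
    return findings


# Extension -> accepted leading bytes ("magic numbers"). Deliberately small;
# extend it with the types the application actually accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def upload_allowed(filename, content, allowed=("png", "jpg", "gif", "pdf")):
    """Accept an upload only if its extension is allowed AND its bytes match that type.

    Using the last extension defeats "photo.jpg.php"-style names; checking the
    bytes defeats a PHP or HTML payload renamed to .png.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in allowed or ext not in MAGIC:
        return False
    return any(content.startswith(magic) for magic in MAGIC[ext])


if __name__ == "__main__":
    # Constructed headers: a weak one and a hardened one.
    print(audit_csp("default-src *; script-src 'self' 'unsafe-inline' https://cdn.example.com"))
    print(audit_csp("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'"))
    # Constructed upload: a PHP payload named as an image is rejected.
    print(upload_allowed("avatar.png", b"<?php system($_GET['c']); ?>"))
```

A magic-byte check is a necessary but not sufficient control: polyglot files can carry a valid image header and a script body, so uploads should also be stored outside the web root, served with a fixed `Content-Type`, and never executed by the server.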

6. Source code review

Today's developers hardly ever create an entire application from scratch. Applications are assembled from code that comes from many sources and is pieced together to form the final product. This makes development extremely dynamic and nimble, but it carries inherent hazards: each component arrives with its own version, its own known weaknesses and its own license terms, so an unvetted dependency can expose the product to attacks it was never tested against, or to license obligations nobody planned for.

Therefore, as an investor, you should commission a source code review by an independent third-party specialist in this area.
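Before the specialist review, the dependency manifest alone answers several of the questions raised above: which components are pinned to a known version, which are pulled from a URL or repository rather than the package index, whether a private index is mixed with the public one, and which licenses are in play. The script below is an added example written for this article (not a real tool and not from the original post). The manifest, the package names (`libfoo`, `barkit`, `bazlib`, `quxlib`) and their license metadata are all constructed; in practice the license map would come from the packages' own metadata or an SBOM.

```python
"""Added example: audit a Python requirements manifest for supply-chain hygiene."""
import re

# Constructed manifest with hypothetical package names.
SAMPLE_REQUIREMENTS = """\
# constructed manifest for the example
libfoo==1.4.2
barkit>=2.0
bazlib
-e git+https://example.com/org/quxlib.git@main#egg=quxlib
--extra-index-url https://pypi.internal.example.com/simple
"""

# Constructed license metadata for the hypothetical packages above.
LICENSES = {
    "libfoo": "MIT",
    "barkit": "GPL-3.0-only",
    "bazlib": "Apache-2.0",
    "quxlib": "UNKNOWN",
}
LICENSE_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
EXTRAS_RE = re.compile(r"^\[[^\]]*\]")
EGG_RE = re.compile(r"#egg=([A-Za-z0-9._-]+)")


def normalize(name):
    """PEP 503 style normalization so Foo_Bar and foo-bar compare equal."""
    return name.lower().replace("_", "-")


def audit_requirements(text):
    """Classify each requirement line into pinned / unpinned / vcs_or_url / index_options."""
    report = {"pinned": [], "unpinned": [], "vcs_or_url": [], "index_options": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A second index lets an attacker publish a same-named package on the
        # public index and win the version race (dependency confusion).
        if line.startswith(("--index-url", "--extra-index-url")):
            report["index_options"].append(line)
            continue
        # Editable installs and URL/VCS sources bypass the index entirely:
        # provenance must be verified by hand.
        if line.startswith("-e ") or "://" in line:
            m = EGG_RE.search(line)
            name = m.group(1) if m else line.rstrip("/").rsplit("/", 1)[-1]
            report["vcs_or_url"].append(normalize(name))
            continue
        m = NAME_RE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        spec = EXTRAS_RE.sub("", line[m.end():].strip()).strip()
        if spec.startswith("=="):
            report["pinned"].append(name)
        else:
            # ">=", "~=" or no specifier: the build resolves to whatever is newest
            # that day, so it is not reproducible and not reviewable.
            report["unpinned"].append(name)
    return report


def license_violations(names, licenses=LICENSES, allowlist=LICENSE_ALLOWLIST):
    """Return {name: license} for packages whose license is unknown or outside the allowlist."""
    out = {}
    for name in names:
        lic = licenses.get(name, "UNKNOWN")
        if lic not in allowlist:
            out[name] = lic
    return out


if __name__ == "__main__":
    report = audit_requirements(SAMPLE_REQUIREMENTS)
    print(report)
    every_name = report["pinned"] + report["unpinned"] + report["vcs_or_url"]
    print(license_violations(every_name))
```

On the constructed manifest only `libfoo` is pinned, `barkit` and `bazlib` float, `quxlib` comes from a Git URL, an extra index is configured, and the license check flags `barkit` (copyleft) and `quxlib` (no license recorded). Each of those is a question for the third-party reviewer, not a verdict by itself.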

7. DevOps and Deployment Environments

The DevOps configuration provides the technical foundation of the codebase. Effective deployment procedures ensure that the software is well documented, easy to upgrade and has solid fallbacks. Fragile deployment techniques waste time, increase the risk of each deployment and lead to application downtime.

It is therefore important to include the DevOps and deployment environments in your infosec audit and make sure the following are in place:

  • A defined deployment procedure
  • Backups, with evidence that they can actually be restored
  • A plan for what happens when something breaks (rollback and recovery)
  • Documentation

8. Access control measures

When investing in any organization, small or large, it is important to understand its access control policy. When reviewing the policy, check whether the company has the following measures in place:

  • All users have only the minimum data access required to do their jobs.
  • Highly sensitive systems are protected by strong authentication (strong password controls and, where possible, multi-factor authentication).
  • Security is implemented in layers, so that no single control is a single point of failure.
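The cloud misconfiguration in section 4 and the least-privilege check in this section often come down to the same artifact: an access policy document. The script below is an added example for both sections, written for this article and not taken from the original post or any vendor tool. It reads AWS-style policy JSON and reports a resource exposed to everyone (a public principal) and grants that exceed any job's minimum (`Action` or `Resource` wildcards and service-wide `s3:*`-style actions). The two sample policies, the bucket name and the account ID are constructed; `NotAction`/`NotResource` and the semantics of `Condition` blocks are deliberately not evaluated here, which is why a conditional public principal is reported but labelled as such.

```python
"""Added example: audit AWS-style policy documents for public access and over-broad grants."""
import json


def as_list(value):
    """Policy fields may be a scalar or a list; always iterate over a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def audit_policy(document):
    """Return findings ({sid, issue}) for every Allow statement in a policy JSON string."""
    policy = json.loads(document)
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        if is_public_principal(stmt.get("Principal")):
            # A Condition may restrict who "*" really is (e.g. a VPC or IP range);
            # it still deserves a human look, so report it with a qualifier.
            qualifier = " (conditional)" if "Condition" in stmt else ""
            findings.append({"sid": sid, "issue": f"public principal{qualifier}"})
        for action in as_list(stmt.get("Action")):
            if action == "*":
                findings.append({"sid": sid, "issue": "Action * grants every API call"})
            elif action.endswith(":*"):
                findings.append({"sid": sid, "issue": f"{action} grants every action in the service"})
        if "*" in as_list(stmt.get("Resource")):
            findings.append({"sid": sid, "issue": "Resource * covers every resource"})
    return findings


# Constructed bucket policy: the first statement makes every object world-readable.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "CdnRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/cdn"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-assets/*"},
    ],
})

# Constructed identity policy: an "admin" grant, a service-wide wildcard,
# and one statement that is actually scoped to the job.
SAMPLE_USER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "BucketOps", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-assets"},
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-assets/*"},
    ],
})

if __name__ == "__main__":
    for doc in (SAMPLE_BUCKET_POLICY, SAMPLE_USER_POLICY):
        for finding in audit_policy(doc):
            print(finding)
```

On the constructed input the bucket policy yields one finding (`PublicRead`) and the user policy three (`AdminAll` twice, `BucketOps` once); `ReadOnly` and `CdnRead` pass. In a real audit the same check runs across every bucket policy, role and user policy the company exports, and the interesting output is the list of people who can explain why each wildcard exists.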

9. Social engineering

Social engineering is still a major attack vector, whether it arrives by text message, social network private message or email. So when performing the infosec audit, establish:

  • Whether employees receive social engineering training
  • What a “passing score” for the training is
  • How often the company trains its employees
  • How the company enforces its policies

10. Cyber risk insurance

Cybersecurity insurance does not prevent an incident, but it gives some assurance that the organization can absorb the cost of one and recover from the damage.

As part of your due diligence, examine the prospective investment's cyber risk insurance policy to evaluate whether it covers:

  • Data compromise response expenses
  • Identity recovery services
  • Data re-creation
  • Network security liability


SecOps Solution is an award-winning agent-less Full-stack Vulnerability and Patch Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.
