Performing IT due diligence involves conducting a comprehensive review of the target company’s IT systems, infrastructure and processes.
The goal of the exercise is to assess the state of your IT infrastructure, identify potential risks and opportunities, and evaluate the company’s ability to meet its business objectives.
But performing IT due diligence is more complex than ticking off boxes. It should assess how your staff interact with IT systems and infrastructure, respond to external and internal communication and adhere to compliance. It’s a process that requires specialised expertise and knowledge.
To emphasise my point, I’ll use the example of data privacy. Given that every business is bound by GDPR, it’s a complex issue that is or should be at the forefront of every business owner’s mind.
Let’s face it, no business is immune to cybercriminals. Hackers target small to medium-sized businesses more often than large companies. The simple reason for that is because SMEs are less prepared to defend themselves and this is an easier target.
Other key areas where businesses are failing at IT due diligence are software integration, leaking intellectual property and staffing considerations in your IT team.
The short story is that failing to perform IT due diligence can result in a loss of profits. This may either be due to a loss of productivity or damage to your reputation.
If you want to longer story, strap in.
Why You Should Perform IT Due Diligence
- IT due diligence can help assess the value of a company’s IT assets, such as hardware, software, and networks. This can help determine the potential return on investment and the impact on the overall valuation of the company.
- Verify that a company’s IT systems and processes are in compliance with relevant laws and regulations, such as data privacy laws or industry-specific standards.
- Identify opportunities for improvement by assessing your company’s IT infrastructure. You should be looking for technologies that enable you to improve the performance of your business and deliver the best results for customers. This often involves assessing whether and how technology is used to create or modify goods or services, but can also include technologies that help to leverage sales, track inputs and outputs, and manage human resources.
- During your research, you should expect to find valuable insights which enable you to make informed decisions about the company’s IT infrastructure, risks, and opportunities for improvement, which can help inform the acquisition or merger decision-making process. By performing IT due diligence, you can make more informed decisions about the potential benefits and risks of the transaction.
Where do you start with IT due diligence?
When starting IT due diligence, it’s important, to begin with, a comprehensive understanding of the company’s IT infrastructure and how it supports the business’s operations. Here are some steps to consider:
Identify the scope of the due diligence
Determine the extent of the IT systems and infrastructure you need to examine, including hardware, software, applications, data, network, and security systems.
Gather relevant information
Collect all relevant information about the company’s IT infrastructure. This information can come from the company’s IT staff, third-party vendors, or other sources such as financial statements, official reports and media. This should include the following:
- Financial statements
- IT policies and procedures
- Security Protocols
- Network topology
- System logs
Evaluate the IT systems and infrastructure
Identify potential risks and vulnerabilities in the company’s IT infrastructure. This can include cybersecurity risks, system failures, and other potential threats.
Review IT policies and procedures
Evaluate the target company’s IT policies and procedures, including security protocols, disaster recovery, and business continuity plans, compliance with regulations and standards, and data management practices.
Assess the IT team
Review the IT team’s expertise, capacity, and effectiveness in managing the IT systems and infrastructure. Evaluate the team’s qualifications, training, and experience, and assess their ability to support the company’s business objectives.
Identify potential risks and opportunities
Analyse the findings from the due diligence process to identify potential risks and opportunities. Evaluate the impact of these risks and opportunities on the target company’s business objectives, financial performance, and reputation.
Based on the findings of the IT due diligence process, develop a set of recommendations to address any risks and opportunities. Prioritise the recommendations based on their potential impact and the cost and effort required to implement them.
10 IT Due Diligence Action Points
IT due diligence requires action and consideration in several areas. As a bear minimum, businesses need to show that:
1. Every employee has a unique login. Furthermore, the Information Commissioner’s Office will penalise companies that do not ensure their employees create complex passwords that cannot be decoded by sophisticated cybersecurity tools. In addition, it is advisable to install two-factor authentication. We also recommend training your staff to be cyber aware and educating them on how to protect passwords and authentication systems (that doesn’t mean writing their password on a post-it note and sticking it to their computer monitor.
2. All your key systems should have a process in place for regular data backup. The specialists at MicroPro recommend a 3-2-1 backup strategy. It’s straightforward:
3 —Keep three copies of your data.
2— Store one on a separate cloud platform and the other two on different devices, e.g. a high-speed, easily available local Network Storage Device and
1 — For disaster recovery, an offline/offsite backup. The simple reason for the third option is that hackers cannot compromise systems that are not online unless they get direct access to the device on which you’re storing your data.
3. Ensure that you patch and update, applications, systems, firmware, and security consistently. Centralised management of your business network helps with this as not being up to date across all your technology leaves gaps that can be leveraged by cybercriminals and malicious software. Ignoring update reminders and waiting for the next release is a risky business.
4. Install endpoint antivirus software and make someone accountable to manage them from a central location. If you don’t do this, you may not know your computers are infected or lacking in performance until it’s too late. Be proactive and ensure you have the right alerts in place.
5. Enable email filtering. Filters such as Microsoft Advanced Threat Protection and Mimecast help protect your business from spam, malware, phishing, impersonation protection, and other threats. These must be configured correctly, or effectiveness can be reduced dramatically.
6. Install firewalls to lockdown, secure, monitor and control ingoing and outgoing network traffic. These can be hardware devices such as Cisco / Meraki, WatchGuard or special software, multiple layers are essential for robust security.
7. Set access permissions and only authorise your staff to log into the files, documents and software applications they need to do their job. It is critically important for compliance reasons to limit employee access to data and systems. Rather than giving everyone full access, set access levels based on role and responsibility. This approach minimises the potential breadth and depth of a breach and limits the risk of a data breach.
8. Some companies also have to consider the physical security measures to limit access to your office environment. Possibilities include installing security cameras, biometric access devices, and perimeter fencing, and require RFID scanning in critical security areas such as comms rooms, basements and control panels. Staff should be trained to challenge or report people who they do not recognise in the office or who are found in areas they shouldn’t be.
9. If your business lets staff use personal phones, laptops, or tablets, a Bring Your Own Device (BYOD) policy is in place. Having company-wide mobile device management software installed is essential as it’s so easy to lose a phone or install something malicious.
10. Audit and test your security regularly. You can’t rely on a set-it-and-forget-it approach to securing IT Infrastructure and systems. Quarterly testing will help you identify risks, detect and patch vulnerabilities, and ultimately protect your business and your clients.
Demonstrate You Are Being Diligent
When performing IT due diligence, it’s important to document the steps taken and the results obtained to demonstrate that the process was thorough and comprehensive.
Compliance officers and the ICO (in the event of a data breach) will want to see that you have taken adequate steps to protect your business. Demonstrating you have performed due diligence can help to mitigate or avoid any punishment.
- You should keep copies of all relevant research, documentation and training provided. In addition:
- Ensure employee handbooks are updated regularly.
- Keep your organisational chart up to date, so people know how to escalate effectively;
- Vet your contractors and suppliers just like staff, research them thoroughly before engaging them or providing access; have a policy and process in place to quickly deny access to any former employees;
- Keep an inventory of all devices connected to your network, make someone accountable and get alerts for unexpected additions. There are systems available for real-time network monitoring.
- Develop a detailed checklist of the IT due diligence steps you plan to take, including specific questions to ask and information to gather.
- Keep detailed records of your findings and recommendations, including any issues or risks identified and suggestions for improvement.
- Produce a summary report of your IT due diligence findings and recommendations, including an overview of the company’s IT infrastructure, any risks or vulnerabilities identified, and suggestions for addressing them.
- Schedule a meeting with the company’s IT staff to review your findings and recommendations and discuss any questions or concerns they may have.
- Seek input and advice from external IT experts or consultants to validate your findings and recommendations.
- Monitor the company’s progress in addressing any issues or risks identified during the IT due diligence process and follow up regularly to ensure that they are being properly addressed.
How IT Specialists Can Help You Expedite Due Diligence
IT specialists can play a critical role in expediting the due diligence process. There will be some areas in which their expertise and knowledge of the IT landscape are critical.
If you don’t have the level of expertise in your in-house IT team, particularly, in cloud computing and cybersecurity, it is highly advisable to consult an outsourced IT support service provider.
The highly trained and knowledgeable IT professionals at Micro Pro will collaborate with your due diligence team and help you to go through the legal and financial aspects as and when they arise.
The first step is to help you to conduct a preliminary assessment of your company’s IT infrastructure. This includes a comprehensive analysis of your existing hardware, software, networks, servers, and applications, to provide a high-level overview of the company’s IT landscape.
From this, we can identify potential risks and vulnerabilities and help you to prioritise them based on their potential impact on the business. This is particularly important for IT systems and processes that are required to be compliant with relevant laws and regulations, such as data privacy laws or industry-specific standards
Micro Pro also send you documentation containing technical information about the company’s IT infrastructure, such as network diagrams, server configurations, and software licenses. This saves your in-house team a lot of legwork when the compliance officers come knocking.
If required, we can also assist you with data migration, together with installing and configuring cloud applications. This ensures any upgrade to your IT infrastructure is a smooth and seamless transition.
By leveraging our expertise and collaborating with other due diligence teams, our IT specialists can help expedite the due diligence process and provide valuable insights to support the acquisition or merger decision-making process.
For more information, contact us today and speak with one of our senior consultants.