Why IT Due Diligence is Important
To most, the words “due diligence” conjure up images of TV legal dramas or perhaps company buy-outs. Surely, you say, that’s something only lawyers and legal teams need to worry about? Unfortunately not. Due diligence in IT is something your business must adopt to stay safe and avoid disaster. Does your business stand up to the test? Or is it bumping along, unprepared, in a dangerous world of cyber threats?
Due diligence, in this case, is about being cautious and taking care in your day-to-day business operations: how your staff interact with IT systems and infrastructure, how they respond to external and internal contact, and how you manage your technology and infrastructure. Perhaps you think you’re immune to the fallout from a data breach or cyberattack, that your business isn’t ‘big enough’ to be of concern, but scammers and cybercriminals target companies regardless of size or industry sector.
Many industries have compliance or regulatory laws to follow. We all have GDPR to comply with, and almost everyone, from clients to staff to insurance providers, expects a certain standard of security from you. Reputational damage, remediation, lost business and productivity losses mean the costs associated with cyber incidents are increasing and should not be underestimated. Do not leave your business vulnerable.
IT due diligence and what it involves
IT due diligence requires action and consideration in several areas. Usually, a business would need to show that:
- Every employee has a unique login that requires a complex, distinct password, and for critical systems and greater security, two-factor authentication is enabled. Your team should also be educated to protect passwords and authentication systems (e.g. not writing them on Post-its or leaving them lying about on desks).
- All key systems, from Office 365 email and SharePoint data to your file servers, databases and endpoint devices, have a process in place for regular data backup. We recommend a 3-2-1 backup strategy: keep three copies of your data, one on a separate cloud platform using an easily automated, low-maintenance system, and the other two on different devices, e.g. one on a high-speed, readily available local network storage device and, for disaster recovery, another offline and offsite. Hackers and viruses struggle to compromise things that aren’t plugged in or online.
- Across your business, you patch and update applications, systems, firmware and security tooling consistently. Centralised management of your business systems helps with this: being out of date anywhere across your technology leaves gaps that can be leveraged by cybercriminals and malicious software. Ignoring update reminders and waiting for the next release is a risky business.
- You’ve installed endpoint antivirus software. Unless you make someone accountable for managing and monitoring this centrally, you may not know your computers are infected until it’s too late. Be proactive and ensure you have the right alerts in place.
- Email filtering is enabled. Filters such as Microsoft Advanced Threat Protection and Mimecast help protect your business from spam, malware, phishing, impersonation and other threats. These must be configured correctly, or their effectiveness can be reduced dramatically.
- You have installed firewalls to lock down, secure, monitor and control incoming and outgoing network traffic. These can be hardware devices such as Cisco / Meraki or WatchGuard, or specialised software; multiple layers are essential for robust security.
- You give staff the least amount of access required to do their job, limiting employee access to data and systems to only what is necessary. Rather than giving everyone full access, set access levels based on role and responsibility. This approach minimises the potential breadth and depth of a breach and limits risk.
- There are physical security measures to limit access to your office environment. Consider installing security cameras, biometrics and perimeter fencing, and require RFID scanning in critical areas such as comms rooms, basements and control panels. Staff should be trained to challenge or report people they do not recognise in the office or who are found in areas they shouldn’t be.
- If your business lets staff use personal phones, laptops or tablets, a Bring Your Own Device (BYOD) policy is in place. Having company-wide mobile device management software installed is essential, as it is so easy to lose a phone or install something malicious.
- You regularly audit and test your security, too. You can’t rely on a set-it-and-forget-it approach to securing IT infrastructure and systems. Quarterly testing will help you identify risks, detect and patch vulnerabilities, and ultimately protect your business and your clients.
To demonstrate that you are being diligent you can:
- Keep copies of any relevant training provided and ensure employee handbooks are updated regularly;
- Keep your organisational chart up to date, so people know how to escalate effectively;
- Vet your contractors and suppliers just like staff: research them thoroughly before engaging them or providing access;
- Have a policy and process in place to quickly deny access to any former employees;
- Keep an inventory of all devices connected to your network, make someone accountable, and get alerts for unexpected additions. Systems are available for real-time network monitoring.
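An added example, not from the original article, of the inventory check described above: it reads constructed DHCP-style lease lines, compares each MAC address against a hypothetical known-device inventory, and raises one alert per unknown device.

```python
# Added example (not from the original article): reconcile a device inventory
# against DHCP-style lease lines and alert on anything not in the inventory.
# All MACs, IPs, hostnames and asset tags below are constructed sample data.
import re
from datetime import datetime

# Known-device inventory: MAC address -> (hostname, asset tag). Constructed values.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": ("finance-laptop-01", "ASSET-1001"),
    "aa:bb:cc:00:00:02": ("reception-pc", "ASSET-1002"),
    "aa:bb:cc:00:00:03": ("printer-ground-floor", "ASSET-1003"),
}

# Constructed lease lines in the shape "timestamp ip mac hostname".
SAMPLE_LEASES = """\
2024-03-04T09:01:12 192.168.10.21 aa:bb:cc:00:00:01 finance-laptop-01
2024-03-04T09:03:40 192.168.10.22 aa:bb:cc:00:00:02 reception-pc
2024-03-04T12:47:05 192.168.10.77 de:ad:be:ef:12:34 android-9f3a
2024-03-04T13:02:18 192.168.10.78 DE:AD:BE:EF:12:34 android-9f3a
garbage line that should be ignored
2024-03-04T13:10:00 192.168.10.23 aa:bb:cc:00:00:03 printer-ground-floor
"""

LEASE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F:]{17})\s+(\S+)$")

def parse_leases(text):
    """Yield (timestamp, ip, mac, hostname); MACs are normalised to lowercase."""
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the nightly check
        ts, ip, mac, host = m.groups()
        yield datetime.fromisoformat(ts), ip, mac.lower(), host

def unexpected_devices(lease_text, inventory=KNOWN_DEVICES):
    """Return {mac: {"first_seen", "ips", "hostname"}} for devices not in the inventory.
    Repeated leases for one unknown MAC (different case or IP) merge into one alert."""
    alerts = {}
    for ts, ip, mac, host in parse_leases(lease_text):
        if mac in inventory:
            continue
        entry = alerts.setdefault(mac, {"first_seen": ts, "ips": set(), "hostname": host})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["ips"].add(ip)
    return alerts

if __name__ == "__main__":
    for mac, info in unexpected_devices(SAMPLE_LEASES).items():
        print(f"ALERT unknown device {mac} ({info['hostname']}) first seen "
              f"{info['first_seen'].isoformat()} on {sorted(info['ips'])}")
```

Run it nightly against the real lease or ARP export and route the alerts to whoever owns the inventory, so that a new device is noticed the day it appears rather than at the next quarterly audit.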
With the right advice and mindset, IT due diligence will reduce risk and protect your business. Meeting or exceeding these security standards will lead to peace of mind and savings compared with the potential costs of a breach, and ultimately preserve your brand reputation, something which is hard to build and easy to lose. Demonstrating your cyber awareness credentials, such as the Government-backed ‘Cyber Essentials’ scheme, and talking about them with your clients helps build confidence in your brand; it also helps you avoid the potential fallout of GDPR non-compliance fines and gives you the tools needed to defend against litigation. In the event of legal action, perhaps from a client, staff member or governing body, your business will want to prove the efforts made and the protections and policies employed to reduce risk. So, as you implement, be sure to thoroughly document all of your business’s IT security efforts.
With Micro Pro acting as your trusted IT partner, IT due diligence doesn’t have to be difficult. Our expert team has been helping businesses develop best practices and deploy and manage the right solutions for over a decade.
Sometimes in business, a little risk leads to rewards, but that doesn’t extend to your IT: if it can happen, it will, eventually. Are you prepared?