In any industry, the quality of advice provided varies – the IT field is not any different. Through my daily interactions with Irish businesses I have had the pleasure of dealing with excellent, professional IT departments, providers and consultants. Equally, I’ve had my fair share of situations where the IT standards leave a lot to be desired.
Two types of services I offer are IT auditing and gap analysis. I regularly find major gaps and risks in an organisation’s infrastructure or operations. In most cases when these shortcomings are flagged, management say that they were simply not aware of the issue. It can be quite disconcerting to discover that there are companies handling sensitive personal and corporate data in a manner that is simply not compliant with best standards.
There are plenty of times where an organisation fails to act on good advice. However, more often than not, the IT advice provided to management is incorrect, incomplete or simply non-existent. Below I list seven common situations that can lead to data breaches.
Usually a one-man-band or very small enterprise – IT comprises little more than a laptop, printer, smartphone and free email address. They are usually oblivious to the cyber risks that exist and they live by the mantra “I’m too small to get hacked” and “who’d be interested in what I have on my laptop” – they stick their heads in the sand until it’s too late. These users are usually victims of ransomware and unexpected data loss due to a lack of data backup procedures.
Your family friend
Sometimes, particularly with smaller companies, IT is handled by a friend of the owner who is considered IT savvy. The tasks are usually completed sporadically, out of hours and under time constraints. Although the friend is best-intentioned, they often do not have the time or expertise to put a plan in place or think “big picture” when it comes to an overall IT strategy or security. They are less inclined to notice or even mention required upgrades as it may lead to more unwanted work for them.
Meet John. John runs his own company with 3 staff. He completes his own tax returns, writes his own employee contracts and takes care of his own IT. John thinks he doesn’t need an accountant, solicitor or IT guy. John thinks he knows it all and John learns the hard way.
A freebie-er is someone who will never pay for software and will only use free software. Networks are built on AVG Free, Dropbox, OpenOffice and Skype. Whilst there is a place for freeware and open-source software, there are times when investment must be made in order to adequately perform or secure a business process. It is impossible to build a robust business IT infrastructure on free software alone.
I must preface this point by saying that most internal IT departments I liaise with are over-worked and under-resourced. Most IT departments somehow manage to work wonders with little time, resources or budget. However, there are some cases where the IT department comprises staff who have not up-trained or stayed up to date with today’s world of technology. These should not be the people who are advising on where and how the IT budget is spent or who are responsible for protecting the business from cyber attacks.
Does your IT guy wear a cape? Your hero swoops in, fixes the IT problem and escapes out the door again. Does this sound familiar? The nature of the IT world, competition, low price-point and workload can lead to little or no face time with your IT contact. When is the last time you had a sit down with your IT provider and talked through pro-active actions, future plans, risks to the organisation, etc.? Perhaps you only ever speak to your IT contact when there is a technical problem. Is there time for maintenance, resource or security planning, or are all resources tied up in firefighting? Up-time is critical – does security take second place?
Are you constantly suffering IT outages? IT issues are inevitable but can you get proper answers from your provider as to what happened, why, and how the issue has been addressed so that it doesn’t happen again? Do they measure, test, audit and report on each system? Have you true confidence in your provider’s ability to protect your organisation? If the answer is no, you should start talking to other providers who are better equipped for your needs.
So, as a business manager, what are you to do? After all, it is you as the business owner or company director who is ultimately responsible in the event of a breach – not your IT department or outsourced provider. You must satisfy yourself that the IT infrastructure, policies, procedures and documentation are adequate for the data you hold and are aligned to industry standards. You must get involved, ask questions and push back. Whilst you don’t need to know the exact technicalities or intricacies, at a basic level you should know how your organisation is protected. Start by asking: Is it secure? How is it secure? What protection is in place? How do we measure it? How do we test it? What if it fails? What are the risks to our organisation? Are we compliant with the regulations (HIPAA, GDPR, PCI)? What risks have we mitigated? When did we last test our Disaster Recovery Plan?
Then ask the difficult questions: What risks have we accepted? There are always risks and gaps in any organisation and no business is 100% secure – you need to know where your vulnerabilities exist and what is being done to address them. If your IT contact can answer your questions confidently you are likely to be in a good position. If after reading this you feel a third party assessment is required, feel free to contact me.