Importance of IT audits for small businesses
No one has to tell us how vital financial audits are when managing a business. Who of us would ever purchase a stake in a business venture without a formal audit of the organization’s financial viability? Audits give give us the hard numbers we need evaluate the actual state of the business; its financial health, and potential risks. It can also identify potential opportunities that may not be readily visible. If that is sound advice for our financial wellness why is it so difficult to get businesses to audit their IT software, security, and information systems?
You don’t have to look far to see that as a culture we have terrible data security habits. Just this week the U.S. Department of Defense secured a server which has been “spilling internal U.S. military emails to the open internet for the past two weeks.” The problem in this case was that the server password had not been set. This is a fantastic example of what an audit can expose can correct. If you are you a small business owner looking to improve your operations, protect your organization from cyber threats, and increase business continuity then an IT audit is something to look into. This is not meant as a how-to guide to conduct your own audit but rather an outline of what IT audits are, what they can encompass, and a description of how business continuity can benefit from having a regular scheduled audit.
What is an IT audit?
At it’s heart and IT audit is a formal and systematized evaluation of all IT infrastructure and information systems that are related to business operations. IT audits cover a wide range of areas within an organization’s environment, including hardware, software, data management, user management, network security, and disaster recovery.
Information security is not an accident. It is the outcome of a sound process. The goal with an audit is to expose systems, procedures, or processes that are out of compliance with received data security practices, or compliance requirements. Think of it as a very detailed checklist that looks at every process, every system, and every person in the organization to see if it is compliant with accepted safety standards. In the case of the Department of Defense example mentioned above, a simple checklist would have exposed that unsecured server very quickly.
What needs to be audited?
The scope of your IT audit will depend very much on the nature of your IT systems and processes, and the members of your IT team. Start by creating a high level checklist. This will come in handy when you begin to plan regular audits. If you rely solely on outside IT providers like an MSP, or MSSPs then they will likely already have a checklist that you can customize.
Keep in mind that not all audits will examine the same services in the same detail. In the initial stages of planning it’s good to think in terms of critical systems first. For instance a basic checklist can begin with:
Network security
Endpoint security
Data backups
Disaster recovery plans
User accounts and passwords
For each of these points mentioned above several sub-points can be included. For instance, under the topic of network security you can include:
checking that firewall is updated according to a schedule to prevent or detect intrusions.
checking that and intrusion detection systems are functioning
If your organization receives alerts from security systems that are sent via email make sure that they are reaching the intended contact. Too many times system alerts are misconfigured or end up in spam before the anyone can intervene on an impending issue.
Your checklist will grow and change with time. Always remember that “perfect is the enemy of good”. It’s better to get started with a small checklist than wait until everything is perfect to proceed. If you want an example of fantastic checklist see this Zapier article by Amanda Pell with a downloadable checklist.
Benefits of conducting IT audits
Increased security and protection against cyber threats
IT audits help identify potential vulnerabilities and weaknesses, and security threats in your organization’s IT systems and processes. By conducting periodic assessments, you can proactively address any security gaps, and protect against data loss. It’s important to note that many attackers gain access to systems and then remain quite for one or many months before acting. An audit can reveal their activity before they have time to do permanent damage.
For example, let’s say you run a small online retail business that processes customer payments through a third-party payment gateway. During an IT audit, it is discovered that the payment gateway has some vulnerabilities that could potentially be exploited by cyber-criminals. By addressing these issues immediately, you can protect your customers’ sensitive payment data and avoid the reputational damage that could result from a data breach.
Increased efficiency and data recovery
IT audits can also help optimize your IT processes to reduce possible down time. The words ‘business continuity’ are on everybody’s lips these days. By examining your IT installations and procedures, the audit can identify any inefficiencies or redundancies in your operations. This can lead to better customer service, increased employee satisfaction, and ultimately, a more profitable business. It can also ensure that your business continuity plan functions when you need it to.
Lets look at an example of a small manufacturing business that relies on multiple software applications to manage operations. During an IT audit, it is discovered that some of these applications are redundant, causing delays and errors in production process. By streamlining the software tools and automating certain tasks, efficiency can be significantly increased while simultaneously reducing overhead.
Risks of not conducting IT audits
At this point the advantages of conducting audits of our IT environment and security controls should be evident. We don’t need to spend too much time covering the disadvantages, but looking at several of the most prominent ones does increase our appreciation for the effectiveness of these audits. The most serious consequences have to do with cybersecurity risk.
Not auditing it infrastructure can lead to:
Increased vulnerability to cyber threats
Non-compliance with regulations and industry standards
Downtime and lost productivity due to IT issues
Damage to business reputation and customer trust and loss of important data
How often should small businesses conduct IT audits?
The frequency of IT audits for small businesses depends on a multitude of factors, such as the size of the business, the complexity of IT systems, and the level of risk involved. It will also depend on number of employees available to conduct such an audit. As a general rule of thumb, a small businesses should conduct IT audits at least once a year. However if conducting the whole audit at one time is too labor intensive then the company can break it up into small regular tasks. For instance, test restores of backup processes can be conducted to make sure the disaster recovery plan is fully functional.
Some processes can be automated (like backup test restores) but should not be forgotten. The results of those automated tests should be included in regular audits so they can be reviewed and accounted for.
When to conduct out of band audits.
In some cases, small businesses may need to conduct IT audits more frequently. When there are significant changes to IT systems or processes, or when there is a high level of risk involved ad hoc audits may be arranged. For example, if contractors were given remote access to internal software for the purpose of collaboration or installation an ad-hoc audit of remote access systems might be scheduled after their departure. This would ensure that no persistent remote access tools, VPN accounts, or network accounts remained active after the contractor had completed their work.
Ultimately, the frequency of IT audits for small businesses should be determined based on the specific needs and risks of the business. It’s essential to consult with IT professionals or auditors to determine the appropriate frequency for your business. In 2021 Colonial Pipeline infrastructure was attacked and compromised via an old VPN account that was no longer in use, but was nonetheless active on the system. The attack has significant impact on the fuel distribution system and was the cause of some serious disruptions at airports and filling stations.
Conclusion
Admittedly, getting this process going won’t be easy. Generating internal support for such a project requires educating staff and stakeholders about the benefits of the undertaking. It’s good to remember that a single important discovery can make up for all the investment. In some of the best known data breaches attackers were able remain undetected on company systems for months or even years. Data breaches of that length almost certainly cause permanent damage to the organizations they impact.
But fear of security threats should not be the guiding motivation of organizing and implementing IT audits. The benefits far outweigh the simple stakeholders peace of mind. Properly implemented audits will not only detect data breaches but also highlight procedures that can be adjusted to make overall stability much more robust. Audits can find hardware that is prone to catastrophic failure before such failure happens, they can inform us of user or client accounts that have more privilege than is necessary, and they can even highlight on premise equipment from outside vendors that have been compromised or badly configured.
Companies that establish a regular schedule of comprehensive inspections like this create a secure environment for their clients and technology. In his book, Atomic Habits author, James Clear says, “Too often we convince ourselves that massive results require massive action.” This is true of audits as well. When we set a regular schedule of even simple audits to begin with it will give us both tangible results, and reinforce in our minds the notion that we can identify and overcome the inherent risks that come with operating a business in our time.
