No one has to tell us how vital financial audits are when managing a business. Who of us would ever purchase a stake in a business venture without a formal audit of the organization's financial viability? Audits give us the hard numbers we need to evaluate the actual state of the business. This includes its financial health and potential risks. It can also identify potential opportunities that may not be readily visible. If that is sound advice for our financial wellness, why is it so difficult to get businesses to audit their IT infrastructure? Don't software, security, and information systems also need to be audited for the sake of business health?
You don't have to look far to see that as a culture we have terrible data security habits. Just this week the U.S. Department of Defense secured a server which has been "spilling internal U.S. military emails to the open internet for the past two weeks." The problem in this case was that the server password had not been set. This is a fantastic example of what an audit can expose and correct. If you are a small business owner looking to improve your operations and protect your organization from cyber threats, then an IT audit is something to look into. This is not meant as a how-to guide to conducting your own audit but rather an outline of what IT audits are and what they can encompass. We will also describe the steps of an audit and how business continuity can benefit from having a regularly scheduled audit.
At its heart, an IT audit is a formal and systematized evaluation of all IT infrastructure and information systems. IT audits cover a wide range of areas within an organization's environment, including hardware, software, data management, user management, network security, and disaster recovery.
Information security is not an accident. It is the outcome of a sound process. The goal of an audit is to expose systems, procedures, or processes that are out of compliance with accepted data security practices or compliance requirements. Think of it as a very detailed checklist that looks at every process, every system, and every person in the organization to see if it is compliant with accepted safety standards. In the case of the Department of Defense example mentioned above, a simple checklist would have exposed that unsecured server very quickly.
Conducting an IT audit might seem as daunting as climbing Mount Everest, but breaking it down into manageable steps makes the process not only achievable but also incredibly rewarding. Let’s walk through each step with relatable examples to show how even the uninitiated can understand and implement an effective IT audit.
First things first, you need a plan. Think of this as mapping out a road trip. You wouldn’t just hop in the car and drive aimlessly (unless you’re after some epic adventure). You’d decide on your destination, figure out the best route, and maybe even plan a few pit stops along the way.
In the context of an IT audit, planning involves defining the scope and objectives of the audit. Ask yourself: What do you want to achieve? Are you focusing on network security, data management, or maybe user access controls? Once you’ve identified your goals, outline the resources and timeline needed to achieve them.
Example: Suppose you own a small retail business and want to ensure your customer data is secure. Your objective might be to assess your data storage and encryption methods.
Next up is gathering information. Imagine this step as collecting clues for a detective case. You need to gather all the relevant data about your IT systems and processes. This means compiling lists of hardware, software, network configurations, and user accounts.
Example: If you're auditing network security, gather information on your firewalls, routers, switches, and any network diagrams you have. You might also include data on who has access to your network and how they’re authenticated.
With all your information in hand, it’s time to evaluate. This step is akin to a mechanic inspecting a car’s engine. You’re looking to see if everything is running smoothly or if there are any parts that need fixing.
During evaluation, compare your findings against industry best practices and compliance standards. Identify any weaknesses, vulnerabilities, or areas where your IT practices fall short.
Example: While evaluating your data management practices, you might discover that sensitive customer information isn’t encrypted properly. This is a red flag that needs addressing.
After the deep dive, it’s time to report your findings. Think of this as giving a presentation of your detective work or the mechanic explaining what’s wrong with your car. Your report should be clear, concise, and actionable. Highlight the key findings, potential risks, and recommended actions.
Example: If your audit revealed outdated antivirus software on several computers, your report might recommend updating the software and scheduling regular updates to prevent future vulnerabilities.
Finally, the follow-up. This is where you ensure that the recommendations from your report are actually implemented. It’s like the follow-up visit to your mechanic to make sure your car is running perfectly after the repairs.
Example: If your audit recommended strengthening password policies, the follow-up might involve checking that employees have updated their passwords according to the new guidelines and that multi-factor authentication is in place.
Conducting an IT audit doesn’t have to be an insurmountable task. With proper planning, thorough information gathering, detailed evaluation, clear reporting, and diligent follow-up, you can ensure your IT infrastructure is secure, efficient, and resilient.
Remember, the goal is not to reach perfection overnight but to establish a consistent process that evolves with your business. Like any good habit, regular IT audits will become second nature over time, and the benefits will far outweigh the initial effort. So, start with a simple checklist, build from there, and watch as your business’s IT health improves.
The scope of your IT audit will depend very much on the nature of your IT systems and processes, and on the members of your IT team. Start by creating a high-level checklist. This will come in handy when you begin to plan regular audits. If you rely solely on outside IT providers like an MSP or MSSP, then they will likely already have a checklist that you can customize.
Keep in mind that not all audits will examine the same services in the same detail. In the initial stages of planning it's good to think in terms of critical systems first. For instance, a basic checklist can begin with:
Network security
Endpoint security
Data backups
Disaster recovery plans
User accounts and passwords
For each of these points mentioned above several sub-points can be included. For instance, under the topic of network security you can include:
checking that the firewall is updated on a schedule so that it can prevent or detect intrusions.
checking that intrusion detection systems are functioning.
If your organization receives alerts from security systems that are sent via email, make sure that they are reaching the intended contact. Too many times system alerts are misconfigured or end up in spam before anyone can intervene on an impending issue.
Your checklist will grow and change with time. Always remember that "perfect is the enemy of good". It's better to get started with a small checklist than to wait until everything is perfect to proceed. If you want an example of a fantastic checklist, see this Zapier article by Amanda Pell with a downloadable checklist.
Increased security and protection against cyber threats
IT audits help identify potential vulnerabilities, weaknesses, and security threats in your organization's IT systems and processes. By conducting periodic assessments, you can proactively address any security gaps and protect against data loss. It's important to note that many attackers gain access to systems and then remain quiet for one or many months before acting. An audit can reveal their activity before they have time to do permanent damage.
For example, let's say you run a small online retail business that processes customer payments through a third-party payment gateway. During an IT audit, it is discovered that the payment gateway has some vulnerabilities that could potentially be exploited by cyber-criminals. By addressing these issues immediately, you can protect your customers' sensitive payment data and avoid the reputational damage that could result from a data breach.
Increased efficiency and data recovery
IT audits can also help optimize your IT processes to reduce possible downtime. The words 'business continuity' are on everybody's lips these days. By examining your IT installations and procedures, the audit can identify any inefficiencies or redundancies in your operations. This can lead to better customer service, increased employee satisfaction, and ultimately, a more profitable business. It can also ensure that your business continuity plan functions when you need it to.
Let's look at an example of a small manufacturing business that relies on multiple software applications to manage operations. During an IT audit, it is discovered that some of these applications are redundant, causing delays and errors in the production process. By streamlining the software tools and automating certain tasks, efficiency can be significantly increased while simultaneously reducing overhead.
At this point the advantages of conducting audits of our IT environment and security controls should be evident. We don't need to spend too much time covering the disadvantages, but looking at several of the most prominent ones does increase our appreciation for the effectiveness of these audits. The most serious consequences have to do with cybersecurity risk.
Not auditing IT infrastructure can lead to:
Increased vulnerability to cyber threats
Non-compliance with regulations and industry standards
Downtime and lost productivity due to IT issues
Damage to business reputation and customer trust and loss of important data
The frequency of IT audits for small businesses depends on a multitude of factors, such as the size of the business, the complexity of IT systems, and the level of risk involved. It will also depend on the number of employees available to conduct such an audit. As a general rule of thumb, a small business should conduct IT audits at least once a year. However, if conducting the whole audit at one time is too labor intensive, then the company can break it up into small regular tasks. For instance, test restores of backup processes can be conducted to make sure the disaster recovery plan is fully functional.
Some processes can be automated (like backup test restores) but should not be forgotten. The results of those automated tests should be included in regular audits so they can be reviewed and accounted for.
In some cases, small businesses may need to conduct IT audits more frequently. When there are significant changes to IT systems or processes, or when there is a high level of risk involved, ad hoc audits may be arranged. For example, if contractors were given remote access to internal software for the purpose of collaboration or installation, an ad hoc audit of remote access systems might be scheduled after their departure. This would ensure that no persistent remote access tools, VPN accounts, or network accounts remained active after the contractor had completed their work.
Ultimately, the frequency of IT audits for small businesses should be determined based on the specific needs and risks of the business. It's essential to consult with IT professionals or auditors to determine the appropriate frequency for your business. In 2021 Colonial Pipeline infrastructure was attacked and compromised via an old VPN account that was no longer in use, but was nonetheless active on the system. The attack had a significant impact on the fuel distribution system and was the cause of some serious disruptions at airports and filling stations.
Admittedly, getting this process going won't be easy. Generating internal support for such a project requires educating staff and stakeholders about the benefits of the undertaking. It's good to remember that a single important discovery can make up for all the investment. In some of the best known data breaches, attackers were able to remain undetected on company systems for months or even years. Data breaches of that length almost certainly cause permanent damage to the organizations they impact.
But fear of security threats should not be the guiding motivation for organizing and implementing IT audits. The benefits far outweigh simple peace of mind for stakeholders. Properly implemented audits will not only detect data breaches but also highlight procedures that can be adjusted to make overall stability much more robust. Audits can find hardware that is prone to catastrophic failure before such failure happens, they can inform us of user or client accounts that have more privilege than is necessary, and they can even highlight on-premises equipment from outside vendors that has been compromised or badly configured.
Companies that establish a regular schedule of comprehensive inspections like this create a secure environment for their clients and technology. In his book Atomic Habits, author James Clear says, "Too often we convince ourselves that massive results require massive action." This is true of audits as well. Setting a regular schedule of even simple audits to begin with will give us tangible results, and it will reinforce in our minds the notion that we can identify and overcome the inherent risks that come with operating a business in our time.