Most companies undergo risk assessments on an annual basis, and those assessments are typically tied to insurance coverage or are financial in nature. Historically, that is how enterprise risk was managed. Today, organizations depend more than ever on the reliability of their IT systems and the information those systems process. They have become the lifeblood of every organization, and yet they are rarely assessed with the same rigor.
Small to mid-sized businesses, roughly those with $500 million or less in revenue and typically fewer than 500 employees, are at the greatest risk of systems failure or data breach. These organizations usually spend more on growth and maintenance than on risk management and prevention. Their IT operations tend to be lean, sized for the company they used to be, and their IT budget is often less than 2.5% of revenue. They also have the most to lose: at their size they compete hard for every customer, and if their business systems are taken down by failure or malicious intent, that business goes to the competition.
It is therefore critical to perform a regular risk assessment of your IT environment to ensure reliability and security. Some of the most common mistakes companies make in their IT operations include the following:
Not maintaining standard operating procedures (“SOPs”) – This is not a technical issue at all, but it is typically a root cause of problems in running an effective systems environment. How are employees on-boarded and terminated? How is customer data handled and managed? Are employees’ competencies tested and validated as part of their performance evaluation? Do you enforce policies and procedures, and terminate people for non-compliance? These are just some of the questions that should be answered and documented, with repeatable processes behind them, because they set the tone for internal control. They also lay the groundwork for how systems and security should be set up and configured.
Business continuity is not established and tested – How much this matters will vary with a company’s industry. Companies with critical 24/7/365 operations that must have access to their data should have redundant data centers and failover measures in place, and those procedures need to be exercised in regular drills. All too often we find companies that keep off-site backups of their data but never perform a restore test to validate that the backups are actually being produced correctly. When a real “disaster” arrives, they may discover that the backup cannot be restored, and only then do they face a true data-loss incident. A restore test should also record how long a full restore takes, since a backup that takes a week to restore is of little use to a 24/7 operation. Likewise, a lack of spare, pre-configured hardware automatically introduces days if not weeks of downtime.
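The restore test described above is simple to automate. The following bash script is an added example, not part of the SAGIN article or any SAGIN tooling: it records a manifest of file hashes before a backup is taken, restores the archive into a scratch directory, and compares the result against the manifest, so a truncated archive or a file that came back different is caught before a real disaster. It assumes a GNU/Linux userland with tar, sha256sum, find, diff and mktemp; the directory names and file contents in the demo are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: prove a backup is restorable, not merely that the backup job "ran".
# Assumes tar, sha256sum, find, diff and mktemp (GNU/Linux userland).
set -u

# Print "sha256  ./relative/path" for every regular file under $1, in a stable order,
# so that two directory trees can be compared with diff.
hash_tree() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do sha256sum "$f"; done )
}

# Back up directory $1 into archive $2 and write the pre-backup manifest to $3.
# The manifest is the reference the restore will later be checked against.
create_backup() {
  hash_tree "$1" > "$3"
  tar -czf "$2" -C "$1" .
}

# Restore archive $1 into a scratch directory and compare the result with manifest $2.
# Returns 0 only if every file came back with identical contents; an unreadable
# archive, a missing file or changed bytes all return non-zero and print the reason.
verify_restore() {
  local archive=$1 manifest=$2 scratch status=0
  scratch=$(mktemp -d) || return 2
  if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
    echo "RESTORE FAILED: archive $archive could not be extracted" >&2
    status=1
  elif ! hash_tree "$scratch" | diff -u "$manifest" - >&2; then
    echo "RESTORE FAILED: restored tree differs from pre-backup manifest" >&2
    status=1
  fi
  rm -rf "$scratch"
  return "$status"
}

# Constructed demo data: a small "file server" tree, a good backup, and a truncated one
# that simulates a backup job that completed without error but produced a broken archive.
demo() {
  local work
  work=$(mktemp -d)
  mkdir -p "$work/data/finance" "$work/data/hr"
  printf 'Q3 ledger\n' > "$work/data/finance/ledger.csv"
  printf 'employee roster\n' > "$work/data/hr/roster.txt"

  create_backup "$work/data" "$work/good.tgz" "$work/manifest.txt"
  verify_restore "$work/good.tgz" "$work/manifest.txt" && echo "good backup: restore verified"

  head -c 20 "$work/good.tgz" > "$work/bad.tgz"
  verify_restore "$work/bad.tgz" "$work/manifest.txt" 2>/dev/null || echo "bad backup: caught before a real disaster"

  rm -rf "$work"
}

demo
```

Run it on a schedule against the most recent backup rather than once; the point of the control is that a backup that silently stops being restorable is noticed the next day, not at the moment it is needed.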
Connection redundancy – Companies often operate with only one internet service provider (“ISP”). Inevitably there will be downtime, whether through the provider’s own failure or an unplanned disruption to the network caused by construction in the street, a storm, etc. Having two ISP connections is critical in business today; the secondary connection is often non-wired, via satellite or microwave, so that it does not share the same physical path as the primary and fail with it. Another common mistake related to redundancy is not standardizing network switches, routers and firewalls, or not keeping spares on hand. These devices will fail, and without a spare, which might cost $1,200 or more, operations can stop for the several days it takes to replace the failed equipment. Most would agree the extra cost is less than the cost of the downtime.
People are your weakest link – All too often a poorly trained workforce or a non-tech-savvy employee base creates the biggest challenge to company security and is a frequent cause of equipment failure. It is important to recognize that a single one-hour class on phishing scams, information security, etc. will not make your people more diligent. Solid training requires continuous development in real time, with online testing of employees’ skills. If an employee fails a test, their training is increased; if they continue to fail future tests, they should be terminated. None of this happens unless the company places importance on employee development, testing and follow-up. Beyond employees, contractors are a potential risk and a gateway to your data and information. The legal challenge is that when you provide contractors with your own company tools, they are no longer “independent” and you may be in violation of employment tax laws.
Setting an appropriate perimeter of controls – Security will vary with the industry in which you operate and the regulatory requirements you face. Security can be as tight or as lax as a company wants, and the tighter the security, the greater the “inconvenience” of doing your job. So, what is the price of inconvenience? The biggest mistake companies make is never performing a proper risk assessment specific to their business. Companies often implement new security measures or controls only after an incident has occurred; that is the difference between a proactive company and a reactive one. Company leadership often says it has to focus on marketing, sales and delivering goods and services to the customer, and has no time for a risk assessment until it is too late. Assessing risk looks at your industry, the data you handle, the type of workforce you have (mobile or stationary), whether you operate internationally, who your customers are (governments, hospitals, financial services), etc. Once a risk assessment is complete, there are a variety of tools and applications that can be deployed to match the risks of your operations, including multifactor authentication, mobile device management, encryption, etc.
Passive vs. active controls – Small to mid-sized companies often deploy passive controls: policy requirements that are declared mandatory but not technically enforced, so that following the policy is left to the discretion of the employee. Ask yourself whether you always come to a complete stop at a stop sign. An example of a passive control is requiring all employees to upload their files and documents to a shared drive. The corresponding active control is deploying software that automatically syncs the employee’s hard drive to an off-site server. Another example is requiring multi-factor authentication or encrypted email but not enforcing the requirement in the application itself; when you subsequently find the Chief Legal Officer or the CFO not using it, the purpose is defeated and what you have is a passive control. The test of an active control is that the system, not the user, decides whether the control is applied.
Assessing the risk in your systems environment goes beyond the typical Sarbanes-Oxley or insurance review. A systems risk assessment should look at reliability, security and the processes you have in place, in the context of how your company conducts business and the regulatory requirements it faces. Companies should perform this review annually. Our experience has shown that most small to mid-sized companies don’t do it at all, and yet they have the most to lose!
SAGIN is a professional services firm that provides full-service IT Managed Services to its clients, including 24/7/365 helpdesk support, network infrastructure management, server maintenance and security assessments. SAGIN is a Microsoft Gold Certified Partner and also supports clients on the AWS and Google platforms. You can contact us at www.saginllc.com or +1.312.281.0290