
How to Complete a Basic IT Self-Audit for Your Business

Cybersecurity is one of the most important aspects of running a business, especially if your business falls under the financial or healthcare industries. Why? Because cybercriminals don’t commit cyberattacks just for fun. They do it because stealing sensitive personal information and company data is a lucrative business, albeit an illegal one.

Before you keep reading, we want to acknowledge that information technology (IT) is a complicated topic for even the best of us. The goal of this article is to gauge how well your current IT security efforts protect your IT assets and then determine what options you have to fill any gaps in security. But if we’re being realistic, sometimes it’s just easier to talk about this in real-time with an expert. So, if that’s more your style, start a chat with our IT team. The rest of us will get started with how to complete a basic IT self-audit.

Step 1: Define a Security Perimeter

This first step sounds a lot more complicated than it is. Defining a security perimeter simply means making a list of the IT assets that are valuable to your company. IT assets fall under two categories: equipment and data. Your equipment is valuable in itself because of the price you paid for it, but also because it stores and processes valuable information. Anything that falls under those two categories is within your “security perimeter.”

Examples of equipment you’ll want to protect:

  • Computers
  • Monitors
  • Servers
  • Printers
  • Wired or mobile phones

Examples of data you’ll want to protect:

  • Customer personal health information (PHI)
  • Customer and company financial information
  • Proprietary information (intellectual property and trade secrets)
  • Operational and inventory information

Step 2: Make a List of Possible Threats to Your Data

After you know what you need to protect, you need to determine how those devices and the data on them can be attacked. At this point, list every threat to your data, whether or not you think your company is already protected from it. Here’s a list of the top threats to data security for small or local businesses.

Employee Negligence:

Cybercriminals often target employees because they’re usually the easiest way to gain sensitive information. Criminals send malicious attachments and links over email, break into accounts that use weak or reused passwords, and place malicious links in targeted online ads.

Old or Unmonitored Systems:

Businesses need to regularly update and monitor their operating systems and software to keep their security measures effective. Just like you patch a pair of jeans, you patch your software. If security patches aren’t applied promptly, a cybercriminal will exploit the known, unpatched hole and target your systems with ransomware or other malware.

Bring Your Own Device (BYOD) Policies:

Many small businesses rely on their employees to use their own computers and mobile devices for work. This means that employees are storing and sending important data from devices your company has very little control over, and that you may not be able to patch, monitor or wipe if one is lost or stolen.

Improper Access to Data:

Small businesses also tend to grant every employee the highest level of access to all of their data-storing systems. The more accounts that can reach a piece of data, the more accounts an attacker can use to get at it, and the more damage one phished or careless employee can do. Give each employee only the access their job actually requires.

Step 3: Calculate the Risks

Now that you’ve identified the possible threats to your equipment and data, it’s time to calculate the risk. Or in other words, estimate how much damage (financial and otherwise) each threat could do to your business.

The formula for calculating risk isn’t really a math equation but a logic equation:
Risk = Threat x Asset

Here “Threat” stands for how likely the threat is to occur, and “Asset” for how valuable the targeted asset is to you. A low/medium/high rating for each is enough for a self-audit.

To define your threat and asset variable ask yourself two questions:

  1. How likely is it that this threat will occur?
  2. How valuable is this asset to me?

Let’s walk through an example with employee negligence over a phishing attempt as the threat and the asset being attacked is the employee’s computer login information.

Side note: phishing is when a cybercriminal pretends to be someone you trust, such as a coworker, a vendor or your bank, to trick you into handing over sensitive data like a password.

1) How likely is it that your employee will be targeted with phishing?

We don’t like to throw this around a lot but... 100%. Anyone with an email address is going to receive a phishing attempt. It’s very simple to impersonate someone within your company and easy to include information in the email to make it sound convincing. This means the threat side of the equation is as high as it gets.

2) How valuable is a computer login?

While this will vary with every employee and every company, login information for your computer is very valuable. Think about everything stored on your computer and how much information a cybercriminal has access to:

  • Email accounts
  • Customer information
  • Billing information
  • The list goes on...

We’re not trying to be dramatic here, but if you don’t have the proper IT security in place, the damage can be catastrophic for any company.
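To show how Step 3 scales beyond a single threat, here is a small risk register that scores every threat-and-asset pair with the article’s Risk = Threat x Asset logic and ranks the results. This is an added example, not code from the original article or from VGM Forbin; the threats and assets are taken from the article’s own lists, but the low/medium/high ratings assigned to each pair and the treat-or-accept threshold are illustrative assumptions.

```python
"""Risk register for Step 3: Risk = Threat x Asset, scored on a 1-3 scale.

Added example, not code from the original article. The threats and assets come
from the article's own lists; the low/medium/high ratings assigned to each
pair are illustrative assumptions, not figures from the article.
"""
from dataclasses import dataclass

# Both variables are rated on the same ordinal scale:
#   likelihood answers "How likely is it that this threat will occur?"
#   impact answers     "How valuable is this asset to me?"
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    threat: str
    asset: str
    likelihood: str
    impact: str

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently rank a risk.
        for field, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in RATING:
                raise ValueError(f"{field} must be one of {sorted(RATING)}, got {value!r}")

    @property
    def score(self) -> int:
        """Risk = Threat x Asset on the 1-3 scale, so scores range from 1 to 9."""
        return RATING[self.likelihood] * RATING[self.impact]


def rank_risks(register):
    """Highest score first; ties are broken alphabetically so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.threat, r.asset))


def triage(register, threshold=6):
    """Split the register into risks that need a control and risks to monitor.

    The threshold of 6 (medium likelihood x high value, or the reverse) is an
    assumption; pick the cut-off that matches your own appetite for risk.
    """
    ranked = rank_risks(register)
    return {
        "treat": [r for r in ranked if r.score >= threshold],
        "accept": [r for r in ranked if r.score < threshold],
    }


# Constructed register built from the article's threat and asset examples.
EXAMPLE_REGISTER = [
    Risk("phishing email", "employee login credentials", "high", "high"),
    Risk("unpatched operating system", "servers", "medium", "high"),
    Risk("lost personal (BYOD) phone", "customer PHI", "medium", "high"),
    Risk("everyone has admin access", "company financial information", "high", "medium"),
    Risk("outdated printer firmware", "printers", "low", "low"),
]


def format_register(register):
    """Render the ranked register as one line per risk, e.g. for a report."""
    lines = []
    for r in rank_risks(register):
        lines.append(f"{r.score:>2}  {r.likelihood:<6} x {r.impact:<6}  {r.threat} -> {r.asset}")
    return lines


if __name__ == "__main__":
    print("score  threat x asset   (threat -> asset)")
    for line in format_register(EXAMPLE_REGISTER):
        print(line)
    plan = triage(EXAMPLE_REGISTER)
    print(f"\n{len(plan['treat'])} risks need a control, {len(plan['accept'])} can be monitored")
```

Run it as a script to print the ranked register. The phishing row lands on top with a score of 9, which is the article’s point: when the threat is near-certain and the asset is a login that opens email, customer and billing data, that pair is where the implementation plan in Step 4 should start.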

Step 4: Develop an Implementation Plan

After you’ve calculated and ranked the risks to your IT hardware and systems, it’s time to develop an implementation plan. So, what IT security measures will your team put in place to protect the company, starting with the highest-scoring risks?

A few examples include:

  • Email encryption
  • Penetration testing
  • Virus protection

If you don’t have an IT security specialist on staff to help you develop an implementation plan, we’re here to help! Partnering with an IT vendor like VGM Forbin is a cost-effective way to support your staff. It’s less expensive than hiring another full-time employee with benefits and we have multiple people working together for your company, so we never take off on vacation! The best part? Our IT team is available for 24/7 support for our partners. Get a free consult from our team by filling out the form below! One of our IT experts will reach out to you soon to help.

TL;DR (too long didn’t read)

  • IT hardware and systems = IT assets
  • Make a list of IT assets your company needs to protect and if/how they are vulnerable to cybersecurity attacks
  • Estimate how likely each threat is and how valuable the asset it targets is, then rank the results
  • Decide how your company will protect assets

Or you can make it easy on yourself and reach out to us for a consult! Fill out the form below because sometimes it’s just easier to have a real conversation with a real person.
