By Paul Birch, Forensic Technology Consultant, BDO
There is a time in a business’s evolution when IT systems get out of hand. Once a company employs more than a dozen people or so, it becomes easy to lose track of devices and data. Company information gets stored in odd places in the cloud or shared around personal devices. You would think tech companies would be all over their IT systems, but this isn’t always the case.
This is rarely perceived as a problem until something goes wrong. Someone serves a Data Subject Access Request (DSAR) on your company, for example, and you realise that you don’t know where all the data is. Or you find that your intellectual property has somehow been handed over to a rival.
Such events can turn into major financial and reputational problems, but they are rarely viewed as IT risks. Much effort rightly goes into securing systems from attack by hackers and malware, while the consequences of poor data and IT infrastructure management go largely unremarked.
This is unfortunate because reducing these risks can be relatively easy. And once some basic measures are in place, risk reduction need not take much time or effort. Here are six things that you can do straight away to make sure your house is in order, IT-wise.
1. Keep an asset register
It is remarkable how many businesses have no real knowledge of the IT assets they hold. And we are not just talking about spare smartphones and laptops here: in one forensic engagement we were involved in, we found an entire server that nobody knew about.
To make sure machines holding vital data don’t go missing and are properly maintained — and ensure the true value of your capital assets is reflected in your accounts — create an asset register and update it at least once a year, or preferably whenever an IT device is bought or discarded.
2. Build a data map
As with devices, very few companies have a complete view of what data they keep, and where it is. Nowadays, pockets of information are increasingly spread across multiple systems, sites, and the cloud. This can create compliance problems in the event of a DSAR, litigation or a similar matter.
To overcome the problem, it is important to have a map that shows where different types of data are housed and how they are connected. Building a data map, and updating it every year, can help reveal vulnerabilities and inefficiencies in your data architecture, helping you to cut costs and reduce risks.
3. Manage authorisations
In smaller scale-ups particularly, it is not unusual for anyone in the company to have access to everything on the corporate network. This is an open invitation for intellectual property theft and other problems, but it can be easily remedied by putting the correct levels of access in place from the start.
Technology tools can help restrict how data flows around the business, so that — for example — important documents cannot be copied onto a pen drive without the say-so of an authorised individual. Tight data access helps prevent leaks and identify culprits if information does end up going astray.
4. Make data management a human resources issue
Anything to do with data is usually viewed as an IT affair. But when it comes to incidents such as intellectual property theft, the issue really lies with human resources. For this reason, it is important that information management is covered in areas such as employment contracts, training and onboarding.
Staff should be made aware that their employer takes data issues seriously and expects employees to do the same. A culture of respect for data and IT systems will lessen the likelihood of problems and make it easier to enforce policies regarding the use of personal devices, email accounts and cloud storage, for example, all of which may increase data risks for the company.
5. Carry out exit interviews
Companies are understandably picky about what skills and capabilities a new joiner can bring into the business. But less care is taken about what an employee might carry out with them when they leave the business. Restricting access to key data, as mentioned previously, can reduce the chances of theft.
Another effective measure is to carry out exit interviews where data protection policies are restated, and leavers are asked to give an assurance that they are not in possession of company devices or information. This won’t stop a determined criminal but might put off a casual theft and may be helpful if an issue is identified in the future and you wish to pursue legal action.
6. Get experts in
Somebody who really wants to steal your data will eventually find a way. But as with cyber security, the key to reducing other IT-related risks is to make things so difficult that 99% of would-be offenders will be put off and casual mistakes simply won’t happen.
Putting the appropriate measures in place can be relatively straightforward, but at the outset, a forensic IT audit can assess what risks you are exposed to and what you should do to counter them effectively. Your route to lower risks starts with a phone call.
For further information please contact Desiree McHard,
Managing Director, BDO Gibraltar:
Desiree.McHard@bdo.gi
www.bdo.gi