The Hidden IT Risks in Your Small Business
Whilst many IT risks are fairly obvious, some remain hidden to the average user. Most businesses mitigate the obvious risks, but it may well be the less obvious ones that cause the most damage to your business.
Here we look at 5 IT risks that you may not have thought of but that should be part of your thinking.
General Data Protection Regulations (GDPR)
The biggest current risk isn’t ‘hidden’ but comes under the ‘burying your head in the sand’ category of risks!
From May next year new, more stringent data protection rules come into play in the UK. Whilst the GDPR is an EU regulation it will be adopted by the UK and EVERY UK-based business will need to implement new processes and procedures for processing data.
One of the main changes is that the penalties for breaches are much more severe. Businesses found in breach can expect fines of up to 4% of annual global turnover or €20 million – whichever is greater.
There are plenty of people jumping on the GDPR bandwagon and offering advice, documents, consultancy and so on. Our advice is to stick to official and trusted sources. Our Overview of the GDPR is a good starting point for basic information, and we'd also suggest visiting the site of the Information Commissioner's Office (https://ico.org.uk/), the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Their Overview of the GDPR and 12 Steps to Take Now documents are essential reading.
While you may start by focusing on how you collect and process data, you will also need to consider how you secure it. Make sure you are using a multi-layered approach to cyber security, along with a strong data backup regime.
The Internet of Things
With an increasing number of electronic devices connected to the internet the level of risk is increasing at pace. The Internet of Things is the term used for this myriad of connected devices. From fridges to iWatches, there are so many things connected to your network it is hard to keep up.
A growing area of concern is that these devices create novel ways for cyber criminals to hack into networks. Whilst companies know how to protect against common methods of attack, there is now a whole new world of connected devices and therefore potentially unsecured entry points to your network. Even the IoT-connected vending machine in the corporate kitchen can be the backdoor entryway for cyber criminals to hack into the company’s network.
The danger here is that some devices may be viewed as unimportant and may not even be on IT's radar. According to an HPE Internet of Things Research Study, 60% of IoT devices tested raised security concerns with their user interfaces. Passwords for items such as printers and scanners are rarely changed, undermining even the strongest password policy.
It’s important to remember that your security is only as good as the weakest link, so you should be ensuring that proper protection is in place for EVERY device that connects to your network. Staff training is a huge part of a multi-layered security approach and staff need to be educated on the risks of IoT devices not only to the business but also to their personal data.
Bring Your Own Device (BYOD)
Closely linked to IoT, BYOD presents many of the same risks. Properly managed, BYOD can reduce costs, lessen the strain on IT systems and support, and increase employee satisfaction. However, 'creeping BYOD' is the term used when individuals start to use their own devices without the proper systems and processes in place. This often starts with someone wanting to access their email on their own phone, tablet or laptop and employing a DIY method to do so. The individual's device may have limited security and could then be a portal for malware to enter the business's systems.
To control this risk, you first need to know exactly who and what is connecting to your networks. This can be established through an audit, either internally or by your IT support provider. Once you know what is connecting, you should introduce a BYOD policy, possibly integrated with an IoT policy.
Stopping staff from using their own devices is generally not an option, so you need to look at tightening up policies. Requiring PINs, passwords or fingerprint recognition on phones and tablets is a good starting point. You should also look to employ encryption across your systems and ensure that you can erase company data from devices if an individual moves on.
Outdated software and hardware
Recent virus attacks have highlighted some of the security issues around outdated software. The WannaCry virus specifically targeted weaknesses in older, unpatched and unsupported software such as Windows XP & 7 or Windows Server 2003. However, this is not just a software issue: outdated hardware will not be able to run the latest versions of some software.
In addition to security, one of the major risks of older technology is hard drive failure. Hard drives are potentially the weakest points of any IT system because they contain moving parts. A high-quality backup solution will help if the worst happens, but this should only be a last resort, and backup will not guard against the loss of productivity whilst data is restored. Once you add in the strategic issues linked to outdated technology, such as reduced speed and responsiveness, reduced flexibility and a loss of competitiveness, it is easy to see why a proper programme of hardware updates and upgrades should be at the forefront of any business's IT strategy.
Outdated or poorly configured user accounts
Staff changes are commonplace in any small business, and they leave behind redundant user accounts. Accounts that are no longer needed should be deleted, but unfortunately this is often forgotten. Whilst there may be a cost implication (some IT services, such as email, are priced per account) the main issue is one of security: these accounts may open a backdoor into your IT systems, especially as their passwords will not have been changed since the individual left the business.
However, it isn't just redundant accounts that can cause issues. You also need to be aware of what you are granting people access to. It is common sense to restrict access to crucial information such as bank accounts and HR systems, yet you'd be surprised how often these restrictions are poorly implemented. Account management should form part of your everyday IT arrangements. If possible, you should put in place a regular auditing process to ensure users have the correct level of access.
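The regular audit described above can be turned into a repeatable check. The following Python script is an added example, not code from the original article or from the author's company: it reads a constructed sample export of user accounts (the kind of CSV a directory or HR system can produce) and flags leavers whose accounts are still enabled, accounts that have not logged on for 90 days, disabled leaver accounts that were never deleted, and accounts holding sensitive group membership beyond what their role is allowed. The group names, the allowed-access mapping and the 90-day and 180-day thresholds are assumptions chosen for the example.

```python
"""Stale-account and access-review audit over a constructed directory export.

Added example; the export format, group names and thresholds are assumptions.
"""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed sample export (not real data): one row per account.
# Dates are ISO format; groups are semicolon-separated; blank = not applicable.
SAMPLE_EXPORT = """\
username,enabled,last_logon,left_date,groups
alice,true,2017-09-10,,Staff;Finance
bob,true,2017-03-02,2017-04-30,Staff;HR
carol,true,2017-09-12,,Staff;Finance;HR;Domain Admins
dave,false,2016-11-20,2016-12-01,Staff
erin,true,2017-01-15,,Staff
svc-backup,true,2017-09-11,,Backup Operators
"""

# Assumed access policy: which groups count as sensitive, and which users are
# entitled to them. In practice this comes from the business's own records.
SENSITIVE_GROUPS = {"Finance", "HR", "Domain Admins", "Backup Operators"}
ALLOWED_SENSITIVE = {
    "alice": {"Finance"},
    "carol": {"Finance"},
    "svc-backup": {"Backup Operators"},
}

INACTIVITY_DAYS = 90      # enabled account with no logon for this long -> review
LEAVER_RETENTION_DAYS = 180  # disabled leaver account older than this -> delete


def _parse_date(value):
    """Return a date for a non-empty ISO string, otherwise None."""
    return date.fromisoformat(value) if value else None


def parse_export(text):
    """Parse the CSV export into a list of account dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(StringIO(text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": _parse_date(row["last_logon"]),
            "left_date": _parse_date(row["left_date"]),
            "groups": {g for g in row["groups"].split(";") if g},
        })
    return accounts


def audit(accounts, today, inactivity_days=INACTIVITY_DAYS,
          retention_days=LEAVER_RETENTION_DAYS):
    """Return (username, finding_code, detail) tuples for every issue found."""
    findings = []
    inactive_cutoff = today - timedelta(days=inactivity_days)
    retention_cutoff = today - timedelta(days=retention_days)
    for acct in accounts:
        name = acct["username"]
        left, enabled, last = acct["left_date"], acct["enabled"], acct["last_logon"]

        # A leaver whose account still works is the classic backdoor.
        if left and enabled:
            findings.append((name, "LEAVER_STILL_ENABLED", f"left {left}"))

        # Disabled is not deleted: old leaver accounts should be removed.
        if left and not enabled and left < retention_cutoff:
            findings.append((name, "LEAVER_NOT_DELETED", f"left {left}"))

        # Enabled accounts nobody uses are candidates for disabling.
        if enabled and (last is None or last < inactive_cutoff):
            findings.append((name, "INACTIVE", f"last logon {last}"))

        # Sensitive group membership beyond what the role is allowed.
        extra = (acct["groups"] & SENSITIVE_GROUPS) - ALLOWED_SENSITIVE.get(name, set())
        if enabled and extra:
            findings.append((name, "EXCESS_ACCESS", ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit(parse_export(SAMPLE_EXPORT), date(2017, 9, 15)):
        print(f"{user:12} {code:22} {detail}")
```

Run against a real export, the output is a review list for whoever owns account management: each finding names the account, the reason it was flagged and the evidence, so the reviewer can disable, delete or trim access rather than guess.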
Managing Your IT Risks
You want to run your business, not an IT department. Whilst IT may not be at the forefront of your thoughts, it should never be completely out of sight. If you are not aware of the risks, you won't be able to do anything about them. Therefore, the first item on any action plan should be an audit. You could do this in-house, but many Managed Service Providers, ourselves included, will undertake a network audit for you. This will help you identify your issues and decide what further actions you want to take.
To talk about a network audit, or find out how we can help your business call us on 0115 8220200.