Small businesses across Australia often lack dedicated IT departments or support services. This doesn’t mean, however, that they don’t use or require (sometimes complex!) IT solutions to get the best out of their business.
As a result, we all too frequently see managers and owners frustrated, confused and unsure of what they’re even using, and how or even where to begin.
If this is sounding a little too familiar, hopefully our IT auditing checklist will help you to get a better understanding of what technology you really need – and what you don’t.
Why do I need an IT audit?
As businesses grow and new software and other technology are released, things can get a little… messy.
Not only can this become an administrative nightmare for you and your staff, but it can also open your business up to new and evolving cyber threats.
Regular auditing ensures that any flaws in your IT security are found and fixed, that you are able to work as effectively and efficiently as possible, and that you aren’t wasting money on technology or software that isn’t serving you the way it should.
So what do we have in our IT auditing checklist?
Use of MFA (multifactor authentication)
Is everyone in your business using some form of MFA?
A password alone won’t protect your data.
Whether it’s by human error or sophisticated hacking techniques, passwords can be, and are, cracked or leaked daily – exposing potentially sensitive information to the highest bidder.
According to Alex Weinert, Director of Identity Security at Microsoft, the use of MFA reduces the chance of an account being compromised by 99.9%.
Common forms of MFA include:
- Phone call
- One-time Password (OTP)
- Push notification
- FIDO (Fast Identity Online) key / passwordless
Each of these methods has its own advantages and disadvantages, but we’ll leave that one for another post.
Who has privileged account access?
How many people are using accounts with access to critical information – and who are they?
Having an inventory of who is able to access and potentially update things like payment information and employee details should be high on the priority list for any business owner; however, the fogginess of the online world can often see this being overlooked.
Understanding what each user role is capable of in your specific systems is also of great importance, as roles such as ‘admin’ may restrict some activities in one platform but allow access to everything in another.
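The MFA and privileged-access checks above can be run together over account exports from each platform. The Python below is an added example, not part of the original checklist; the CSV columns, platform names, role maps and capability names are all constructed assumptions.

```python
import csv
import io

# Constructed sample export, one row per account per platform (assumed columns).
ACCOUNTS_CSV = """platform,user,role,mfa
payroll,alice,admin,yes
payroll,bob,manager,no
helpdesk,alice,admin,no
helpdesk,carol,agent,yes
helpdesk,dave,owner,no
"""

# Assumed role meanings per platform: 'admin' is limited in one platform
# and all-powerful in another, so roles are mapped platform by platform.
ROLE_CAPABILITIES = {
    "payroll": {
        "admin": {"change_settings", "edit_payment_details", "edit_employee_details"},
        "manager": {"edit_employee_details"},
    },
    "helpdesk": {"admin": {"change_settings"}, "agent": set()},
}

# Capabilities this (hypothetical) business treats as critical.
CRITICAL = {"edit_payment_details", "edit_employee_details"}


def audit(csv_text):
    """Return (privileged accounts, findings) for an account export."""
    privileged, findings = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        platform, user, role = row["platform"], row["user"], row["role"]
        known_roles = ROLE_CAPABILITIES.get(platform, {})
        if role not in known_roles:
            # Never assume an unknown role is harmless: send it for review.
            findings.append((platform, user, "unmapped role"))
            continue
        critical = sorted(known_roles[role] & CRITICAL)
        if critical:
            privileged.append((platform, user, critical))
        if row["mfa"].strip().lower() != "yes":
            issue = "no MFA on privileged account" if critical else "no MFA"
            findings.append((platform, user, issue))
    return privileged, findings


if __name__ == "__main__":
    privileged, findings = audit(ACCOUNTS_CSV)
    for entry in privileged + findings:
        print(entry)
```

Roles that are missing from the map are reported rather than skipped, so a new or renamed role in any platform shows up at the next audit.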
What hardware devices are connected to your network, and who uses them?
All someone needs to gain access to your network and private company information is one unmanaged or unpatched device.
Having an up-to-date inventory of all the devices that connect to the company network (including staff phones and laptops) ensures you have oversight over who is connecting to your network and why.
The rise of WFH and BYOD (bring your own device) has definitely created more of a challenge for businesses trying to manage the devices connecting to their networks – making a complete and current inventory all the more important.
Software Inventory & Patching
What software is installed (or able to be installed) and being used, and is it up to date?
Hackers are always on the lookout for vulnerabilities in commonly used software, scanning targeted organisations for anything out of date that could provide entry to the network. Ensuring each device has the latest versions of any software installed will mean that any bugs or vulnerabilities can be patched and removed.
Seemingly innocent software may also contain malware and other means of gaining access to business networks, which underlines the importance of knowing what software can be, and is being, installed on devices accessing your networks.
Having an in-depth overview of what software is being used also comes into play when planning for backups and disaster recovery. If you don’t know what exists and where, you can’t restore it!
The first steps are always the hardest and boldest ones you can take. Knowing what you have (hardware, software) is essential; otherwise you may be investing in something not relevant or putting out the wrong fires. Once a picture of business technology can be painted, protecting the identities that control hardware and software through multifactor authentication and privileged account management will assist in keeping systems compliant with the business’s expectations and reduce the impact of shadow IT.
Undertaking an IT audit doesn’t have to be a complicated – or expensive – ordeal. We would always recommend having experienced IT service providers assess your environment as the kind of insights and experience gained can be invaluable.
Looking for that IT auditor you’ve always dreamt of?
We’re here to help! Get in touch with us or book a call to chat more about making sure your systems are up to scratch.