Effective IT Risk Management for Small Businesses

Transcription

1 Effective IT Risk Management for Small Businesses A Small Business Gets Some Lessons in IT Risk Management Although large and publicly traded companies often get the most attention, small, private, entrepreneurial businesses really contribute to driving the Canadian economy in a significant way. Small businesses make up 98.2% 1 of all Canadian businesses. As with the majority of companies today, most rely to a great extent on information technology (IT) to support their business back office and operations, and to enable them to have a greater presence than their size in delivering competitive goods and services to local customers, or to enter global markets. Managing IT risks therefore becomes critical to their survival and success. Many small business owners have embraced technology, but some are still discovering the risks involved. Come join Gabriel Schmidt, our fictional owner of a small business, as he deals with an IT crisis and learns valuable lessons along the way. Gabriel Schmidt is a successful entrepreneur who has passionately grown FSG Inc. into a company with annual earnings of $2.5 million. FSG, which stands for Fire Safety Gear, manufactures special safety equipment used by firefighters. He started his business five years ago and currently has 15 employees. Gabriel s business has been growing rapidly, and he was recently listed as one of the top 250 Canadian entrepreneurs in a popular business magazine. Gabriel was looking forward to the gala dinner, where he would be presented with an award in front of all his peers. After a profitable year of hard work, he was even thinking 1 Industry Canada, Small Business Statistics August 2013 report: 1

2 2 Effective IT Risk Management for Small Businesses of taking a vacation in the Caribbean with his wife. As Gabriel was contemplating his company s success, an urgent call came from his operations manager, Carlos Santos, who wanted to meet with him immediately. As Carlos explained the emergency, Gabriel s optimism began to evaporate. The company s main servers had crashed early that morning. The servers that supported all operations including manufacturing, purchasing, finance and customer service had all failed. Even was unavailable. Carlos and his team had been trying all day to fix the problems. Gabriel asked Carlos about his plan to recover the systems. Surely the data had been backed up and could be loaded onto new servers, and the company would be back in business within hours. Carlos revealed that the data might not have been backed up. The IT contractor in charge of the servers had left FSG a month ago because he was unhappy that he had not been given the rate increase he wanted. His replacement had just been hired but would not be starting until next week. Gabriel was speechless. How was it possible that they had suddenly lost all their computer operations and data? His mind reeled with questions: What could have caused the servers to fail? Was it a virus? Or was it a cyber-attack from his competition? Since the magazine article about his company had been published, he had been getting a lot of congratulatory calls, some of them from his competitors. Could they have had a hand in this? Was it possible that the new intern they had hired from the technology college had gone in and tinkered with the servers, either intentionally or accidentally? Was it possible that the disgruntled IT contractor had compromised the server files? FSG had not changed the passwords to its remote access system since the IT contractor left last month. How about backups? Why had the operations team not been diligent about making sure there were adequate and regular backups? Hadn t staff figured out a business continuity plan for FSG? Gabriel felt guilty about this. He had heard about the importance of business continuity planning in the last small business conference he had attended; however, he had gotten so busy that he had failed to mention it to his operations department. How was he going to continue operating his business, or follow up with his customers, or pay his staff? How would FSG compile the financial data needed for tax purposes, or for supporting workers compensation premiums, or for the banks as part of their regular debt covenant reporting?

3 Gabriel needed help. He wanted to know what he should do to fix the immediate problem, and he wanted to know how to go about making sure that an IT crisis never happened again. Gabriel knew that RRJL, his local accounting and consulting firm, had CPAs specializing in the technology area. So he called the firm, told them about the problem, and asked them to assist. The firm assigned its top two consultants to assist Gabriel. After reviewing the situation, the consulting team met with Gabriel to discuss the following recommendations. Immediate Recommendations 1. Meet with key staff to gather as much information as possible about what might have happened, and to determine the immediate impacts of this situation, both internal and external to FSG. 2. Bring in a specialized technology team to examine the FSG servers and determine if there is any possibility of retrieving or re-creating the data. The team should work with the supplier of the servers and software to identify possible solutions. If retrieval of the data is not possible, then it will be necessary to re-create transactional records based on the last good backup, using whatever paper trail there may be. If this situation arises, the consulting team will provide detailed steps in a separate memo. 3. Should the servers and systems become functional, certain steps should be taken to manage any current risks. These actions would include keeping the systems off-line from external access, performing a review for viruses, changing passwords on all access points, and then carefully restoring connectivity when sufficient assurance has been obtained that systems and data are restored, tested and operating as expected. 4. If necessary, develop a communications plan to notify affected parties about what has occurred and what actions are being undertaken to reassure them that FSG has things under control. Response from the Server Manufacturer Gabriel got in touch with the supplier of the servers, who sent his technicians to start working on the issue immediately. Fortunately, the technicians were able to find a solution. They found that the servers had been configured to create an automated backup to a separate disk on the server every night. In the past, this data would then have been backed up to removable media and taken off-site. Once it could be estimated at what time the good data existed, it would be possible to segregate and retrieve the good data for recovery purposes. After further investigation, it was found that the data was fine the previous night up until 10:17 p.m. The servers were then restored back to that time. Since there had not been any transactions over night, FSG staff had been able to capture today s activities on paper and could now input the transactions into the recovered systems. Gabriel finally breathed a sigh of relief. Effective IT Risk Management for Small Businesses 3

4 4 Effective IT Risk Management for Small Businesses Call for Advice for the Future Gabriel now wanted to take proactive steps to prevent a similar incident from happening again. He asked for guidance from the RRJL consulting team about what IT risks he should be aware of, and what measures he should consider to better manage and mitigate these risks. The consultants provided Gabriel with the top seven issues that he should attend to in order to manage his technology risks. They qualified their recommendations by stating that there is no guarantee that the following strategies would prevent any incidents from happening again. They would, however, help Gabriel and FSG better mitigate the potential risks, and be more prepared to deal with such incidents if they ever did happen in the future. Gabriel specifically requested that the consulting team keep the recommendations simple and actionable so that he and his staff could easily understand them. Top Seven Issues and Recommendations The consultants presented Gabriel with the following issues, potential risks and implications of these issues to FSG and other small businesses, and recommendations or possible solutions to help mitigate these risks. 1. Having a Business Continuity Plan is Essential The issue: As the server crash incident indicated, FSG did not have a proper IT Disaster Recovery Plan (DRP) to support business continuity. The operations department may have lacked the sophistication to develop and maintain a DRP that sufficiently reflected the company s system availability requirements, or it may not have planned adequately to ensure such availability. The risks: There is a risk that a business may not be able to continue if a system disruption happens due to any of the following reasons: 2 Equipment failure Disruption of power supply or telecommunications Application failure or corruption of the database Human error, sabotage or strike Malicious software Hacking or other Internet attacks Social unrest or terrorist attacks Fire Natural disasters The solutions: For the initial draft of a DRP, FSG may benefit from engaging a professional who can help it determine what its needs are and develop procedures that can readily be acted upon. These procedures should include a cycle of backups of key systems and data. After the initial draft, FSG operations personnel could then keep the plan up to date in-house. Responsibility for performing these procedures needs 2

5 to be specifically assigned, and a senior employee needs to check periodically to ensure that they are being performed and kept current. FSG may consider outsourcing backup processes to an external cloud service provider, who will be able to back up data through the Internet. Business continuity planning is not only the responsibility of the employees responsible for systems; in order to make it work, key employees in all business areas have to engage at some level with the plan. 2. Effective Management of IT Vendors is Needed The issue: Small businesses tend to rely too heavily on the assistance of contractors or third-party vendors to perform IT functions and support for them. This is true for FSG. The risks: With such arrangements, there is sometimes the risk of an inadequate legal contract to communicate expectations, service level agreements, policies and standards to meet the organization s requirements. This includes protection if the vendor is developing software specific to its customers and either stops operating or terminates the contract, and the customer does not have the original software (source code) to be able to further maintain it. Without proper professional review of new contracts, a company may get locked in to a vendor with no easy termination. There may also be too much trust and reliance placed on individual contractors, and this creates a risk that if a contractor leaves, the company may not have sufficient capacity or cross-training of IT in place to support its activities until a replacement is found. There can also be a lack of understanding of what contractors are doing and not doing, and unfettered remote access may be provided to the vendor without proper access and change controls in place. The solutions: Possible steps to undertake include the following: Before signing the contract with the vendor, have it reviewed by a lawyer who specializes in such contracts. Determine your service delivery expectations and find out if the preferred vendor can meet those expectations, including required internal controls. Do a reference check, and find out whether the vendor can deliver on your service expectations. If utilizing a sole proprietor, ensure that internal oversight personnel are knowledgeable enough to oversee the contractor s work and can potentially fill in for a short time if the contractor were to leave. Maintain a list of backup contractors, just in case the main contractor decides to leave. Put appropriate controls in place to monitor remote access to your systems. Effective IT Risk Management for Small Businesses 5

6 6 Effective IT Risk Management for Small Businesses 3. Data Security Needs to be Actively Managed The issue: FSG may not have the awareness or funds to implement appropriate data security mechanisms. The risks: Managing data security risk should take into account the potential for accidental loss or display/release of data; intentional/unintentional theft or destruction of data; loss of intellectual property; and lack of compliance with regulatory authorities. The cost of addressing these considerations must be weighed against the direct impact on the bottom line and cash flow. The solutions: There is value in obtaining professional assistance in reviewing your security posture, and helping to ensure that you are taking advantage of the security features provided in your existing software and network. Implementing security will be more successful if you develop minimum policies and standards that provide direction on how much security you want; again, professional one-time assistance in this area could be valuable. Another possible solution is to outsource security monitoring, as this could be more cost effective than hiring or training someone internally to be your security advisor. Also, it is prudent to communicate expectations defined in your policy through a general annual security awareness and training program. Finally, you should think about the balance between technical security controls and the strength of your business process and review controls to detect and correct any events that slip through your technical controls. 4. Updated Anti-Virus and Anti-Malware Controls are a Must The issue: FSG may not have invested in appropriate virus and malware prevention and detection software, or if it has, it may not have kept the software current. The risks: If malware or a virus affects the systems, there is a potential for data loss, data theft or data corruption. The solutions: Acquire and install anti-virus programs through a major virus protection vendor (McAfee, Norton) that will perform virus prevention/detection activities and notify FSG of any new updates. It is important to make someone at FSG responsible for making sure that updates are being applied on a regular basis, and that maintenance fees are kept up to date based on the number of users. 5. Access Needs to be Controlled The issue: FSG does not have a sufficient number of employees/contractors to enable appropriate segregation of duties and to control users with privileged access to the system.

7 The risks: This increases the risk of processing errors, fraud or lost data. The solutions: Effective controls are needed to ensure that proper approvals are required for any new requests for system access, and that immediate steps are taken to remove the access of individuals who no longer require it. Furthermore, periodic reviews of access should be conducted to ensure that only approved and current employees/contractors have system access. Individuals should be given access only to system functions and data that they require to do their day-to-day work. Logs should be maintained for certain key activities within the system, such as failed log-on attempts (three or more), the activities of privileged users, use of certain key commands (adding users, changing access) and updates to specific critical files (payroll, employee information, credit card numbers). Periodic review of these logs should be performed by someone independent of these functions, or by peers in similar functions. If this segregation isn t possible, consider creating special user IDs for activities that only need to be performed periodically so that the additional access can be more readily logged and reviewed, or outsource the monitoring activities to an external security monitoring firm. Consider asking a professional to help you develop the guidelines around segregation of duties. 6. Cyber Threats Need to be Considered The issue: We don t know what caused FSG s servers to go down, but the threat of cyber security risks can t be ruled out. With all of the media coverage of cyber attacks, most prudent CEOs are actively trying to understand the implications for their own organizations. The risks: You may question how many potential threats are actually out there given you are a small business and there are bigger and more interesting targets to be pursued. However, you must understand that your small business could be viewed as an easy target, or an opportunity to use your unprotected network as an entry point to your customers or suppliers. The solutions: Consider obtaining a professional security advisor to work with you in understanding the potential adversaries and resulting threats against your business, including the threats that are typical in your particular industry. This process would go beyond your financial systems, and would identify the various access points into your systems through the Internet, your website, your different physical locations, and your customer and supply chain partners. You would also want to examine the strength of security controls in any business partners that you allow to access your systems, as they may be the route of attack. Then at least you would know where to direct your limited funds for security. Effective IT Risk Management for Small Businesses 7

8 8 Effective IT Risk Management for Small Businesses 7. IT Risk Mitigation Strategy Should be Deliberate The issue: Many smaller businesses believe they are successful because they are smaller, more nimble, and not impeded by time-consuming bureaucracy and formal policies. Owners of these companies believe they can effectively manage and stay on top of all activities through their own involvement and the business savvy that led to the success they currently enjoy. The risks: The risk that comes with an informal approach to IT risk mitigation is that the owner cannot do it all. Staff may not be aware of the risks, and without a formal plan to develop mitigating controls and keep staff informed about them, the company is at risk of lost data, unavailability of systems, errors in processing transactions, and susceptibility to attack from either internal or external parties. The solutions: As they evolve in size and complexity, companies need to be thoughtful about understanding their IT risks, developing their mitigation strategies and documenting them in a way that can be communicated and understood by staff. Besides this basic IT risk register, every business needs to document and communicate certain key positions on how it will address risk through simple policies and procedures that staff can understand and comply with, and that are then monitored by the owner and senior staff. Conclusion As the owner of a small business, Gabriel learned the hard way that he needs to be vigilant about understanding and managing IT risks. This time he was fortunate that things worked out for him, but if he doesn t pay proper attention to IT risks, his hard-earned success could be jeopardized in the future. Following the recommendations he was given will help him better manage his company s IT risks. During his discussion with the RRJL consultants, Gabriel noted other IT areas that he would like to discuss with them after his immediate concerns are resolved. These areas include making decisions related to new systems; development of an IT strategy aligned with the business strategy; and compliance with technology-related regulations such as privacy requirements. Prepared by: Robert Reimer, CPA, CA and Jodie Lobana, CPA, CA DISCLAIMER This publication was prepared by the Chartered Professional Accountants of Canada (CPA Canada) as non-authoritative guidance. CPA Canada and the authors do not accept any responsibility or liability that might occur directly or indirectly as a consequence of the use, application or reliance on this material.