How Do You Know What You DON’T Know About Your IT Assets?

September 6th, 2012

Many business executives who come to me for help don’t have an in-depth understanding of how their networks are configured, or of who, inside or outside the organization, has access to what information and programs. In fact, while most of these executives are well aware of the possibility of EXTERNAL threats from viruses (malware, phishing scams and the like), they don’t even think twice about the very real access their employees have, and the damage that those employees could potentially inflict on the company, whether by design or inadvertently.

Your IT department holds the keys to your organization’s sensitive data.

Your IT administrator holds the IT access keys to your company, and they are as precious as – or more precious than – the financial keys held by your accounting department. When you think about all of the sensitive information that is stored on your servers and individual computers – including company financial data, customer records, employee personnel information, business and personal email correspondence – it’s all there for the taking, to be manipulated, stolen or destroyed.

Checks and balances - not just a concept for government, or your accounting department.

It’s not just a matter of whether or not you trust your current IT administrator. Even well-intentioned and honest IT pros make mistakes and can inadvertently leave the door open for others to gain access to information that you don’t want them to see or have. Just as you have specific procedures, controls, regular checks and reports on your company’s financial position and systems, you should be asking for and receiving the same for your IT position and systems.

A network assessment helps companies uncover their IT vulnerabilities.

That’s why we recommend that every business with a network, no matter how small or simple, regularly run a simple network assessment scan – at least on a quarterly basis. You should have your assessment performed by a qualified network technician who will be able to analyze the results and quickly cure any deficiencies, vulnerabilities and improper network settings.

Inside or Outside Job?

Who should be responsible for assessing your system? Here are some considerations from both sides of the aisle:

Internal Reviewers

- Will already know any specifics and the “whys” of the current design
- Can usually save you some money, since they are already paid staff
- May know key data repositories and assets better than an external source
- May understand company workflow better than an external source

External Reviewers

- Will have a better eye for distinction (they don’t look at the design all day)
- See other designs and may be able to make better comparisons
- Usually have access to more vendor and industry materials and training
- More often have a structured approach and deliverables
- Have more practice (multiple reviews vs. a single attempt)
- May have more knowledge of various compliance requirements
- May have a greater wealth of specialist skills available (vs. onsite staff who may have broader duties)

...Who do you think should be responsible for regular network assessments – internal staff or independent third parties?

 

