Advancing Your IT Strategy: How to Identify Critical Vulnerabilities and Points of Failure
In a recent blog, we looked at the five steps required to develop an effective IT strategy. In this article, we will take a deeper look into one of these key stages: how to identify critical vulnerabilities and points of failure.
Your IT environment is only as strong as its weakest link.
Identifying critical vulnerabilities and points of failure will show you where these weak links are and provide you with an opportunity to strengthen the chain.
Weak links are a particular problem for organisations which don’t have an established IT department, or which have grown rapidly, creating conditions where there hasn’t been the necessary oversight of IT systems and processes.
Whatever your situation, it is never too late to look for points of vulnerability in your IT set-up. These are the points most likely to be exploited by hackers and other malicious attacks, and they can therefore pose a significant risk to the organisation.
To identify these weak spots, you will need to have a thorough understanding of your IT infrastructure and the interdependencies between individual elements. We’ve noted in an earlier blog that the first step in IT strategy development is conducting an IT audit, so if you’ve moved on to looking for critical vulnerabilities and points of failure, we anticipate you have already mapped your infrastructure.
Identifying vulnerabilities will mean delving a little deeper. For example, you will need to question:
• Are your operating systems on supported versions, with current security updates applied?
• Have software applications been updated to the latest version and patched with the appropriate security updates?
• What firewalls do you have around critical infrastructure, whether in-house servers or in the cloud?
• How old are the servers and end user devices being used?
• Is other equipment nearing its end of life, i.e. about to stop receiving vendor support and security updates?
• What will be the implications of failure for each piece of equipment?
• What will this mean to the business? Who will be affected?
• How would an outage in connectivity affect your business?
• What is the status in terms of “shadow IT”? i.e. have users installed unapproved apps that expose the business to risk?
In addition to the computer hardware and software used within and by the organisation, there is another important factor to consider: people.
Questions to ask here include:
• Who controls passwords and access to systems?
• Who has knowledge of key administrative processes?
• What levels of access and privileges are in place?
• Do all staff understand their responsibilities around IT security?
• What policies are in place to safeguard data in relation to the use of mobile devices and third-party networks?
• Who has responsibility for IT troubleshooting? What happens when there is a failure or security breach?
Your answers to these questions will enable you to identify the areas where you are weakest and most at risk. Understanding this will help you to develop policies and an action plan to mitigate or avoid the associated risks to the organisation.
Policies will need to reflect both the source of the potential risk and the likely effect on the organisation’s operations. For example, if Internet connectivity is an essential operational requirement, you may need to explore options for a second provider or a separate cable into the building. If you have critical data stored on a single server, you will need to explore options for automated off-site backups that allow for swift disaster recovery and business continuity. If a single member of staff controls admin access and password changes, you may need to task line managers with co-responsibility for access control over their staff.
The people element is often overlooked but needs to play a critical role in your thinking and planning. If only one person has the detailed knowledge of or access to business-critical systems, this represents a single point of failure for your organisation. What happens when they go on holiday, leave the company, or get run over by the proverbial bus tomorrow?
Effective knowledge management is key to minimising risk to the organisation – whether about your IT systems or any other business-critical knowledge. Getting the right systems in place and ensuring that no one person holds all the keys is important – no matter how uncomfortable it may make you feel. Always ensure that at least two individuals are fully trained on each IT procedure and/or that solid documentation is in place.
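The three checks above (equipment going out of support, systems that only one person can run, and single points of failure in the dependencies between systems) are easy to automate once your IT audit has produced an inventory. The script below is an added example written for this article; it is not a Grant McGregor tool and the inventory, asset names, staff names and dates in it are constructed sample data. It models each asset's dependencies as groups of alternatives (so a firewall with two Internet links is not a single point of failure), then reports which assets would take others down with them, which are past end of life, and which only one person knows how to administer.

```python
"""Added example: flag single points of failure in a small IT inventory.

Illustrative code written for this article, not a Grant McGregor tool.
Every asset, person and date below is constructed sample data.
"""

# Constructed sample inventory. Each asset records:
#   "eol"        - vendor end-of-life date as ISO text (None = not announced);
#                  ISO dates compare correctly as plain strings
#   "knows"      - staff who can administer or recover the asset
#   "depends_on" - list of requirement groups; each group is a set of
#                  alternatives and the asset needs at least one per group
INVENTORY = {
    "isp-a":       {"eol": None,         "knows": {"alice"},        "depends_on": []},
    "isp-b":       {"eol": None,         "knows": {"alice"},        "depends_on": []},
    "firewall":    {"eol": "2026-06-30", "knows": {"alice"},        "depends_on": [{"isp-a", "isp-b"}]},
    "file-server": {"eol": "2023-10-10", "knows": {"alice"},        "depends_on": [{"firewall"}]},
    "crm":         {"eol": None,         "knows": {"alice", "bob"}, "depends_on": [{"file-server"}, {"firewall"}]},
    "email":       {"eol": None,         "knows": {"bob", "carol"}, "depends_on": [{"firewall"}]},
}


def is_available(asset, failed, inventory, _visiting=frozenset()):
    """True if `asset` still works while every asset in `failed` is down.

    An asset is available when it is not failed, it is known to the
    inventory, and every requirement group has at least one available
    alternative. A dependency cycle is treated as unavailable rather than
    recursing forever.
    """
    if asset in failed or asset in _visiting or asset not in inventory:
        return False
    visiting = _visiting | {asset}
    for group in inventory[asset]["depends_on"]:
        if not any(is_available(alt, failed, inventory, visiting) for alt in group):
            return False
    return True


def single_points_of_failure(inventory):
    """Map each asset to the set of other assets that fail when it fails.

    Assets whose failure affects nothing else are left out of the result,
    so every key returned is a genuine single point of failure.
    """
    result = {}
    for asset in inventory:
        taken_down = {
            other for other in inventory
            if other != asset and not is_available(other, {asset}, inventory)
        }
        if taken_down:
            result[asset] = taken_down
    return result


def end_of_life(inventory, today):
    """Assets whose announced end-of-life date is on or before `today` (ISO text)."""
    return sorted(a for a, v in inventory.items()
                  if v["eol"] is not None and v["eol"] <= today)


def single_person_dependencies(inventory):
    """Assets that fewer than two people know how to administer."""
    return sorted(a for a, v in inventory.items() if len(v["knows"]) < 2)


if __name__ == "__main__":
    today = "2024-01-15"   # fixed date so the report is reproducible
    print("Past end of life:", end_of_life(INVENTORY, today))
    print("Only one person can run:", single_person_dependencies(INVENTORY))
    for asset, hit in sorted(single_points_of_failure(INVENTORY).items()):
        print(f"SPOF {asset}: takes down {sorted(hit)}")
```

On the sample data the report shows that losing either Internet link on its own is harmless because the firewall can use the other, but losing the firewall takes down the file server, the CRM and email, and the file server is both past end of life and known to only one person, which makes it the first thing to fix. Replace the inventory with the output of your own audit; the "knows" sets are the place to record the outcome of the knowledge-management work described above.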
Once you have developed strategies to mitigate such risks, you can begin to implement them. However, bear in mind that none of this is a one-off exercise. Auditing, strategy development, implementation and testing form an ongoing cycle. Your IT infrastructure is evolving all the time as you add new phones, laptops, equipment, apps and people to your business operations, and as you remove them too. Your IT strategy needs to keep up with all this change.
In addition to upgrading infrastructure and software on a regular basis, your strategy needs to include processes for keeping your people up to date too. Regular reviews of knowledge management, processes, and application and security training should be included in your schedule.
This doesn’t have to mean a lot of additional work – provided you keep on top of it.
And, of course, keeping on top of these vulnerabilities and potential points of failure helps to ensure they never become a serious problem for the organisation, saving you an enormous amount of reactive work when something does go wrong.
If you’d like help with either the scoping exercise to identify potential vulnerabilities and points of failure or in the implementation to address these risks, Grant McGregor has a proven process and the expertise to help.
Make a start today by downloading our free five-step guide to developing an IT strategy – which includes essential information about critical vulnerabilities and points of failure.
Or get in touch with our team on 0808 164 4142 for an initial, no-obligation chat.