IT Security Audits & Assessments

Why is an external IT audit so important?

17 December 2021
Get in touch

Share on social..

Author: Richard McBarnet
Chief Executive Officer, Lumina Technologies

Internal Audit Vs External Audit

To put it bluntly, you don’t know what you don’t know. Therefore, if you do not have an adequate understanding of IT and cybersecurity, how can you be certain that your IT and cybersecurity is appropriate for your business and that your business is safe? This is why an external IT audit is essential.

In our experience, a company’s board members typically do not give much thought to their company’s IT until there is a security breach. Law firms are the number one target for financial fraud. For example, one of our clients, a law firm, was targeted as a result of the IT systems of one of its clients having been compromised. The law firm was asked to transfer £65,000 of funds, but when it came to light this was fraudulent, all traces of the correspondence disappeared from the client’s computer system, which showed the hacker had control of their system.

All too often, I find that directors and board members are unaware of what is happening with their company’s IT. Often, they are nervous of taking on the responsibility for IT because they do not understand it and find it too complex. But given that they are accountable for these areas, and the high risks associated, it surprises me that they do not take this on.

What an IT audit discloses

I have often struggled to pin down law firms’ managers to talk about the technology and infrastructure risks, and how their business could be compromised. Yet an audit will expose those risks and identify the threats your business might face, enabling us to advise on ways of preventing any potential future issues.

Different types of IT audit

Technical audit – the basic level which shows what IT assets you have, if they are still under warranty and how they are performing.
Security audit – this audit looks at all levels of exposure and risk. A security audit needs to be done at least annually. It also involves a visit from an auditor who will assess the human side of cybersecurity.
Operational audit – this is the most detailed audit, and it looks at your IT operation as a whole to assess its maturity, fitness for purpose, and whether or not it delivers and supports the business’s strategy. While an operational audit will cover cybersecurity risks, it is actually designed to get an understanding of how users work and how they can do their job properly. Operational audits only need to be carried out once every two to three years and will drive your strategic planning and your IT road map.

What we look for in an audit

Business owners often don’t understand what can happen and tend to be blasé about it. Time and again I expose poor practices such as totally inappropriate hardware, licencing compliance issues, massive cyber exposure, data exposure, and lack of adequate backups.

Recently I undertook an audit for an architectural practice. I asked the IT manager for a list of the company’s assets. They emailed me a spreadsheet listing the assets with the administrator access passwords in the next column. This immediately raised concern, so I investigated further and discovered that the spreadsheet had been stored on the file server and was available to everyone in the organisation. It was not password protected or in a restricted area. This definitely posed a cyber risk.

The same organisation has a centralised data storage system, which means that all its data sits on the one server. While the company bosses were aware that the data was being replicated off-site they did not know that because their network speed was so poor, when the replication was running it slowed the entire system down. IT had taken the decision that they would only run the replication at the weekend.

However, there was so much backlogged data that the replication was still running into Monday afternoon, interrupting work on Monday mornings. And by not running the replication until the weekend, the company risked losing the entire week’s data. This was a huge risk that the business’s directors were completely unaware of.

In another audit for a manufacturing company, I asked the incumbent IT company for access to the IT firewall. They refused access and simply told me it was secure. If we had accepted them at their word and something had gone wrong, we would have taken a massive reputational hit. Because, in fact, when I did eventually get access, I discovered a hacker had been trying to gain access to the company’s internal database which had been externally published through the firewall; the database was being attacked 24/7 by brute force attacks originating from China trying to guess the password – at a rate of over five guesses per second!

As an independent external auditor there is no conflict of interest

Audits are all about identifying issues and risks, but should also serve to educate businesses. Unlike most IT auditors, we will tell clients what the problems are as well as making recommendations as to how they can fix them. We believe that an external auditor must be totally objective, which means we work as an independent auditor removing any risk of conflict of interest by leaving it to the client to independently implement our recommendations.

Prevention is better than cure

Unfortunately the reality is that whenever someone approaches us to undertake an audit, they already know they’ve got a problem. Something’s happened to show that something has gone wrong or there is a nagging suspicion that things are not right, so they’re generally expecting bad news.

Thankfully more business owners and directors are becoming aware that IT audits are worthwhile exercises that need to be done on a regular basis. Indeed, IT cybersecurity risks need to be treated in the same way that your company treats a fire risk, such as putting preventative measures in place that minimise risks, carrying out regular fire alarm tests, and holding regular fire drills so your staff know what to do in the event of a fire.

What I strive to achieve with business audits is to expose the weaknesses within the business and give clients tools to start equipping themselves with better safety measures and more productive systems. As an example, one of our clients had concerns that their company’s financial data was not adequately secured.

I confirmed their fears because although the company had generic IT security, there was no security segregation of the company’s financial data. They wanted to engage an external consultant to look at their financial data and were quoted £65k from one of the “big four”. Whilst having the kudos of the big name may be important to the business, in reality a much more pragmatic and detailed audit can be achieved at a far more affordable cost.

It is becoming more critical that companies have clean bills of health when it comes to IT and cybersecurity. As I said in my introduction, you don’t know what you don’t know. An IT audit will expose deficiencies in technology, software, and human practices and will prevent your company from sleepwalking into disaster.

What our customers say

Lumina Technologies have taken the time to understand the requirements of our business and work as our strategic IT partner, enabling us to concentrate on delivering a high quality service to our clients and focus on our growth strategy. They have delivered a 100% cloud solution to our business with no underlying infrastructure costs or maintenance, which gives us scalability for our planned growth. It also means our business critical applications and data are securely accessible from virtually all our user devices. Lumina’s professional approach and strategic expertise is highly valued and their management of our IT – based on their in-depth knowledge, leaves us confident that our systems are available 24×7.

Luke Harrison
Keidan Harrison LLP

Lumina have supported us so well through the difficult circumstances of 2020.  They worked extremely hard to ensure we were able to work remotely and continue to operate our business successfully. The support team are very friendly and knowledgeable, and have excellent response times.

The team have also enhanced our cyber security which is so important in the legal sector, and they continue to provide high quality advice to help us move forward with our IT goals.

Robin Illingworth
Managing Partner, Adams & Remers LLP

The quality of IT Support provided by Lumina Technology is of the highest standard and is complemented by effective client liaison with impressive response times. Trap Oil Group plc has no hesitation in recommending Lumina as a dedicated and specialist group of IT professionals.

Martin David
Technical Director, Trap Oil Group plc

Richard and his team are a real inspiration to anyone who meets them and I have watched Lumina’s growth over the last few years with interest and admiration. Richard has been an amazing supporter of the Hospice of St Francis, being a Gold member of the Corporate Partner Network for almost two years. He takes an active interest in the community and is passionate about his company and his town: nothing is too much trouble, he is always willing to help, to give up his time and to provide business advice when asked. Lumina is an inspiration to any company wanting to set up business in Hertfordshire.

Carolyn Addison
Corporate Fundraising Manager, The Hospice of St Francis

Lumina Technologies Prism Hosted Desktop has allowed our business to centralise our global corporate data, allowing much faster access for all our staff – regardless of their location. We have also been able to simplify and reduce our infrastructure and management overhead. With the new Prism Hosted Desktop solution all staff now have simple and secure access to corporate data using any device they choose. Prism Hosted Desktop has increased the productivity of our staff and given us a single, consistent and familiar experience for all users from any device, in any location, 24/7.

Katherine Roe
Chief Executive Officer, Wentworth Resources PLC

The commercially sensitive and regulated nature of Lambert Energy Advisory’s business requires an IT provider able to maintain the highest levels of integrity and confidentiality, Lumina Technologies has consistently been unimpeachable in this regard over the nine years we have employed them.

Patrick Agar
Lambert Energy Advisory

It has been a great pleasure working with Lumina Technologies over the past two years. They have fully committed to being involved in the local community with volunteering and with professional advice and commitment, helping many local charities along the way. As a growing company it proves that being involved in the local community is helping them attract and retain a talented workforce and I look forward to working with them well into the future.

Cindy Withey
Connect Dacorum

Hawkstone Management Services Ltd is a small company for which IT Outsourcing is realistically the only viable option. Lumina Technologies have successfully performed this role for over fifteen years. They also provide innovative solutions to keep pace with technological progress. I would have no hesitation in recommending Lumina to similar sized businesses.

Stephen Pembury
Hawkstone Management Services Ltd

Charles Douglas Solicitors LLP have been using Lumina Technologies for a number of years now and continue to be impressed by the technical know-how and contemporary knowledge of their senior management, who provide a timely, efficient and friendly service. Whether it is a small issue with one computer, or a strategic IT decision, they maintain a current knowledge of available technologies. Lumina are always at the other end of the phone to help resolve issues and minimise business interference. The technical knowledge of Richard and his senior team means that there has not been a problem that they can’t solve to date. I am sure we will continue to use them in the years to come.

Charles Douglas
Managing Partner, Charles Douglas Solicitors LLP

The team at Lumina Technologies have made the Amoun Travel & Tours office IT transition seamless and problem free. The office set-up has been vastly improved and the IT Support services are flawless. No issue goes unresolved, which is extremely reassuring.

Adam Helmy
Amoun Travel & Tours Ltd

Lumina Technologies has been Salamander Energy plc’s IT provider since start-up in 2005 and has supported us in London during our expansion across operational offices in SE Asia. Their professional approach, strategic advice and close co-operation have been essential in making this a success.

John Bell
Group Technical Director, Salamander Energy plc

Richard and his team at Lumina have provided Perrett Laver Limited with high quality strategic and practical IT Services for over ten years. During this period, Perrett Laver has grown from 10+ colleagues based in London to nearly 100 colleagues located in six offices across the Americas, EMEA and Asia-Pacific. Richard and the Lumina team have not just been responsive to our ‘everyday’ IT needs, but have proactively sought to work with us on developing an infrastructure suitable for the type of operation we are today, and are planning to be months and years down the line. I would not hesitate to recommend Richard, especially for small to medium size business with growth in mind.

Clementine McKinley
COO, Perrett Laver Limited

Society Limited has been supported by Lumina Technologies since our earliest start-up phase. From large logistical challenges like an office move, through to smaller fiddly issues like fixing a faulty e-template, we know we can count on their support and advice. They’ve also been able to engage with us strategically on the challenge of scaling-up our infrastructure as the firm continues to grow and evolve. We always feel confident going to Lumina with a problem, since we know they genuinely care about sorting things out and helping us to get on with our core business.

Simon Lucas
Managing Director, Society Limited

The Vita Group HQ staff have worked with Richard McBarnet and Lumina Technologies for over 9 years, with Lumina providing all our PC, server, phone, and software support. The services have included C-level executives based in London, Manchester, the US, as well as supporting home office IT as well. The service provided and intellectual capabilities are outstanding and we would highly recommend Richard and his Lumina team.

Joe Menendez
CEO, The Vita Group

We worked with Lumina on a GDPR Audit. Richard was knowledgeable and professional throughout, and did the best he could to bring a dry topic to life through lots of real life examples and analogies. We were so impressed with the service Lumina provided and the value we got from partnering with them on this project – we couldn’t recommend them enough.

Holly Cottingham, Vintec Laboratories

Discuss your business needs today

Get in touch Schedule a call