
Effective IT Risk Management for Small Businesses

A Small Business Gets Some Lessons in IT Risk Management

Although large and publicly traded companies often get the most attention, small, private,
entrepreneurial businesses really contribute to driving the Canadian economy in a significant
way. Small businesses make up 98.2%1 of all Canadian businesses. As with the majority of
companies today, most rely to a great extent on information technology (IT) to support their
business back office and operations, and to enable them to have a greater presence than
their size in delivering competitive goods and services to local customers, or to enter global
markets. Managing IT risks therefore becomes critical to their survival and success. Many
small business owners have embraced technology, but some are still discovering the risks
involved. Come join Gabriel Schmidt, our fictional owner of a small business, as he deals
with an IT crisis and learns valuable lessons along the way.

Gabriel Schmidt is a successful entrepreneur who has passionately grown FSG Inc. into
a company with annual earnings of $2.5 million. FSG, which stands for Fire Safety Gear,
manufactures special safety equipment used by firefighters. He started his business five
years ago and currently has 15 employees. Gabriel’s business has been growing rapidly, and
he was recently listed as one of the top 250 Canadian entrepreneurs in a popular business
magazine. Gabriel was looking forward to the gala dinner, where he would be presented with
an award in front of all his peers. After a profitable year of hard work, he was even thinking
of taking a vacation in the Caribbean with his wife. As Gabriel was contemplating his company’s
success, an urgent call came from his operations manager, Carlos Santos, who wanted to
meet with him immediately.

1 Industry Canada, Small Business Statistics — August 2013 report: www.ic.gc.ca/eic/site/061.nsf/eng/02804.html

As Carlos explained the emergency, Gabriel’s optimism began to evaporate. The company’s
main servers had crashed early that morning. The servers that supported all operations 
— including manufacturing, purchasing, finance and customer service — had all failed. Even
email was unavailable. Carlos and his team had been trying all day to fix the problems.

Gabriel asked Carlos about his plan to recover the systems. Surely the data had been
backed up and could be loaded onto new servers, and the company would be back in
business within hours.

Carlos revealed that the data might not have been backed up. The IT contractor in charge
of the servers had left FSG a month ago because he was unhappy that he had not been
given the rate increase he wanted. His replacement had just been hired but would not be
starting until next week.

Gabriel was speechless. How was it possible that they had suddenly lost all their computer
operations and data? His mind reeled with questions:

• What could have caused the servers to fail? Was it a virus? Or was it a cyber-attack from
his competition? Since the magazine article about his company had been published, he
had been getting a lot of congratulatory calls, some of them from his competitors. Could
they have had a hand in this?

• Was it possible that the new intern they had hired from the technology college had gone
in and tinkered with the servers, either intentionally or accidentally?

• Was it possible that the disgruntled IT contractor had compromised the server files? FSG
had not changed the passwords to its remote access system since the IT contractor left
last month.

• How about backups? Why had the operations team not been diligent about making sure
there were adequate and regular backups?

• Hadn’t staff figured out a business continuity plan for FSG? Gabriel felt guilty about this.
He had heard about the importance of business continuity planning in the last small
business conference he had attended; however, he had gotten so busy that he had failed
to mention it to his operations department.

• How was he going to continue operating his business, or follow up with his customers,
or pay his staff?

• How would FSG compile the financial data needed for tax purposes, or for supporting
workers’ compensation premiums, or for the banks as part of their regular debt covenant
reporting?



Gabriel needed help. He wanted to know what he should do to fix the immediate problem,
and he wanted to know how to go about making sure that an IT crisis never happened again.

Gabriel knew that RRJL, his local accounting and consulting firm, had CPAs specializing
in the technology area. So he called the firm, told them about the problem, and asked them
to assist.

The firm assigned its top two consultants to assist Gabriel. After reviewing the situation,
the consulting team met with Gabriel to discuss the following recommendations.

Immediate Recommendations
1. Meet with key staff to gather as much information as possible about what might have
happened, and to determine the immediate impacts of this situation, both internal and
external to FSG.

2. Bring in a specialized technology team to examine the FSG servers and determine
if there is any possibility of retrieving or re-creating the data. The team should work
with the supplier of the servers and software to identify possible solutions. If retrieval of
the data is not possible, then it will be necessary to re-create transactional records based
on the last good backup, using whatever paper trail there may be. If this situation arises,
the consulting team will provide detailed steps in a separate memo.

3. Should the servers and systems become functional, certain steps should be taken to
manage any current risks. These actions would include keeping the systems off-line from
external access, performing a review for viruses, changing passwords on all access points,
and then carefully restoring connectivity when sufficient assurance has been obtained
that systems and data are restored, tested and operating as expected.

4. If necessary, develop a communications plan to notify affected parties about what has
occurred and what actions are being undertaken to reassure them that FSG has things
under control.

Response from the Server Manufacturer


Gabriel got in touch with the supplier of the servers, who sent his technicians to start working
on the issue immediately. Fortunately, the technicians were able to find a solution. They found
that the servers had been configured to create an automated backup to a separate disk on
the server every night. In the past, this data would then have been backed up to removable
media and taken off-site. Once it could be estimated at what time the good data existed,
it would be possible to segregate and retrieve the good data for recovery purposes.

After further investigation, it was found that the data was fine the previous night up until
10:17 p.m. The servers were then restored back to that time. Since there had not been any
transactions overnight, FSG staff had been able to capture today’s activities on paper and could
now input the transactions into the recovered systems. Gabriel finally breathed a sigh of relief.



Call for Advice for the Future
Gabriel now wanted to take proactive steps to prevent a similar incident from happening
again. He asked for guidance from the RRJL consulting team about what IT risks he should be
aware of, and what measures he should consider to better manage and mitigate these risks.

The consultants provided Gabriel with the top seven issues that he should attend to in order
to manage his technology risks. They qualified their recommendations by stating that there is
no guarantee that the following strategies would prevent any incidents from happening again.
They would, however, help Gabriel and FSG better mitigate the potential risks, and be more
prepared to deal with such incidents if they ever did happen in the future. Gabriel specifically
requested that the consulting team keep the recommendations simple and actionable so that
he and his staff could easily understand them.

Top Seven Issues and Recommendations


The consultants presented Gabriel with the following issues, potential risks and implications
of these issues to FSG and other small businesses, and recommendations or possible solutions
to help mitigate these risks.

1. Having a Business Continuity Plan is Essential


The issue: As the server crash incident indicated, FSG did not have a proper IT Disaster
Recovery Plan (DRP) to support business continuity. The operations department may
have lacked the sophistication to develop and maintain a DRP that sufficiently reflected
the company’s system availability requirements, or it may not have planned adequately
to ensure such availability.

The risks: There is a risk that a business may not be able to continue if a system disruption
happens due to any of the following reasons:2
• Equipment failure
• Disruption of power supply or telecommunications
• Application failure or corruption of the database
• Human error, sabotage or strike
• Malicious software
• Hacking or other Internet attacks
• Social unrest or terrorist attacks
• Fire
• Natural disasters

The solutions: For the initial draft of a DRP, FSG may benefit from engaging a professional
who can help it determine what its needs are and develop procedures that can readily be
acted upon. These procedures should include a cycle of backups of key systems and data,
including periodic test restores, since a backup that has never been restored is not known
to work. After the initial draft, FSG operations personnel could then keep the plan up to date
in-house. Responsibility for performing these procedures needs to be specifically assigned,
and a senior employee needs to check periodically to ensure that they are being performed
and kept current. FSG may consider outsourcing backup processes to an external cloud service
provider, who will be able to back up data through the Internet. Business continuity planning
is not only the responsibility of the employees responsible for systems; in order to make it
work, key employees in all business areas have to engage at some level with the plan.

2 www.sans.org/reading-room/whitepapers/recovery/introduction-business-continuity-planning-559
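As an added example (it is not part of the CPA Canada publication), the Python script below shows the two checks a backup cycle needs: the periodic verification a senior employee could run to confirm that intact, recent and off-site backups exist, and the selection of a restore point from the last known-good time, which is what the technicians did when they restored FSG to 10:17 p.m. The snapshot catalogue, the image contents, the checksums and the timestamps are constructed; a real run would read the backup tool's catalogue or a listing of the backup volume, and the thresholds (26 hours for a nightly job, 7 days for the off-site rotation) are assumptions.

```python
"""Backup-cycle check and restore-point selection.

Added example; not part of the CPA Canada publication. The snapshot catalogue
below is constructed. In practice it would be read from the backup tool's
catalogue or from a listing of the backup volume.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from hashlib import sha256


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime      # when the backup job finished
    payload: bytes          # stand-in for the backup image (constructed)
    recorded_sha256: str    # checksum the backup job wrote at the time
    offsite: bool           # copied to removable media or a cloud bucket


def checksum_ok(snap: Snapshot) -> bool:
    """A backup whose checksum no longer matches cannot be trusted for a restore."""
    return sha256(snap.payload).hexdigest() == snap.recorded_sha256


def backup_cycle_findings(snapshots, now, max_age=timedelta(hours=26),
                          max_offsite_age=timedelta(days=7)):
    """Return the findings a periodic check of the backup cycle should raise.

    An empty list means: the newest backup is intact and recent, and an intact
    off-site copy exists that is no older than the off-site rotation cycle.
    """
    findings = []
    intact = [s for s in snapshots if checksum_ok(s)]
    for s in snapshots:
        if s not in intact:
            findings.append(f"checksum mismatch on backup taken {s.taken_at:%Y-%m-%d %H:%M}")
    if not intact:
        findings.append("no intact backup exists")
        return findings
    newest = max(intact, key=lambda s: s.taken_at)
    if now - newest.taken_at > max_age:
        findings.append(f"newest intact backup is {now - newest.taken_at} old")
    offsite = [s for s in intact if s.offsite]
    if not offsite:
        findings.append("no intact off-site copy exists")
    elif now - max(s.taken_at for s in offsite) > max_offsite_age:
        findings.append("newest off-site copy is older than the rotation cycle")
    return findings


def restore_point(snapshots, last_good_time):
    """Newest intact snapshot taken at or before the time the data is known to be good.

    Restoring from any later snapshot would reload the corrupted state.
    """
    candidates = [s for s in snapshots
                  if checksum_ok(s) and s.taken_at <= last_good_time]
    return max(candidates, key=lambda s: s.taken_at, default=None)


def _snapshot(taken_at, image, offsite, corrupt_after=False):
    """Build a constructed catalogue entry; corrupt_after simulates damage after the job ran."""
    digest = sha256(image).hexdigest()
    if corrupt_after:
        image += b"\x00"
    return Snapshot(taken_at, image, digest, offsite)


# Constructed catalogue: nightly backups to the second disk, weekly off-site copy.
NOW = datetime(2014, 3, 12, 9, 0)
LAST_GOOD = datetime(2014, 3, 11, 22, 17)   # the time the technicians established
CATALOGUE = [
    _snapshot(datetime(2014, 3, 3, 22, 0), b"fsg-erp-0303", offsite=True),
    _snapshot(datetime(2014, 3, 10, 22, 0), b"fsg-erp-0310", offsite=False),
    _snapshot(datetime(2014, 3, 11, 22, 0), b"fsg-erp-0311", offsite=False),
    _snapshot(datetime(2014, 3, 12, 2, 0), b"fsg-erp-0312", offsite=False, corrupt_after=True),
]

if __name__ == "__main__":
    for finding in backup_cycle_findings(CATALOGUE, NOW):
        print("FINDING:", finding)
    point = restore_point(CATALOGUE, LAST_GOOD)
    print("restore from:", point.taken_at if point else "no usable backup")
```

On the constructed catalogue the check raises two findings (the post-crash snapshot fails its checksum, and the only off-site copy is past the rotation cycle) and selects the 10:00 p.m. snapshot of March 11 as the restore point. The checksum test is what turns "we have a backup" into "we have a backup we can restore from"; a real implementation would additionally perform a trial restore on a schedule, as the DRP procedures above require.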

2. Effective Management of IT Vendors is Needed


The issue: Small businesses tend to rely too heavily on the assistance of contractors or
third-party vendors to perform IT functions and support for them. This is true for FSG.

The risks: With such arrangements, there is sometimes the risk of an inadequate legal
contract to communicate expectations, service level agreements, policies and standards
to meet the organization’s requirements. This includes protection if the vendor is
developing software specific to its customers and either stops operating or terminates
the contract, and the customer does not have the original software (source code) to
be able to further maintain it. Without proper professional review of new contracts,
a company may get locked in to a vendor with no easy termination. There may also be
too much trust and reliance placed on individual contractors, and this creates a risk that
if a contractor leaves, the company may not have sufficient capacity or cross-training
of IT in place to support its activities until a replacement is found. There can also be
a lack of understanding of what contractors are doing and not doing, and unfettered
remote access may be provided to the vendor without proper access and change
controls in place.

The solutions: Possible steps to undertake include the following:


• Before signing the contract with the vendor, have it reviewed by a lawyer who
specializes in such contracts.
• Determine your service delivery expectations and find out if the preferred vendor
can meet those expectations, including required internal controls.
• Do a reference check, and find out whether the vendor can deliver on your service
expectations.
• If utilizing a sole proprietor, ensure that internal oversight personnel are knowledgeable
enough to oversee the contractor’s work and can potentially fill in for a short time if the
contractor were to leave.
• Maintain a list of backup contractors, just in case the main contractor decides
to leave.
• Put appropriate controls in place to monitor remote access to your systems.
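The last bullet, monitoring remote access, is the control that would have caught FSG's unchanged remote-access passwords after the contractor left. As an added example (not from the publication), the Python script below reconciles a remote-access gateway's account list against the current staff and contractor register and flags accounts that belong to departed people, credentials not changed since a departure, shared credentials that a departed person knew, logins after a departure date, and dormant accounts. The names, dates, account records and the 60-day dormancy threshold are constructed assumptions; in practice the account list comes from the VPN or remote-desktop gateway and the register from HR or the contract file.

```python
"""Remote-access account review.

Added example; not part of the CPA Canada publication. The account list and the
staff/contractor register below are constructed. In practice the account list
comes from the VPN or remote-desktop gateway and the register from HR.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                  # person's name, or "shared" for a group credential
    password_changed: date      # last credential change on the gateway
    last_login: Optional[date]  # None if the account has never been used


@dataclass(frozen=True)
class Person:
    name: str
    left_on: Optional[date]     # None while still employed or under contract


def review_remote_access(accounts, register, today, dormant_after=timedelta(days=60)):
    """Return {username: [reasons]} for every account that needs action."""
    people = {p.name: p for p in register}
    departed = [p for p in register if p.left_on is not None]
    issues = {}
    for acct in accounts:
        reasons = []
        if acct.owner == "shared":
            reasons.append("shared credential; activity cannot be attributed to a person")
            # A shared secret is compromised by every departure after its last change.
            for p in departed:
                if p.left_on >= acct.password_changed:
                    reasons.append(f"shared credential known to {p.name}, who left on {p.left_on}")
        else:
            person = people.get(acct.owner)
            if person is None:
                reasons.append("owner not on the current register")
            elif person.left_on is not None:
                reasons.append(f"owner left on {person.left_on}; access not removed")
                if acct.password_changed <= person.left_on:
                    reasons.append("credential not changed since departure")
                if acct.last_login is not None and acct.last_login > person.left_on:
                    reasons.append(f"logged in on {acct.last_login}, after departure")
        if acct.last_login is None or today - acct.last_login > dormant_after:
            reasons.append("dormant account")
        if reasons:
            issues[acct.username] = reasons
    return issues


# Constructed data: names, dates and accounts are illustrative only.
TODAY = date(2014, 3, 12)
REGISTER = [
    Person("Carlos Santos", None),
    Person("Devin Roy", date(2014, 2, 10)),     # constructed stand-in for the contractor who left
]
ACCOUNTS = [
    Account("csantos", "Carlos Santos", date(2014, 1, 5), date(2014, 3, 11)),
    Account("droy-admin", "Devin Roy", date(2013, 9, 1), date(2014, 3, 9)),
    Account("vpn-vendor", "shared", date(2013, 6, 1), date(2014, 3, 10)),
    Account("intern1", "Jamie Lee", date(2014, 1, 20), None),
]

if __name__ == "__main__":
    for username, reasons in review_remote_access(ACCOUNTS, REGISTER, TODAY).items():
        print(username)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed data, the review leaves the operations manager's account alone and flags the other three: the departed contractor's administrative account is still enabled, still has its old password and was used after the departure date; the shared vendor credential predates that departure; and the intern account has no owner in the register and has never logged in. Each of those is a finding the owner should expect a contractor-management process to surface within days of a departure, not a month later.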



3. Data Security Needs to be Actively Managed
The issue: FSG may not have the awareness or funds to implement appropriate data
security mechanisms.

The risks: Managing data security risk should take into account the potential for accidental
loss or display/release of data; intentional/unintentional theft or destruction of data; loss
of intellectual property; and lack of compliance with regulatory authorities. The cost of
addressing these considerations must be weighed against the direct impact on the bottom
line and cash flow.

The solutions: There is value in obtaining professional assistance in reviewing your
security posture, and helping to ensure that you are taking advantage of the security
features provided in your existing software and network. Implementing security will be
more successful if you develop minimum policies and standards that provide direction
on how much security you want; again, professional one-time assistance in this area
could be valuable. Another possible solution is to outsource security monitoring, as
this could be more cost effective than hiring or training someone internally to be your
security advisor. Also, it is prudent to communicate expectations defined in your policy
through a general annual security awareness and training program. Finally, you should
think about the balance between technical security controls and the strength of your
business process and review controls to detect and correct any events that slip through
your technical controls.

4. Updated Anti-Virus and Anti-Malware Controls are a Must


The issue: FSG may not have invested in appropriate virus and malware prevention and
detection software, or if it has, it may not have kept the software current.

The risks: If malware or a virus affects the systems, there is a potential for data loss,
data theft or data corruption.

The solutions: Acquire and install anti-virus programs through a major virus protection
vendor (McAfee, Norton) that will perform virus prevention/detection activities and
notify FSG of any new updates. It is important to make someone at FSG responsible
for making sure that updates are being applied on a regular basis, and that maintenance
fees are kept up to date based on the number of users.

5. Access Needs to be Controlled


The issue: FSG does not have a sufficient number of employees/contractors to
enable appropriate segregation of duties and to control users with privileged access
to the system.



The risks: This increases the risk of processing errors, fraud or lost data.

The solutions: Effective controls are needed to ensure that proper approvals are
required for any new requests for system access, and that immediate steps are taken
to remove the access of individuals who no longer require it. Furthermore, periodic
reviews of access should be conducted to ensure that only approved and current
employees/contractors have system access. Individuals should be given access only to
system functions and data that they require to do their day-to-day work. Logs should
be maintained for certain key activities within the system, such as failed log-on attempts
(three or more), the activities of privileged users, use of certain key commands (adding
users, changing access) and updates to specific critical files (payroll, employee
information, credit card numbers). Periodic review of these logs should be performed
by someone independent of these functions, or by peers in similar functions. If this
segregation isn’t possible, consider creating special user IDs for activities that only need to
be performed periodically so that the additional access can be more readily logged and
reviewed, or outsource the monitoring activities to an external security monitoring firm.
Consider asking a professional to help you develop the guidelines around segregation
of duties.
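As an added example (not from the publication), the Python script below runs the log review described above over constructed log lines: it flags three or more failed log-on attempts for one account from one address, commands run by privileged users, key commands such as adding users or changing group membership, and writes to critical files. The log formats, user names, file paths and the list of privileged users are assumptions chosen to resemble sshd, sudo and audit records; a real review would adapt the regular expressions to the system's own logs (Windows security events, for example) and the lists to the company's own administrators and sensitive files.

```python
"""Review of key security events in system logs.

Added example; not part of the CPA Canada publication. The log lines, user
names, file paths and the list of privileged users are constructed, and the
line formats are simplified stand-ins for sshd, sudo and audit records.
"""
import re
from collections import Counter

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(TS + r" \S+ sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")
FILE_RE = re.compile(TS + r' \S+ audit: type=PATH name="(?P<path>[^"]+)" op=write uid=(?P<user>\S+)')

PRIVILEGED_USERS = {"itadmin"}                        # assumption: accounts with admin rights
KEY_COMMANDS = {"useradd", "userdel", "usermod", "passwd", "chmod", "chown", "visudo"}
CRITICAL_FILES = {                                    # assumption: payroll, HR and card data
    "/srv/finance/payroll.db",
    "/srv/hr/employees.csv",
    "/srv/sales/cardholder.db",
}


def review_logs(lines, failed_threshold=3):
    """Return (kind, user, detail) alerts for the events the review should cover."""
    failed = Counter()
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failed[(m["user"], m["ip"])] += 1
            continue
        m = SUDO_RE.match(line)
        if m:
            cmd = m["cmd"].strip()
            if m["user"] in PRIVILEGED_USERS:
                alerts.append(("privileged-activity", m["user"], cmd))
            executable = cmd.split()[0].rsplit("/", 1)[-1]
            if executable in KEY_COMMANDS:
                alerts.append(("key-command", m["user"], cmd))
            continue
        m = FILE_RE.match(line)
        if m and m["path"] in CRITICAL_FILES:
            alerts.append(("critical-file-update", m["user"], m["path"]))
    # Three or more failures for one account from one address, as the text suggests.
    for (user, ip), count in failed.items():
        if count >= failed_threshold:
            alerts.append(("failed-logons", user, f"{count} failures from {ip}"))
    return alerts


# Constructed sample log for the night of the incident.
SAMPLE_LOG = """\
Mar 11 21:58:02 fsg-app sshd[4121]: Failed password for gschmidt from 10.0.1.20 port 51122 ssh2
Mar 11 21:58:10 fsg-app sshd[4121]: Failed password for gschmidt from 10.0.1.20 port 51122 ssh2
Mar 11 21:58:31 fsg-app sshd[4121]: Accepted password for gschmidt from 10.0.1.20 port 51122 ssh2
Mar 11 22:03:44 fsg-app sshd[4190]: Failed password for itadmin from 203.0.113.45 port 40012 ssh2
Mar 11 22:03:49 fsg-app sshd[4190]: Failed password for itadmin from 203.0.113.45 port 40012 ssh2
Mar 11 22:03:55 fsg-app sshd[4190]: Failed password for itadmin from 203.0.113.45 port 40012 ssh2
Mar 11 22:04:02 fsg-app sshd[4190]: Accepted password for itadmin from 203.0.113.45 port 40012 ssh2
Mar 11 22:09:17 fsg-app sudo:  itadmin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m svc-backup2
Mar 11 22:11:40 fsg-app sudo:  itadmin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel svc-backup2
Mar 11 22:15:03 fsg-app audit: type=PATH name="/srv/finance/payroll.db" op=write uid=itadmin
Mar 11 22:16:58 fsg-app audit: type=PATH name="/srv/hr/employees.csv" op=write uid=itadmin
Mar 11 22:17:30 fsg-app sudo:  csantos : TTY=pts/1 ; PWD=/home/csantos ; USER=root ; COMMAND=/bin/systemctl status erp
"""


def sample_alerts():
    """Run the review over the constructed log."""
    return review_logs(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, user, detail in sample_alerts():
        print(f"{kind:22} {user:10} {detail}")
```

On the constructed log the review produces seven alerts: the three failed attempts on the administrative account from an external address (the owner's two mistyped passwords stay below the threshold), the two privileged commands that create a new account and put it in an administrative group (each also matched as a key command), and the two writes to the payroll and employee files. Whoever reviews these alerts should be independent of the people who can generate them, which for a 15-person company usually means the owner, a senior non-IT employee, or an outside monitoring firm.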

6. Cyber Threats Need to be Considered


The issue: We don’t know what caused FSG’s servers to go down, but the threat of
cyber security risks can’t be ruled out. With all of the media coverage of cyber attacks,
most prudent CEOs are actively trying to understand the implications for their own
organizations.

The risks: You may question how many potential threats are actually out there given
you are a small business and there are bigger and more interesting targets to be pur-
sued. However, you must understand that your small business could be viewed as an
easy target, or an opportunity to use your unprotected network as an entry point to
your customers or suppliers.

The solutions: Consider obtaining a professional security advisor to work with you
in understanding the potential adversaries and resulting threats against your business,
including the threats that are typical in your particular industry. This process would go
beyond your financial systems, and would identify the various access points into your
systems through the Internet, your website, your different physical locations, and your
customer and supply chain partners. You would also want to examine the strength
of security controls in any business partners that you allow to access your systems,
as they may be the route of attack. Then at least you would know where to direct your
limited funds for security.



7. IT Risk Mitigation Strategy Should be Deliberate
The issue: Many smaller businesses believe they are successful because they are
smaller, more nimble, and not impeded by time-consuming bureaucracy and formal
policies. Owners of these companies believe they can effectively manage and stay on
top of all activities through their own involvement and the business savvy that led to
the success they currently enjoy.

The risks: The risk that comes with an informal approach to IT risk mitigation is that the
owner cannot do it all. Staff may not be aware of the risks, and without a formal plan to
develop mitigating controls and keep staff informed about them, the company is at risk
of lost data, unavailability of systems, errors in processing transactions, and susceptibility
to attack from either internal or external parties.

The solutions: As they evolve in size and complexity, companies need to be thoughtful
about understanding their IT risks, developing their mitigation strategies and documenting
them in a way that can be communicated and understood by staff. Besides this basic
IT risk register, every business needs to document and communicate certain key positions
on how it will address risk through simple policies and procedures that staff can understand
and comply with, and that are then monitored by the owner and senior staff.

Conclusion
As the owner of a small business, Gabriel learned the hard way that he needs to be vigilant
about understanding and managing IT risks. This time he was fortunate that things worked
out for him, but if he doesn’t pay proper attention to IT risks, his hard-earned success could
be jeopardized in the future. Following the recommendations he was given will help him
better manage his company’s IT risks.

During his discussion with the RRJL consultants, Gabriel noted other IT areas that he would
like to discuss with them after his immediate concerns are resolved. These areas include
making decisions related to new systems; development of an IT strategy aligned with the
business strategy; and compliance with technology-related regulations such as privacy
requirements.

Prepared by: Robert Reimer, CPA, CA and Jodie Lobana, CPA, CA

DISCLAIMER
This publication was prepared by the Chartered Professional Accountants of Canada (CPA Canada) as non-authoritative guidance.
CPA Canada and the authors do not accept any responsibility or liability that might occur directly or indirectly as a consequence of the use,
application or reliance on this material.

