Originally Published - 2/20/15
Poor process, lack of documentation, limited training and favoring convenience over security are all examples of Technical Debt at an infrastructure level.
During due diligence you have
Limited Time
Limited Expertise
Limited Information
to reduce the risk of the acquisition. How can you tell if you should be concerned about the targets level of Technical Debt?
Obtaining the following information (examples of poor process, limited training and convenience over security) can be identified in a short ammount of time, with limted expertise.
5 – Operating Sytem Versions, Patching & Anti Virus Definitions
Ask end users what operating system they use ? (Windows XP / 2000 and 2003 are no longer supported and represent big risks)
How are systems patched ? (Desktops, Laptops, Servers, Firewalls, Manufacturing systems). Systems that have not been patched against years old vulnerabilities, represent a big Technical Debt and an enormous risk.
Ask an employee to tell you the date on their Anti Virus Definitions, anything more than a few days old indicates a process problem.
Old operating systems and poor patching processes are examples of Technical Debt that frequently exist.
4 – Wireless Networks
When you went on site, were you able to connect to a company wireless network without entering a password?
Was it identified as a guest network?
Ask the folks you are meeting with whether they use the wireless network, and if so what can they access with it (the internet, internal data, production systems)?
Insecure Wireless networks indicate that the target values the convenience of a wireless network without realizing they are exposing their data and increases your risk of the acquisition.
3 – Access to Internet from Shop floor or access to the shop floor from the Internet?
Walk around the facility and note computers on the shop floor or in shared offices,
ask what they are used for
ask if employees can access the internet using them,
ask if those machines can be accessed from other places in the building or from outside the building.
Another example of convenience over security, shared machines are freqeuntly unowned, and easy causes of Technical Debt.
2 - How is important data identified and then secured?
Ask the finance folks, design team, or the HR folks that you meet with, where their data is stored and who has access to it, if they don’t know or can’t answer, that’s an example of poor process and represents a big risk.
1 – End User Security 101 Training
Ask the folks you meet when the company offered Information / Cyber security training to all the employees…Poorly trained and un-informed end users are a key source of compromise and risk….
Technical Debt leads to business risk and the greater the debt, the greater the risks. If your potential acquisition has any of these “top 5”, bring in MXL Consulting to look deeper, quantify the risks and develop a plan to Pay down the Debt.
Photo by Allef Vinicius on Unsplash