By Davis Merrey
June 1, 2020

Ask (the right) questions

Are you asking your IT advisor the right questions about security in a work-from-home environment?

Years ago, I asked my CPA how I could know if he was doing his job. His answer was “Ask Questions.” At first, I thought “I don’t know what to ask.” But as he gave some examples of questions I should ask, I began to understand. Frankly, I had engaged a CPA because I was told I should in order to make certain my tax returns were prepared properly. As time went on, he gave me recommendations on matters affecting my business and personal finances. He taught me to ask him how changes in my business, the economy, tax laws, and the competitive landscape would affect my business strategy and financial decisions. I learned that in order to maximize his value to me as an advisor, I needed to ask the “right” questions.

As the leader of a business whose success depends on information technology, are you asking your IT advisor the right questions?  What about now?  If the rapidly changing technology landscape was not enough to make business leaders curious, the Covid-19 pandemic has added another weight on your shoulders.  Have you had employees working from home over the past month or so?  Have they been working securely from an IT perspective?  Hopefully, you haven’t had any IT security issues, but just because you haven’t noticed any doesn’t mean there aren’t infections in your system ready to show themselves when the right triggers are pulled.  Just like COVID-19, your IT infrastructure can be infected without immediately exhibiting symptoms.  

Working from home has created a security challenge for companies. Have you been asking your IT advisor the right questions about security in this new environment?

If you are concerned about IT security under these work-from-home conditions, what questions should you be asking? For starters, you should ask your IT advisor what changes were made to the security services in preparation for moving to work-from-home status. The questions should be very specific, and you should require the answers to be in language you understand and responsive to your concerns. Set expectations up front: no industry jargon, and no hurt feelings if the answer leads to another question, because you want the business to be safe.

Here’s how it might go.

You:  If some of our employees took their company issued computer home with them, what service did we implement so they could access our network at the office?

IT:  We set up a VPN.

You:  What’s that?

IT: Virtual Private Network

You: Can family members or visitors use the VPN to access our network?

IT:  Only if they can log in to that computer.

You: What prevents them from doing that? 

IT: We (can) set up MFA, whoops – I mean multifactor authentication (beginning to sweat)

You: What’s that? 

IT: Sorry again. (sweating more) It means in order to log in, you have to verify that you have the authority to do so in more than one way.  

You: Such as?

IT: When someone enters the password to log in, they are required to provide additional information that identifies them.

You: What additional information do we require? 

IT:  They have to provide their mobile phone number and a code is sent to it.  If they enter the code correctly in the computer, they are allowed in.  

You: So if they leave their cell phone unattended, someone could use it to work around our security?   

IT: Yes, but if the cell phone uses facial recognition, that would make it more difficult. Do you want me to look into an even more secure option?

You: Now we’re talking.  Yes, give me some options and the pros and cons of each by COB Friday.  By the way, COB stands for close of business.  (both chuckle).

Other sets of questions in this scenario might be:

  • If some of our employees are using their personal computers to access our network, how have you secured them?
  • Have we implemented different security plans for accessing our cloud services?
  • Are the WiFi routers used by our home workers secure?
  • Are we following the same security patch updating protocols for the computers being used in homes? 
  • Are we following the same antivirus and antimalware protocols?
  • Is our data being backed up as before?
  • Do we have a plan to continue business if home users cannot access our network or our cloud services?

What value has been attained by asking questions such as these? First, you either have more peace of mind about your work-from-home IT security plan, or you have discovered you may need better technology advice. Also, you have set new expectations with your IT advisor regarding communication and accountability. And you have increased your knowledge about one of the most important aspects of running your business.

By the way, it wasn’t long until my CPA began to insist on regular meetings with me and started to ask me questions that resulted in my having to ask fewer ones! 

Is your technology advisor meeting with you regularly to help you stay productive, secure and competitive?

About Davis Merrey

Davis is Owner/CEO of TeamLogic IT of Oklahoma City, part of an international network of franchisees providing IT support for businesses. He brings many years of experience in a variety of technology-related industries, leading teams in providing technical solutions that respond to critical customer needs. The company culture is defined by its Mission Statement: “To help our fellow employees and clients be successful”.

Davis earned a BS in Electrical Engineering from the Virginia Military Institute and an MBA in Management from Golden Gate University in San Francisco. He serves on several business related and non-profit boards of directors.