What to expect during IT due diligence
In our previous post, we offered a general overview of what to expect while going through due diligence. The focus was on the company structure, competition, financial information and legal matters. There are two other areas that will be part of due diligence and require intense scrutiny for both the buyer and seller. The first, covered in this post, is information technology (IT). The second, which we will cover in the next post, is insurance.
One important reason why we share this information is so that business owners can begin to identify areas where they can make improvements and be better prepared for a sale.
Let's dive in.
IT due diligence is going to cover a wide variety of topics from software to hardware to monitoring to data storage and backups as well as other relevant items. We will briefly discuss each of the most common areas of interest.
Software
Buyers need to understand what software you, business owner, use to run your business. Will they need to convert your business to a different software set? If so, what will that transition look like? Depending on the software involved, those conversions can take months, if not years to complete. And rarely is it a fun experience. Some specific, and often most critical, software concerns include:
Accounting system(s): This includes your basic accounting software (e.g., QuickBooks) and any other ancillary software packages you may use for things like generating quotes or managing inventory.
Customer relationship management (CRM)
Enterprise resource planning (ERP)
Network: During diligence, buyers will want to know what software you use to manage your network and how tightly controlled it is.
Virtual private network (VPN): If you use a VPN to access the network remotely, it will be important to know how good and secure that software is to protect against hacking into your critical business information.
Antivirus: This should go without saying, but you need to have a quality antivirus program on your network and each computer and make sure it is turned on!
Cloud-based applications: Many organizations use cloud-based applications for a variety of reasons (collaboration, ease of access, data storage, etc.); however, concerns will arise related to the security of those applications, who actually owns the data and how easy it is to transport it to another software program or application.
Licensing: Are you current and properly paying for all of the software that is licensed to your business? It is not uncommon for companies have deployed software inappropriately creating a large potential liability for the buyer. Do yourself a favor and conduct an internal licensing audit for all of your software and correct any deficiencies in advance.
Software updates and patches: Even if you are not intending to sell your business anytime soon, please please please make sure you install all of the software updates and patches available. Beyond having the newest features, those updates and patches usually address any new security concerns and will help protect against theft of your data.
Data Storage and Backups
How you manage your data is critical for the ongoing management of your business and will receive a significant amount of attention during the diligence process. In particular, you should look closely at the following things:
Do you store your data on a server in your office?
Do you co-locate your data at an offsite facility?
If so, how frequently do you update the data at that facility (instantly, hourly, daily, etc.)?
What is your process for backing up your data?
What software do you use?
How often are you doing backups?
Where are the backups stored?
How many copies of your backups do you maintain and for how long?
If your systems were to go down, how long would it take to be back up and running and what impact would that have on your business? Your customers? Your production?
Bring Your Own Device (BYOD)
Many companies have opted to allow their employees to use their own devices for work. This includes laptops, tablets and phones. While this can be effective as a cost-saving move, it exposes the business to multiple issues, not the least of which is:
Ensuring security in the networks
Ensuring all licensing is in order
Managing and monitoring the hardware/devices for damage and defects
Compatibility issues
Controlling data access and use
Vulnerabilities to hackers
If you are going to allow your employees to use their own devices for work, you must ensure that your network and data are absolutely secure.
Monitoring
Further assurance that your data is safe and your systems function properly comes from proper monitoring. Whether your IT team is in-house or outsourced, it is imperative that you have effective monitoring in place, looking specifically for:
Malware: Applications designed for the purpose of doing bad things to your data or systems
Denial of service attacks: Using other computers or programs to overload your servers so that they cannot function when you need them
Ransomware: Applications designed to hijack your computers or your data until you pay a ransom (literally), and even then, the hackers may not release what they hijacked
Phishing: You know what this is...those fake emails that trick people into giving their login credentials
Web-based attacks: Your computers are attacked as users access certain websites or web applications or your websites/web applications become malicious
Trojans: Pieces of malware or other software intent on doing harm embedded as code in another software program or application
Software failures
Hardware failures
Your effectiveness in monitoring and protecting against each of these will be a key component to the IT due diligence process. Obviously, the better you are, the less of a concern this becomes.
Incidence Response Plan
To be honest, there is a pretty good likelihood that something is going to go wrong. There is going to be a successful hack or a data breach or some sort of system failure. Count on it. What will matter in any of those instances is how you respond. So, it is important to have an incidence response plan that covers:
Who is responsible for what
What legal implications may be involved and how you will handle them
What will be communicated to whom and when
Having this plan in place before something happens will prevent any unnecessary headaches and will prove to buyers that you are properly prepared.
Social Media Use
This involves understanding what social media platforms you use, what gets communicated on each one and who has the ability to post on each platform. Establishing strict usage of your company accounts is vital to protecting your brand.
Separately, it is also important to establish good guidelines for how your employees use their personal social media while on the job. To be effective in establishing these guidelines requires you to be open in your communication with your team such that you and they are able to understand each side's respective desires and concerns.
Policies
Intimately related to everything we have discussed thus far and items still to be covered in this post, is the establishment and enforcement of policies. These policies will be scrutinized in depth during a buyer's IT due diligence.
If you are not sure where to start, simply use what we point out in this post as a reference. A good IT consultant, if you don't have an experienced person on staff, should be able to fill in the details and identify best practices as they related to your specific business.
WiFi
Admittedly, having a WiFi network in the office makes life a lot easier. You don't have to connect with an Ethernet cable. It's pretty easy (but not perfect) to move from place to place within the office and still be connected to the network. At the same time, it is an easy target for hackers to gain access to your network and your data. Make sure your WiFi network is secured and robust enough to handle your employee base and use.
Hardware
When it comes to IT due diligence, there are a few key things related to hardware that really matter. Everything else is an offshoot of the hardware you have deployed. In evaluating your hardware, buyers will look at:
The types of hardware you have in use and are actively supporting across the organization and on the network
The age of the hardware you have in place and your replacement schedule for each item
How well you maintain your hardware
Other Items
There are several other items that will be evaluated during an IT due diligence process. Namely:
Your password management and whether you require users to change there passwords on a periodic basis
How your email is setup and protected against hackers
Your website and its security as well as who has authority to make changes and what that process involves
How you collect and protect customer information
Your process for handling employee terminations (who receives their emails going forward, how you ensure they have not held on to any of your data, etc.)
What % of revenue you spend on IT and what % of your IT budget you spend on security
Whether you have cyber insurance to cover your costs in the event of a data breach or some other IT-related attack
In this post, we sought to give business owners insight into what to expect during the IT portion of due diligence. Even if you are not looking to sell your business, what we have discussed here should give you an excellent starting point for ensuring your IT is top notch and well protected against attacks.
A hat tip goes to Rich Fennessy of Trace3 for providing important insights included in this post.