How to perform an IT risk assessment

Most businesses depend on IT, yet many do not place technology high enough on their list of priorities and, as a result, put themselves at unnecessary risk.

IT risk management is largely common sense, but it is crucial that you seek the right IT professionals to help guide you through the possible scenarios and the solutions.

Get it right, and the result is a well-balanced solution which protects your business from the biggest risks, without costing you an arm and a leg. Get it wrong, and not only could you end up out of pocket, but out of business as well.

To help you on your way to a more secure IT infrastructure and long-term peace of mind, here’s my 3-point guide on how to perform an IT risk assessment.

Step One – The Importance

The first question to ask when conducting this type of assessment or audit is how important IT is to your business.

If IT is vital, and you cannot accept any associated risk, then you need to ensure that you are protected if things go wrong.

Ask yourself, for example, how your business would continue to run if your IT systems were destroyed through fire, flood, theft or system failure. Could you get back up and running quickly and easily? Would you lose data? How quickly could you restore from a data backup?

If the answers to these questions set your pulse racing, you could answer the above question fairly easily: IT is VERY important to my business!

You should, however, try to remain impartial: a goal of zero risk is unlikely to be reached and will have considerable cost implications.

In reality, I never ask this question. Nor is it one I expect an answer to. The answer is more of a feeling that builds up as the discovery process unfolds. Once I’ve assessed and analysed a business, I am able to tailor any solution relevant to risk versus cost, as it is nearly always a balance of these two factors.

Step Two – The Risk

Next, you should compile a list of all your physical and software assets and assess the risk on each individual piece.

Think about everything you use on a daily basis – servers, desktops, laptops, netbooks, telephone handsets, mobile phones, routers, switches, databases, software, business applications, bespoke software etc. Next, assess the effect of each item in the list below on each asset, and the possible knock-on effect to the business and its continuity:

  • Theft (physical security)
  • Fire or excessive heat
  • Water or excessive damp
  • Equipment failure or damage
  • Theft of data (through poor data security or a disgruntled employee being malicious)
  • Software failure (be it a business database or other application)
  • Accidental data deletion or corruption
  • Data being unavailable due to physical equipment failure
  • Data security (who can access what and from where)

By looking at these two key areas you will be able to form opinions about importance and risk. What are the chances (or risk) of a fire or a flood? What about theft? And what impact would this have on your business, both in the short and long term?

Step Three – The Decision

We now have to attribute the chances of these incidents occurring, and decide what percentage of that risk you are willing to accept. This decision will in turn expose the likely cost of meeting those requirements.

So, if you think your business premises are at particularly high risk of theft, and you decide to accept that theft is a possibility, then you are almost certainly going to need to bolster physical security and ensure that you have a robust backup solution that takes the data off site. Both of these simple-sounding solutions could, however, attract considerable cost.

If you decide that your business cannot survive without telephony, you might want to consider investing in an IPT (IP Telephony) system to ensure the flexibility of seamless continuation of service from alternative premises in the event of a disaster. But again, there may be some cost implications to this.

If your data is crucial and you need access around the clock and from any location, you may be wise to consider a cloud solution, giving you the option to up sticks and work from alternative premises if your offices become unusable or you lose connectivity.

The average SME will have tight financial constraints that mean it has to accept some risk. It has to deal with the reality of day-to-day risk, which normally presents itself as data loss through hardware failure, data corruption or accidental data deletion.

So, to summarise:

  • Identify assets and which are critical
  • Identify and assess threats
  • Assess the vulnerability of critical assets to specific threats
  • Determine the risk
  • Identify ways to reduce those risks
  • Prioritise risk reduction measures
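As an added worked example (not from the original article), the six summary steps carried through in Python on a small risk register: each asset/threat pair is scored as likelihood times impact, anything at or below an acceptance threshold is treated as accepted risk, and candidate controls are ranked by the risk they remove per pound of annual cost, which is the risk-versus-cost balance the article describes. The assets, scores, controls and costs are constructed assumptions for illustration only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain) within a year
    impact: int      # 1 (trivial) .. 5 (business-ending)

    @property
    def score(self) -> int:
        # Semi-quantitative risk score: likelihood x impact
        return self.likelihood * self.impact

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # GBP per year (constructed value)
    reduces: tuple       # threats this control mitigates
    new_likelihood: int  # residual likelihood once the control is in place

# Constructed register using threats from the article's list (assumed scores)
REGISTER = [
    Risk("file server", "equipment failure", 3, 5),
    Risk("file server", "fire", 1, 5),
    Risk("laptops", "theft", 3, 3),
    Risk("accounts database", "accidental deletion", 4, 4),
]
CONTROLS = [  # hypothetical controls and costs
    Control("off-site backup with tested restore", 1200,
            ("equipment failure", "fire", "accidental deletion"), 1),
    Control("manufacturer warranty, 4h response", 600, ("equipment failure",), 2),
    Control("laptop locks and disk encryption", 300, ("theft",), 1),
]

def apply(register, control):
    """Register after one control: covered threats drop to the residual likelihood."""
    return [Risk(r.asset, r.threat, min(r.likelihood, control.new_likelihood), r.impact)
            if r.threat in control.reduces else r for r in register]

def prioritise(register, controls, accept_below=6):
    """Rank controls by unaccepted risk removed per 1000 GBP of annual cost.
    Returns (control name, score reduction, reduction per 1000 GBP), best first."""
    def unaccepted(reg):  # risk still above the acceptance threshold
        return sum(r.score for r in reg if r.score > accept_below)
    before = unaccepted(register)
    ranked = [(c.name, before - unaccepted(apply(register, c)),
               round((before - unaccepted(apply(register, c))) / c.annual_cost * 1000, 2))
              for c in controls]
    return sorted(ranked, key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    for name, cut, per_k in prioritise(REGISTER, CONTROLS):
        print(f"{name:40s} removes {cut:2d} risk points, {per_k} per £1000/yr")
```

Note that the cheapest control ranks first per pound even though the backup removes far more risk in absolute terms, so in practice you read both columns against the budget rather than the ratio alone.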

The Top Tips

Here are some suggestions for a simple blanket solution that turns a blind eye to the more exceptional risks, but covers the likely events:

  • Ensure all hardware – particularly servers – has good manufacturer warranties. Typically this would be three years’ cover with a four hour response, or next business day at least.
  • Ensure all business critical software has support from the suppliers and be clear what the support offered actually includes.
  • Protect all vital physical equipment from theft.
  • Protect key equipment from electrical surges or outages – a regular occurrence across the UK.
  • Back up key data. This is a complete subject in its own right, but a good disaster recovery plan is vital and it must be multi-layered (i.e. don’t rely on one system). Remember though, a backup is only as good as the last restore!
  • Protect system administration. Ensure that you either have qualified professional IT staff, or use an industry certified outsourced IT support company, who can maintain system integrity and security to ensure no risk is presented through viruses, spyware, hacking or incorrect access to data. Ensure you have a service level agreement with your IT department, whether in-house or external, so you know the likely response times in the event of things going wrong.
  • Consider Cloud Computing solutions. By placing critical data and systems in the Cloud – a highly available, secure, fire protected environment – you almost completely eliminate the traditional low percentage chance but high risk losses like fire, flood and theft.

In 2001 Graham Fern founded Axon IT along with business partner Mike Agutter, with a limited budget and zero investment. Within just a few months the company had won major accounts including Tarmac and British Gypsum, and in the 9 years since, the business has grown successfully to boast a turnover of more than £800,000 and 12 employees.