IT risk assessments are dull affairs, aren’t they? Ordinarily they read like an accountant’s shopping list. They’re just columns of risks, percentages, and impact scores. Does anyone outside compliance read them? Too many people see it as a box-ticking exercise.
Now we’re not going to make this an exciting affair, but we can press the urgency of the task. Realistically it’s not a case of ticking as many empty boxes as possible; it’s the difference between your systems ticking over like they should or your business smashing the headlines for the wrong reasons.
So, how do you make a risk assessment that is actually useful?
Step 1: Identify What You’ve Got to Lose
Let’s start with your IT assets. We’re talking about what actually matters to your business: data, servers, apps, networks, and the people that access them in your organisation. Ask yourself one very important question:
If these all disappeared tomorrow, how far up the creek would we be?
It might sound like a strange exercise; however, this is your priority list. You can begin to understand what your business would look like without certain processes. Is Terry the accounts clerk the only person who understands how to use that dull package that you use for invoicing? This is important information for the next step.
Step 2: Identify the Threats
It’s time to be brutally honest with yourself. “This could never happen to us” is a sort of jinxed Murphy’s law that can bite you back. Hard. In all honesty, the universe has no shortage of ways to ruin your day.
List threats like hackers, disgruntled employees, ransomware, floods, hardware failures, or a break-in. Understanding the threats is a solid step towards shoring up those defences.
Step 3: Pin Down Vulnerabilities
Every IT infrastructure has vulnerabilities to some degree. So assess where you are weak.
Do you have outdated software or unpatched systems? Does Linda the customer service agent insist on using Password123 for every software package she accesses? These are the gaping chinks in the armour. Threats are external; vulnerabilities are the ways in which you leave the door unlocked.
Step 4: Assess the Impact
If the worst happens, what is the fallout? Are we talking a loss of customer data? Are we talking annoying fines from pesky regulators? Downtime that costs a small fortune per hour?
Your risk assessment needs to demonstrate that you understand the actual consequences. Avoid vague fluff like “loss of reputation.” Whilst that might be true, statements like that need to be quantified.
If you want management to care, translate it into pounds, hours, or lawsuits.
Step 5: Rank and Prioritise
A major part of conducting any risk assessment is combining the likelihood and impact. A meteor smashing into your server room is very unlikely but would be catastrophic. Does that need your attention?
Realistic small risks with catastrophic costs are as deserving of your attention as that frequent annoyance that chips away daily. The point is to come away with a hit list to work with, not a wall of pretty but meaningless charts.
Step 6: Mitigation and Monitoring
This is the bit a lot of people choose to skip. It cannot be stated strongly enough, however, that it is not enough to say, “Yes, this risk exists.” The point is to decide how to mitigate the risk it represents. You need to ask yourself exactly what you can do about it.
Patch that system. Add multi-factor authentication. Write a policy that people will actually follow – and then check it regularly. Remember that risks evolve faster than your policies.
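Putting the six steps together, here is a small risk register in Python. It is an added example, not something from the original post: each entry records an asset (Step 1), a threat (Step 2), a vulnerability (Step 3), an estimated cost per occurrence in pounds (Step 4), a likelihood and impact rating that are multiplied to rank the list (Step 5), and a mitigation (Step 6). The 1-5 rating scales, the priority bands, the sample entries and every cost and frequency figure are assumptions made for the illustration, not figures from the page.

```python
from dataclasses import dataclass

# Assumed 1-5 scales for the two axes of the likelihood x impact matrix.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass
class Risk:
    asset: str           # Step 1: what you have to lose
    threat: str          # Step 2: who or what could hurt it
    vulnerability: str   # Step 3: the unlocked door
    likelihood: str      # key into LIKELIHOOD
    impact: str          # key into IMPACT
    per_year: float      # assumed occurrences per year, used to put a pounds figure on it
    cost_gbp: float      # Step 4: assumed cost of one occurrence, in pounds
    mitigation: str      # Step 6: what you will actually do about it

    def score(self) -> int:
        """Step 5: likelihood rating multiplied by impact rating."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def annual_loss_gbp(self) -> float:
        """Expected loss per year: occurrences per year times cost per occurrence."""
        return self.per_year * self.cost_gbp

    def priority(self) -> str:
        """Assumed bands on the 1-25 score; adjust to your own appetite."""
        s = self.score()
        if s >= 15:
            return "critical"
        if s >= 10:
            return "high"
        if s >= 5:
            return "medium"
        return "low"


def rank_risks(risks):
    """Hit list: highest score first, ties broken by expected annual loss."""
    return sorted(risks, key=lambda r: (r.score(), r.annual_loss_gbp()), reverse=True)


def sample_register():
    """Constructed sample entries; every figure here is an assumption."""
    return [
        Risk("File server", "Ransomware", "Operating system missing patches",
             "likely", "catastrophic", 0.5, 120_000,
             "Patch within 14 days; keep tested offline backups"),
        Risk("Customer database", "Hacker logging in with a guessed password",
             "Same weak password (Password123) reused everywhere",
             "likely", "major", 1.0, 80_000,
             "Enforce multi-factor authentication and a password manager"),
        Risk("Invoicing package", "Key member of staff unavailable",
             "Only Terry knows how to run it",
             "possible", "major", 0.3, 25_000,
             "Document the process and train a second person"),
        Risk("Email service", "Hardware failure", "Single server with no spare",
             "likely", "minor", 1.0, 2_000,
             "Move to a hosted service or add a standby"),
        Risk("Server room", "Meteor strike", "No off-site replica",
             "rare", "catastrophic", 0.0001, 500_000,
             "Accept; covered by the disaster recovery plan"),
    ]


def format_register(risks):
    """One line per risk, in priority order, with the board-facing pounds figure."""
    lines = []
    for r in rank_risks(risks):
        lines.append(
            f"{r.priority():8} score={r.score():2} ~£{r.annual_loss_gbp():>9,.0f}/yr  "
            f"{r.asset}: {r.threat} via {r.vulnerability} -> {r.mitigation}"
        )
    return lines


if __name__ == "__main__":
    for line in format_register(sample_register()):
        print(line)
```

Two numbers come out for each risk on purpose: the matrix score drives the ordering of the hit list, while the expected annual loss is the figure to put in front of management, since a score of 16 means nothing to a finance director but "roughly £80,000 a year" does. Note how the meteor ends up near the bottom despite its catastrophic impact, because the likelihood rating drags its score down; if your organisation wants every catastrophic-impact item kept at least "high", that is a one-line change to priority().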
Mitigate Risk and Avoid Disaster
An IT risk assessment does not have to be a soul-crushing spreadsheet ritual. It should be a clear look at the ways your business might break. It should also inform your disaster recovery plan, as well as informing you of the ways you can avoid bad things happening to your infrastructure.
Do it properly and you will sleep easier. Skipping it could end up with you explaining to the board how a teenager in another postcode now owns your customer database.
If you need help with making an IT Risk Assessment, let us know. Call us on 01327 300 311, or email [email protected] with your enquiry.