8 Steps to a Successful IT Risk Assessment

by Robert Best on June 17, 2020

Most UK businesses are working in an environment they are not used to. Before the COVID crisis, less than 5% of us worked remotely. That number is now just below 50%.

So your work habits have changed and so will the technology your business is using. But is it safe and secure to use?

The best way to answer that question is to run an IT risk assessment. Now, this can be a daunting proposition, so we have put together a guide to help you run a successful IT risk assessment.

Why should you perform an IT risk assessment?

An IT risk assessment ensures all vulnerabilities and shortfalls are discovered and managed correctly. As we continue through this uncertain period, an understanding of what is working and what is not is even more vital.

Risk assessments are essential to helping companies gain visibility into existing and emerging risks that threaten their critical business assets. IT risk assessments are particularly important for security, and they should be performed regularly.

An additional benefit of risk assessments is that the cost of fixing something now is lower than the cost of fixing it after it has broken or gone wrong. For any business, saving money right now is important.

Define all possible vulnerabilities

An IT risk assessment needs to start with a degree of admin. Create a document detailing all the possible vulnerabilities and risks that can emerge in your business.

Focus on the possible threats to your IT network (that might be ransomware, phishing attacks, or the loss of physical data storage). Provide examples so that others in the business can understand the threat.

Noting all the possible types of attack your business could fall foul of will help people outside of IT understand the importance of the risk assessment.

Risks can be interconnected, and unexpected events can trigger a snowballing effect. A cybersecurity incident starts as a security issue, but it can quickly affect other areas such as your compliance or the productivity of your business.

For each risk you identify you will then need to do a review of the threat. Keep in mind real-life scenarios as a way of explaining the possible consequences for the business.

Then conduct a vulnerability assessment to highlight any areas of weakness that should be classified as at risk. For example, you might want to test how employees deal with a phishing email, to understand how much of a risk they are to your business.

Your assessment should document the current IT security solution protecting against that weakness. Continuing the phishing email example, you might have anti-spam software in place to limit the number of phishing emails that reach inboxes.

Communicate your plans

An IT risk assessment is useful for the whole business. If all your staff use technology within the business the assessment will affect them.

A risk management procedure will be easier to implement when the correct people within the business are involved. You can set up a committee if you work in a larger organisation but for most businesses, clear communication between departments should be enough.

Give everyone an overview of the assessment. Include what the aim is, how the information will be gathered and how the results will be communicated. Make everyone aware that this might cause some disruption as you collect your data.

As well as keeping all departments updated, you should keep key people involved in the whole process and report your findings throughout the assessment. Communication is key to ensure information isn't lost or misunderstood.

Collecting your data

Your IT risk assessment will start with a review of your current infrastructure. You will need to assess both your hardware and software for strengths and weaknesses. Any assets with security risks should be noted and assessed.

Data is also an asset and has its own compliance issues. Legislation such as GDPR and industry-specific rules will need to be considered. Data covers a wide range, including HR records and any data you hold on your customers.

The results will form the basis of a review covering the purpose, scope, data flow and responsibilities expected in the risk assessment.

Risk analysis


Any areas of risk discovered need to have a strategy put in place to protect against the worst-case outcome you identified in the first step.

The specific vulnerability, the threat to it and the probability of it occurring should all be analysed for each area of risk.

Aspects to look out for include the likelihood of any unwanted access to the systems and the amount of damage it would cause.
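The "Define all possible vulnerabilities" and "Risk analysis" steps above describe, for each asset, recording the threat, the weakness, the control already in place, and then rating likelihood against damage. This added example (not from the original post) shows one way to keep that as a small risk register and rank it; the five-point scales, the rating thresholds and the sample entries are all assumptions constructed for illustration.

```python
# Added example: a minimal risk register for the steps described in the article.
from dataclasses import dataclass

# Five-point qualitative scales (assumed; the article does not prescribe them).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str            # what is at risk (hardware, software or data)
    threat: str           # e.g. phishing, ransomware, loss of storage media
    vulnerability: str    # the weakness the threat would exploit
    current_control: str  # what already protects against it
    likelihood: str       # key into LIKELIHOOD
    impact: str           # key into IMPACT

    def __post_init__(self) -> None:
        # Reject values that are not on the agreed scale so a typo cannot silently mis-score a risk.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact: {self.impact!r}")

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        s = self.score()  # thresholds are an assumption, agree them with the business
        return "high" if s >= 15 else "medium" if s >= 8 else "low"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest-scoring risks first, so the mitigation plan tackles them first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def summarise(register: list[Risk]) -> dict[str, list[str]]:
    """Group asset names by rating for the report issued to departments."""
    groups: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    for r in prioritise(register):
        groups[r.rating()].append(r.asset)
    return groups


def sample_register() -> list[Risk]:
    """Constructed sample entries for a small business working remotely."""
    return [
        Risk("staff mailboxes", "phishing", "untrained users", "anti-spam filter", "likely", "major"),
        Risk("file server", "ransomware", "no offline backups", "antivirus", "possible", "severe"),
        Risk("customer records", "lost USB drive", "unencrypted media", "none", "possible", "moderate"),
        Risk("office printer", "unauthorised access", "default password", "internal network only", "unlikely", "minor"),
    ]
```

Running `summarise(sample_register())` groups the four constructed entries into two high, one medium and one low risk, which is the order the mitigation plan in the later steps would work through.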

Recommendations and review

The resulting recommendations of an IT risk assessment should then be listed in a report and issued to all the relevant members of the business. Include the findings from those conducting the assessment and the selected response strategy to any areas of risk.

Each department that receives the report will be expected to review the risks it describes. They should then devise their own strategy to reduce or avoid the dangers based on the nature of the business and the specific risks.

Risk mitigation plan

A risk mitigation plan sets out how you will reduce the areas of risk found in the assessment.

Your planning should include timescales to follow when implementing the changes required to reduce risk.

Any risk mitigation plan should also take into account third-party relationships, partnerships and integrations, especially when they involve data over which you do not have direct visibility.


Your IT risk assessment policy will guide planning for how risk is controlled in future. This will cover how to eliminate the possibility of incidents occurring and how to limit the effects they can cause.

The impact on third parties such as insurance companies and warranties should also be included. Each department is responsible for ensuring compliance, and should review findings at least annually, and whenever a new risk emerges from changes to systems.

Review and maintenance

You should regularly assess the risk mitigation plan to ensure it is comprehensive and effective. Each step on the plan needs to be reviewed and approved. Further additions or modifications can then be made if required.

A proactive approach to risk management will build the most effective barriers to threats, so any part of the business that uses IT resources should be reviewed for dangers periodically.

A typical timeline for repeating the risk assessment involves a review of the policy at least every two years.


By following these steps you should be able to perform a successful IT risk assessment. This assessment will show you how secure your business is whilst you work remotely.

If the assessment shows lots of areas of risk, or you don't have the time or resources to do a full assessment, Infotech can help. Let us know your concerns and we can see how we can help you. Contact us here, email hello@infotech.co.uk, or call us on 01634 52 52 52.
