To a lot of businesses, IT security is a big and scary thing. What level of security do you need and what should you be securing? Often the hardest part is knowing where to start. Of course, you want the best security possible but with a limited budget what should you prioritise?
The first step you need to take is to conduct an IT security risk assessment. Trust me, that is not as scary as it sounds! To start with, you can keep the assessment really simple, and it will help you understand what comes next.
To help you we've made a really simple IT security risk assessment checklist to get you started.
The checklist aims to help you:
- Understand Your Data
Whenever you're thinking about cybersecurity you first need to understand your data. That means looking at the current data you keep. Then deciding if you still need that data or not. Criminals can't steal what doesn't exist, so if you don't need the data then don't keep it.
To fully understand your data you will need to know where the data is stored, how long it is kept for, and who should have access to it. Note that it is who SHOULD have access to it and not who HAS access to it. They are two different things.
- Understand your risks
In this step, you are looking to understand all the risks to your data. They can be put into 3 categories.
Threats - Something that can harm your business. This can range from a cyberhacker to physical threats like fire or flood damage.
Vulnerabilities - These are any gaps in your security that potentially allow the threats you have identified to harm your business. For example, the lack of a firewall would be a big vulnerability.
Risks - This is the likelihood that one of the threats you identified can exploit a vulnerability. For example, what are the chances of a virus infecting your network if you don't have a firewall?
By thinking about your data and your business in this way you will get a better idea of how well your data is protected.
IT Security Risk Assessment Checklist
Document where your data lives
- Speak to data holders, management, other employees. Where is all your data stored? Remember to include physical items as well as digital data.
Think about what data can disrupt your business if lost
- What data is critical to your business? What data could your business not work without? Do you have customer data?
- What is used for day to day operations?
Find all valuable assets across the business
- How many servers do you have?
- Does your business have a website or multiple websites?
- Client/customer information (contact details, credit details etc)
Identify potential consequences
- Legal consequences - If someone steals your data you will incur fines and potentially other legal costs for failing to meet data protection legislation. For example, under GDPR the fines you receive can be very high.
- Loss of business - 71 per cent of customers say they would take their business elsewhere after a data breach. Paying fines, loss of reputation and the inability to work will all lead to you losing business.
- System or application downtime - How much money will your business lose if you can't work for a day, a week, or even longer?
Determine how bad these things are for your business
- Consider the upfront cost, level of fines, loss of reputation
Identify threats and their likelihood
- Natural disasters - floods, fire and even hurricanes and earthquakes (depending on your location)
- System failure - How old is your system, how well is it maintained, and is it made by a recognised brand?
- Accidental human interference - perhaps the biggest threat to most businesses. Mistakes, like deleting important files or clicking on malicious links, can happen at any time.
- Malicious humans - they are out there and they target all businesses no matter the size.
What controls are in place for each system
- Do you have security policies?
- Do you have employee security training?
- Anti-Virus or other software?
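The checklist above, together with the earlier distinction between who SHOULD have access and who HAS access, can be captured in a small risk register. The following is an added example, not code from the original post or from InfoTech; it assumes a simple likelihood-times-impact scoring on a 1 to 5 scale (one common convention, not one the post prescribes), and all asset names, teams and risks are constructed sample data.

```python
from dataclasses import dataclass, field

# Step 1: understand your data. Each asset records where it lives, how long it is
# kept, who should have access, who actually has access, and whether it is still needed.
@dataclass
class DataAsset:
    name: str
    location: str
    retention_days: int
    should_have_access: set
    has_access: set
    still_needed: bool = True


def access_drift(asset: DataAsset) -> list:
    """Return who HAS access but SHOULD NOT - the gap the checklist warns about."""
    return sorted(asset.has_access - asset.should_have_access)


def data_to_delete(assets: list) -> list:
    """Criminals can't steal what doesn't exist: list assets nobody needs any more."""
    return [a.name for a in assets if not a.still_needed]


# Step 2: understand your risks. A risk is a threat that could exploit a
# vulnerability on an asset; likelihood and impact are rated on a 1 to 5 scale
# (assumed convention).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    threat: str
    vulnerability: str
    asset: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)  # existing controls, may be empty


def risk_score(risk: Risk) -> int:
    """Likelihood x impact; higher means fix sooner."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def prioritise(risks: list) -> list:
    """Highest score first, so a limited budget goes to the biggest risks."""
    return sorted(risks, key=risk_score, reverse=True)


def uncontrolled(risks: list) -> list:
    """Risks with no control in place at all - the obvious gaps."""
    return [r for r in risks if not r.controls]


# Constructed sample data for a small business.
ASSETS = [
    DataAsset("customer_db", "CRM SaaS", 365, {"sales", "support"},
              {"sales", "support", "marketing", "ex-contractor"}),
    DataAsset("file_server", "office cupboard", 3650, {"all-staff"}, {"all-staff"}),
    DataAsset("old_backup_tapes", "basement", 3650, set(), {"all-staff"}, still_needed=False),
]

RISKS = [
    Risk("fire", "single office, no off-site copy", "file_server", "unlikely", "severe",
         ["smoke alarm"]),
    Risk("malware", "no firewall on office network", "file_server", "possible", "major",
         ["anti-virus"]),
    Risk("accidental deletion", "no file versioning", "file_server", "likely", "moderate",
         ["daily backup"]),
    Risk("phishing email", "no MFA, no staff training", "customer_db", "likely", "major"),
]

if __name__ == "__main__":
    for asset in ASSETS:
        print(f"{asset.name}: excess access -> {access_drift(asset)}")
    print("delete:", data_to_delete(ASSETS))
    for risk in prioritise(RISKS):
        print(f"{risk_score(risk):2d}  {risk.threat:<20} {risk.asset:<15} "
              f"controls={risk.controls or 'NONE'}")
```

Running it ranks the phishing risk on the customer database first (score 16, no controls), which matches the post's point that MFA and phishing training are cheap early wins, and flags that marketing and an ex-contractor still hold access to customer data even though they should not.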
Now that you have a better idea of your data and the potential risks to that data, it is a good time to evaluate your business technology as a whole.
The InfoTech discovery session is a more in-depth and detailed review of your IT security and your whole IT systems. From the free session, you will find out the good, the bad and the ugly of your business technology. We also deliver a step-by-step plan on how we can help you fix and improve each area. We can also help prioritise what is most important to your business.
There are also some basic steps you can take now that you have this information from the checklist.
Install anti-virus software
- And keep it updated!
Create clear security policies for employees
- And keep them updated!
Have a documented plan for disasters and security incidents
- Yes, and keep that updated!
Implement MFA (multi-factor authentication)
Educate your employees on how to recognise phishing attacks
This checklist makes an excellent starting point for businesses trying to improve their cybersecurity. It will help you understand where your data is and how much of it you have. It will also make you think about the threats to that data and where you might be vulnerable.
Of course, that is just the starting point. You might be able to identify some vulnerabilities, but the likelihood is that there are more in your IT than you are aware of.
That is why we created our discovery session. It allows you to have an expert look at your IT setup and health-check it for you. You then get a report, which we will talk you through, that shows you what is working well and what isn't. You will also be able to see all the vulnerabilities that exist in your system. Then we can work on fixing them for you.