Performing an IT security risk assessment should be an important part of your IT security precautions. It helps you understand and quantify the risks to IT in your business – and the possible consequences each could have.
Graham Fern, technical director of axon IT, a Cheshire-based IT provider, explains how to perform an IT security risk assessment.
Carrying out an IT security risk assessment will help you understand the key risks facing your business and decide which threats you need to take action against.
IT security risk assessment: where to start
IT security risk management involves a lot of common sense, and there’s plenty you can do for yourself. However, it is crucial that you seek professional advice to help guide you through possible IT security scenarios and their solutions.
If you lack IT expertise in-house, find a reputable IT supplier to help you. Your IT security risk assessment is important, so it’s worth making a small investment in time and money to ensure your precautions are adequate.
Get your IT security risk assessment right, and the end result will be a well-balanced set of security precautions which protect your business from the biggest risks, without costing you an arm and a leg.
However, get your IT security risk assessment wrong and not only could you end up out of pocket, but you’ll be at risk as well. You need to balance the costs of security with the level of danger – that’s why your IT security risk assessment is important.
There are three main stages to performing an IT security risk assessment.
IT security risk assessment step one: understand the importance of IT
The first question to ask when conducting an IT security risk assessment is: how important is IT to your business? If it is vital, and you cannot accept any associated risk, then you need to ensure that you are thoroughly protected if things go wrong.
For example, ask yourself how your business would continue to run if your IT systems were destroyed by fire, flood, theft or system failure. Could you get back up and running easily? How quickly could you restore lost data from backup copies?
If the answers to these questions set your pulse racing, you already know the answer to this question: IT is very important to your business!
However, you should also consider each aspect of your IT individually, and establish how vital it is to your business. For instance, you might conclude that it would be nearly impossible to run your business without your server and broadband connection, but that your computer printers are not essential.
In reality, you may not question the importance of your IT directly. The answer tends to be more of a feeling that builds up as you work through the rest of the IT security risk assessment process.
IT security risk assessment step two: assessing the risks
Think about everything you use on a daily basis: servers, desktop and laptop computers, netbooks, telephone handsets, mobile phones, routers, switches, databases, software, business applications, custom software and more.
Assess how each of the risks listed below would affect each item you identify, and consider what the knock-on effect on your business could be:
- Theft or loss of hardware – could you cope without key equipment?
- Fire or excessive heat – what would happen in the event of a fire? How quickly could you replace damaged equipment, software and data?
- Water or excessive damp – it doesn’t mix well with IT equipment, and if your premises were flooded you would probably have to replace everything.
- Equipment failure or damage – like a broken server or dropped laptop.
- Data theft, loss or disclosure – perhaps due to poor data security, loss of data-containing equipment or a disgruntled employee – which could result in a significant penalty from the data commissioner.
- Software failure – like your business database or another application.
- Accidental or deliberate data deletion or corruption – it’s all too easily done if proper security measures are not in place.
Doing this will help you form some opinions about importance and risk. What are the chances of a fire or a flood actually happening? What about theft? And what impact would this have on your business, both in the short and long term?
IT security risk assessment step three: taking action
Your next task is to estimate the chance of each incident occurring, and then decide what percentage of that risk you are willing to accept.
This is where some expert knowledge really comes in; it’s hard to understand the likelihood of a software crash or accidental data loss without previous experience. So make sure you consult an IT expert at this point.
You should end up with a list of scenarios on a scale – from those that you are not willing to risk at all, through to those where you feel the risk is acceptable. Your IT budget will dictate how much you can reasonably tackle, but you should make sure you focus on those risks you cannot tolerate.
This list forms the substance of your IT security risk assessment. It gives you the key understanding of each risk and its consequences, ordered by priority. Then all you need to do is consider the security precautions you need to address each risk – starting at the top of the list.
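The three steps above come together as a simple risk register. The following Python script is an added illustration, not code from the article or from axon IT: it takes the asset/threat pairs from step two, scores each one as likelihood × impact on an assumed 1–5 scale, sorts them by priority and splits them at an assumed tolerance threshold into the risks that need a precaution and the ones the business chooses to accept. The asset names, scores, threshold and the "critical/high/medium/low" bands are constructed sample values, not figures from the article.

```python
"""Qualitative IT security risk register.

Scores each asset/threat pair as likelihood x impact (both on a 1-5 scale),
sorts the scenarios by priority and splits them at a tolerance threshold into
the ones the business must treat and the ones it chooses to accept.

Added illustration: the asset names, threats, scores, threshold and score
bands are constructed sample values, not figures from the article.
"""
from dataclasses import dataclass

# The seven threat categories the article lists in step two.
THREATS = (
    "theft or loss of hardware",
    "fire or excessive heat",
    "water or excessive damp",
    "equipment failure or damage",
    "data theft, loss or disclosure",
    "software failure",
    "accidental or deliberate data deletion or corruption",
)


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    likelihood: int  # 1 = rare ... 5 = almost certain (assumed scale)
    impact: int      # 1 = negligible ... 5 = business cannot operate

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def validate(scenario: Scenario) -> None:
    """Reject scenarios with an unknown threat category or an out-of-range score."""
    if scenario.threat not in THREATS:
        raise ValueError(f"unknown threat category: {scenario.threat!r}")
    for name in ("likelihood", "impact"):
        value = getattr(scenario, name)
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")


def band(score: int) -> str:
    """Map a 1-25 score onto a label; the cut-offs are an assumed convention."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritise(scenarios, tolerance):
    """Return (must_treat, accepted), each sorted highest priority first.

    'tolerance' is the highest score the business is willing to accept;
    anything above it goes on the list of risks that need a precaution.
    Ties are broken by impact (a rare catastrophe outranks a common
    nuisance) and then by asset name so the ordering is deterministic.
    """
    for s in scenarios:
        validate(s)
    ranked = sorted(scenarios, key=lambda s: (-s.score, -s.impact, s.asset))
    must_treat = [s for s in ranked if s.score > tolerance]
    accepted = [s for s in ranked if s.score <= tolerance]
    return must_treat, accepted


def render(scenarios) -> str:
    """One line per scenario, highest priority first, for the written assessment."""
    return "\n".join(
        f"{s.score:>2} {band(s.score):<8} {s.asset:<18} {s.threat}"
        for s in scenarios
    )


# Constructed sample register for a small office (not the article's data).
SAMPLE = [
    Scenario("file server", "equipment failure or damage", 3, 5),
    Scenario("file server", "fire or excessive heat", 2, 5),
    Scenario("customer database", "data theft, loss or disclosure", 2, 5),
    Scenario("staff laptop", "theft or loss of hardware", 3, 3),
    Scenario("customer database", "software failure", 2, 4),
    Scenario("broadband router", "equipment failure or damage", 2, 4),
    Scenario("office printer", "equipment failure or damage", 3, 1),
]

if __name__ == "__main__":
    treat, accept = prioritise(SAMPLE, tolerance=8)
    print("Risks to treat (score above 8):")
    print(render(treat))
    print("\nRisks accepted:")
    print(render(accept))
```

The output is the prioritised list the article describes: the server failure scenario sits at the top, the printer at the bottom, and the tolerance line separates what the budget must cover from what the business knowingly carries. Rerunning the script after each precaution is applied (lowering the likelihood or impact it addresses) shows how the list shrinks.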