A bit of housekeeping for you! Have you carried out an IT risk assessment recently? Yes, it’s another job to add to that ever growing ‘to do’ list, but one that shouldn’t be ignored. Since your last IT risk assessment things will inevitably have changed. Even if you haven’t changed anything within your IT infrastructure and systems (although most organisations will have), external threats will have evolved as hackers and cyber criminals look for new ways to exploit vulnerabilities.
In fact, it is highly unlikely that your IT estate has remained static. New applications and devices may have been added – some may be unknown to you if staff have installed apps on corporate devices or BYODs without your knowledge. And the volume of data your organisation manages will also have changed – potentially increasing the risk of a breach.
Security experts advise that an IT risk assessment should be conducted every time a significant change is made to systems or data, and at a regular interval (for example annually) if nothing new has been implemented. With the volume of paperwork involved in the average IT risk assessment you might not like the idea of regular reviews, but once you have the foundations in place (an asset inventory, a risk register and agreed scoring scales) repeat assessments become an update rather than a fresh start.
Below are a few tips to streamline the process.
Tips for conducting an IT risk assessment
#1: Identify every potential risk
By documenting every threat and vulnerability your organisation may face you can identify the areas that need additional security measures and raise awareness of threats with other stakeholders. For example, if a potential risk is a vulnerable member of staff (such as through social engineering) you can put appropriate programmes and policies in place to help protect them and your organisation’s IT systems from attacks.
#2: Use real life scenarios to envisage the consequences of each risk
Disaster planning should always include walking through the consequences of an attack or IT incident (such as a ransomware infection or a power outage) as a tabletop exercise, to determine the impact on the organisation and what remedial actions need to happen. The aim is to protect critical systems and get business operations running again as quickly as possible to reduce the impact of downtime on the business.
#3: Involve key stakeholders in all areas of the business impacted
Who’s on your team if your organisation is attacked or an incident occurs? As well as IT and security team members, involve managers or leaders in each department or area of business that might be impacted. By getting them on board you can a) reduce risks by raising awareness of vulnerabilities and b) reduce the impact of an IT disaster by ensuring they understand their role in that event.
#4: Share your disaster recovery and business continuity plans
Similarly, make sure all key stakeholders have copies of relevant recovery and continuity plans so they understand what the process is should an incident occur.
#5: Document all assets with security risks
Review all IT infrastructure and document every asset that carries security risks and vulnerabilities. This should be a full inventory recording, for each asset: what the asset is, what security measures are in place, whose responsibility it is, the probability of a threat occurring, what happens if the asset is exposed (the impact on the business) and the disaster recovery procedure that applies to it. Assets with no named owner or no recovery procedure are gaps in their own right and should be flagged as such.
#6: Review and make recommendations
Having collated all necessary documentation and the current state of play, review the risks and the tools and processes in place to identify, prevent and protect against threats. Also review recovery procedures, and make recommendations to improve protection and recovery based on the impact to the organisation and the probability of the threat occurring.
#7: Develop a risk mitigation plan
From all the points above develop a risk mitigation plan that aims to reduce vulnerabilities, protect IT from potential threats and minimise the impact of an incident on the organisation. With a clear picture of all IT assets, the consequences of a threat and the likelihood of a risk materialising, you can prioritise the areas of the organisation that need the most protection and resources.
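Tips #5 and #7 describe a simple risk register: each asset is recorded with its owner, controls, likelihood, impact and recovery procedure, and mitigation effort is then prioritised by likelihood and impact. The script below is an added example (not part of the original article) of that register and prioritisation in code. The five-point likelihood and impact scales, the band thresholds and the sample assets are all assumptions made for illustration; an organisation would substitute its own scales and inventory.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed five-point qualitative scales (not from the original article).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Asset:
    """One row of the risk register, mirroring the fields listed under tip #5."""
    name: str
    owner: Optional[str]                 # whose responsibility the asset is
    likelihood: str                      # key into LIKELIHOOD
    impact: str                          # key into IMPACT
    controls: List[str] = field(default_factory=list)   # security measures in place
    recovery_procedure: Optional[str] = None            # disaster recovery procedure
    patched: bool = True                 # False = known patches not yet applied


def risk_score(asset: Asset) -> int:
    """Likelihood x impact on the assumed 5x5 matrix (1..25)."""
    return LIKELIHOOD[asset.likelihood] * IMPACT[asset.impact]


def risk_band(score: int) -> str:
    """Assumed band thresholds for the 5x5 matrix."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def register_gaps(asset: Asset) -> List[str]:
    """Things the register says are missing for this asset, regardless of score."""
    gaps = []
    if not asset.owner:
        gaps.append("no named owner")
    if not asset.controls:
        gaps.append("no security measures recorded")
    if not asset.recovery_procedure:
        gaps.append("no recovery procedure")
    if not asset.patched:
        gaps.append("patches outstanding")
    return gaps


def prioritise(assets: List[Asset]) -> List[dict]:
    """Order the register for the mitigation plan: highest score first, then the
    assets with the most register gaps, then by name so the output is stable."""
    rows = []
    for a in assets:
        score = risk_score(a)
        rows.append({"asset": a.name, "score": score, "band": risk_band(score),
                     "gaps": register_gaps(a), "owner": a.owner or "UNASSIGNED"})
    rows.sort(key=lambda r: (-r["score"], -len(r["gaps"]), r["asset"]))
    return rows


# Constructed sample register for the example; not real assets.
SAMPLE_REGISTER = [
    Asset("Customer database server", "DBA team", "possible", "severe",
          ["encryption at rest", "MFA for admin access"], "restore from nightly backup",
          patched=False),
    Asset("Finance laptop fleet", None, "likely", "major", ["full-disk encryption"]),
    Asset("Intranet wiki", "IT operations", "unlikely", "minor", ["SSO"],
          "rebuild from image"),
    Asset("Staff exposure to phishing", "HR", "almost certain", "moderate", [],
          "incident response playbook"),
]


if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        gaps = "; ".join(row["gaps"]) or "-"
        print(f'{row["score"]:>2} {row["band"]:<8} {row["asset"]:<28} '
              f'owner={row["owner"]:<14} gaps: {gaps}')
```

Running the script prints the register ordered as a mitigation plan: the unowned laptop fleet and the unpatched database land at the top, and every row carries the gaps (missing owner, missing controls, missing recovery procedure, outstanding patches) that tip #5 says the inventory should expose. Repeating the assessment then means editing the register and re-running the script rather than starting the paperwork from scratch.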
While there’s no denying that an IT risk assessment takes time, a positive outcome of conducting one is that (as well as managing threats and risks appropriately) there are opportunities to drive efficiencies and reduce costs. You may discover areas of the business where you can save money and make IT work harder and more effectively.
It also highlights the importance of maintenance and backups. Many organisations are exposed to threats simply because patches have not been applied. A risk assessment will help you determine whether this is the case and put the right IT maintenance and management processes in place.
If your organisation is migrating, or has migrated, to the cloud, our Cloud Usage and Risk Analysis may be useful. Download your copy here.