HOW TO PERFORM A SUCCESSFUL IT RISK ASSESSMENT

November 02, 2020

We know. You’ve heard it all before.

Cyber security is important. We don’t half go on about it. But that’s because it is so important.

In fact, the failure of your IT infrastructure or the danger of a cyber-attack is probably one of the biggest threats to the longevity of your business.

As such, performing an IT risk assessment should be a key part of running a business.

It’s the difference between an IT incident being a minor hiccup and it flooring your entire business in a time when you may not be able to afford to be out of action.

We appreciate you might not really know where to start, so we’ve put together our top tips for completing a successful IT risk assessment.

First off…

NO. 1 – DO IT.

This may sound stupid but the best thing you can do is to just do it.

Making time to get it done is a big step forwards. An IT risk assessment can easily get put on the back burner.

If everything in the business is going fine and you’re tied up with other tasks, something like this can seem like a waste of time.

Don’t put it off any longer.

Who knows when the next attack or failure could be? It’s much better to have the peace of mind that you are well protected. Also, should anything go wrong, you’ll be up and running in no time.

So, get it in the diary. Make plans for how you’re going to conduct it and then get it done.

But what should you be looking for?

NO. 2 – THINGS TO LOOK FOR

Obviously, you need to know what you’re looking for. What areas of risk are you assessing?

These are some key areas to cover.

HOW DO PEOPLE RESPOND TO PHISHING EMAILS?

  • Your first port of call is looking into how many phishing emails you actually get and how aware people are of the dangers of clicking on a dodgy email.

WHAT SECURITY SOFTWARE DO YOU HAVE IN PLACE?

  • You of course should have some software in place but it may be that you have something which isn’t fit for purpose.
  • If so, what are the barriers to you getting better security software in place, on your network and individual computers?

ARE YOUR PHYSICAL SERVERS AT RISK OF FAILURE?

  • If you have physical servers which are getting on a bit or are rarely looked at or maintained, it’s probably a good idea to check what condition they’re in.
  • After a while, physical hardware can deteriorate, especially if it’s not kept in ideal conditions.
  • As a result, it’s at risk of failing. If it does, it could be costly and time-consuming to get your data back.

There are of course more things to cover, but these are good places to start.

NO. 3 – IT RISK NOW INCLUDES GDPR

A big consideration when doing your IT risk assessment is GDPR. Although not directly to do with cyber security, how you handle data should be something you look at.

Assuming your data is digitised, it is at risk in the event of a breach. That includes info you keep on customers and your HR records.

If this data gets into the wrong hands, it would spell a lot of trouble for your company, particularly if it shouldn’t be in your records anymore.

For example, do you still hold data on people who no longer work for your company and haven’t done for some time? Having their consent to keep data is essential; otherwise, it should be removed at the earliest opportunity.

This is a good thing to cover in your risk assessment.

NO. 4 – GET EVERYONE ON BOARD

Getting everyone in your business on board with this IT risk assessment is pivotal to its success.

Communicate the benefits to all members of staff before you conduct checks and look at where there might be vulnerabilities. Involving them in the assessment also has the benefit of reminding them that they need to stay vigilant.

Once you pull together your report, make sure the findings are communicated to everyone. Risk assessments like this shouldn’t just be an executive-level exercise but a company-wide activity.

NO. 5 – IMPLEMENT AND REVIEW

Obviously, once you’ve assessed the risks, you need to implement changes where necessary (or leave things be if you’re in a good position).

Part of implementation will be delegating tasks to individuals and reminding them of their responsibilities.

But don’t just leave it there. Running a risk assessment on a recurring basis is especially important with IT.

New threats arise all the time, software changes, and malfunctions happen. Although you might be watertight now, you don’t know where you’ll be in a year’s time.

We’d recommend running one of these at least every other year, if not every year.

TALK TO PEOPLE WHO KNOW WHERE TO LOOK

Hopefully those pointers will get you started. You can run your risk assessment however you like, or you could get an external team to do it for you.

At Reality Solutions, we are happy to do a review of your IT infrastructure to make sure your business is secure. If you think that’s something you need but don’t know where to start looking, give us a shout.
