To many businesses, IT security is intimidating and it’s difficult to know where to start. What level of security do you need and what should you be securing? The first step you need to take is to conduct an IT security risk assessment. To start with, you can keep the assessment really simple and it will help you understand what comes next.
To help you, we’ve made a really simple IT security risk assessment checklist to get you started.
The checklist aims to help you:
- Understand your data
Whenever you’re thinking about cyber security, you first need to understand your data. That means looking at the current data you keep and deciding if you still need it or not. Criminals can’t steal what doesn’t exist, so if you don’t need the data then don’t keep it.
To fully understand your data, you will need to know where it is stored, how long it is kept, and who should have access to it (as opposed to who does have access to it).
- Understand your risks
In this step, you are looking to understand all the risks to your data. They can be put into 3 categories:
- Threats – Something that can harm your business. This can range from hackers to physical threats like fire or flood damage.
- Vulnerabilities – Any gaps in your security that potentially allow the threats you have identified to harm your business. For example, the lack of a firewall.
- Risks – This is the likelihood that one of the threats you identified can exploit a vulnerability. For example, what are the chances of a virus infecting your network if you don’t have a firewall?
By thinking about your data and your business in this way, you will get a better idea of how well your data is protected.
IT Security Risk Assessment Checklist
Document where your data lives
- Speak to data holders, management, other employees. Where is all your data stored? Remember to include physical items as well as digital data.
Think about what data can disrupt your business if lost
- What data is critical to your business. What data could your business not be able to work without? Do you have customer data?
- What is used for day to day operations?
Find all valuable assets across the business
- How many servers do you have?
- Does your business have a website or multiple websites?
- Client/customer information (contact details, credit details etc)
Identify potential consequences
- Legal consequences – If someone steals your data you will incur fines and potentially other legal costs for failing to meet data protection legislation. For example, under GDPR the fines you receive can be very high.
- Loss of business – 71% of customers say they would take their business elsewhere after a data breach. Paying fines, loss of reputation and the inability to work will all lead to you losing business.
- System or application downtime – How much money will your business lose if you can’t work for a day, a week, or potentially even longer?
Determine the potential consequences of these things are for your business
- Consider the upfront cost, level of fines, loss of reputation
Identify threats and their likelihood
- Natural disasters – floods, fire and even hurricanes and earthquakes (depending on your location).
- System failure – How old are your systems, how well are they maintained, and are they made by a recognised brand name?
- Accidental human interference – perhaps the biggest threat to most businesses. Mistakes, like deleting important files or clicking on malicious links, can happen at any time.
- Malicious humans – they are out there and they target all businesses, no matter the size.
What controls are in place for each system?
- Do you have security policies?
- Do you have employee security training?
- Anti-Virus or other software?
This checklist is a helpful starting point for businesses trying to strengthen their cyber security. This will help you understand where your data is, how much of it you have and where there might be vulnerabilities.
If you need further advice about how to secure your IT infrastructure and keep your business and employees safe from cybercriminals and data loss, please don’t hesitate to get in touch – our friendly team of technology advisors will be happy to help.