Engaging in an annual IT risk assessment lets you take stock of the threats in your IT environment. It serves as a performance review of your department's ability to prevent and quickly mitigate threats, a reminder of areas that need attention, and a forecast of how secure your data will be if you continue with your current IT setup.
In general, it's best to have an outside organization conduct your IT risk assessment, because an outsider brings objectivity; if your organization needs to keep costs low, you can perform the assessment in-house instead. If you do it in-house, be as objective as possible. Threats that upper management has traditionally dismissed as unimportant or "something that wouldn't happen to us" still belong in your assessment if they are real vulnerabilities.
To be successful, your assessment should be as thorough as possible. Keeping a record of your organization's threat history by documenting incidents in each annual assessment also pays off when a threat you considered unlikely does strike.
1. Review possible threats
Begin by listing all of the potential threats in the IT environment. It helps to start with an inventory of where all of your data lives. If your data is spread across multiple facilities or locations, review the threats at each location and include them in your overall assessment.
Consider the three largest threat categories during your review: digital, physical, and human. Digital threats include device failure, cybercrime, and malware. Physical threats include things like equipment room temperature and humidity, fire, flood, and physical damage to devices. Human threats account for things like data breaches, accidental deletion of data, and forgotten IT tasks, such as scheduling a backup.
Throughout the year, stay on top of the latest IT news and trends so that as new technology and threats develop, you can add those to your radar too.
2. Determine their likelihood
As you categorize each threat by type, assess the likelihood of its occurrence. This will help you determine which items, if any, need immediate attention and which can fall to the bottom of the list. Questions to ask include:
- When was your software last updated or patched?
- How old are your devices?
- What is the average failure rate for devices of that age?
- When was your hardware and infrastructure last refreshed?
- Are you relying entirely on your users to remember to schedule tasks?
- Are you relying on them to never make a mistake, like deleting a file unintentionally?
- When was the last time you had a (fill-in-the-blank) incident?
- Do any particular types of incidents tend to recur? (Past incidents can be good indicators of vulnerable areas that you need to pay more attention to in the future.)
- What protections do you already have in place to prevent each incident, and have they worked in the past?
3. Assess their potential impact
In addition to considering the likelihood of each threat, estimate its impact. Some threats will hit your organization harder than others. For example, a single file accidentally deleted by an employee will not carry the same weight as a ransomware infection that encrypts all of your organization's data and demands payment for the key.
To assess the impact of threats, consider these questions:
- Would the event lead to financial, legal or regulatory, or reputational repercussions?
- How much money would your business lose for each hour of downtime?
- In the event that X occurred, how quickly could you get your data back?
- How long would downtime last, should X take place?
- What systems are in place to detect attacks, breaches, or human errors, and how quickly would they catch them?
- What data is the most sensitive within your organization? What if X event targeted or affected that sensitive data?
- Do you have reliable backup copies of all sensitive and business-critical data? How confident are you that those copies are intact and restorable? Are they stored in the cloud or only on local devices?
- How long would it take to restore data from a backup (your recovery time)?
Answering the impact questions also points to how you should prepare for these threats. You may not be able to prevent them entirely, but you can always adjust how your organization prepares and responds.
For instance, you may be able to automate routine tasks to remove the possibility of human error, or maintain a cloud backup of your data that you can rely on to reduce downtime should your data be wiped out by malware or another data loss incident.
Going through this IT risk assessment process will likely give you a long list of holes that need to be patched to improve your IT design and protections. But it will also give you a prioritized list. Threats that are both high in likelihood and high in potential impact should be addressed first, followed by threats that are high in impact and moderate in likelihood and threats that are high in likelihood and moderate in impact. Address threats that rank low on both scales later, once higher priority threats have been handled and you have more IT resources to devote to them.
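To make the three steps concrete, here is an added example (not code from the original article) of a small risk register in Python that applies exactly this ordering: each threat carries the likelihood and impact ratings from steps 2 and 3, plus the incident frequency, downtime-per-hour cost and recovery-time figures from the impact questions, so the register can rank threats by tier and estimate the expected annual loss of each. The threat names, ratings and dollar figures are constructed for illustration and are not real data.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative rating used for both likelihood and impact."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class Threat:
    """One row of the risk register.

    The qualitative ratings drive the priority tier; the quantitative
    fields turn the downtime questions into an expected annual loss.
    """
    name: str
    likelihood: Level
    impact: Level
    occurrences_per_year: float  # from incident history ("when did X last happen?")
    downtime_hours: float        # per occurrence, including time to restore from backup
    hourly_loss: float           # money lost per hour of downtime

    def expected_annual_loss(self) -> float:
        """Expected yearly cost: frequency x downtime per event x cost per hour."""
        return self.occurrences_per_year * self.downtime_hours * self.hourly_loss


def priority_tier(t: Threat) -> int:
    """Map the likelihood/impact pair onto the ordering described in the article.

    1: high likelihood and high impact
    2: high impact with moderate likelihood, or high likelihood with moderate impact
    3: everything else except the low/low corner
    4: low likelihood and low impact (address last)
    """
    if t.likelihood == Level.HIGH and t.impact == Level.HIGH:
        return 1
    if {t.likelihood, t.impact} == {Level.HIGH, Level.MODERATE}:
        return 2
    if t.likelihood == Level.LOW and t.impact == Level.LOW:
        return 4
    return 3


def prioritize(register):
    """Order by tier first, then by expected annual loss within a tier."""
    return sorted(register, key=lambda t: (priority_tier(t), -t.expected_annual_loss()))


def downtime_reduction_value(t: Threat, downtime_hours_after: float) -> float:
    """Annual saving from a control that only shortens recovery (e.g. a tested backup)."""
    after = Threat(t.name, t.likelihood, t.impact, t.occurrences_per_year,
                   downtime_hours_after, t.hourly_loss)
    return t.expected_annual_loss() - after.expected_annual_loss()


def build_register():
    """Constructed sample register; names and figures are illustrative, not real data."""
    return [
        Threat("Ransomware encrypts the file server", Level.HIGH, Level.HIGH, 0.3, 48, 5000),
        Threat("Employee deletes a single file", Level.HIGH, Level.LOW, 12, 0.5, 5000),
        Threat("Server room cooling fails", Level.MODERATE, Level.HIGH, 0.5, 8, 5000),
        Threat("Aging desktop disk fails", Level.HIGH, Level.MODERATE, 1.0, 4, 1000),
        Threat("Flood in the equipment room", Level.LOW, Level.HIGH, 0.02, 120, 5000),
        Threat("Outdated printer driver", Level.LOW, Level.LOW, 1.0, 0.25, 200),
    ]


if __name__ == "__main__":
    for t in prioritize(build_register()):
        print(f"tier {priority_tier(t)}  {t.expected_annual_loss():>10,.0f}  {t.name}")
    ransomware = build_register()[0]
    print("Annual saving from cutting ransomware recovery from 48 h to 6 h:",
          f"{downtime_reduction_value(ransomware, 6):,.0f}")
```

Two things the numbers show that the text alone does not. First, the qualitative matrix, not the dollar figure, decides the tier: the single-file deletion has a larger expected annual loss (30,000) than the cooling failure (20,000) because it happens so often, yet it sorts below it because its impact is rated low. Expected loss is only the tiebreaker within a tier, which is exactly why both ratings are needed. Second, a control that changes nothing about likelihood but shortens recovery time, such as a tested backup that brings ransomware restore time from 48 hours to 6, still removes most of that threat's expected cost (63,000 of 72,000 per year), which is the quantitative form of the advice to use backups to reduce downtime.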
To prepare you for your organization’s in-depth IT risk assessment, begin by taking a 3-minute data security audit to recognize the immediate weaknesses and data recovery abilities.