Analyze your assets
Start by taking an inventory of your assets. This can include physical goods or digitized data, such as personal information and client databases. Make a comprehensive list of what can be lost, stolen or damaged. Understanding what your assets are, and where they are, will help you decide what you need to protect, and where your weaknesses are, so you know what elements of your organization, if any, need to be strengthened.
Imagine the impacts
The next step is to outline the consequences of an attack. What if you cannot access your data, or it is stolen? How would your business be affected? How much revenue would you lose, or would the impact be embarrassment and a hit to your brand? How long would it take to rebuild, or is that even possible? By understanding the relative impacts of asset loss, you'll be better able to prioritize where to invest in securing your systems.
Mitigate your risks
Now consider the ways that disaster could strike. How might hackers infiltrate your information? What are the weaknesses in the ways your employees access your systems? Do you have a rigorous on-boarding process, and an IT security policy that staff can recite by heart? Do you back up your data, to protect against potential loss? Once you determine your major weaknesses, you're in a position to mitigate the most probable and serious risks to your business. You know what your most important assets are, their value to your business, and the sensible steps that will help guard them.
A risk assessment example
Consider an example of a small accounting business that conducted a risk assessment for their operations. Here’s what it might look like.
- First they looked at their assets, noting a variety of physical and digital items. They quickly determined that their clients’ personal information was the most essential for their organization.
- Next they considered the consequences of a loss or damage to their key asset, and determined that it included embarrassment, a serious hit to their reputation, legal liability, loss of current and potential future clients, and lower employee morale. In other words, it would have a major financial impact with potentially disastrous long-term consequences.
- Then they considered the potential threats, by analyzing how they managed access to their sensitive client information. All staff members had access to files on the network, where all their data was stored, and the network had weak password protection. Staff made their own passwords, so it was possible that they were very basic, or were used for multiple services across the web, further increasing the likelihood of a breach.
- Finally, they took action, starting by securing their clients' information in a part of their network with password-protected access that was tightly controlled and only accessible by those who absolutely needed it. They also adjusted their password policy to require stronger passwords that are difficult to crack, and ensured everyone followed it.
Though the accounting firm had many other assets to consider, they focused on their clients’ personal information, since it was most important to their business. Rather than spread themselves thin worrying about every single asset, they zeroed in on the one that mattered most, and took steps to secure it.
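The four steps above (inventory assets, rate the impact of losing each one, rate how likely each threat is, then act on the worst risks first) can be written down as a small risk register. The following Python is an added illustration, not code from the original article; the firm, its assets, threats, 1-to-5 ratings and mitigations are all constructed for the example, and the impact-times-likelihood score is a common convention, not something the article prescribes.

```python
"""Minimal risk register: inventory assets, rate impact and likelihood, rank risks.

Constructed example for the four-step assessment described above. The assets,
threats, ratings and mitigations are made up for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int  # 1 (minor) .. 5 (disastrous): consequence if lost, stolen or damaged


@dataclass(frozen=True)
class Risk:
    asset: str       # name of an Asset already in the register
    threat: str      # how disaster could strike
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    mitigation: str  # the sensible step that reduces this risk


@dataclass
class RiskRegister:
    assets: dict = field(default_factory=dict)
    risks: list = field(default_factory=list)

    def add_asset(self, asset: Asset) -> None:
        """Step 1: inventory. Ratings outside 1..5 are a data-entry error."""
        if not 1 <= asset.impact <= 5:
            raise ValueError(f"impact must be 1..5: {asset}")
        self.assets[asset.name] = asset

    def add_risk(self, risk: Risk) -> None:
        """Step 3: threats. A threat against an un-inventoried asset means the
        inventory is incomplete, so refuse it rather than silently scoring it."""
        if risk.asset not in self.assets:
            raise KeyError(f"unknown asset {risk.asset!r}; inventory it first")
        if not 1 <= risk.likelihood <= 5:
            raise ValueError(f"likelihood must be 1..5: {risk}")
        self.risks.append(risk)

    def score(self, risk: Risk) -> int:
        """Impact x likelihood (1..25); higher means more urgent."""
        return self.assets[risk.asset].impact * risk.likelihood

    def ranked(self) -> list:
        """Most serious first; ties broken in favour of the more valuable asset."""
        return sorted(
            self.risks,
            key=lambda r: (self.score(r), self.assets[r.asset].impact),
            reverse=True,
        )

    def plan(self, budget: int) -> list:
        """'Keep it simple': only the top `budget` mitigations, worst risk first."""
        return [r.mitigation for r in self.ranked()[:budget]]


def build_sample_register() -> RiskRegister:
    """A constructed register for a hypothetical small accounting firm."""
    reg = RiskRegister()
    reg.add_asset(Asset("client personal information", impact=5))
    reg.add_asset(Asset("office laptops", impact=3))
    reg.add_asset(Asset("company website", impact=2))
    reg.add_risk(Risk("client personal information",
                      "weak or reused staff passwords on the shared file store", 4,
                      "move client files to a tightly controlled share and enforce a password policy"))
    reg.add_risk(Risk("client personal information",
                      "data loss from ransomware or disk failure with no backups", 3,
                      "schedule and test offline backups"))
    reg.add_risk(Risk("office laptops",
                      "theft of an unencrypted laptop", 2,
                      "enable full-disk encryption"))
    reg.add_risk(Risk("company website",
                      "defacement of the marketing site", 2,
                      "keep the web platform patched"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for risk in register.ranked():
        print(f"{register.score(risk):2d}  {risk.asset}: {risk.threat}")
    print("Top two actions:", register.plan(2))
```

Run it and the client-information risks come out on top with scores of 20 and 15, while the laptop and website risks score 6 and 4: the same conclusion the accounting firm reached, which is to spend its limited effort on the one asset that matters most rather than on everything at once.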
Keep it simple
The good news is that while risk assessment is quite complex for big businesses, smaller organizations have fewer assets to consider, and generally fewer risks to assess. When you spend some time understanding what your assets and risks are, you can take the relatively simple steps to protect them. And that's just good business sense, regardless of your size.