What is an IT Security Risk Assessment & Strategy?

With internet hacking and cyber attacks on the rise, it’s imperative to make sure your business’s use of digital systems is as secure as possible. A government study found that 74% of small firms in the UK suffered a cyber security breach in 2016, whilst 90% of large firms were hit. Attacks vary in magnitude, but some of these security breaches can cause millions of pounds’ worth of damage. To help you avoid this fate you should perform regular IT security risk assessments, which will identify the biggest risks to your business and where you should be focusing your defence.

A lot of IT security comes down to common sense – you wouldn’t leave your front door open or a sign that points to where the keys are hidden, would you? It’s similar online, and a lot of cyber security will depend upon you and your actions. However, when conducting an IT risk assessment it is crucial that you seek professional advice. IT can get pretty complex, and an expert will know the biggest risks and see things that you do not. It’s really worth spending the money now to avoid losing it later; the stakes are just too high. Get your IT security risk assessment right and you will be left with a strong, practical security plan that won’t cripple your bank balance or put your business in danger.

Firstly, assess how important IT is to your business and how you use it. Do your business operations depend on digital systems of one form or another? By addressing this question you can ascertain what position you will be in should your hardware or software be compromised, and thus how to go forward from there. Identify the information assets that you use – all the devices, software programs, servers, extra equipment – and how dependent you are on them. You might be a business that can continue operations over the phone, in person, etc., without too much of a hitch should your server go down, for instance, or maybe your business functions through digital equipment, such as printers and digital design programs.

Once you’ve weighed up what assets are most important to your business you can begin to assess each individually for their specific risks. Put together a list of everything that you use on a daily basis, all the computers, machines, handsets, routers, databases and software, and consider what the threats are to each thing and how your business will be affected should they be compromised. Some of the things you should consider are:

  • Theft or loss of hardware
  • Fire damage
  • Water damage
  • Hardware failure
  • Software failure
  • Data theft or loss
  • Data corruption

How easily could any of these incidents occur? What can you personally do to prevent them? Some of these answers will be simple enough, such as moving equipment away from heat sources and out of direct sunlight, but others will be more complicated, and this is why it is important to get expert advice. It’s hard to know how easily particular software can be compromised if you don’t have previous experience or the time for in-depth studies of each program you use. It can be mind-boggling how many unique cases you will have to evaluate, but you don’t have to do it alone!

Make sure your IT security risk assessments are regular and consistently shrewd. The dangers regularly change and new threats develop every week, so keep on top of them. You might choose not to act on particular cyber security threats because it’s just not worth your money, but so long as you are aware of the dangers then you can be ready to face the consequences should they arise. Be smart, don’t leave your business in the hands of fate.

For more information please contact us on 0131 541 0020, send us an email info@cans.scot or complete a request via our on-line request form here.


The Rise and Rise of Ransomware

Ransomware is on the rise. In 2016, 40% of businesses across the globe reported ransomware attacks. That figure is even worse in the UK, with over 54% of businesses being targeted. There’s no denying that ransomware is a threat, but what is it and why are businesses leaving themselves vulnerable to it?

Ransomware is a particularly nasty form of cybercrime. It’s less about stealing data, and more about holding it hostage while demanding a payout. Ransomware attackers will breach a company’s security and take control of important documents, effectively blocking the business from accessing them. These documents could be of a sensitive nature (e.g. customer information or confidential data) or could be fundamental to the day-to-day running of a business. Many businesses will pay the ransom just to get back to normal and continue trading.

Part of the reason ransomware is on the rise is its sophistication. As technology improves, so do the techniques used by cyber criminals. In fact, most ransomware these days even has a pre-programmed time delay which enables it to be set up days or weeks before an attack takes place. This makes the ransomware difficult to find, and its origin harder to determine. That’s why it’s essential that businesses focus more on prevention than detection, a fact that still eludes many business owners.

Ransomware attackers do not discriminate between businesses. From individuals and small businesses to universities, libraries and hospitals, all organisations are vulnerable. If you have important information stored of any kind and your security measures aren’t up to scratch, you’re an easy target for cyber criminals.

Security and business growth

One of the most common mistakes made by small businesses is their failure to adapt their security systems as they grow. It’s one thing to have a good network security solution in place when you start out, but if that system doesn’t grow with your business you’re going to make yourself vulnerable. Often, this is something that’s pushed aside by small businesses as they’re too focused on performance and ambition – it’s only natural – but the risk only gets greater as your business grows.

Neutralising the threat

So how do you stop your files from being held hostage? For starters, it’s imperative that businesses develop a ‘culture of untrust’, which means that all sensitive information on the inside needs to be secured. Having a blanket security measure in place that protects the organisation as a whole is important, but when it comes to ransomware it’s often inside access that gives attackers the edge. You should ensure that:

  • All sensitive information is encrypted as it is transferred
  • Only employees that need access have access (tiered security)
  • Processes are in place to track and record when sensitive data is accessed

Remember that no company is too small to experience a ransomware attack. Often companies are targeted not based on their size or profitability, but their vulnerability. Cyber criminals are opportunists and will simply go for the easiest and most vulnerable business.

Collateral damage

It’s easy to think that ransomware and its effects exist solely within the business. It’s a consuming and draining process after all. However, depending on your industry there’s likely to be more collateral damage from a ransomware attack than a simple breach. There will be an inevitable effect on the relationship you have with your clients/customers and the way your brand is perceived, not to mention the added friction that can be caused as people start pointing the finger. Whose fault was it? Why did this happen? Who was managing our cyber security?

More than ever it’s important for business owners, regardless of size, to ‘own’ their risk. Risk isn’t a tangible thing, but it can be quantified by attributing value to data and putting necessary processes in place to protect it. All businesses have to balance performance with risk, and owning that risk can have extremely positive effects on the day-to-day running of your business while also making you less of a target for would-be attackers.

No business is immune from ransomware attacks. Own the risk and rise above it.
