Almost all businesses are dependent to some degree on their IT systems and the data stored on them. Managing the risks of IT loss or failure is essential - a major incident can be extremely costly or impossible to recover from
Assessing your IT risks
Understanding the risks helps you decide what sort of protection you should put in place. Assessing the potential impact of a problem also gives you an idea of how much it's worth spending.
Typical risks include:
- equipment theft;
- damage or destruction in a fire, flood or water leak;
- accidental damage;
- hardware breakdown;
- data theft;
- accidental or malicious data disclosure;
- data deletion or corruption;
- software or cloud provider failure;
- inability to access systems because of power loss or problems with internet connections;
- harming systems or data belonging to others.
Some systems are more at risk than others. For example, laptops, tablets and smartphones can be tempting targets for thieves, and can be particularly vulnerable outside the office. Businesses in sectors like finance are attractive to cyber attackers.
Bear in mind that while equipment can be replaced, data loss can be very problematic. Losing sensitive personal data, such as customers' personal information and credit card numbers, can cause severe damage to your reputation, as well as leading to regulatory action and even lawsuits under GDPR.
And if data has not been backed up, it can be almost impossible to restore.
Relatively simple steps can significantly reduce your level of risk. These typically include:
- physical security for IT equipment;
- controlling access to systems using secure passwords;
- anti-virus software and firewalls;
- keeping software up to date;
- ensuring sensitive data is encrypted;
- making sure you have a robust system for backing up data.
Proper training and clear procedures can have a major impact. For example, employees should be aware of the risks if they install untested software on your system, click on links or download attachments from emails, or transfer confidential information onto a mobile device.
If you don't have in-house IT security expertise, you may want to take advice from an expert. You can also find free advice on online safety at Get Safe Online.
The government-backed Cyber Essentials scheme helps businesses reduce their vulnerability to cyber threats, and demonstrate that they are doing so. Having a Cyber Essentials badge is a requirement for some government contracts.
Planning for IT incidents
No matter how good your security and other IT procedures, it's impossible to eliminate IT risks altogether.
Insurance can help offset some of the risks. You should be aware that standard contents insurance is unlikely to provide full cover, particularly for incidents such as cyber attacks. You may want more specialised IT insurance.
It's also worth working out a disaster recovery plan in advance, so that you can minimise disruption and loss if the worst happens. Key issues to consider include:
- Where would your business operate from if your premises were flooded or burnt down?
- How would you work if equipment was stolen or damaged? How quickly could you replace it?
- How could you access backed-up data from replacement computer systems?
- Have you tested your back-ups to check they would actually work?
- What arrangements have you got with IT support companies to help in case of emergency? How quickly will they respond?
- Would you be able to connect to services like email and cloud-based software?
- What actions would you take if there was a major data breach? How would you deal with customers and regulators?