08/12/10

By Graham Fern, Technical Director of IT solutions provider axon IT in Cheshire

We all take risks. We probably wouldn’t be business owners to begin with if we didn’t. But like any aspect of running a business, risks have to be carefully managed if we are to get the balance right and be successful.

When it comes to IT, most businesses are dependent, yet many people do not place technology high enough up their list of priorities and as a result, put their business at unnecessary risk.

Let me explain.....

Risk management is the discipline of identifying, monitoring and limiting risks. The process can be broken down into the following stages;

•Identify assets and which are critical

•Identify and assess threats

•Assess the vulnerability of critical assets to specific threats

•Determine the risk

•Identify ways to reduce those risks

•Prioritise risk reduction measures

This all makes sense as an overall “big picture”, but how do we now optimise these guidelines to produce a thorough risk assessment on a business’s IT infrastructure, and the systems that run on it?

The first question to ask when conducting this type of assessment or audit, is how important IT is to the business in question?

Ask any business owner that question directly, and they’ll state that IT is vital and they cannot accept any associated risk. This first question needs to be impartial, as setting a goal of no risk is unlikely to be reached, and will have considerable cost implications.

In reality, I never ask this question. Nor is it one I expect an answer to. The answer is more of a feeling that builds up as the discovery process unfolds. Once I’ve assessed and analysed a business, I am able to tailor any solution relevant to risk versus cost, as it is nearly always a balance of these two factors.

I will now translate the points above into the IT world, and some of the key areas that should be considered during an IT risk assessment.

•Physical IT Assets (server, desktops, laptops)
Compile a list of these devices, then assess the effect of each item from the list below, and the possible knock on effect to the business and its continuity:

o Theft (physical security)

o Fire or excessive heat

o Water or excessive damp

o Equipment failure or damage

•Software Assets (databases, business applications, bespoke software)

Again, compile a list of applications or software systems that your business uses day to day, and then look at the list below and consider the impact on each point.

oTheft of data (through poor data security or a disgruntled employee being malicious)

oSoftware failure (be it a business database or other application)

oAccidental data deletion or corruption

oData being unavailable due to physical equipment failure

oData security (who can access what and from where)

By looking at these two key areas you will be able to form opinions about importance and risk. What are the chances (or risk) of a fire or a flood? What about theft?

We now have to attribute the chances of these incidents occurring, and decide upon the percentage of that risk are you willing to accept. This decision will in turn expose the likely cost implications that will arise in order to meet the requirements.

So, if you think your business premises are at particularly high risk of theft, and you decide to accept that theft is a possibility, then you are almost certainly going to need to bolster physical security and ensure that you have a robust backup solution that takes the data off site. Both of these simple sounding solutions however, could attract considerable cost.

The average SME will have tight financial constraints that mean they have to accept some risk. They have to deal with the reality of day to day risk, which normally presents itself as data loss through hardware failing, data corruption or accidental data deletion.

Here are some suggestions to a simple blanket solution that turns a blind eye to the more exceptional risks, but covers the likely events:

•Ensure all hardware - particularly servers - had good manufacturer’s warranties. Typically this would be 3 years cover with a 4 hour response or next business day at least.

•Ensure all business critical software has support from the suppliers and be clear what the support offered actually includes.

•Protect all vital physical equipment from theft.

•Protect key equipment from electrical surges or outages - a regular occurrence across the UK.

•Backup key data. This is a complete subject in its own right, but a good disaster recovery plan is vital and it must be multi layered (i.e. don’t rely on one system). Remember though, a backup is only as good as the last restore!

•Protect system administration. Ensure that you either have qualified professional IT staff, or use an industry certified outsourced IT support company, who can maintain system integrity and security to ensure no risk is presented through viruses, spyware, hacking or incorrect access to data. Ensure you have a service level agreement with your IT department — whether in-house or external, so you know the likely response times in the event of things going wrong.

•Consider Cloud Computing solutions. By placing critical data and systems in the Cloud — a highly available, secure, fire protected environment. — you almost completely eliminate the traditional low percentage chance but high risk losses like fire, flood and theft.


IT risk management is largely common sense, but it is crucial that you seek the right IT professionals to help guide you through the possible scenarios and the solutions.

Get it right, and the result is a well-balanced solution which protects your business from the biggest risks, without costing you an arm and a leg. Get it wrong, and not only could you end up out of pocket, but out of business as well.