6 Areas to Control IT Risk Management: Strategies and Best Practices

What is risk management? 

Business school academics have varying definitions of risk and risk management, but for our purposes the concepts are fairly simple. Risk is the negative uncertainty that comes from any potential loss. Risk management is the collection of activities a business undertakes to mitigate, avoid, and transfer the losses that might damage the business due to some negative event.

Background:

Why is risk management gaining greater visibility? As noted, risk management isn’t new. However, the last few decades have seen the United States face major catastrophic events: Hurricane Katrina in 2006, the terror attacks in 2001 and now the COVID pandemic in 2020. All have brought to the fore the consequences for businesses that are unprepared, as well as the reality that very bad things can happen.

Globalization has also shown that distance does not shield us from the consequences of faraway events. The earthquake and subsequent tsunami that hit Japan in 2011 reminded manufacturers and businesses in the United States about the consequences of their reliance on long supply chains and just-in-time inventory.

Another new threat that has alerted even the smallest firms to their vulnerability is technological. For a small firm, a major man-made or natural disaster may seem too distant to distract management from day-to-day operations, but the emergence of cyber threats, ransomware, hacking and data theft has really hit home for every organization out there. Even smaller firms totally focussed on making it day-to-day are taking notice of this threat.

So why are we addressing Risk Management?

Because every firm needs to make plans if something bad happens. It could be a fire, flood, hurricane, extensive power or broadband outage, even an act of terror, but any of these events could affect your IT infrastructure or capacity to connect to it. And many smaller firms fail to recognize how reliant they are on their IT infrastructure.

Here are six areas to consider:

1. Data storage and cloud backups 

If your data is stored and backed up on-site, you may be exposing your business and customer data to an entirely unnecessary vulnerability. On-site data storage and backups expose your business to serious risk.

First, if you are storing data on-site, this means you maintain full responsibility for securing that data against theft, cyber attacks and ransomware. That is quite a responsibility and requires diligence and skill on the part of your IT staff. Data breaches represent a serious liability. You lose the trust of your customers if their data is compromised and you may be liable for penalties for a data breach (think HIPAA and the new GDPR, both of which carry extensive fines).

Data breaches also represent a bad mark on your brand that cannot be easily polished away. Victims of data theft have long memories.

Second, on-site storage and backups mean that if some disaster happens on-site, your data may be permanently lost, or at least temporarily inaccessible. Neither of these is a good option.

Third, on-site backups represent a responsibility for handling backups on a routine basis. Outsourcing that responsibility to a cloud provider eliminates the risk of a failed in-house backup.

Moving data storage and backups to the cloud means that no matter what happens to your physical location, your data is safe and immediately accessible from anywhere. 

2. SaaS – Software as a Service

How does this help manage risk in case something happens?

SaaS is a great innovation. You may be used to buying a software program and downloading it to a PC. You may even buy a package deal that gives access to everyone in your organization. However, there is a hitch in this software purchasing model. Those software programs are living in a particular piece of hardware. If that hardware is lost, stolen, inaccessible due to geographical events, or just plain wears out, accessibility to the data contained may be compromised. You buy a new laptop and you have to buy new software access to Word, etc.

Short story, your software access is tied to a piece of machinery. SaaS ends that. You buy online access, so it doesn’t matter where you are or what happens to your laptop, desktop, building or office; you can still log in and get back to work.

3. VoIP (Voice over Internet Protocol)

This is an interesting option. You may have the standard PBX system that handles switching calls that are directed within your physical organization, and it may even allow call forwarding, but that is all it usually permits. VoIP systems allow dramatically aggressive approaches to call forwarding, including time windows. This makes it easier to maintain voice connections even if access to a physical site has been blocked. VoIP also offers many innovative features such as voice-to-text and voice-to-email that can increase productivity.

4. Uninterruptible power supplies (UPS) and surge protection  

Don’t forget the obvious. Risk management means looking at one of the key risks any business faces: power interruption.

What would you do if a long term power event occurred?

Could you just tell your customers “oops-sorry?”

That won’t likely work out very well. There are uninterruptible power supply systems using battery support, natural gas and other fuels which can provide support for as long as is needed. Contact a managed services provider to discuss in-house UPS management. 

5. Antivirus software and network protection 

One of the risks you face these days is one that is most likely to damage your brand. It is the one most likely to deeply undermine customer confidence and trust.

That risk is a data breach.

If you experience some form of data breach where your clients perceive their data has been compromised, your brand is damaged permanently. More importantly, you are likely liable for the financial consequences of a data breach. Make sure that your systems are protected by the latest antivirus software and that you are consistently updating it. New viruses appear every day, so outdated antivirus software is less likely to protect you. 

A managed service provider can provide tips and guidance on training your employees about data security. 

6. Employee training 

Lastly, one of the tools of risk managers is risk avoidance. Avoid getting into trouble in the first place. Training employees about their responsibility for data security is critical.

One of the primary ways that hackers and thieves gain access to corporate data is through employee error. Every employee should be trained on proper password behavior. Simple guidelines about changing passwords frequently and never sharing passwords are basic but important first steps.

Additionally, employees need to be trained to identify fake websites and phishing scams. Opening emails with bad attachments and links is a principal source for entry into company accounts and databases.

A managed service provider can provide tips and guidance on training your employees about data security. 

In summary, small businesses need to be aware of the risks that exist out there and make plans so they are not caught flat-footed when disaster strikes. It is especially important for smaller firms to be aware of this, because they are the least likely to have the deeper pockets to be able to rebound after a catastrophic event hits their business.

A managed service provider is an excellent resource for developing a risk management plan for your IT infrastructure. 

Next steps

NetOne Technologies is a Managed Service Provider expert in network design, disaster recovery, VoIP and IT risk management and offers assistance with all of your technology needs.

For the past 20 years, as President and Technical Director of NetOne Technologies, my team has brought companies the connectivity, security, and network infrastructure to be successful in today’s changing world.

Do you have a business continuity/disaster recovery plan in place?

Are you managing risks to your IT?

I invite you to have a 15-minute conversation. Whether or not we decide to collaborate, I’m confident I can offer insights that can help you find the right solution for your needs. Please click here to book a call with me.
