Best Practices for IT Risk Management

Information technology professionals have an important role to play in keeping an organization’s IT infrastructure up and running, ensuring it functions smoothly and is secure.

Businesses rely on information technology systems such as computers, networks and mobile devices to carry out key business activities. There are a range of risks that can befall those systems, including:

• Hardware and software failure which can lead to data loss or corruption as well as extended periods of downtime.
• Human error including careless disposal of data, accidental opening of malicious attachments.
• Malicious software such as malware, viruses, ransomware that can disrupt computer operations.
• Scams, spam and phishing attempts via unsolicited emails that are designed to fool employees to reveal login details or personal information, or to pay for goods and services that don’t exist.
• Denial of service attacks that prevent access to company websites.
• Hackers and other security breaches where systems are accessed illegally and important data stolen.
• Staff dishonesty and fraud when computer systems are accessed to obtain illegal benefits.
• Natural and man-made disasters including fires, hurricanes, floods, terrorism, severe weather events which can pose problems for IT systems, infrastructure and data.

All of these risks can result in different outcomes for the organization, from mild inconvenience through to the utter destruction of the business, with other scenarios falling on the spectrum somewhere in between.

When risks aren’t managed effectively the results can include the inability to carry out business, financial loss, reputational loss and legal problems.
Risk management refers to a process followed by IT managers enabling them to balance the economic and operational costs of protective measures against the gains that can be achieved by investing in technology.

It is imperative that your organization takes stock of the range of specific IT risks that could befall it, and implements strategies designed to mitigate this risk, founded on the best practices for IT risk management.

This includes:

1. Carrying out comprehensive IT risk assessments

Any risk assessments should assess the likelihood of an incident occurring by evaluating the threats and vulnerabilities, and the consequences of these risks being exploited such as costs to business of the impact and recovery.

2. Implement policies and procedures

Not only does it make good business sense to secure your IT systems and data, your business also has legal obligations to ensure data is secure to protect your customers’ privacy.

It is essential your business has policies that comply with these laws, outlining how your business collects uses and stores data, restrictions on sharing with third parties and so on.

Your organization should also have defined procedures around the use and accessing of IT systems and data, backing up of data and protection of data. These should cover both employees and contractors alike.

Your policies and procedures should also clearly outline any steps that your employees should take to ensure that your company data is kept safe and secure at all times. These should be easy to follow and act on and should be kept in a place, such as a company intranet site, where employees can easily access them at any time.

3. Complying with any legal requirements

There are many different legal requirements that organizations must abide by depending on which jurisdiction(s) in the world they operate in. It is critical that your organization is familiar with any legal , legislative and regulatory requirements from an information technology and data security perspective and put processes in place that are designed to comply with these requirements.

4. Ensure your cyber security is top notch

As cyber security is one of the biggest IT risks to your business, it’s critical that you take all necessary steps and precautions to ensure that threats and risks to IT systems and data are minimized and you have measures in place to protect systems from hackers and other cyber criminals.

This should include:

• Ensuring your computers, servers and wireless networks are secure.
• Using anti-virus software with up-to-date virus definitions as well as firewalls.
• Keeping software patched and up-to-date, always ensuring you are running the latest versions.
• Keeping passwords secure.
• Educating employees about cyber security and their responsibility to keep your company’s systems and data safe and secure.

5. Creating a secure online presence

This is particularly important for businesses that carry out commercial transactions online such as via their website or online banking.

You should ensure that these transactions are carried out as securely as possible such as by using secure socket layer (SSL) technology that encrypts transaction data. Any web hosting solutions your company uses should be capable of supporting this protocol.

6. Induction and ongoing training of employees

When new employees join your organization, it is important that they are taught about your IT policies and procedures and any codes of conduct that are expected of them.

You should also carry out ongoing cyber security awareness training for all employees, including offering refreshers. This can include things like not opening suspicious emails, being aware of phishing, the importance of keeping passwords safe, why privacy is important, what to do if there is an online security breach and so on.

7. Procedures and protocols to follow in an information technology incident

Should the worst happen, you need to be prepared to respond quickly. It can affect both how your business recovers from the incident as well as your customer and stakeholder relationships.

You should prepare IT incident response plans, emergency response plans and recovery plans in advance that serve as a roadmap for you to tailor and follow during and after an incident.

These should be clear, easy-to-follow steps that you take in the wake of a crisis in order to mitigate the effects or the damage. It can include things like how to notify staff, such as using DeskAlerts to quickly inform your employees of a security breach, communications plans, contact lists and so on.