Risk Assessments: Checkup Checklist

Rating your client’s risk profile from threats to their data infrastructure (and business!) should never be a do-once-and-forget task.

  • August 24, 2021 | Author: Todd Hyten


Rating your client’s risk profile from threats to their data infrastructure (and business!) should never be a do-once-and-forget task. Everyone knows it’s a risky world for data security, storage and protection. Some risks grow only slowly over time, which makes them easy to overlook and is exactly why periodic re-evaluation matters. 

A company may not even have weather-related disasters on their radar until they realize a service supplier’s servers are in a region threatened with wildfires. Another may be confident in its new hybrid infrastructure, but unaware their on-premises servers are approaching the end of their useful lifetime. 
 
Even if the risk assessment is not something you share with your client, updating a client’s risk profile may help you adjust your offerings and solutions. Here’s a checklist of risks that can greatly affect the type of data solutions you offer.
 
Human Error: This should be at the top of your list because it ties in with most of the other threats. You may think of “human error” as a data-entry mistake such as overwriting a file, but clicking on a phishing link is human error too, and it is how many attackers obtain the stolen passwords and identities they use to get into a system. To assess this risk, find out how often employees receive security awareness training and simulated phishing tests, and whether anyone tracks the results. 
 
Insider threats: The ways to mitigate insider threats sit close to IT procedures and policies, which makes evaluating an organization’s effectiveness difficult, but not impossible. If there’s one identity security practice that has risen in importance, it’s two-factor authentication. It’s still a relatively low-tech tactic but can be very effective, particularly against outsiders using stolen credentials; against an insider who already holds legitimate access it needs to be paired with least-privilege access rights and logging of who accessed what. 
 
Ransomware/Cyberattacks: Assessing any organization’s ransomware exposure is difficult. In fact, it’s so hard that the best strategy is to ensure data can be recovered in the worst-case scenario. Whether you are a solution provider or an MSP, evaluate the client’s security practices and rate their readiness for a full data recovery: are there backup copies the ransomware cannot reach, and has a full restore actually been tested, rather than just the backup job? A cybersecurity plan without a data recovery plan is only half complete, at best. This blog identified some key questions you should ask your client about their readiness. 
 
Natural Disasters and Outages: Assessing natural disaster threats isn’t that hard; a good insurance company will have data on regional weather and other natural hazards. However, a natural disaster vulnerability can hide in your client’s supply chain of service providers and vendors: outages. In a survey earlier this year conducted by the Uptime Institute (a data center industry advisory organization), 59 percent of data managers said they think there will be more IT service outages as a direct result of climate change. Check your client’s most critical vendors and compare their uptime records with their geographic location.
 
Hardware failures: The cloud solution that many companies are embracing is hybrid architecture: a mix of on-premises data centers and public or private clouds (and often both). This has too many benefits to list here, but some things never change. The life expectancy of the average server is still typically three to five years, according to the Great Lakes Electronics Corporation. Much depends on use and configuration, of course, but few companies have many machines sitting idle in low use, so most of a client’s on-premises servers are aging at that rate. Ask when each server was purchased and which ones are approaching the end of that window. 
