IT risk management for small business owners is challenging: it requires continuous monitoring and adjustment, as well as regular review and planning. Most small business owners lack the time and experience to maintain effective IT risk management strategies in house.
Yet in today’s world, IT risk management is an essential part of running a successful business and working across supply chains and industry channels.
In this post we provide a broad overview of IT risk management tips for small business owners who wish to DIY it, or tips that can be used as a guideline when searching for a local IT Support Company to outsource to.
Let’s begin with a visual overview.
[Image: high-level overview of IT management focus areas.] Each area offers some examples of tools, processes, and policies to consider, including:
- Decision Making
- Governance & Compliance
Cyber threats are a real and constant threat to businesses of every size. Small businesses are targeted every 11 seconds.
Hence, your IT management planning must include security, prevention and continuity if things go sideways. Day to day workflows must be considered as well. Every successful business is good at managing productivity, efficiency and making collaboration as frictionless as possible.
Overall, IT management involves making decisions, setting up processes, and managing data. You check your results every so often, take in new information and course correct. It is a continuous process without an end. Here are tips to steer you in the right direction.
Decision making covers the products and services that help you make better decisions about your business. QuickBooks reports, Power BI dashboards, Google and marketing analytics, cyber threat monitoring reports, consulting and other services are often starting points to address needs. Decision making is at the top of the IT process in terms of value to an organization. Good data is essential to decision making.
You likely already have processes in place for decision making pertaining to revenue, finance, budgeting and marketing. Now it’s time to collect data that will help you with IT management. Some data you may want includes:
→ A current and always up to date list of all active email and user accounts (because inactive accounts are a common source of cyber attacks)
→ A current list of all devices in use along with their age, operating system and capacity. This will help you with device lifecycle management and budget well in advance for replacing computers as they age.
→ A list of apps approved for use by your staff and a process for getting approval to install any application not on the list. Many applications and browser extensions contain malware or have security vulnerabilities, so it is important that your staff are not in the habit of installing software on their devices without approval.
→ A process for vetting and approving applications for installation.
→ A documented process for onboarding new staff members and offboarding exiting employees, including adding them to and removing them from your email and IT systems.
→ A process for ensuring all computers are up to date with antivirus updates, security and operating system updates, and how to process alerts that arise.
→ A process to assess your IT security risk on a regular schedule, and use the data to decide on risk management and mitigation processes and policies across your organization. This may include policies such as no USB devices allowed to connect to computers, no personal devices allowed to connect to work email accounts and so on. It may also determine the type of cyber insurance policy you purchase.
This is not an exhaustive list, but we hope it gives you direction for the decision making portion of your IT management planning.
Some of the items above can be handled with a simple spreadsheet. Others require specialized IT knowledge and IT security policies to be set across your fleet of devices. It’s easy to see why more small businesses choose outsourced IT management services, and that may be something you want to consider now as well.
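As an added illustration (not code from the original post), here is how the spreadsheet-style data from the list above can be checked automatically: it flags active accounts that have not logged in recently, devices past their replacement age, and software installed that is not on the approved list. The account, device and application data below is constructed for the example, and the 90-day and 4-year thresholds are assumptions you would set for your own business.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory for illustration only (not real accounts or devices).
ACCOUNTS_CSV = """user,status,last_login
alice@example.com,active,2024-05-01
bob@example.com,active,2023-11-12
contractor@example.com,active,2023-09-30
"""

DEVICES_CSV = """hostname,os,os_version,purchased
LAPTOP-01,Windows,11,2023-02-10
LAPTOP-02,Windows,10,2019-06-15
DESK-03,macOS,14,2021-03-01
"""

# Approved-application list and what is actually installed (both constructed).
APPROVED_APPS = {"Microsoft 365", "Google Chrome", "Zoom"}
INSTALLED_APPS = {
    "LAPTOP-01": ["Microsoft 365", "Google Chrome"],
    "LAPTOP-02": ["Microsoft 365", "CoolPDFConverter"],
}

# Fixed report date so the output is reproducible; use date.today() in practice.
REPORT_DATE = date(2024, 6, 1)


def stale_accounts(csv_text, today=REPORT_DATE, max_idle_days=90):
    """Accounts still marked active whose last login is older than max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["user"] for r in rows
            if r["status"] == "active" and date.fromisoformat(r["last_login"]) < cutoff]


def aging_devices(csv_text, today=REPORT_DATE, max_age_years=4):
    """Devices older than max_age_years, as candidates for the replacement budget."""
    cutoff = today - timedelta(days=365 * max_age_years)
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["hostname"] for r in rows if date.fromisoformat(r["purchased"]) < cutoff]


def unapproved_software(installed, approved):
    """Per host, the installed applications that are not on the approved list."""
    return {host: sorted(set(apps) - approved)
            for host, apps in installed.items() if set(apps) - approved}


if __name__ == "__main__":
    print("Stale accounts:", stale_accounts(ACCOUNTS_CSV))
    print("Aging devices:", aging_devices(DEVICES_CSV))
    print("Unapproved software:", unapproved_software(INSTALLED_APPS, APPROVED_APPS))
```

Exporting the same three lists from your identity provider and device management console on a schedule turns this into the recurring review the list above calls for.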
Collaboration covers the products and services that you use to work better together internally or with your external customers. Line-of-business applications, CRMs, Microsoft Teams, Cloud PBX, conference rooms, conferencing solutions and training are often starting points to address this need.
For years, workplace technologies have focused on the individual, from personal computers to individual workstations to a user’s spreadsheets and so on, catering to employees working largely in isolation. However, nearly everything of value in business requires employees working together to achieve shared results.
As companies become more dispersed physically, software designed for individual tasks does little to help. Collaboration tools bring companies together internally and help them achieve closer and more profitable relationships with clients.
Some areas to focus on with your IT management may include:
→ A review of collaboration across your organization. What is working? Where can bottlenecks be improved?
→ A list of approved collaboration tools and apps and their main features shared with all staff.
→ A documented process for when and how to share files with staff members based on job role.
→ A documented process for when and how to share files with clients, how to revoke access if needed, how to label shared files if needed etc.
Productivity covers the products and services that help you get more done with less effort or resources.
Google Workspace or Microsoft 365, with their rich sets of features and applications, are often the starting point to address productivity needs. Either is a key part of an IT stack that helps businesses get the most from their investments in people and processes.
Remote work and mobile work are productivity enhancers, however they must be balanced with IT security processes to protect your data.
Automated patching and security updates are an effective way to keep systems current without manual effort.
Automated file clean-ups, download deletions and email archiving help keep systems working smoothly and avoid corrupt profiles, downtime and other productivity killers.
What other areas can you explore in your own business to enhance productivity?
Governance & Compliance
Governance & Compliance covers products and services that help you:
- granularly manage data
- improve data security
- reduce risk for your customers
- mitigate risk for your organization
- meet your compliance requirements
Governance & Compliance can range from basic consumer protections all the way through complex industry regulations. Governance & Compliance helps your company ensure it meets its internal policies for employee behavior, as well as its obligations involved with potential litigation and regulatory audits. In fact, every jurisdiction and industry has compliance requirements. Is your company addressing them?
We’ll talk about IT compliance today. IT compliance policies can be self-assigned to protect your business, or dictated by your regulator or professional body. Some areas of IT compliance management to explore may include:
→ Cyber awareness courses for all staff, every year.
→ Acceptable use policies signed by all staff that outline policies for internet and email use.
→ Threat monitoring software.
→ Threat reduction and encryption technologies.
→ Data monitoring policies.
→ Document and data classification, labelling and loss prevention.
→ Security Information and Event Management (SIEM) tools (log analytics that provide visibility into cyber events).
→ Processes to address security incidents.
→ Regularly scheduled technical assessments and audits to ensure integrity of governance and IT compliance management.
Every business is unique; however, all IT compliance frameworks have the same fundamental underpinnings.
Governance & Compliance is not just a burden imposed by governments; it is a way to minimize the expense and risk of running a business.
Business Continuity Planning
Continuity is a critical layer of the IT management planning process that protects your business from the unexpected.
Continuity covers products and services that protect your business against Internet outages, malware, natural disasters, employee accidents and other threats that can make it impossible for your business to operate for hours, days and sometimes even months.
Backup services and cloud infrastructure are often starting points to address this need. If you have your server data backed up, but your office flooded, you will need to first dry out the office, purchase a new server, have the server configured, and then restore data from backup. As you can see, continuity planning is more than just having data backup in place.
Business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to permit ongoing operation, before and during execution of disaster recovery.
Think about all the ways your company interacts with and serves clients. Now think about how you could continue to do that if your internet went down. What if a fire destroyed your office? What about a ransomware infection locking your server files? What do you do when your information technology stops working? This is what continuity planning requires you to address.
Here is another helpful post that will help you create and document your business continuity plan.
IT Security Planning
Security covers the products and services that protect your personal, client, financial and business data from hackers, rogue employees and sometimes even competitors.
Unfortunately, security has become the most important layer of the IT stack. Cybercrime is a multi-trillion-dollar industry. Ransomware damage alone is over $11 billion a year.
Cybercrime is real and every company and user is a potential target. Huge data breaches at larger companies provide mailing lists for hackers. If any email address at your company was scooped up in one of these breaches, it is almost guaranteed that the address will be targeted.
Over 90% of all attacks occur via email, but other techniques can be just as successful. That’s why it is important to have and maintain multiple layers of security to protect users in the office and when they work from home or the coffee shop.
Your IT security planning should include listing the various layers of security you will need, vetting options, implementing the tools, monitoring the alerts and reports, and actioning tasks that require hands on deck.
Antivirus alone is not enough. You truly need multiple layers of security at the domain level, the email level, the network level, the user authentication level, the file storage level and so on.
It is best to consult with an IT security services provider to assess your needs and create and manage a plan for you.
A new staff member starts tomorrow. Will their IT setup take a day or two, or under an hour?
Is the process standardized and repeatable or haphazard?
Is efficiency balanced with security across your organization? What inefficiencies can you improve on in your business?
IT efficiency covers the products and services that make your business more productive using computers, servers and cloud applications, and how effectively you deploy and use them.
Tools such as Microsoft Intune allow you to standardize data governance and user profiles and automate new computer setups so that new staff can start with the right technology and permissions in place as soon as they clock in on day one. Manual user provisioning processes are clunky, time consuming, irregular, undocumented and have no security built in. Automating with Intune brings significant efficiency and security benefits.
COVID accelerated adoption of mobile and remote work, which can improve efficiency in an organization. Remote work can also increase security risks if not planned and deployed with appropriate checks and balances in place. Microsoft Intune is just one tool you can use to improve both efficiency and security. Azure Virtual Desktop is another. Here is a comparison of Microsoft Intune versus Azure Virtual Desktop.
Adoption of either strategy will require the help and retention of IT professionals but doing things the old way will leave your company behind the competition.