What it is
A risk assessment helps you understand the online security risks to your business processes, systems and data, and put a plan in place to mitigate them.
Why it matters
It's easier than ever to run your business online – which means it's easy to access your business information online too. Your business might:
- have a public website and a social media presence
- allow staff to use personal devices to access the business network
- have employees who travel often and need to use public wireless networks.
Having data and systems that are accessible via the internet means that anyone on the internet can potentially reach them, not just you and your staff.
It's important to consider online security risks alongside the other types of risk your business faces. This will drive the decisions you make around your use of technology.
How to protect your business
Here's how to assess your business's online security risk.
Know your systems
Systems can be:
- external systems that you access through a web browser – for example, Xero or Gmail
- internal systems that you host and manage yourself – for example, if you have a business that prints t-shirts, the software that runs the printing machine would be an internal system.
It's hard to assess everything at once. Start by considering which systems matter most to you. Focus on the systems that are critical to keeping your business running, and the systems that store data, for example systems that hold customer details or process payments.
Identify threats and vulnerabilities
When you’ve identified what your most important systems are, you can work out what kind of threats they face.
For most businesses, an untargeted attack against a system that's accessible over the internet is quite likely. For example, attackers might:
- scan your business's web server using automated tools that look for known vulnerabilities
- attempt to log in to your web mail account using a database of compromised passwords.
You may want to hire a security professional to help you document threats, to make sure you don’t miss anything.