Online security risk assessments for your business

Do an online security risk assessment for your business

An online security risk assessment is something every business should do. Knowing the risks your business faces can help you prevent — or recover from — an online security incident.

What it is

A risk assessment helps you understand the online security risks to your business processes, systems and data, and put a plan in place to mitigate them.

Why it matters

It's easier than ever to run your business online – which means it's easy to access your business information online too. Your business might:

  • have a public website and a social media presence
  • allow staff to use personal devices to access the business network
  • have employees who travel often and need to use public wireless networks.

Having data and systems that are reachable over the internet means anyone on the internet can attempt to access them — not just you and your staff.

It's important to consider online security risks alongside the other types of risk your business faces. This will drive the decisions you make around your use of technology.

How to protect your business

Here's how to assess your business's online security risk.

Know your systems

Systems can be:

  • external systems that you access through a web browser – for example, Xero or Gmail
  • internal systems that you host and manage yourself – for example, if you have a business that prints t-shirts, the software that runs the printing machine would be an internal system.

It’s hard to assess everything at once. Start by considering which systems are most important to you. Focus on the systems that are critical to your business running, and the systems that store data. This could be systems that store customer details, or systems that process payments.

Identify threats and vulnerabilities

When you’ve identified what your most important systems are, you can work out what kind of threats they face.

For most businesses, the threat of an untargeted attack against a system that’s accessible over the internet is quite likely. For example, attackers might:

  • scan your business’s web server, using automated tools made to find known vulnerabilities
  • attempt to access your web mail account using a database of compromised passwords.


You may want to hire a security professional to help you document threats, to make sure you don’t miss anything.


Not all threats and vulnerabilities are malicious. For example, one of your employees could accidentally delete or modify some of your data. This might be human error rather than anything sinister, but it’s still important to consider.

Identify the risks

A risk is the potential for a threat or vulnerability to damage your data or systems. You can break your security risks down into three categories:

  • confidentiality – meaning that your system or data is no longer secret. Privacy of personal data (like customer details) is a type of confidentiality risk
  • integrity – when your system or data is no longer accurate
  • availability – when systems or data are unavailable.

Common security risks for businesses include unauthorised access, leaked information, and production stopping. For example:

  • if an attacker was scanning for vulnerable web servers and noticed that yours was missing a patch, they could exploit it. They could access your server and use it to host malicious content like malware or phishing pages. That would be an integrity risk, as the attackers could make changes to your web server without your permission
  • if an attacker was able to access your web mail, they could use it to collect sensitive business information. This is a confidentiality risk. They could also direct your clients to make payments into their bank account instead of yours. That would be an integrity risk.

Remember that risk is always going to be a trade-off. There will be some risks you have to accept, and some you can manage so the risk is not as high. You need to find the balance that’s right for you.

Be aware that your balance of risk will change over time. As you learn more about your systems, and the different threats they're susceptible to, you may find that your risks change.

Define the impacts

Next, you need to think about the impact of these risks — how they'd affect your business if they happened. Impacts are usually:

  • operational
  • reputational
  • financial, or
  • technical.

For example, if an attacker:

  • compromised the printing software at your t-shirt printing company, that would be an operational impact
  • got access to your customer data and leaked it, the impact would be reputational.

When you’ve documented the impact that each risk would have on your business, give each one a rating:

  • Low – there would be minimal impact on your business if the risk happened.
  • Medium – the risk would cause some damage to your business, but you’d recover.
  • High – the risk would cause lasting damage to your business.

CERT NZ's quarterly reports show the type of incidents that affect businesses across NZ. Take a look at them — they'll show you examples of the type of risks your business may face too.


Define prevention and recovery options

Once you know what your risks are, and the impact they’d have on your business, start working out:

  • how you could prevent the risks from happening, and
  • how your business could recover from an incident.

Think about what’s critical to your business running, and what’s important. Based on that, you can start to define what you (and your staff) can do to prevent, or mitigate, the risks. Talk to your IT service provider too — see how they can help you prepare.

You’ll need to think about things like:

  • putting a mitigation plan in place, to make sure you’re prepared for any of the risks happening
  • talking to your staff about the risks the business faces, and what they can do to keep the business secure
  • creating an incident response plan, so you’re prepared in the event of an attack.


Make sure you revisit your risk assessment from time to time and check to make sure it’s still accurate.