Managing incidents
Ngā tiro tūraru haumarutanga tuihono mā tō pakihi

Do an online security risk assessment for your business

An online security risk assessment is something every business should do. Knowing the risks your business faces can help you prevent — or recover from — an online security incident.

What it is

A risk assessment helps you understand the online security risks to your business processes, systems and data, and put a plan in place to mitigate them.

Why it matters

It's easier than ever to run your business online – which means it's easy to access your business information online too. Your business might:

  • have a public website and a social media presence
  • allow staff to use personal devices to access the business network
  • have employees who travel often and need to use a public .

Having data and systems that are accessible via the internet means that anyone can access them — not just you and your staff.

It's important to consider online security risks alongside the other types of risk your business faces. This will drive the decisions you make around your use of technology.

How to protect your business

  • Know your systems

    Systems can be:

    • external systems that you access through a web browser – for example, Xero or Gmail
    • internal systems that you host and manage yourself – for example, if you have a business that prints t-shirts, the software that runs the printing machine would be an internal system.

    It’s hard to assess everything at once. Start by considering which systems are most important to you. Focus on the systems that are critical to your business running, and the systems that store data. This could be systems that store customer details, or systems that process payments.

  • Identify threats and vulnerabilities

    When you’ve identified what your most important systems are, you can work out what kind of threats they face.

    For most businesses, the threat of an untargeted attack against a system that’s accessible over the internet is quite likely. For example, attackers might:

    • scan your business’s web server, using automated tools made to find known vulnerabilities
    • attempt to access your web mail account using a database of compromised passwords.

    Common risks and threats for business

    You may want to hire a security professional to help you document threats, to make sure you don’t miss anything.

    Choosing an IT service provider

  • Identify the risks

    A risk is something that could damage your data or systems – caused by a threat or . You can break your security risks down into three categories:

    • confidentiality – meaning that your system or data is no longer secret. Privacy of personal data (like customer details) is a type of confidentiality risk
    • integrity – when your system or data is no longer accurate
    • availability – when systems or data are unavailable.

    Common security risks for businesses include unauthorised access, leaked information, and production stopping. For example:

    • if an attacker was scanning for vulnerable web servers and noticed that yours was missing a patch, they could exploit it. They could access your server and use it to host malicious content like malware or phishing pages. That would be an integrity risk, as the attackers could make changes to your web server without your permission
    • if an attacker was able to access your web mail, they could use it to collect sensitive business information. This is a confidentiality risk. They could also direct your clients to make payments into their bank account instead of yours. That would be an integrity risk.

    Remember that risk is always going to be a trade-off. There will be some risks you have to accept, and some you can manage so the risk is not as high. You need to find the balance that’s right for you.

  • Define the impacts

    Next, you need to think about the impact of these risks — how they'd affect your business if they happened. Impacts are usually:

    • operational
    • reputational
    • financial, or
    • technical.

    For example, if an attacker:

    • compromised the printing software at your t-shirt printing company, that would be an operational impact
    • got access to your customer data and leaked it, the impact would be reputational.

    When you’ve documented the impact that each risk would have on your business, give them a rating:

    • Low – there would be minimal impact on your business if the risk happened.
    • Medium – the risk would cause some damage to your business, but you’d recover.
    • High – the risk would cause lasting damage to your business.
  • Define prevention and recovery options

    Once you know what your risks are, and the impact they’d have on your business, start working out:

    • how you could prevent the risks from happening, and
    • how your business could recover from an incident.

    Think about what’s critical to your business running, and what’s important. Based on that, you can start to define what you (and your staff) can do to prevent, or mitigate, the risks. Talk to your IT service provider too — see how they can help you prepare.

    You’ll need to think about things like:

    • putting a mitigation plan in place, to make sure you’re prepared for any of the risks happening
    • talking to your staff about the risks the business faces, and what they can do to keep the business secure
    • creating an incident response plan, so you’re prepared in the event of an attack.

    If you've had an online security incident

CERT NZ's quarterly reports show the type of incidents that affect businesses across NZ. Take a look at them — they'll show you examples of the type of risks your business may face too.

CERT NZ’s quarterly reports – CERT NZ
Photo of a woman's hands holding a mobile phone with webpage showing the words Your business action plan.

Business online security assessment tool

Get a free customised action plan that will help you and your business become more secure online.