Murphy has two laws, and both apply when it comes to IT risk management. “Anything that can go wrong, will go wrong” is Murphy’s first law, which is considered accurate because, given enough time, there is a high probability that anything will go wrong. You need to be prepared for anything! Murphy’s second law states that “nothing is as easy as it looks,” and this is also true when it comes to managing business risk.
These are the two reasons why businesses look to a managed service provider (MSP) to help them identify, assess, prioritize, and remediate risks. If you are an MSP, read on and discover how you can help your clients mitigate risk and ensure the protection of their systems and data.
What is an IT risk?
IT risk is defined as the potential for loss or damage when a threat exploits a vulnerability in an organization’s information resources, including the IT infrastructure, applications, and data. It is a broad term that covers any type of risk, whether a cyber security risk, a power outage, a disaster, human error, software/hardware failure, etc.: anything that can disrupt a business that relies on information technology (IT) in some way.
What is IT risk management?
IT risk management is the process of identifying threats to a business’ IT infrastructure, assessing the risk each one poses, and comparing that risk with the level of risk the business is prepared to accept. The industry refers to this accepted level as the “risk appetite.” If the business cannot accept a specific risk, it then needs to determine whether the risk can be reduced and how.
Here are some examples of risk scenarios and the risk appetite a business is willing to assume:
- In the event of a natural disaster, a business’ email communication will be down for 24 hours. The business accepts this level of risk because the impact to the business is minimal, and disasters happen infrequently.
- In the event of an asteroid hit, the business’ offices and buildings will be destroyed. The business accepts this level of risk because the likelihood of an asteroid hit is unlikely even though the results are catastrophic.
- If a business experiences a ransomware attack, it can bring down IT operations for an indefinite period. This type of event is common and can devastate a business and the business does not accept this level of risk.
Risk management does not always mean bringing the risk to zero but minimizing the risk when the impact is big.
Why is IT risk management important?
A business needs to know and assess the risks it faces to know its weaknesses, determine if the business is overexposed, prioritize gaps, and mitigate the risk. If overexposed, a business needs to take action based on available resources and risk priorities, which are determined using the risk calculation discussed below.
The process of identifying an IT risk
The IT risk management process is a task that a business can perform in-house using either the five-step process discussed below or a standards-based methodology such as ISO 27005. This is the international standard that describes how to conduct an information security risk assessment in accordance with the requirements of ISO 27001.
These are the five steps a business should follow to identify IT risks.
1. Identify the vulnerabilities. The IT department must enumerate all known weaknesses and risks in the IT infrastructure.
2. Label and classify the organization’s data. This is a critical step because a business can only protect data if it knows what data it holds and where. This step also lets the business identify personal and sensitive data, which is the most crucial data to secure and protect.
3. Prioritize vulnerabilities. This task should be performed in a joint meeting between the line of business (LOB), which can identify the critical systems that must always be up and running, and the IT department, which can determine whether those critical services are protected. During this step, IT and the LOB also conduct a:
- Risk analysis to estimate how likely an event is, how often it is expected to occur, and what its consequences would be.
- Risk evaluation. The “formula” to calculate a risk is: Risk = threat x vulnerability x consequence. This is not a strict mathematical formula; treat it as a guideline for ranking risks against each other, with each factor rated on a simple scale (for example low, medium, high).
Here are some examples of how to evaluate risk using the “formula.”
If a business is not backing up its systems, the threat is high (over time, human error, a natural or human-made disaster, or a malicious attack is likely to bring systems down), the missing backups are a vulnerability that every one of those threats exploits, and the consequence, permanent data loss, is severe. This would be a high risk requiring immediate remediation.
The business recognizes that spam ads are a nuisance to users. While this is a common occurrence, the impact is not significant, so this would be a second priority for remediation.
On the other hand, the business recognizes that phishing attacks can steal a user’s password. This is a common occurrence, and the impact can be big, so this would be a top priority requiring immediate remediation.
4. Address the risks. Now that the business knows the risks, it must address them based on the prioritization, risk appetite, and tolerance.
5. Perform ongoing risk monitoring. Identifying IT risk is an ongoing process, as the security landscape is always changing due to both external and internal forces.
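To make the “formula” concrete, here is an added example (not code from the original article or from Acronis) that scores a small risk register with Risk = threat x vulnerability x consequence and ranks it against a risk appetite. The 1 to 5 ordinal scale, the scores assigned to each scenario, and the appetite threshold of 30 are assumptions chosen for illustration; the register itself is constructed sample data that mirrors the scenarios discussed above.

```python
"""Worked example of the qualitative risk formula used in steps 3 and 4:

    Risk = threat x vulnerability x consequence

Each factor is rated on an ordinal 1..5 scale (an assumption for this example;
the article gives no scale). Scores and the appetite threshold are constructed
sample data, not figures from the article.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed: 1 = negligible/rare .. 5 = severe/very likely


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int         # how likely or frequent the threat event is
    vulnerability: int  # how exposed the business is to that threat
    consequence: int    # impact on the business if the threat succeeds

    def __post_init__(self) -> None:
        # Reject out-of-range ratings so a typo cannot silently skew the ranking.
        for field in ("threat", "vulnerability", "consequence"):
            if getattr(self, field) not in SCALE:
                raise ValueError(f"{field} must be in {list(SCALE)}")

    @property
    def score(self) -> int:
        return self.threat * self.vulnerability * self.consequence


def treatment(risk: Risk, appetite: int) -> str:
    """Accept a risk whose score is within appetite; anything above needs treatment."""
    return "accept" if risk.score <= appetite else "treat"


def prioritize(register: list[Risk], appetite: int) -> list[tuple[Risk, str]]:
    """Return (risk, treatment) pairs, highest score first, for remediation planning."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r, treatment(r, appetite)) for r in ranked]


# Constructed register echoing the scenarios in the article (ratings are assumptions).
REGISTER = [
    Risk("No backups", threat=5, vulnerability=5, consequence=5),              # 125
    Risk("Phishing for passwords", threat=5, vulnerability=4, consequence=4),  # 80
    Risk("Spam ads", threat=5, vulnerability=4, consequence=2),                # 40
    Risk("Asteroid strike", threat=1, vulnerability=5, consequence=5),         # 25
    Risk("Email down 24h after disaster", threat=2, vulnerability=3, consequence=2),  # 12
]
APPETITE = 30  # assumed appetite: scores at or below this are accepted


if __name__ == "__main__":
    for risk, action in prioritize(REGISTER, APPETITE):
        print(f"{risk.score:>4}  {action:6}  {risk.name}")
```

Run as-is, the register prints with the backup gap and phishing at the top marked “treat”, spam ads as the next remediation item, and the asteroid and short email outage marked “accept” because they fall within the assumed appetite. The multiplication rewards fixing whichever factor the business actually controls: adding backups cannot lower the threat rating, but it drops the vulnerability rating and collapses the score.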
Best practices for managing IT risks
It is critical for a business to continuously monitor its infrastructure – including its supply chain and cloud-based applications – for new risks. For example, prior to the pandemic, the risk of data leaks and breaches from telecommuters was low because few employees worked remotely. With the mass migration to remote work in 2020, data security became a high risk, since most employees worked from home: laptops are more likely to be lost, an unattended laptop at home can be used by someone else (raising the risk of malware infection), and so on. The pandemic also created more risk as cybercriminals exploited the fear of COVID-19 to spread malware.
The business must be sure to monitor the risks associated with vendors, partners, any individuals (e.g., contractors) or any other company the business works with. For example, the SolarWinds breach happened because attackers compromised the build process of the Orion software and inserted malicious code into it. That backdoor was then distributed to up to 18,000 SolarWinds customers when the company sent out signed software updates. It was a catastrophic event, which put many organizations at high risk.
Any business subject to regulatory or contractual requirements, such as the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI DSS), or Health Insurance Portability and Accountability Act (HIPAA), or that holds a certification such as ISO 27001, must also continuously monitor changes to those requirements and the company’s adherence to them.
Avoid cyber risks with Acronis’ all-in-one solution
Acronis Cyber Protect Cloud is a one-of-a-kind solution that detects and prevents advanced malware, offers remediation and investigation capabilities, and provides total protection of your clients’ data. It unites behavioral and signature-based anti-malware, endpoint protection management, backup, and disaster recovery in one solution. With a single console and single agent, Acronis Cyber Protect Cloud offers unmatched integration and automation to reduce complexity, improve your productivity, and decrease operating costs. With Acronis Cyber Protect Cloud, you can enhance your backup service with essential cyber protection at no cost. You can also expand your service with advanced protection packs, which include:
- Next-generation anti-malware, which uses machine intelligence (MI)-based technologies to prevent emerging/new malware
- Global threat monitoring and smart alerts from Acronis Cyber Protection Operation Centers (CPOC) that keep you informed about malware, vulnerabilities, natural disasters, and other global events that may affect your clients’ data protection, so you can take action before they cause harm
- Forensic backup that allows you to collect digital evidence data, include them in disk-level backups that are stored in a secure place to protect them from cyber threats, and use them for future investigations
- Patch management for Microsoft and third-party software on Windows, allowing you to easily schedule or manually deploy patches to keep your clients’ data safe
- Drive (hard disk) Health using MI technology to predict disk issues and alert you to take precautionary measures to protect your clients’ data and improve uptime
- Software inventory collection with automatic or on-demand scans to provide deep visibility into your clients’ software inventory
- Fail-safe patching by generating an image backup of your clients’ systems to enable easy recovery in case a patch renders your client’s system unstable
- Protection for more than 20 workload types from a single console, including Microsoft Exchange, Microsoft SQL Server, Oracle Database Real Application Clusters (RAC), and SAP HANA
- A data protection map that tracks data distribution across your clients’ machines, monitors the protection status of files, and uses the collected data as the basis for compliance reports
- Continuous Data Protection that ensures you will not lose your clients’ data changes that are made between scheduled backups
- Disaster recovery orchestration using runbooks – a set of instructions that define how to spin up your client’s production environment in the cloud – to provide fast and reliable recovery of your clients’ applications, systems, and data on any device, from any incident
- Email security, powered by Perception Point’s cloud-based next-generation solution, that blocks email threats, including spam, phishing, business email compromise (BEC), malware, advanced persistent threats (APTs), and zero-days, before they reach end-users’ Microsoft 365, Google Workspace, or Open-Xchange mailboxes
With Acronis Cyber Protect Cloud, you can provide your clients with multiple layers of protection for their endpoints, ensure their data, applications, and systems are always available and protected, and provide the shortest time to recover their data and systems no matter what happens.
Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 1,800 employees in 45 locations. The Acronis Cyber Protect Cloud solution is available in 26 languages in over 150 countries and is used by 20,000 service providers to protect over 750,000 businesses.