Are you scrutinizing your clients' information systems, looking for every last flaw? If you aren't, you're failing to protect them from their own network vulnerabilities. What about your prospects? In order to know whether your services are the right fit and to determine which bundle to offer them, you have to understand their infrastructure and its underlying weaknesses. Indeed, for prospects and customers alike, it's vital that you frequently perform IT security risk assessments. In the following blog post, I'll examine why they're an important component of data protection and uptime optimization. Additionally, I'll outline how you can carry out the next one you conduct more effectively to better serve your clients' needs.

The Purpose of an IT Security Risk Assessment

IT security risk assessments are designed to help businesses evaluate and optimize their overall security plan by viewing their IT systems through the lens of an attacker. If done right, they can mitigate and even prevent data breaches and the bad PR that accompanies them. While security risk assessments differ depending on the client, they should be completed in the following stages.

High-Level Walk-Through of an Effective Assessment

Stage 1

First, you must take inventory of your client's assets. Identify the scope of their infrastructure as well as all software and hardware in their system. Specifically assess the web applications that pertain to their billing, CRM, HR, etc. Is your client using Salesforce, for instance? Include it in your analysis.

Stage 2

Next, you need to find weaknesses in your client's information system that put their organization at risk. During this stage, it's important to understand the difference between a vulnerability and a threat. As TechTarget explains it, a "threat is the potential for a particular threat-source to successfully exploit a particular vulnerability." When judging the level of risk a client's security posture has, look for vulnerabilities to take action on before they become threats. Not sure what to review? Start with the state of your client's:

  • remote access systems
  • servers
  • Internet connection
  • firewalls
  • integration with third-party solutions
  • security policies
  • network architecture

Stage 3

Once you have a good read on your client's IT environment, it's time to perform an impact assessment. Basically, you want to take all of the vulnerabilities you've identified and predict the consequences if each were to be exploited. How big of a disaster would it be for your client? In a worst-case scenario, how much downtime and data loss would result? As explained in ISACA's article, Performing a Security Risk Assessment, you want to look at the impact on variables such as revenue, profit, cost, service levels, regulations and reputation. For example, if your client's e-commerce website is taken offline, the cost at minimum is the revenue lost from missed sales transactions, but it increases as downtime is prolonged and customers become dissatisfied. Risks are weighted by how dire the consequences are.

Sure, but risks aren't guaranteed, so what if threats aren't realized?

Stage 4

This brings us to the next stage, the one in which we judge the chances that a vulnerability will be successfully exploited. As you'd guess, the greater the likelihood that a threat will occur, the higher the risk. It is important to note that as more users are given access to the information system, the greater the likelihood that it will be compromised. For this reason, ask how many authorized users a client's environment has when you conduct an IT security risk assessment.

Stage 5

Finally, once you have compiled as much useful information as you can, it's time to write your prescription. What controls can you implement that will diminish or remove the risks you identified in Stage 2? That's what you want to achieve in this last part of the process. A few key areas to look at changing include:

  • number of authorized users
  • policies
  • procedures
  • configurations
  • existing technology used by clients

3 Reasons Why It's Necessary

Helps You Tackle Risk Mitigation One Vulnerability at a Time

How do you eat an elephant? One bite at a time. One of the main objectives of an IT security risk assessment is to obtain enough data about client network health to prioritize which threats should be addressed. You'll likely discover more issues than your client or prospect previously informed you of, and when so many cogs and wheels need improving, it can be difficult to determine which ones need the most immediate attention. Although I didn't discuss this above, MSPs and IT service providers that perform these audits are usually advised to assign point values to the areas of concern they flag. For a more detailed overview of how to do this, definitely check out InformationWeek's How to Conduct an Effective IT Security Risk Assessment report!
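As an added illustration that is not from the original post, the following Python script is one way to turn Stages 2 through 5 and the point-value approach above into a simple risk register: each finding is rated on the ISACA impact dimensions (Stage 3), its likelihood is raised by the authorized-user count the post calls out and by Internet exposure (Stage 4), and the register is ranked so the highest-scoring items get controls first (Stage 5). The weights, thresholds, Internet-exposure factor and the sample findings are my own assumptions, not values from the post or from ISACA.

```python
from dataclasses import dataclass, field

# Impact dimensions from the ISACA guidance the post cites; the weights are assumptions.
IMPACT_WEIGHTS = {"revenue": 3, "service_levels": 2, "regulations": 3, "reputation": 2}

@dataclass
class Finding:
    asset: str                  # Stage 1: an item from the inventory
    vulnerability: str          # Stage 2: the weakness found on it
    impact: dict                # Stage 3: each dimension rated 1 (minor) to 5 (severe)
    authorized_users: int       # Stage 4: the user-count factor the post calls out
    internet_facing: bool       # Stage 4: reachable by outside attackers (assumed factor)
    controls: list = field(default_factory=list)  # Stage 5: candidate fixes

def impact_score(f: Finding) -> float:
    """Weighted mean of the Stage 3 ratings, so the result stays on the 1-5 scale."""
    weighted = sum(IMPACT_WEIGHTS[k] * f.impact[k] for k in IMPACT_WEIGHTS)
    return weighted / sum(IMPACT_WEIGHTS.values())

def likelihood_score(f: Finding) -> int:
    """Stage 4 on a 1-5 scale: more authorized users and Internet exposure raise it."""
    score = 1
    score += (f.authorized_users > 50) + (f.authorized_users > 500)  # assumed thresholds
    score += 2 if f.internet_facing else 0
    return min(score, 5)

def risk_score(f: Finding) -> float:
    """Impact x likelihood: 1.0 (accept for now) up to 25.0 (fix first)."""
    return round(impact_score(f) * likelihood_score(f), 1)

def prioritize(findings):
    """Stage 5 input: findings ordered by descending risk, with their candidate controls."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.vulnerability, risk_score(f), f.controls) for f in ranked]

# Constructed sample register for a fictional client; not data from the post.
SAMPLE_FINDINGS = [
    Finding("e-commerce web site", "unsupported web server version",
            {"revenue": 5, "service_levels": 5, "regulations": 3, "reputation": 4},
            authorized_users=2000, internet_facing=True,
            controls=["patch/upgrade schedule", "web application firewall"]),
    Finding("internal HR application", "shared administrator account",
            {"revenue": 1, "service_levels": 2, "regulations": 5, "reputation": 3},
            authorized_users=40, internet_facing=False,
            controls=["individual admin accounts", "access review policy"]),
    Finding("remote access VPN", "no multi-factor authentication",
            {"revenue": 3, "service_levels": 4, "regulations": 3, "reputation": 3},
            authorized_users=300, internet_facing=True,
            controls=["enable MFA", "reduce number of authorized users"]),
]
```

Running `prioritize(SAMPLE_FINDINGS)` ranks the Internet-facing e-commerce site (21.0) ahead of the VPN (12.8) and the internal HR application (2.8), which is the ordering a client would use to decide where to spend first.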

Justifies Spending on Security & Your Services

Many internal IT departments advocate IT security risk assessments because they shine a light on network insecurities, thereby securing more budget for security. It can be hard to get the higher-ups to approve security expenditure requests when they don't see how such requests will help the company's bottom line. With security risk assessments, these IT departments have the opportunity to receive more funding if they can demonstrate how damaging a disaster scenario could be for their company. This process also helps MSPs since you can position yourself as a trusted business advisor, upsell existing clients, or convince prospects that they need your managed IT services.

Increases Awareness & Makes Security a Shared Responsibility

Contrary to popular belief, IT personnel are not solely responsible for security. When conducting IT security risk assessments, it's a best practice to involve all of the company's major stakeholders, not only to ensure you get a complete picture of the organization's IT environment, but also to get buy-in from each key decision maker at the company. Security risk assessments are a form of security education in and of themselves. With more departments included, there's greater potential for interdepartmental understanding of risky user behavior. Those participants can then go back and educate the rest of their teams, reducing risk.

While I've barely scratched the surface of IT security risk assessments, hopefully you've learned more about the process and why it's a crucial part of IT management. One thing I want to stress is that you must continually audit your clients' infrastructure; doing it once is not enough. Aim to conduct an IT security risk assessment once every couple of years, although some clients (like those bound by compliance regulations) may require more frequent visits. Again, there's no one-size-fits-all approach to these check-ins, but understanding their framework and what makes them effective will demonstrate your value and set you apart from your competitors.

Do you have any tips that have worked for you? Perhaps you still have lingering questions. Leave a comment below, and keep the conversation going!
