Written by Tauseef Muhammad

December 19, 2016

Three Core Essentials of IT Risk Management


We’ve all heard the adage that a house is only as strong as its foundation. In this digital age, the same can be said of a business and its IT operations, particularly for businesses whose bottom line depends on the efficiency and speed of their data interchange systems.

However, according to a recent survey by Deloitte, only 5% of CIOs believe they exceed expectations when it comes to aligning their IT operations with their business strategy. How well is your company’s IT foundation managed, not only to run efficiently but also to minimize risk?

To help you answer that question, let’s look at three fundamental processes critical to maintaining a company’s information technology long term:

1. Infrastructure Management;

2. Security; and

3. Disaster Recovery.

Infrastructure Management

The backbone of every company is the physical infrastructure that makes up its network: the computers, the servers, the printers and other devices. Hardware failure is relatively unpredictable, and as equipment ages, the likelihood of failure increases. The cost of replacing failed equipment can also increase by up to 400% (3 to 5 times) once you account for the expense of expediting replacement equipment, paying overtime and lost productivity.

The following rules of thumb will help you plan your hardware equipment refresh schedule:

  • Desktops: 4-5 years
  • Laptops: 3-4 years
  • Servers: 3-4 years
  • Firewalls, switches, routers, wireless devices: 4-5 years

Please note that servers, firewalls and network devices usually require support staff who are up to date with the latest certifications, which can be challenging for SMBs. If you do not feel your organization scores well in the area of infrastructure management, strong consideration of managed services and/or a transition to the Cloud is recommended.

Security

Security is another vital component of IT risk management. A common error of busy IT teams is to postpone updates while they deal with the department’s more immediate urgencies, which leaves little time for non-urgent but essential maintenance.

Security management should never be viewed as a one-time event, but rather managed with ongoing vigilance. Updating firewalls and antivirus software with the latest releases as they become available is a must, and these updates should be scheduled at regular intervals. The tooling should also include monitoring and management of network traffic that looks for anomalies and attempts to detect intrusions in real time.

Also remember that email is one of the major delivery paths for malware and ransomware. Phishing techniques target unsuspecting employees who are clicking through emails all day. If the integrity of your IT systems is attacked and sufficient security controls are not in place, a company will suffer not only a potential loss of business and money, but also a loss of public trust.

If you do not feel your organization scores well in this area, have a managed services specialist review your firewall, network and infrastructure, and look at moving your email to the Cloud along with the necessary anti-virus protection.

Disaster Recovery

Companies often confuse data backup with disaster recovery. The two are closely related but are different concepts. Data backup preserves copies of information saved in files, as well as database and customer information, in the event of a hardware or software issue or a virus. A Disaster Recovery (DR) plan, on the other hand, does more than copy data: it also protects the hardware and software used to access that data.

Although many companies have a system in place for data backup, fewer are prepared to respond to a failure of their hardware. Being down for hours or several days while trying to recover hardware can cost a business millions of dollars and damage the company’s brand. A strong disaster recovery plan can be customized to fit the specific needs of an individual business. At a minimum, it includes the ability to recover, either by restoring from a backup or by switching to a secondary site.

From a DR perspective, the Cloud enables much more efficient testing of your DR plan, which should be performed 1-2 times a year. To secure your data in the event of a breach, consider implementing low-hanging fruit such as Backup as a Service (BaaS) and Disaster Recovery as a Service (DRaaS) technologies in the Cloud. This will help move you away from tape backups and secondary servers, mitigating risk while saving your company time and money.

Outsourcing parts of your IT support systems may take a little more time and effort. But when managed properly, your IT infrastructure, processes and IT team can deliver great value to your organization. Keep in mind that there is no one-size-fits-all solution; your strategy must be tailored to your specific business needs and match your business goals. By partnering with a specialist in managed services and utilizing Cloud technology to manage infrastructure, security and disaster recovery, your company will significantly reduce cost and risk while regaining the bandwidth to focus on running the business.

Contact a specialist to identify the options that make sense for you.