By Karl Bickmore, CEO
If you’re like every other good business owner or manager, you’re more concerned about cybersecurity and information technology (IT) risk today than you were five years ago. And while as a small- to medium-size business (SMB) owner you’re probably very good at your job, you might be a little out of your element when it comes to the nitty-gritty of IT. That may have been OK in the past, but these days, it’s important to understand your risk, and ensure you and your IT provider are doing the right things to protect your business.
That’s why a regular review of your IT systems is critical. Part of risk management is understanding the difference between risk analysis and risk assessment. Unfortunately, the terms are often used interchangeably. If you ask 10 different IT providers what needs to be done, you’ll probably get 12 different answers. This has created some confusion I’d like to help you sort out.
First, I recommend you shift your mindset and adopt a new attitude about your IT needs. As an SMB owner, it’s important to be educated on IT management, so you can hold your IT professional accountable and make sure they’re delivering on their promise. A great place to start is with a risk analysis and assessment.
Next, let’s clear up the confusion around the terms. The common consensus is: A risk analysis is a focused activity to determine what risks exist; the assessment is the quantification of the probability and exposure that each risk creates. In essence, the risk analysis is where you start, and it should lead you into your assessment process.
Keep in mind that what many providers call an “assessment” is really just a minor analysis that becomes a sales pitch to buy additional services and solutions. A legitimate vendor performing a risk assessment should be willing to provide you with a detailed report of findings and recommendations without any requirement of longer-term services.
When selecting your vendor to do an analysis and assessment, here are three things you should keep in mind:
- The vendor should be able to provide you with a reputable third-party audit that’s done annually to assess their business practices. At a minimum, we recommend they provide an annual Service Organization Control Type 2 audit. Additionally, audits related to PCI, HIPAA, NIST and FINRA are signs of a reputable IT provider. If a provider offers lesser credentials, you should investigate their industry acceptance and how effective an audit it really is. Avoid any company that uses “self-assessment.”
- The vendor performing the analysis should be able to clearly describe the process, what will be evaluated and what the deliverables will be. Be wary of vendors who aren’t specific and do a minimal analysis, then leverage preliminary findings to upsell you on their solutions or services.
- Unless you have an amazing IT staff and you already understand everything you need to in order to hold them accountable, don’t rely on them or that IT provider to provide a thorough analysis. Without an objective analysis performed by an independent third party, you’re unlikely to uncover some of your greatest risks.
For more on risk analysis and risk assessment, see our white paper here.