Business Owners Guide to IT Risk — Identify Your Critical Systems First
If you typed that phrase, you want a short, useful answer: start by naming the handful of systems that would stop revenue, compliance or staff from working if they failed. Do that now and most IT risk decisions become simple prioritisation instead of guessing at every possible threat.
Payroll stops on Monday morning — create a simple failover and a one‑hour workaround
Problem: Payroll failing is an existential event for staff morale and legal compliance. It often happens because a single server, a cloud account or an outsourced provider is misconfigured or unavailable at the wrong time.
Diagnosis: Ask who can run payroll and how. Is it one person with a password, a single file on a laptop, or a web portal owned by a supplier? If only one person or one machine can trigger payment runs, you have a single point of failure.
Action to take: Define a disciplined fallback. Export the necessary payroll data and store it in an encrypted shared folder accessible to at least two authorised people. Document a manual process that can be completed in an hour using that exported file and run a timed drill once a year. If your payroll is hosted by a supplier, confirm their recovery SLAs in writing and get administrative access to your data export schedule.
All admin accounts are controlled by one leaver — split control and rotate credentials
Problem: Your business grinds to a halt when a senior admin leaves or is unavailable because too much access was concentrated in one account.
Diagnosis: List every person who has “admin” or “owner” privileges on business systems: email, finance software, phone provider, cloud services. If that list is shorter than three, you’ve concentrated risk.
Action to take: Introduce two practical controls this week. First, assign at least two authorised administrators for each critical system and record who they are. Second, stop using permanent shared passwords — use an audited credential manager and enforce two‑factor authentication for all admin accounts. These are low‑cost steps that reduce the chance that a single departure creates days of downtime or expensive emergency access fixes.
Ransomware encrypts files — separate backups and practise recovery runs
Problem: Backups exist, but they’re on the same network or the backup tool talks to the same credentials as live systems — so an infection takes both live files and backups.
Diagnosis: Check how your backups are stored. If backups are writable from the network in the same way as live file shares, or if the same service account can delete backup sets, your backup is not a defence.
Action to take: Isolate at least one immutable or offline backup copy for critical documents and finance data. That could be an object storage snapshot with write‑once settings or a daily export stored offsite. Crucially, practise a restore yearly (or quarterly for very active systems) to confirm data integrity and time required. Know how long it will take to get trading again and budget for that downtime in your contingency planning.
Supplier portal access is lost — demand documented handover and emergency contacts
Problem: A third‑party you rely on (payment gateway, bookkeeping software, delivery API) changes access or goes offline and you have no documented escalation path. You end up calling helpdesks and spending days on hold while the business stalls.
Diagnosis: Make a supplier map. For each critical supplier record: who has your contract, who has admin access, how to authenticate as the organisation, and an emergency contact that isn’t the generic helpdesk email. If you can’t find that information quickly, you face extended outages when things go wrong.
Action to take: Add contractual clauses that require suppliers to provide an emergency escalation contact and a documented handover process. Keep a short “who does what” sheet that includes contractual notice periods, SLA credits, and how to extract your data if you move away. If a supplier can’t provide that, plan an alternative or budget the risk — the cost of last‑minute migration will usually exceed a small annual contingency.
Practical sequencing: Do these in order of business impact. For most firms of 10–200 staff the quick wins are: identify critical systems, create two authorised admins, secure an isolated backup, and document supplier recovery routes. Each of those actions cuts the likely business pain from an incident by more than half.
When a breach affects personal data, you may have a legal duty to notify the Information Commissioner’s Office within 72 hours. Confirm the trigger points for reporting in your incident plan and keep the ICO guidance handy: ico.org.uk.
Costs and timeframes: none of these steps needs large capital expenditure. Expect to spend a few hours with your IT provider and one to two days of internal time to map systems and assign owners. Automating credential management and immutable backups has a modest subscription cost but pays back rapidly when an incident is avoided or resolved fast.
What to do tonight: list the five systems that would stop trading, name the two people who should be able to fix each, and save that list in a secure shared document. That single action changes conversations with suppliers and your IT team from “what if” to “here’s how we recover”.
Want help turning that list into a recoverable plan? Book a one‑hour review to reduce downtime, protect payroll and meet compliance more confidently — your business will recover time and calm when you have named owners and tested fallbacks.
