Every industry relies on technology. But when the technology doesn’t cooperate—either due to hardware or software failure, human error, or nefarious acts by hackers and criminals—businesses face a variety of risks such as lawsuits, compliance fines, and lost sales. The price of technology failure is high: 86% of businesses say that the cost for one hour of downtime is $300,000 or higher. One in three businesses report that the cost of a single hour of downtime can reach $1 million to $5 million.
How Benchmarking and Key Risk Indicators Help Manage IT Risk
Key risk indicators (KRIs) measure the risk of an activity, and benchmarks serve as an early warning system that risk is higher than acceptable. In information technology, or IT, risk is any threat to a company’s business data, systems, and business processes. Risks can range from cyber risk in which bad actors try to harm a company’s technology systems or steal data, to natural disasters that damage buildings and hardware, to outdated technology. These incidents can incapacitate systems for days or weeks.
Benchmarking can also identify the risks of human error. A significant number of IT issues aren’t caused by hardware or software failures, but by employees not following established procedures. For instance, an employee debugging an application may inadvertently change firewall settings, allowing a virus to enter. Or, an employee may open a phishing email, only to let loose malicious malware on a company server.
Benefits of Using IT Benchmarking to Manage Risk
IT security risks are an area of focus for all industries, in part driven by the high-profile data breaches at firms such as Equifax, Yahoo, Anthem, Target and others. Not only did these companies suffer reputational damage, they also had to settle lawsuits and pay hefty compliance fines.
Since the vast majority (95%) of data breaches are preventable, there’s a lot that organizations can do to protect their critical technology infrastructure. Benchmarking alerts businesses to risks, enabling them to make changes such as updating anti-virus protection and firewalls, updating software and operating systems to the latest versions, training staff in IT policies and procedures, and implementing IT checks and balances.
Organizations can also use benchmarking to gauge the risk of viruses, malware, and denial-of-service attacks designed to disrupt operations, as well as identify its vulnerability to spam and phishing that trick users into revealing private information.
IT Security Benchmark Examples
Every business understands the harm caused by hardware, and software failures, but protecting the organization against incidents that impact IT security is especially challenging. The following KRIs can help businesses monitor the risks of software and hardware failures and keep its data safe.
IT Benchmark #1: Percentage of Incidents Caused by Recent Change
Hardware and software updates are a fact-of-life in any IT department. But these commonplace updates—due to the release of a new software version or to repair a known security hole—can lead to infrastructure incidents. If there are a high percentage of incidents caused by recent changes, an organization may need to improve IT change management processes for issues such as operating system patches and software upgrades.
To calculate this benchmark, divide the number of incidents where the root cause was traced to recent changes by the total number of incidents over the same time period, as a percentage.
IT Benchmark #2: Average Age of Known Problems
Solving IT problems faster means that there is less chance that a hacker or even a disgruntled employee will be able to take advantage of a known weakness. Determining how long problems are open, on average, can alert the organization to an overworked or untrained IT staff who don’t have the time or skills to fix problems.
To calculate, divide the total number of days which all of the company’s known problems have been open by the number of known problems in the backlog.
IT Benchmark #3: Percentage of High Priority Incidents
Since IT problems vary in the timeliness of response required, organizations routinely categorize incidents by priority based on impact and urgency. An incident that shuts down a company’s ecommerce site is likely higher impact than the unavailability of an application used for departmental reporting. Too many high priority incidents means the IT department is spending too much time putting out fires and that critical systems and data are compromised too often, increasing risk.
To calculate the percentage of high priority incidents, divide the number of incidents that are classified as high priority by the total number of incidents that occurred over the same time period, as a percentage.
IT Benchmark #4: Percentage of Recurring Incidents
Fixing hardware and software problems that occur over and over are a waste of IT resources. A high percentage of repeated incidents could indicate that IT employees are not adept at fixing the root cause of technology problems, or that the hardware or software is past it’s life cycle and needs to be retired.
To determine the percentage of recurring incidents, divide the number of incidents that have occurred more than once by the total number of incidents that occurred over the same time period, as a percentage.
IT Benchmark #5: Percentage of Unmanaged Devices Detected on Network
Unmanaged devices are devices such as smartphones and guest user’s laptops that are managed by the user rather than the organization. Cyber criminals often use these devices to infiltrate corporate networks. A high percentage of unmanaged devices indicates a higher risk of invasive viruses that the organization may not immediately detect.
To calculate this benchmark, divide the number of unmanaged devices detected on the company network by the total number of endpoint devices on the network, as a percentage.
Final Thoughts
IT risk is industry-agnostic: any organization that uses technology to run its business is vulnerable. However, certain indicators, such as having rouge devices on the network or a high number of high priority or recurring incidents, expose an organization to additional risks. KRIs and benchmarking that measure and monitor IT risk help organizations implement practical steps to better protect systems and data.
No matter the industry, key risk indicators for information technology can help bolster your business. For a full list of KRIs for benchmarking you can download our Technology Services Key Risk Indicator Benchmarking Report.
If your business needs additional help benchmarking your IT risk or building a strong library of KRIs, then help yourself to our presentation-ready Risk Management KPI Encyclopedia. For even more assistance, contact us for more information about our benchmarking services. We can help you effectively and efficiently benchmark your technology services department and provide you with high-quality delieverables at an affordable price.