And behind the curtain was a door

Here’s Why a Tech Risk Assessment Should Come First

When looking to buy a business or merging with another business, part of the process should include doing due diligence – checking everything top-to-bottom about the other party’s business. Due diligence includes making sure the other business is operating within the law and the guidance of its industry’s regulatory bodies. And because of societal reliance on technology, due diligence ought also to mean scrutinizing the business’ IT practices.

What If You Don’t Up-front Look at the Business’ Network and Data-Handling?

Entering an agreement blind to your potential partner’s data-management practices means you don’t know the problems that may be there from previous, sometimes even undetected-by-the-current-owners, cyber-incursions, or the weaknesses in the network that could be a damaging and costly problem going forward. How will you be able to run the business if criminals are able to get in, disrupt and steal? When you buy a business, you buy its data security problems, too. Instead, why not go in with eyes wide open?

Risk Assessment

A risk assessment will analyze and show the areas of risk in the existing data environment – the final report will serve as a roadmap to mitigating the revealed risks should you choose to go forward with the business purchase or merger. Honestly a risk assessment is recommended at any stage in a business; an as-is snapshot of a business’ IT is the foundation of any sound cybersecurity approach. Unless the business’ unique risks are uncovered and joined to a risk-reduction plan, all you can do is just guess and hope you’re making the right IT decisions.

What You Want in a Risk Assessment

A risk assessment should include the following:

  • identify the unique risks that threaten the soundness of a business
  • areas of risk explored should cover
    • criminal risks (like ransomware)
    • accidental risks (like losing a laptop)
    • hardware/software risks (like database corruption)
    • environmental risks (like fire)
  • include appropriate responses to the revealed risks to lessen, transfer or remove those risks
  • prioritize the severity of risks and the implementation of the risk-reduction responses
  • follow NIST SP800-30 guidance

Investing in a Business? You Need a Good Look

If the business you have your sights on has flawed or obsolete IT, it opens you up to risks you ought to be aware of before your purchase decision.

Only after the many-sided work of due diligence has been done, should you consider closing. Since 1987 Bryley has advised about the IT element of preparing to buy a business or create a merger. For more information about assessing the security risks of your decision, please call 978.562.6077 or email