Are free IT risk assessments helpful?


When browsing the internet, it's easy to run into offers for free IT risk assessments. But are they helpful and effective for your business? Or are they a sales pitch?

Some free assessments can indeed bring immediate, glaring dangers to light. However, these assessments are often ineffective in the long run because of the limited time and resources put into them.

For over 25 years, WEBIT Services has helped hundreds of clients by running and analyzing quarterly risk assessments. WEBIT feels risk assessments are powerful educational and strategic tools for businesses.

To be transparent, WEBIT uses risk assessments for its customers but does not use free risk assessments as part of its sales strategy. As such, we will try to show the pros and cons of these assessments as fairly as possible, but we are aware of our own biases.

You know your business and its needs best. We hope this article helps you make an educated decision regarding free risk assessments.

By reading this article, you will learn what is involved in a free risk assessment, why providers often give free assessments, how they compare to a full risk assessment, and the purpose of each.


What happens in a free risk assessment?

Free risk assessments are a quick look at your current IT risks. These assessments come in two forms:

  • A self-assessment quiz or form
  • A scheduled examination of your system by the potential IT provider


Free self-assessments

These risk assessments are found on some IT provider websites and are often given in exchange for contact information.

You will answer various questions about your security setup, policies, and practices. These questions are not customized for you and your business but are more generalized questions for any business.

If the free assessment does require contact information, it will request it either at the beginning, before you can take the assessment, or at the very end, before you can access your results.

The benefits of self-assessments

Self-assessments are quick and performed without human contact. You read the form or answer the quiz questions and receive a speedy result.

The disadvantages of self-assessments

These are not customized deep dives into your company's actual risk. Instead, free self-assessments give you a generalized view of your security risk based on other companies, trends, and standards.

As such, a free, generalized risk assessment will not speak to your company's genuine risk. Sometimes, it may point you in the right direction, but it is not a complete snapshot of your business's security.

You also have to ask yourself, "Do I feel qualified to answer these questions? Do I know all the ins and outs of my IT systems, policies, practices, and tools?"

If you do, fabulous! Knowledge and an in-depth understanding of your IT system and policies are crucial in conducting an effective risk assessment.

If you do not feel qualified, comfortable, or knowledgeable in answering the free self-assessment questions, it may be time to call in an expert.


A free scheduled examination of your system by the potential IT provider

Sometimes, free risk assessments are performed by a potential IT provider. These assessments can take on multiple forms.

Some are scheduled and performed by a salesperson or technician. Others are conducted using an automated program. Regardless of the delivery method, these assessments are usually quite fast compared to regular IT risk assessments.

The benefits of free risk assessments by a potential IT provider

Free risk assessments are often speedy and, of course, free of charge.

On occasion, they can bring some significant risks to light for examination.

The disadvantages of free risk assessments by a potential IT provider

Like the self-assessment, free risk assessments are not constructed to give a complete picture of your company's current risk. Sadly, these assessments are often built to emphasize negative results.

For example, a free risk assessment might flag significant risk because your systems have not yet applied recent software patches.

Software patches are an essential part of security. Often, patches will address newly discovered security vulnerabilities. As such, they should be applied within 30 days of a patch's release.

However, experts advise waiting a few days before applying a patch, in case the patch itself contains errors that were not discovered before its release. An unapplied patch more than a month old is a valid security risk. An unapplied patch a day old is not.

If the potential provider does not explain the results in detail, then the free assessment is being used to scare you rather than discover true security risks.


How can IT providers give free risk assessments?

Free items and services are rarely truly "free." Either the customer interaction is the product (e.g., free web services selling your information to retailers) or the marketing team hopes the free sample will lead to sales.

True risk assessments are time-consuming, in-depth, and expensive to perform. They also require experts to execute the assessment, analyze the data, and explain the results. Quality tools, systems, and expertise are expensive.

So how do free risk assessments stay free?

The company is either performing much smaller assessments (taking less time) or using less-experienced technicians (bringing less expertise). If the company is not scaling down the inspection, it is losing money by giving away complete assessments.

So why do some IT providers give free assessments?

While some providers use free assessments to help potential customers, others use them to motivate potential customers to leave their current providers.

Poor assessment results may make your IT provider look ineffective, and it may be the final straw to push you out of that partnership.

However, it's important to know the full scope of risk assessments before deciding whether or not to leave your current IT provider based on a free assessment.


What does an actual risk assessment look like?

True risk assessments are a collection of holistic security snapshots used to identify trends. They will examine your security policies, practices, IT systems, hardware, software, and, sometimes, IT compliance multiple times throughout the year.

This security deep-dive takes time to complete. Your first baseline risk assessment with a provider will take days and include on-site equipment and facility inspections.

After establishing this foundation, your IT provider will perform quarterly assessments to spot trends in your security habits and functions.

For example, suppose one assessment shows multiple employees clicking phishing links. That's a significant security risk.

In response, you conduct email security training for all employees.

Your next risk assessment will show whether the training was successful: phishing clicks should trend down.

Authentic risk assessments are not a one-and-done, set-it-and-forget-it process. Instead, they are about building on a secure foundation to keep your data and systems as safe as possible.

Complete risk assessments with a trusted provider are not a sales tactic.


So what do you do with a free risk assessment?

While they can occasionally be helpful, free risk assessments are often a sales technique highlighting supposed security vulnerabilities in your IT system. Unfortunately, the results are rarely holistic or a true reflection of your business.

The end goal is to pull you away from your current provider and have you join the provider who gave the assessment instead.

If you're taking a free assessment, chances are that your IT partnership isn't doing what you hoped it would.

If that's the case, bring your free assessment results to your provider and ask them to explain the results compared to your last risk assessment. They should be able to explain the results more thoroughly.

If the results of the free assessment do reveal a vulnerability, a quality provider will take steps to address it.

If you have never had a risk assessment with your current provider, that is a red flag for poor security service. Risk assessments are essential, repeated processes to evaluate and build your company's security.

WEBIT Services conducts hundreds of risk assessments each year for its clients. In addition, it uses risk assessments as educational tools to help build strategies and protect its clients.

If you are looking for a new IT provider, schedule a free 30-minute consultation to see how WEBIT can help.

If you are not ready to make a commitment but would like to learn more about IT risk assessments, we recommend the following articles: