Cyber-Attack & System Failure Resilience Risk Assessment
Effective Date: 5 Jan 2026
1. Purpose & Scope
This assessment identifies cyber security and system resilience risks affecting AIC Professional Services UK Ltd and documents the controls in place to ensure continuity of operations, protection of information assets, and timely recovery from cyber incidents or system failures.
Scope includes all core business systems, cloud services, endpoints, and supporting processes used to deliver professional services.
2. Systems & Criticality
| System | Description | Criticality |
|---|---|---|
| Corporate Email & Collaboration | Business communications and coordination | High |
| Cloud File Storage | Storage of project and business documentation | High |
| Business Website (aicuk.ltd) | Corporate presence and contact point | Medium |
| End-User Devices | Laptops and workstations | High |
| Identity & Access Systems | Authentication and access control | High |
| Backup & Recovery | Data protection and restoration | High |
3. Key Threats & Failure Modes
- Phishing and credential compromise
- Malware or ransomware infection
- Cloud service outage
- Loss or theft of endpoint devices
- Misconfiguration of cloud resources
- Accidental deletion or corruption of data
- Denial of service affecting availability
4. Notable Vulnerabilities
- Small team size leading to reliance on cloud providers
- Dependence on internet connectivity
- Human error (e.g. phishing susceptibility)
- Limited redundancy compared to large enterprises
These vulnerabilities are mitigated through technical controls and procedural safeguards proportionate to organisational size and risk.
5. Likelihood & Impact Scales
Likelihood:
- Low – Unlikely, strong controls in place
- Medium – Possible but mitigated
- High – Likely without additional controls

Impact:
- Low – Minimal disruption, no data loss
- Medium – Temporary service disruption
- High – Significant operational or data impact
6. Risk Summary
| Risk | Likelihood | Impact | Overall Risk |
|---|---|---|---|
| Phishing / credential compromise | Medium | High | Medium |
| Malware / ransomware | Low | High | Low–Medium |
| Cloud service outage | Low | Medium | Low |
| Data loss | Low | High | Low |
| Website availability | Low | Low | Low |
Overall assessed risk posture: Low to Medium, acceptable for business size and nature.
7. Required Resilience Level (Set per System)
| Resilience Level | Definition |
|---|---|
| Level 1 – Basic | Non-critical systems |
| Level 2 – Standard | Important business systems |
| Level 3 – Enhanced | Mission-critical systems |
Assigned levels:
- Email, Identity, File Storage, Endpoints: Level 3
- Website: Level 2
8. Minimum Actions by Level
Level 1 – Basic
- Secure configuration
- Basic access control
- Provider-managed resilience

Level 2 – Standard
- Strong authentication
- Backups
- Patch management
- Incident response awareness

Level 3 – Enhanced
- Multi-factor authentication
- Encryption at rest and in transit
- Regular backups with recovery testing
- Device security and remote wipe
- Monitoring and logging
- Defined incident and recovery procedures
9. Decision & Approvals
Assessment Outcome: Risks are understood and adequately mitigated
Risk Acceptance: Approved
Approved By: Managing Director
Role: Senior Responsible Owner
Date: 5 January 2026
No unacceptable residual risks identified for current operations.
10. Review Cadence
This assessment is reviewed:
- Annually
- Following any significant system change
- After any cyber security incident or material service failure
