How To Perform A Cybersecurity Risk Assessment
Every modern organization has some type of IT infrastructure and internet connectivity. This means that nearly all organizations are at risk of an attack or cybersecurity breach.
To understand your vulnerabilities and better manage your risks, you must run a comprehensive cybersecurity risk assessment—and this guide will teach you how.
Step 1: Establish Your Information Value
The vast majority of organizations don’t have unlimited funds set aside for cybersecurity risk management. So you should limit the scope to all assets that are business-critical.
Determining the value of information is the best way to save time, money, and effort during this process.
Create a set of standards that will establish the importance of any asset you’re evaluating. You can do this by identifying the asset in three parts—value, legal standing, and importance to business operations.
Once you’ve formally added these standards to your risk management policy, you can classify every asset as a critical asset, major asset, or minor asset.
If you need help determining the value of information, try asking yourself the following questions:
- Would there be a legal penalty or fine if this information was exposed or lost?
- Does this information have any value to your competition? How much value?
- Is it possible to recreate this asset or information from scratch?
- How long would it take to recreate the information, and how much would it cost?
- Would revenue or profitability decline if this information was lost or stolen?
- Can your staff continue working on day-to-day business operations without this information?
- Would your company’s reputation be damaged if the information was leaked to the public?
These standards for information value make it easier to identify your most important assets in the next step.
Step 2: Identify Highest Value Assets and Prioritize Them
Now that you’ve determined the information value, you can start to evaluate the scope of your cybersecurity risk assessment. Then you can also prioritize which IT assets should be assessed.
For example, if there’s no financial or legal penalty associated with the data loss, your company could continue running day-to-day without any impact on the bottom line, and recreate the information in a week, you could probably classify it as a “minor” asset—unless it contained proprietary information that would hold great value to your competition.
Depending on your budget, you may decide to leave this out of the assessment altogether and only focus on ones that pose higher risks.
Once an asset has been identified, you need to gather additional information about it to understand all of its potential risks. Examples include:
- Data
- Hardware
- Software
- Users
- Critical function
- Functionality requirements
- Security policies
- IT security architecture
- Support personnel
- Information flow
- Technical controls
- Physical controls
- Environmental security
- Network topology
- Information storage protection
You want to uncover everything here. From network equipment to office drawers, physical documents, trade secrets, vehicles, and employees, leave no stone unturned as you’re identifying and prioritizing assets.
Step 3: Identify Threats
Next, you need to determine any type of vulnerability that could be exploited in a breach.
Many organizations jump straight to things like malware, hackers with malicious intent, ransomware, and other traditional cyber breaches. These are just a few of the many types of threats you might be faced with. Other examples include:
- Natural disasters like earthquakes, floods, fires, or hurricanes that destroy servers
- System failures for critical assets
- Human error (like an employee clicking a malware link)
- Adversarial threats (coming from privileged insiders, suppliers, third-party vendors, etc.)
- Unauthorized access by employees or hackers
- Insider threats and misuse of corporate information
- Sensitive data leaks
- Data loss
- Service disruptions
Once you’ve determined which threats your organization is faced with, you can then determine the potential impacts of each one.
Step 4: Determine Your Cybersecurity Vulnerabilities
Threats and vulnerabilities are commonly used interchangeably, but they’re not the same thing when you’re conducting a cybersecurity risk assessment. So this step should be done separately from the previous one.
Vulnerabilities assess weaknesses that can be exploited by your threats.
There are lots of ways to approach this initiative. But you need to run a vulnerability analysis and look through audit reports to get a firm grasp on where your organization is most vulnerable.
Think about both physical and digital vulnerabilities.
For example, regular patch management can help fight against newer forms of malware or reduce the threats associated with system failures. But that won’t stop an unauthorized employee from physically walking into a room with your organization’s servers that hasn’t been properly secured.
Step 5: Evaluate and Implement Cyber Controls
Now you need to look at your existing cybersecurity controls and analyze the effectiveness of each one.
When we talk about “controls,” we’re referring to things like encryption, intrusion detection software, multi-factor authentication, hardware, data leak detection, automatic updates, and other technical means of controlling risks. But you can also assess non-technical controls such as physical locks, keycards, and vendor security policies.
Do your current controls adequately reduce or eliminate the threats and vulnerabilities that you’ve previously identified in the last two steps?
Every control should be classified into one of two categories—detective or preventive.
Detective controls are used to discover when something wrong has occurred. For example, data leak detection software can notify you when data goes missing. Preventative controls stop cyber risks through means like antivirus software, endpoint monitoring, and data encryption.
Step 6: Determine the Likelihood of a Scenario and Measure the Impact
By now, you should have all of the information value, cyber threats, vulnerabilities, and controls identified. It’s time to tie all of these together and calculate the likelihood of an event occurring.
For example, let’s say you have data centers in a landlocked state like Nevada.
You can probably rule out natural disasters like tsunamis or hurricanes that just don’t occur in this region. Flooding could still be possible, but it would have to come from something like a broken pipe or water main break.
If you find out that a threat is likely to occur, you also need to estimate the cost of the occurrence.
For example, let’s say your database with your organization’s highest-value information is valued at roughly $50 million.
During a breach, about half of your data would be leaked before you could contain it—estimating a loss of $25 million. But let’s say this event is very unlikely to occur. Maybe this would happen once every 50 years, resulting in an estimated loss of $500,000 per year.
In this hypothetical scenario, you could justify a budget of $500,000 to prevent the occurrence. But if it would cost you $2 million per year to prevent a loss of $500,000 per year, then you might reconsider the investment.
Step 7: Rank and Prioritize the Risks
Using the information you gathered in the previous step, you need to create a list of all risks prioritized based on the cost of prevention vs. the information value.
Based on this information, you can assign a priority level to each one:
- High Priority — Should develop corrective measures immediately
- Medium Priority — Should develop corrective measures eventually
- Low Priority — Determine whether to mitigate or simply accept the risks
In most cases, if it costs more money to protect an asset than it’s worth, it usually won’t make sense to implement preventative controls. There are some exceptions to this rule. For example, certain asset leaks could damage your reputation or your customers.
Every organization has a different risk tolerance level. So your decision-makers ultimately need to decide how much risk they’re willing to take.
Common Problems When Performing Cybersecurity Risk Assessments
Cybersecurity risk assessments look different for everyone. But across the board, there are some common stumbling blocks and pain points associated with the process.
We’ll tackle those hurdles in greater detail below. This will make it easier for you to overcome them or avoid them altogether.
Problem 1: Understanding the Goals and Purposes of Risk Assessments
Many companies confuse risk assessments for other cybersecurity initiatives. They think that a risk assessment will harden security controls or make a network bulletproof. But this is not the case.
Running a cybersecurity risk assessment is just the initial phase of strengthening your organization’s IT infrastructure and security.
It will ultimately help lay the groundwork for future initiatives, software, controls, and more. But there’s very little implementation involved with this process.
Cybersecurity risk assessment does not identify malware or detect ransomware. It’s not an endpoint detection and response solution either.
The goal of a risk assessment is to identify, estimate, and prioritize risk to assets, operations, and individuals throughout an organization.
To perform a cybersecurity risk assessment, you’ll want to address the following points:
- What are the organization’s most crucial IT assets?
- What type of data breach would have the biggest impact on the organization?
- Can you identify all threat sources to your organization?
- What is the potential impact level of each possible threat?
- What are your internal and external risks?
- What would happen if your vulnerabilities get exploited?
- How likely is exploitation?
- What type of cyber threats, attacks, or incidents could impact your organization’s ability to function?
- What risk level is your organization comfortable with?
Once you can confidently answer these questions, you can figure out which assets need protection. Then you can create an adequate data security plan and develop internal security controls to reduce risks.
Problem 2: Justifying a Cybersecurity Risk Assessment
Some organizations don’t like investing time, money, or efforts into initiatives that don’t have a direct output or benefit.
For example, risk assessments alone don’t necessarily stop a threat. They simply identify different types of vulnerabilities and how exploitable certain controls are. But you still need to go ahead and deploy software, train your staff, and take steps for prevention and detection.
Some stakeholders and decision-makers want to jump straight into the action, bypassing the risk assessment phase. But without a proper cybersecurity risk assessment, you could be putting your action efforts into the wrong initiatives.
Here are some of the top benefits of a cyber risk assessment that can help you justify the cost and process:
- Reduce lost-term costs associated with security incidents
- Gain a clear picture of where your organization needs improvements
- Prevent data breaches
- Avoid issues associated with regulatory non-compliance
- Reduce the chances of downtime for customer-facing systems
- Prevent data loss
Failing to perform a cyber risk assessment could lead to hefty fines with HIPAA, PCI DSS, GDPR, APRA CPS 234, CCPA, and more—not to mention the damage to your brand name associated with a data breach or downtime. It can take an organization months and millions of dollars to recover from a cybersecurity incident.
Implementing the right software and infrastructure controls can cost tens of thousands of dollars as well.
So it’s definitely in your best interest to perform risk assessments to know exactly where your efforts should be concentrated. Otherwise, you could be pouring money into the wrong area and neglecting assets that need the most attention.
Problem 3: Assigning Responsibility for Risk Assessment Initiatives
Who should perform cybersecurity risk assessments?
This is a very common question at the start of this process. But the answer isn’t always so simple. In short, it depends on the organization type and the organization’s resources.
In a perfect world, companies with a dedicated in-house IT staff can perform the risk assessment. But this requires a knowledgeable and capable IT team with a deep understanding of your network infrastructure, information flows, and organizational knowledge.
Transparency is crucial for this process to work.
It’s also important that you have enough resources to complete the assessment without neglecting the other day-to-day responsibilities of powering an IT department. You still need to keep your operations functional while you’re running the assessment.
If you don’t have the personnel in-house to handle this job, you’ll likely need to outsource the initiative to a third party.
Hiring new employees is an option too. But it’s likely not worth the added costs. Plus, new staff likely won’t have the organizational knowledge that’s required to run an internal assessment.
If you’re outsourcing the project, see what else the cybersecurity company has to offer. Ideally, you can also get cybersecurity software and other third-party tools from this provider after the assessment is over—reducing the need to turn to multiple companies for different security solutions.