How to perform a cybersecurity risk assessment
Regular cybersecurity risk assessments are a must for all businesses. Risk assessments help businesses to be prepared for emerging digital threats and promote cybersecurity awareness amongst employees. The latter is particularly crucial since it has been shown that employees can be some of the weakest links in an organisation’s security structure.
We’ve put together a guide to performing a risk assessment to help organisations to start assessing their own business’ cyber risks. In this guide, we explain:
Understanding what risk is
Cybersecurity risk is the probability of an organisation to be exposed to, or incur a loss from a cyber attack or data breach. Risk is assessed in terms of the threat and vulnerability of an asset. The assessment of the loss can be either zero, low, medium or high.
Each of these components is explained for a better understanding of how they apply to cybersecurity risks:
- Threat: A natural or man-made event which may adversely or undesirably impact, minor or major, on an organisation’s asset or process
- Vulnerability: The absence or weakness of controls or safeguards in an asset or process (or an intrinsic weakness) which makes a threat potentially more harmful or costly, more likely to occur, or likely to occur more frequently.
- Asset: A resource, process, product, or system that has some value to an organisation and must, therefore, be protected. Assets may be tangible, for example, computers, data, software, records, or intangible such as privacy, access, public image, ethics. Those assets may likewise have a tangible value (purchase price) or intangible value (competitive advantage).
Given sufficient funding, motivation, resources, and time, any system or environment, no matter how secure, can eventually be compromised. Specific threats or events, such as natural disasters, are beyond our control and quite unpredictable.
Consequently, the main goal of managing risks is risk treatment: making specific decisions about identified risks.
The risk management triple comprises of an asset, a threat, and vulnerability and can be conveyed as the following formula:
Risk = Asset Value × Threat Impact × Threat Probability
Risks can never be eliminated entirely. Any system or environment can eventually be compromised, no matter how secure.
What is a cybersecurity risk assessment?
To improve cybersecurity, there are some fixes that organisations can undertake with very little preparation. However, more robust remediation usually start with a cybersecurity risk assessment.
A cybersecurity risk assessment helps organisations to understand any flaws or vulnerabilities within the organisation, and what steps are required to remediate them. A cybersecurity risk assessment is an essential part of risk management, and cybersecurity in general, because it focuses on choosing the right controls that are appropriate to the risk faced by and organisation.
Risk assessments are used to identify, estimate, and prioritise risk to organisational operations, organisational assets, individuals, other organisations, and the Nation, resulting from the operation and use of information systems.
A cyber security risk assessment helps determine the value of the various types of data generated and stored within the organisation. By valuing the multiple types of data within the organisation, businesses can prioritise and allocate technology resources where they are most needed.
One of the critical objectives of a cyber risk assessment is not only to keep the key decision-makers well informed about the situation and the risks involved but also to be ready to support proper responses to the risks involved. It also provides the decision-makers with an executive summary allowing them to make informed decisions about the organisation’s security. The process of information security risk assessment offers to provide answers to the questions stated below:
- Which of the organisation’s IT (information technology) assets is of the utmost importance?
- What type of data breach would leave a significant impact on the business? Will it be due to a human error, a cyber-attack, or a malicious malware threat?
- What are the major threats and their sources related to the concerned organisation?
- Whether or not the organisation has external or internal vulnerabilities?
- How likely are they to be exploited?
- What type of security mishaps, cyber threats, or cyber-attacks could severely damage the business’s ability to operate?
- What level of risk is within the organisation’s comfort zone?
Being able to answer these questions will allow you to decide what needs to be protected. It will help you initiate data security strategies and IT security controls for risk mitigation purposes.
These questions will not only allow you to realise the educational value of the data you are planning on protecting but also help you gain an understanding of your risk management process regarding the protection of your business needs.
Why should businesses perform a cyber risk assessment?
Organisations have plenty of reasons for undertaking a proactive and repetitive approach to addressing information security concerns. With the average business dependency on IT hardware and software on the rise, it would be sensible for businesses to conduct a cybersecurity risk assessment to prevent and prepare for any potential cyber attack or data leak.
Legal and regulatory requirements aimed at safeguarding confidential or personal data, as well as general public security requirements, set an expectation for organisations of all sizes to devote the utmost attention and priority to cybersecurity risks. Not only will a cyber risk assessment identify areas of vulnerability, but it will also help an organisation prioritise its risks and plan appropriate responses.
Further rationale for performing cyber risk assessment include:
- Meet regulatory requirements: Cyber risk assessment will help you meet any regulatory requirements which require to any customer data lost or stolen as a direct result of your non-compliance with GDPR, PCI DSS or HIPAA.
- Minimise data breaches: A data breach can leave a disastrous impact on an organisation’s reputation and finances.
- Prevent the loss of data: A cyber-security risk assessment highlights the weaker areas of your business, thus allowing you to take preventive measures to lower the risk of unwanted exploitation. These preventive measures, in turn, help you prevent any loss or theft of sensitive data such as critical information assets, codes or trade secrets. Otherwise, this very loss or theft of data could result in you losing your business.
- Prevent application downtime: Both customers facing systems and internal systems must be accessible and able to operate flawlessly to allow the staff members as well as customers to complete their respective tasks without worries or stress. Application downtime often leaves the users frustrated and in a foul mood.
- Reduce long-term costs: The identification of probable threats and vulnerabilities and their mitigation enables you to minimise any security mishaps, which helps you save your organisation’s money and time as well as any damage of repute.
- Improves understanding of the organisation: Learning about your organisation’s vulnerabilities will help you get a clear understanding of your organisation’s strengths as well as weaknesses which in turn will allow you to decide which area of your organisation needs to be improved the most.
Other than that, cyber risk assessments play an extremely crucial role in information risk management as well as an organisation’s overall risk management strategy.
Who conducts a cybersecurity risk assessment?
Theoretically, an organisation should have specialised personnel with relevant expertise in handling such matters. In other words, there should be a team of IT experts among the staff who are aware of all the ins and outs of both the information and network infrastructures.
Furthermore, the organisation must also have executives who have a clear understanding of the flow of information as well as any other exclusive piece of information related to the organisation that might prove fruitful during the cyber risk assessment. One of the most critical factors for a thoroughly conducted cyber risk assessment is organisational transparency.
However, small scale businesses might not be able to hire the required team of IT experts in-house for conducting a thorough cyber risk assessment due to their financial limits. Hence, they may have to resort to outsourcing the cyber risk assessment to a third party and hope that it does a good job.
Some of the organisations have even resorted to using the cybersecurity software to keep an eye on their cybersecurity scores, mitigate third-party risks, avoid data and security breaches, and send security questionnaires.
Performing a cybersecurity risk assessment
We’ll start with an overview of the entire process and then go over each step in detail. Firstly, before you begin to assess and mitigate risks, organisations should obtain a clear idea of the actual worth of the data and assets being protected.
The best way to do so is by conducting an audit of your data. It will also enable you to answer the questions mentioned below:
- What type of data do we gather?
- How does it get stored?
- Where do we keep it?
- How do we keep this data safe?
- How do we record it?
- How long do we retain it?
- Who is authorised to access this data both internally and externally?
- Has the place we keep the data at been secured? The majority of the security breaches are a result of weak S3 bucket configurations. Hence, make it a point to check your S3 permissions before someone else does it for you.
The second step to specify the criteria for your cyber-security risk assessment. The following questions offer a good start:
- What is the primary objective of this assessment?
- What is the actual scope of this risk assessment?
- Should I be aware of any prime issues or limitations that could gravely affect the assessment?
- Is there any specific person in the organisation that I should connect with to access the information I’ll need for the assessment?
- Which risk model has the organisation been using for its risk analysis?
Most of the aforementioned questions are too simple to be explained. The real question is what exactly are you going to be analysing, who has the knowledge and the expertise required to conduct a thorough assessment, and whether or not there you need must be aware of any budgetary constraints or regulatory requirements.
Cybersecurity risk assessment: A step by step guide
Let’s talk about the steps required to be followed to perform a cyber-security risk assessment and preventing you with a risk assessment template:
1. Ascertaining the value of your data:
A vast majority of organisations don’t usually have unlimited resources to spend on information risk management. They have to work it out within their budget. Hence, the best course of action is to restrict the scope of your assessment to the assets with the utmost significance in the business.
Setting criteria for ascertaining the worth of an asset will help you save both time and money in the future. Many organisations use an asset’s importance in business, and it’s legal standing as well as its value as standards for determining its worth. Once the criteria have been specified and officially integrated into the information risk management policy of the organisation, it can be used to categorise the assets as minor, major, or critical.
The following questions can help you ascertain your asset’s worth:
- Would you get charged with any legal or financial penalties in case of loss or exposure of the concerned information?
- How dangerous could this information be for your business if it fell into the hands of your competitor?
- Can this information be recreated from scratch?
- How long could it take for it to be recreated, and how much would it cost?
- Could the loss of this information leave a damaging impact on the income or profits of the organisation?
- Could the loss of this information severely affect the daily operations of the business?
- Could the employees be able to perform their duties without the said information?
- In case of a breach, how devastating of an impact could the leak of the said data have on the organisation’s repute?
2. Recognise and rank your assets
This step revolves around the recognition of your assets for the appraisal and ascertainment of the range of the cybers-security risk assessment. It will help you categorise your assets, so you could determine which assets should be assessed first. The process is so extensive and costly that you might not be able to conduct a thorough assessment for every single one of your assets. Therefore, you might want to focus first on the most critical ones. Plus, not every employee, electronic data, building, trade secret, office equipment, or vehicle you own needs a thorough risk assessment.
Therefore, what you need to do is work alongside management and business users to generate a list of all the valuable assets in your business, and for each asset that you own, you much collect the following pieces of information, wherever applicable:
- Functional requirements of the asset;
- IT security policies and architecture;
- Network topology;
- Information storage protection and flow;
- Technical and Physical security controls;
- Environmental security;
- Hardware and software specifications;
- Data and Interface;
- End-users and Support Personnel;
- Purpose and Criticality;
3. Identify threats
A threat can be defined as a weakness that can be exploited by others to breach your system security, damage, or ruin your sensitive business information. In addition to malware, hackers, there are several other risks just as dangerous, including, but not limited to, the following:
- Natural disasters: Natural disasters like earthquakes, floods, tsunamis, and thunderstorms, could be just as lethal as any hacker or malware. It would destroy not only your data but also your servers and any other devices that you have installed next to them. It is crucial to have your information stored on cloud servers so that, in case of a natural disaster, you could retain a copy of the data backed up on cloud servers.
- System failure: Make it a point to provide your most crucial systems with the best quality equipment available.
- Human error: Ensure that the configuration of your S3 buckets that containing sensitive business information is impeccable. Are your employees well-educated about social engineering, malware, and phishing? Do they know how to avoid or deal with these issues? Make sure that you have robust IT security controls in place including, but not limited to, password managers and regular data backups.
- Adversarial threats: Adversarial threats include threats from ad hoc groups, established hacker collectives, insiders, corporate espionage, suppliers, trusted insiders, third party vendors, privileged insiders, and nation-states.
Some of the most mundane threats affecting almost every organisation include:
- Unauthorised access: Unauthorised access either due to malware attacks, hackers, or employee’s errors.
- Misuse of information by authorised users: Usually, the main threat in these cases is an insider who misuses his authority to steal, damage, delete, use or alter sensitive information without proper approval.
- Data leaks: Due to poorly configured cloud services, sometimes hackers gain access to the information and end up leaking sensitive information such as personally identifiable information (PII).
- Loss of data: Any loss data by the organisation either due to accidental deletion of data in the absence of an adequate data backup or recovery measures.
- Service disruption: Application or system downtime can easily cause a business to lose its income and damage its reputation.
Once you have recognised the threats that your organisation is facing, you will also have to evaluate their impact thoroughly.
4. Recognise the vulnerabilities:
Vulnerability, just like a threat, is a weakness that can be exploited to breach security, steal sensitive information, use it, or alter it or damage it completely.
You can identify your organisational vulnerabilities with the help of audit reports, vulnerability analysis, the National Institute for Standards and Technology (NIST) vendor data, vulnerability database, software security analysis, and incident response teams.
5. Analysis of existing controls and the implementation of new ones:
Perform a detailed analysis of controls to see if they are in place or not, and if there’s any need for new controls to be implemented. It will minimise the risk of a threat attacking your system.
You can implement controls through technical means like software, hardware, intrusion detection mechanisms, automatic updates, two-factor authentications, and continuous data leak detection. Or through nontechnical means such as physical mechanisms, i.e., keycard access or locks, and security policies.
6. Calculation of the probability and effect of a wide range of scenarios annually:
After getting a detailed understanding of the value of information, asset worth, threats, and vulnerabilities, you must not try to figure out how probable it is for these threats to occur or vulnerabilities to be exploited the consequences if they do. How would they impact the operations and the reputation of the organisation?
7. Rank your risks based on the preventive costs vs value of information:
Use the risk level as a basis and determine actions for senior management or other responsible individuals to mitigate the risk. Here are some general guidelines:
- High – Corrective measures must be taken as soon as possible;
- Medium – Corrective measures can be made within a specified time. There is no rush.
- Low – Decide whether or not you want to accept the risk or mitigate it.
Once you have determined an asset’s value, it will be easier for you to decide if it is worth protecting and spending a little more on or not. If the value of your asset is lower than the cost of protection it requires, then it is not worth it.
Furthermore, it is not only the financial impact which should have you worried. These risks, if not appropriately mitigated, could have a reputational impact as well.l.
8. Document results in a risk assessment report
The last step to this extremely exhausting process is the generation of a cyber-security risk assessment report to allow your management to make informed decisions regarding the inherent risks and vulnerabilities. The report should offer a detailed description of the risks involved, the vulnerabilities, and the value of data against each thread.
In addition to that, it should also mention the probability or those threats occurring, the expected level of impact on the organisation’s finances, operations and reputation, and a list of recommended preventive measures to control the situation.