Sales Director, ProtectBox
Jan 15th, 2021
How to Conduct a Cybersecurity Risk Assessment
Conducting a regular cybersecurity risk assessment keeps you on top of cyberthreats and helps identify where to direct your budget for maximum effect.
Cybersecurity risk analysis provides a methodological way of understanding, prioritising and taking action to mitigate security risk, reducing the probability of financial or reputational loss.
- Laying the groundwork for a successful cybersecurity risk assessment
- Determining the value of the information you hold
- Identifying threats and vulnerabilities
- Calculating the risk of each asset to prioritise mitigation spending
Defining the scope and parameters of your cybersecurity risk assessment upfront will save significant confusion and time overruns.
Ultimately, before you start you will need to know:
- Which IT assets you will be analysing
- Who has the expertise to carry out the risk assessment
- Which business areas your conclusions might affect
- Whether there are any regulatory issues that might affect your activities
- What your budget is
To ensure you can complete your cybersecurity risk assessment without overruns and with enough depth to draw meaningful conclusions, consider limiting your risk assessment to your most business critical assets, or areas where you believe risk is high.
As part of this stage, you may also want to perform a data audit so you’re clear on:
- Which data you collect
- Who has access to your data
- How long you keep your data for
- Your processes for storing, processing and protecting sensitive information or personal identifying information (PII).
To help in this process, at ProtectBox we take the hard work out of this step by letting you delegate questions to members of your team and/ or third party service providers, online. In fact, you can complete Steps 1, 2 and 3 simultaneously online to save both time and resource.
To calculate the potential damage various security threats could do to your organisation, you’ll need to calculate how much each of your assets is worth.
Base your estimates on these three considerations:
- Explicit monetary value (for example, the outright cost of servers and other hardware)
- Regulatory or legal importance (for example, whether you’re liable to fines or legal action without a particular asset)
- Business importance (for example, intellectual property or operation essential IT systems)
To help you establish the value of your information ask yourself the following questions:
- How valuable is this information to a competitor?
- Could we recreate this information from scratch – and, if so, how long would it take and what would be the associated costs?
- Would revenue or profitability be impacted should this information be lost? If so, by how much?
- Would losing this data impact day-to-day business operations?
- Would a data leak lead to reputational damage?
3. Identify Threats Value and Vulnerabilities
Once you’re clear on the value of your assets, you can map out key threats and threat sources that pose a risk to them.
Threat sources include:
- System failure: crucial hardware or software crash
- Natural disaster: disasters like fire or flood that impact your data storage – particularly important to consider if you store data on-premise
- Human error: accidental data loss via alteration, unneeded access or device loss
- Adversarial threats: both internal and external malicious actors, including hacker groups, lone cybercriminals, disgruntled employees, employees being bribed or blackmailed, corporate espionage or adversarial nation states
- Business associate error: errors made by suppliers or vendors when handling data you share for business purposes
These sources open you up to the following threats:
- Accidental data loss
- Data leak, whether accidental or because of malware attack
- Unauthorised data access, either internal or external – and misuse of data by unauthorised users
- Cyberattacks like phishing, social engineering, ransomware and a Distributed Denial of Service attack.
- Service disruption and reputational damage
Identifying Where You Might Be Vulnerable
To complete a meaningful cybersecurity risk assessment, think about how vulnerable your assets are to the threats above.
- How many people have access to your data assets
- What security controls you have in place already
- Whether you have had any cybersecurity issues with your assets before
Your R&D documents for a new product might be worth millions to a hacker that wanted to sell them on the dark web. If they’re encrypted at file level, only accessible by four authorised users and backed up securely, you might identify that the only significant threat source is malicious internal action .
On the other hand, a moderate value sales data file containing sales data and some personal identifying information that is accessible to everyone in the company, will have multiple access points. If you identify that half of your employees receive little to no cybersecurity training, you might judge that file to be particularly vulnerable to a data breach, either by untrained employees or via malware delivered by social engineering attacks.
4. Calculate the Risk of Each Asset and Prioritise Mitigation Spending
Now you know how much your assets are worth, which threats they are vulnerable to and what controls exist to mitigate those threats, you can calculate how much it would cost to protect them.
Performing the above calculations on all the assets you have helps you prioritise where to take action to mitigate risk. Use a scale as a basis for prioritising assets for increased spend or action to mitigate risk.
This could be as simple as:
- High risk: corrective measures to be taken immediately
- Medium risk: corrective measures to be taken, but not as urgent as high risk
- Low risk: no urgency for further action
How Do You Reduce Risk?
The measures you can use to reducing risk fall into two categories:
- Preventative: methods which aim to stop an attack happening, such as staff training, access controls, firewalls.
- Detective: methods to identify when a security breach has occurred and mitigate damage, such as crisis protocols, backup and recovery plans and malware detection software.