One of the most important aspects of cyber security, and something that many organisations get wrong, is identifying relevant risks. You cannot protect against every threat and every weakness you face, because they are simply too numerous.
If you tried, you would have an overly complex cyber security system that was impractical to maintain, and you would spend huge amounts of your budget doing so.
That’s why cyber security risk assessments are crucial. They give organisations the opportunity to assess the threats to their systems and sensitive information and to allocate their resources efficiently.
What are cyber risks?
Cyber risks are incidents that could disrupt an organisation’s systems or compromise sensitive information. They usually relate to data breaches and therefore come with regulatory ramifications. For instance, organisations are required to disclose certain security incidents under the GDPR (General Data Protection Regulation) and similar legislation.
But cyber risks can also refer to other types of disruption. A DDoS (distributed denial-of-service) attack is another form of cyber security risk. Similarly, ransomware is a cyber risk, with the malware potentially crippling an organisation’s systems.
These are just two examples. There are a wide variety of techniques at cyber criminals’ disposal and countless ways in which cyber risks can manifest.
Plus, there are risks related to an organisation’s employees. If they make mistakes, such as leaving databases publicly available or failing to follow an organisation’s security policies, they could be responsible for a data breach.
What is a cyber risk assessment?
A cyber risk assessment ensures that organisations evaluate and document the potential causes for data breaches. They can then use this information to prioritise mitigation strategies and ensure that appropriate defensive measures are taken.
Completing the risk assessment will help you answer three questions:
- Under what scenarios is our organisation under threat?
- How damaging would each of these scenarios be?
- How likely is it that these scenarios will occur?
Conducting a cyber security risk assessment
When conducting a cyber security risk assessment, you should follow these seven steps:
1. Determine the scope of the risk assessment
A cyber security risk assessment begins by determining what’s in scope of your evaluation. This involves identifying which parts of your organisation are at risk of cyber security incidents.
More specifically, you should look at where digital information is stored, as well as at physical assets and where they’re kept, such as server rooms and remote workers’ homes.
2. Identify assets
Once you’ve defined the scope of your assessment, you can look further at specific assets that could be compromised.
There is no set way in which you should complete this process, but it’s important that you understand the ways that a cyber criminal might leverage their access. As such, you should not simply identify your organisation’s crown jewels – such as databases containing customer files or your financial directory.
You should also consider the steps that could lead criminal hackers there. For example, they might attempt to compromise an employee’s account to gain unauthorised access to the system, or they might infect a computer with a poisoned USB stick.
3. Identify threats
This step is closely linked to the identification of assets, because for a risk to manifest you need an asset that can be compromised and an actor who can threaten it.
Having previously identified assets, it’s time to consider threats. The most obvious threats relate to criminal hackers and the tools at their disposal, but you should also consider weaknesses in your own systems.
For example, a negligent employee might expose a database, while a malicious insider could deliberately leak information.
There’s also the possibility of a system failure corrupting files, or a natural disaster damaging physical infrastructure (for example, a fire or flood could destroy a server or knock power supplies offline).
4. Identify vulnerabilities
We now move on to the final aspect of cyber risk: vulnerability. A vulnerability is a known flaw that can be exploited to damage or compromise sensitive information.
Vulnerabilities are often associated with software and how it can be exploited to perform tasks it wasn’t intended for. Examples include injection flaws, cross-site scripting flaws, broken access control and misconfigurations.
5. Create a risk score
Now that you have a comprehensive understanding of your organisation’s risks, threats and vulnerabilities, you must determine which scenarios pose the biggest problem.
You can do this by comparing risks and assigning each one a ‘risk score’. The score should be calculated by determining the likelihood that it might occur and the damage that it will cause.
When assessing potential damage, you should consider how the confidentiality, integrity and availability of data can be affected by each risk.
You should also consider the business, legal, contractual and regulatory implications of risks, including the cost of replacing the asset, the potential loss of income, fines and reputational damage.
6. Determine the right risk management strategy
There are several ways that you can address risks, and the best course of action will depend on your specific circumstances.
You can, for example, modify the risk by implementing a control to reduce the likelihood of it occurring.
Alternatively, you can avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too significant to manage with a security control.
Another option is to share the risk with a third party. This might involve outsourcing the security efforts to another organisation or purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster.
The final option is to retain the risk. This means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.
7. Document your results
The final step is to create a report summarising your findings.
This will be used to help senior management make decisions regarding the organisation’s cyber security budget and the policies and procedures that are implemented.
For each cyber security risk, the report should describe the nature of the issue and its risk score, including a breakdown of its likelihood and the damage it would cause. The report should also provide a recommended risk mitigation strategy.
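As an added illustration (not part of the original article or of any Vigilant Software tool), the following Python example runs steps 5 to 7 over a small constructed risk register. The 1-5 rating scales, the likelihood x worst-case CIA damage formula and the thresholds in recommend() are assumptions; the article prescribes none of them.

```python
from dataclasses import dataclass

# Assumptions (not from the article): 1-5 ordinal scales, score = likelihood x
# worst-case CIA damage, and the thresholds used in recommend().
@dataclass
class Risk:
    scenario: str          # asset, threat and vulnerability (steps 2-4)
    likelihood: int        # 1 = rare ... 5 = almost certain
    confidentiality: int   # damage to each property: 1 = negligible ... 5 = severe
    integrity: int
    availability: int
    treatment_cost: int    # estimated cost of treating the risk
    estimated_loss: int    # estimated cost if the scenario occurs

    @property
    def damage(self) -> int:
        return max(self.confidentiality, self.integrity, self.availability)

    @property
    def score(self) -> int:
        return self.likelihood * self.damage

def recommend(r: Risk) -> str:
    """Map a scored risk to one of the four responses in step 6."""
    if r.treatment_cost > r.estimated_loss:
        return "retain"    # treating it costs more than the damage it would cause
    if r.score >= 20:
        return "avoid"     # too significant to manage with a control
    if r.damage >= 4 and r.likelihood <= 2:
        return "share"     # rare but severe: insure or outsource
    return "modify"        # apply a control to reduce the likelihood

def report(register: list[Risk]) -> list[tuple[str, int, int, int, str]]:
    """Step 7: rows of (scenario, score, likelihood, damage, response), worst first."""
    ranked = sorted(register, key=lambda r: (r.score, r.damage), reverse=True)
    return [(r.scenario, r.score, r.likelihood, r.damage, recommend(r)) for r in ranked]

# Constructed sample register; every rating and cost figure is illustrative.
REGISTER = [
    Risk("Customer DB exposed by misconfiguration", 3, 5, 2, 1, 5_000, 250_000),
    Risk("Ransomware on file servers", 4, 3, 4, 4, 40_000, 500_000),
    Risk("Flood destroys on-site server room", 1, 1, 2, 5, 20_000, 300_000),
    Risk("Poisoned USB stick on a kiosk PC", 2, 2, 2, 2, 8_000, 3_000),
    Risk("Legacy FTP server holding payroll exports", 5, 4, 3, 2, 2_000, 150_000),
]

if __name__ == "__main__":
    for row in report(REGISTER):
        print("{:<42} score={:>2} (L={} x D={}) -> {}".format(*row))
```

Keeping likelihood and damage as separate columns in the output matters: two risks with the same score can call for different responses, as the flood and USB rows show.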
Meet your cyber security requirements
Cyber security risk assessments are a crucial aspect of regulatory compliance. Laws and standards such as the GDPR and the PCI DSS (Payment Card Industry Data Security Standard) mandate that an assessment be completed to ensure that the organisation understands the potential ways that it might suffer a data breach.
Risk assessments are also necessary for voluntary standards, such as ISO 27001. The international standard describes best practice for information security management, and organisations are often obliged to implement its framework to win business with suppliers.
You can learn how to complete risk assessments and meet your compliance requirements with Vigilant Software’s CyberComply platform.
This toolkit helps organisations manage their cyber security compliance requirements. It guides you through your compliance needs and the most appropriate controls to mitigate risks.
Plus, it comes with tools dedicated to treating security threats, risk management and data flow mapping.
The platform is ideal for small- and medium-sized organisations to address their information security and compliance requirements.