Emma Middleton,
Sales Director, ProtectBox
Jan 15th, 2021
How to Conduct a Cybersecurity Risk Assessment
ProtectBox explains how to conduct your own cybersecurity risk assessment.
Conducting a regular cybersecurity risk assessment keeps you on top of cyberthreats and helps identify where to direct your budget for maximum effect.
Cybersecurity risk analysis provides a methodological way of understanding, prioritising and taking action to mitigate security risk, reducing the probability of financial or reputational loss.
With security breaches on the rise across the board, it’s never been more important to invest time and resources in this area.
(Image source: Cyber Security Breaches Survey 2020)
That’s why we’ve outlined four key steps you can take to carry out your own cybersecurity risk assessment. In this article we’ll cover:
- Laying the groundwork for a successful cybersecurity risk assessment
- Determining the value of the information you hold
- Identifying threats and vulnerabilities
- Calculating the risk of each asset to prioritise mitigation spending
1. Lay the Groundwork for Your Cybersecurity Risk Assessment
Defining the scope and parameters of your cybersecurity risk assessment upfront will save significant confusion and time overruns.
Ultimately, before you start you will need to know:
- Which IT assets you will be analysing
- Who has the expertise to carry out the risk assessment
- Which business areas your conclusions might affect
- Whether there are any regulatory issues that might affect your activities
- What your budget is
Your team may have limited time and budget to complete the risk assessment. This means that attempting to evaluate your entire IT infrastructure might not be possible, particularly if you’re working in a larger organisation.
To ensure you can complete your cybersecurity risk assessment without overruns and with enough depth to draw meaningful conclusions, consider limiting your risk assessment to your most business critical assets, or areas where you believe risk is high.
As part of this stage, you may also want to perform a data audit so you’re clear on:
- Which data you collect
- Who has access to your data
- How long you keep your data for
- Your processes for storing, processing and protecting sensitive information or personal identifying information (PII).
To help in this process, at ProtectBox we take the hard work out of this step by letting you delegate questions to members of your team and/or third-party service providers, online. In fact, you can complete Steps 1, 2 and 3 simultaneously online to save both time and resources.
2. Determine the Value of Your Information
To calculate the potential damage various security threats could do to your organisation, you’ll need to calculate how much each of your assets is worth.
Base your estimates on these three considerations:
- Explicit monetary value (for example, the outright cost of servers and other hardware)
- Regulatory or legal importance (for example, whether you’re liable to fines or legal action without a particular asset)
- Business importance (for example, intellectual property or operation-essential IT systems)
To help you establish the value of your information ask yourself the following questions:
- How valuable is this information to a competitor?
- Could we recreate this information from scratch – and, if so, how long would it take and what would be the associated costs?
- Would revenue or profitability be impacted should this information be lost? If so, by how much?
- Would losing this data impact day-to-day business operations?
- Would a data leak lead to reputational damage?
3. Identify Threats and Vulnerabilities
Once you’re clear on the value of your assets, you can map out key threats and threat sources that pose a risk to them.
Threat sources include:
- System failure: crucial hardware or software crash
- Natural disaster: disasters like fire or flood that impact your data storage – particularly important to consider if you store data on-premise
- Human error: accidental data loss via alteration, unneeded access or device loss
- Adversarial threats: both internal and external malicious actors, including hacker groups, lone cybercriminals, disgruntled employees, employees being bribed or blackmailed, corporate espionage or adversarial nation states
- Business associate error: errors made by suppliers or vendors when handling data you share for business purposes
These sources open you up to the following threats:
- Accidental data loss
- Data leak, whether accidental or because of malware attack
- Unauthorised data access, either internal or external – and misuse of data by unauthorised users
- Cyberattacks like phishing, social engineering, ransomware and distributed denial of service attacks
- Service disruption and reputational damage
Identifying Where You Might Be Vulnerable
To complete a meaningful cybersecurity risk assessment, think about how vulnerable your assets are to the threats above.
Consider:
- How many people have access to your data assets
- What security controls you have in place already
- Whether you have had any cybersecurity issues with your assets before
Your R&D documents for a new product might be worth millions to a hacker who wanted to sell them on the dark web. If they’re encrypted at file level, only accessible by four authorised users and backed up securely, you might identify that the only significant threat source is malicious internal action.
On the other hand, a moderate-value sales file containing sales figures and some personal identifying information that is accessible to everyone in the company will have multiple access points. If you identify that half of your employees receive little to no cybersecurity training, you might judge that file to be particularly vulnerable to a data breach, either through untrained employees or via malware delivered by social engineering attacks.
4. Calculate the Risk of Each Asset and Prioritise Mitigation Spending
Now you know how much your assets are worth, which threats they are vulnerable to and what controls exist to mitigate those threats, you can calculate how much it would cost to protect them.
As an example, consider a file containing customers’ personal identifying information that you value at £50,000 and that would cause a financial impact of £34,000 if leaked. If you judge the probability of breach as medium (say, once every ten years), you can estimate a financial loss of £34,000 every ten years with your current controls – or £3,400 per year (for this asset alone).
Use this per-year cost as a benchmark for reasonable cybersecurity spend to protect the asset, but don’t forget about reputational loss as well. It might be worth spending more per year than your estimate to keep your customers’ trust – and by extension their business.
Prioritising Risks for Corrective Action
Performing the above calculations on all the assets you have helps you prioritise where to take action to mitigate risk. Use a scale as a basis for prioritising assets for increased spend or action to mitigate risk.
This could be as simple as:
- High risk: corrective measures to be taken immediately
- Medium risk: corrective measures to be taken, but not as urgent as high risk
- Low risk: no urgency for further action
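The per-asset calculation from Step 4 (impact divided by the expected years between breaches, giving an annual loss figure) and the high/medium/low scale above can be run over a whole asset inventory at once. The following script is an added example written for this article, not ProtectBox’s own tooling. The four sample assets are constructed: the customer PII file uses the article’s £50,000 / £34,000 / once-in-ten-years figures, the others are illustrative, and the £10,000 and £1,000 band thresholds are assumptions you would replace with your own scale.

```python
"""Annual loss estimate and high/medium/low ranking for a small asset inventory.

Added example for the risk-assessment article; all figures below are constructed
except the customer PII file, which uses the article's worked numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value_gbp: float                  # what the asset is worth (Step 2)
    impact_gbp: float                 # financial loss if the threat materialises
    years_between_breaches: float     # e.g. 10 means "once every ten years"
    current_control_spend_gbp: float  # what you already spend per year protecting it


# Assumed band thresholds on the annual loss figure; tune these to your own scale.
HIGH_RISK_GBP = 10_000
MEDIUM_RISK_GBP = 1_000

# Constructed sample inventory. The PII file matches the article's example exactly.
SAMPLE_ASSETS = [
    Asset("Customer PII file", 50_000, 34_000, 10, 500),
    Asset("File server (ransomware scenario)", 80_000, 120_000, 5, 2_000),
    Asset("R&D design documents", 2_000_000, 2_000_000, 500, 6_000),
    Asset("Public marketing brochure", 500, 200, 2, 0),
]


def annual_loss(asset: Asset) -> float:
    """Expected loss per year: impact spread over the years between breaches."""
    if asset.years_between_breaches <= 0:
        raise ValueError("years_between_breaches must be positive")
    return asset.impact_gbp / asset.years_between_breaches


def risk_band(annual_loss_gbp: float) -> str:
    """Map an annual loss figure onto the article's three-step scale."""
    if annual_loss_gbp >= HIGH_RISK_GBP:
        return "high"      # corrective measures to be taken immediately
    if annual_loss_gbp >= MEDIUM_RISK_GBP:
        return "medium"    # corrective measures to be taken, less urgently
    return "low"           # no urgency for further action


def spend_gap(asset: Asset) -> float:
    """Annual loss minus current control spend.

    A positive gap means the asset's annual loss exceeds what you spend
    protecting it, i.e. the per-year benchmark from Step 4 is not yet met.
    Reputational loss is not costed here and may justify spending beyond it.
    """
    return annual_loss(asset) - asset.current_control_spend_gbp


def rank_assets(assets: list[Asset]) -> list[tuple[str, float, str, float]]:
    """Return (name, annual loss, band, spend gap) sorted by annual loss, highest first."""
    rows = [(a.name, annual_loss(a), risk_band(annual_loss(a)), spend_gap(a)) for a in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, loss, band, gap in rank_assets(SAMPLE_ASSETS):
        print(f"{name:36} £{loss:>10,.0f}/yr  {band:6}  gap £{gap:>+10,.0f}")
```

Running it prints the inventory ranked by annual loss with its band and the gap between that loss and current spend, so the top rows are where corrective action and extra budget go first. Dividing by “years between breaches” rather than multiplying by a probability keeps the arithmetic in the same terms the article uses (“once every ten years”) and avoids floating-point noise in the benchmark figure.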
How Do You Reduce Risk?
The measures you can use to reduce risk fall into two categories:
- Preventative: methods which aim to stop an attack happening, such as staff training, access controls, firewalls.
- Detective: methods to identify when a security breach has occurred and mitigate damage, such as crisis protocols, backup and recovery plans and malware detection software.
So, for example, you could take preventative action to mitigate the risk of a data breach by making all staff change passwords regularly, restricting access to business-critical documents and providing anti-phishing training.
You could then back this up with well-laid-out data breach protocols and malware detection software.
With ProtectBox, you will receive 6 personalised bundles of recommendations for comparison. Your bundles not only include product descriptions, but reviews from real users so you can see what’s right for you. You even have the ability to personalise further by risk score, budget or suppliers.
Find the Right Cybersecurity Solution for You
The right cybersecurity solutions package will act as both a preventative and a detective method of mitigating cyber risk.
The difficulty is that there are a multitude of suppliers out there, offering different combinations of products.
At ProtectBox, our solutions are designed for you – and for your ease of use. You can Assess, Match and Bundle solutions, then Compare and Personalise and finally, Buy and Rate. A transparent process, with you at the heart of everything we do – to protect your business.
To start the process, why not just complete our free questionnaire and see how ProtectBox can protect your business.