Whether it’s HR systems, payment systems, or client databases, your data falling in the wrong hands can turn into a weapon of irreparable harm. Not only is a data breach expensive to correct, but it may also end up costing you in legal settlements and fines. According to IBM, the average cost of a data breach rose to $4.24 million in 2021 — the highest figure on record. Every organization that deals with digital data should conduct a regular cybersecurity risk assessment to avoid these threats.
What is a Risk Assessment in Cybersecurity?
A cybersecurity risk assessment is an analysis of threats to your information and operational technology systems. A completed cybersecurity assessment will result in a report detailing the risk and remediation measures for all your network-connected assets. These can be obvious things like your computers and servers, but also less-obvious Internet of Things (IoT) objects like printers, digital thermostats, and even fish tanks.
Hackers aim to breach your security systems in any way possible to steal your company’s data and make money. Whether it’s stolen credit card info, bank account numbers, personnel files, or patient records, hackers can find a willing market for stolen data on the dark web, where information can go for as little as a few dollars but cost organizations big money.
And that’s just if they steal your information. Another rising form of cyber threat is ransomware which locks your systems until you pay the hacker a fee — and even then recovery is not guaranteed. Having a business continuity and disaster recovery framework in place can help, but breach prevention is a much easier and more cost-effective measure.
A regular cybersecurity risk assessment is essential to ensuring your organization is prepared for any cyber risk. It’s good for your business relationships and your bottom line.
Cybersecurity Risk Assessment Framework
Before committing to a cybersecurity risk assessment, it’s important to choose a framework. A framework is a system of standards, guidelines, and best practices that helps you identify baseline controls and creates a methodology for systematically improving cybersecurity. There are many frameworks to choose from. While choosing the right framework is important, deploying it effectively matters more.
One of the most common is the NIST cybersecurity risk assessment. NIST, the National Institute of Standards and Technology, is a government agency that develops technological standards for industry and government.
NIST has a general cybersecurity framework as well as frameworks for specific, highly sensitive industries such as healthcare and financial services. NIST compliance is required for many government contracts in sensitive industries such as defense or election management.
There are other cybersecurity standards such as ISO and HITRUST which have their own specified use cases. Whatever cybersecurity risk assessment template you choose, your cyber risk management policy will only be as effective as you are proactive.
How to Conduct a Cybersecurity Risk Assessment
Regardless of the security standard you choose to implement, conducting a cybersecurity risk assessment follows the same general steps. You will inventory your cyber assets, assess them for vulnerabilities, identify the various potential threats, and prioritize your risk remediation strategies.
An easy-to-understand way to conceptualize this is to think about your business’s technology infrastructure as a house. Cybercriminals are like thieves trying to break in and steal your belongings. With this in mind, let’s discuss how you can secure your home.
Identify Your Entryways (Assets)
Like the windows and doors of your home, your information and operational technology (IT and OT) are access points that cybercriminals can use to break into your business. Before you can work on securing these entry points, you have to know where they are.
The first step in a cybersecurity risk assessment is to identify and itemize all your IT and OT assets. Begin by creating an itemized list that also details what software they run and what in your network they are connected to.
Many organizations find it helpful to apply labels to digital assets to keep track of them. In businesses with good cybersecurity, it’s fairly common to see barcodes on CPU towers, on the bottom of mice, and on projectors. This allows you to track your assets on an ERP or other asset tracking system.
Identifying and labeling assets will help you when it comes time to install and update cybersecurity tools and configurations. With labeled assets, you can ensure that all of your assets receive the appropriate cybersecurity protections. This will also make it easier for SOC analysts to identify which devices are associated with SIEM log events.
For organizations starting from scratch, conducting a risk assessment on the entire organization may be a large task. In that case, it’s a wise idea to break down your cyber infrastructure into manageable chunks. In our house metaphor, this means securing your front door and first-floor windows (personal computers, servers, and networks).
Identify Your Valuables (Risks)
When a burglar breaks into your home, it’s unlikely they’re interested in your family photos or cookbook collection. Instead, they’re after the high-value items like cash, technology, and jewels. Likewise in your business, there are certain objectives or items that are more valuable to cybercriminals than others.
Once you understand what entry points you have, it’s time to think like a thief.
An easy way to do this is to classify your risks in a systematic way.
- Magnitude: If this item was stolen or breached, what would the monetary or reputation cost be? Is this like stealing a Matchbox car or a Ferrari?
- Timescale: How long will it take for someone to notice if these assets are left unsecured? Is this like an open garage door that poses an immediate risk or an unlocked attic window?
- Origination: Where is the threat of a security lapse coming from: individual teams, or automated systems? Are you worried about someone with keys to your home or a shadowy figure with a crowbar?
- Impact Type: What kind of consequences would a breach have: financial, reputational, environmental, etc? Will you need to file an insurance claim or just grab a mop and bucket?
- Affected Parties: If you get attacked, who is going to pay the price: your employees, customers, shareholders? You likely aren’t the only one who will be affected by a break-in to your home.
Not all assets and information carry the same risk. Some risks may not result in any negative consequences while others may stand to bankrupt your whole business. Knowing which are the serious and likely threats is crucial to a sensible cybersecurity policy.
One helpful way to visualize a risk assessment is to plot the likelihood and magnitude of possible threats. The chart above gives an example of such a plot, with zero-day APTs, DDoS attacks, and social engineering plotted based on a company’s security profile. If your business has DDoS protection and doesn’t deal with government secrets, your plot may look like this.
While you could try to remediate every risk you find, this probably isn’t a feasible way to approach security assessment. A better approach is to prioritize risks according to their likelihood and severity. In this way, you fix the biggest vulnerabilities first, protecting your business from massive damage.
Once you know what you have to lose and how you could be attacked, it’s time to think about how cybercriminals would break into your home. Will they sneak in while you’re sleeping? Will they walk in the front door like a guest?
With your vulnerabilities identified, you need to analyze how those risks can be turned into threats. This step will probably require the most research, as new threats are developing every day.
From ransomware to backdoors to social engineering, threats are multiplying every day. With the shift to remote work, identity verification is more difficult leading to an increase in cyberattacks and scams.
Here are just a few recent real-world examples:
- The Colonial Pipeline Co. was a victim of a ransomware attack that investigators believe was the result of a single compromised password. Hackers were able to implant ransomware, locking their entire network until they paid a $4.4 million ransom. The hack caused nationwide fuel shortages in the US. With the intervention of the FBI, the company was able to recover part of the ransom. Most companies aren’t so lucky.
- The United States Office of Personnel Management was the victim of a data breach that exfiltrated personal identifying information of government employees and contractors including social security numbers. It’s suspected that the attacks were carried out by the Chinese government. As a result of the hack, the government provided identity monitoring services to affected personnel.
- In the healthcare sector there has been a wave of ransomware attacks from Russian cybercriminal gangs. These attacks have cost hospitals millions of dollars and led to actual deaths.
Identifying threats is very difficult, and the opportunity for error is massive. New threats are developing every day motivated by greed, politics, or espionage. For this reason, it’s a good idea to consult with a cybersecurity expert.
With your threats identified you’re ready to strategize about mitigation. However, it is unlikely that you can (or should) completely patch every vulnerability. After all, if you put up a 10-foot tall steel fence with a lava-filled moat around your home, it’s going to be a pain trying to get in or out. Likewise, many vulnerabilities are necessary for communication or easy data access in your business.
For this reason, every risk should be given a risk rating, so that risks and their remediation can be prioritized. A helpful approach is to use a cybersecurity risk assessment matrix when identifying risks.
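As an added worked example (not Foresite’s code, and not part of ProVision or FIRM), the following Python script turns the ideas above into a small risk register: each risk carries the classification fields from the list above (magnitude, timescale, origination, impact type, affected parties), gets a rating of likelihood × magnitude, is placed in a 5×5 risk matrix, and the register is sorted so the biggest and most likely threats come first. The 1–5 scales, the band thresholds, and the sample entries are all assumptions constructed for illustration.

```python
"""Risk register with likelihood x magnitude rating and a 5x5 matrix.
Added example; scales, thresholds and sample risks are constructed."""
from dataclasses import dataclass, field

# Ordinal scales (assumed for this example): 1 = lowest, 5 = highest.
SCALE = range(1, 6)


@dataclass
class Risk:
    asset: str                  # the "entryway" from the asset inventory
    threat: str                 # how that entryway could be abused
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    magnitude: int              # 1 (Matchbox car) .. 5 (Ferrari)
    timescale: str              # how quickly an unsecured asset gets noticed
    origination: str            # insider, automated scanning, external, ...
    impact_type: str            # financial, reputational, operational, ...
    affected_parties: list[str] = field(default_factory=list)

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot skew the matrix.
        for name in ("likelihood", "magnitude"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be 1..5 for {self.asset!r}")


def score(risk: Risk) -> int:
    """Risk rating = likelihood x magnitude, in the range 1..25."""
    return risk.likelihood * risk.magnitude


def band(points: int) -> str:
    """Map a 1..25 score onto a colour band of the matrix.
    The thresholds are assumptions; tune them to your risk appetite."""
    if points >= 15:
        return "Critical"
    if points >= 10:
        return "High"
    if points >= 5:
        return "Medium"
    return "Low"


def prioritize(register: list[Risk]) -> list[tuple[str, int, Risk]]:
    """Return (band, score, risk) tuples, highest score first.
    Ties go to the more likely threat, since it will materialise sooner."""
    ordered = sorted(register, key=lambda r: (score(r), r.likelihood),
                     reverse=True)
    return [(band(score(r)), score(r), r) for r in ordered]


def matrix(register: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Group threats by (likelihood, magnitude) cell: the text form of the
    likelihood-versus-magnitude plot described in the article."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in register:
        cells.setdefault((r.likelihood, r.magnitude), []).append(r.threat)
    return cells


def render(register: list[Risk]) -> str:
    """ASCII 5x5 matrix: rows = likelihood (5 at the top), columns = magnitude,
    each cell holding the number of risks that land there."""
    cells = matrix(register)
    lines = ["L\\M " + " ".join(f"{m:>3}" for m in SCALE)]
    for lk in reversed(SCALE):
        row = [f"{len(cells.get((lk, m), [])):>3}" for m in SCALE]
        lines.append(f"{lk:>3} " + " ".join(row))
    return "\n".join(lines)


# Constructed sample register, loosely following the article's example plot
# (DDoS protection in place, no government secrets handled).
SAMPLE_REGISTER = [
    Risk("Public web server", "DDoS", 4, 2, "minutes", "external",
         "operational", ["customers"]),
    Risk("Staff mailboxes", "Phishing / social engineering", 5, 4, "hours",
         "external", "financial", ["employees", "customers"]),
    Risk("Domain controller", "Zero-day exploited by an APT", 1, 5, "months",
         "external", "reputational", ["shareholders", "customers"]),
    Risk("Lobby printer (IoT)", "Default credentials left in place", 3, 2,
         "weeks", "automated scanning", "operational", ["employees"]),
]

if __name__ == "__main__":
    for b, s, r in prioritize(SAMPLE_REGISTER):
        print(f"{b:<8} {s:>2}  {r.asset}: {r.threat}")
    print(render(SAMPLE_REGISTER))
```

Run it and the phishing risk lands at the top as Critical (5 × 4 = 20) while the APT zero-day, despite its maximum magnitude, rates only Medium (1 × 5 = 5) because it is unlikely for this business profile; that ordering is the prioritization the text recommends. The band thresholds are the part to argue about with your own risk owners, not the arithmetic.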
How do you remediate a vulnerability? There are many cybersecurity tools you can buy, but off-the-shelf software is not the same as a comprehensive cybersecurity strategy. Employees need to be trained to recognize social engineering. Software needs to be properly configured. In short, you need a base of knowledge to guide you through a cybersecurity risk assessment.
Cybersecurity Risk Assessment Tools
A cybersecurity risk assessment is the first step in a comprehensive cybersecurity strategy. Your business has lots of digital parts, likely more than you can think of off the top of your head. Ensuring these parts are protected is crucial to the functioning of your business.
Cybersecurity risk assessments used to be a tedious manual process of checking individual devices for software and hardware configurations. Now these processes have largely been automated.
Foresite offers cybersecurity automated solutions to help companies understand their risk and align to security frameworks quickly. ProVision is an all-in-one cybersecurity solution that provides vulnerability assessments, network monitoring, and breach response while FIRM makes it easy to achieve framework compliance in days, not weeks or months.
Thinking about your technology infrastructure like a home for your data makes it easy to understand the associated assets, risks, and threats.
Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.