How safe is your organization from cyberthreats? The best way to answer that question is by performing a thorough cyber security risk assessment. A cyber security risk assessment—the process of identifying, analyzing and evaluating risks—is the only way to know which cybersecurity controls you need, and how to prioritize them. Without such an assessment you could waste time, money and resources on events which might have minimal impact and be ill-prepared for events that might have significant ones.
These Are the Steps You Need to Perform Your Own Cyber Security Risk Assessment:
Review Your Resources
Before you can assess risk, you should review all the resources you need to protect. Don’t just audit the resources you think might be at risk. Assess everything that connects to your network. Hackers will.
For example, did you know smart watches can be hacked to steal ATM PIN numbers and passwords, merely based on your hand movements? Or that someone can take control of a presenter’s screen and screen controls by hacking into video conferencing technology? In your cyber security review include IoT devices, unused desktops, and everything you use on a daily basis including telephones (landline and smart phones), applications and routers. A cybersecurity risk assessment will identify not only hardware but customer data and software.
Threat identification should include anything that can damage your infrastructure, cost you money from lost revenue, threaten intellectual secrets or infringe customer (or employee, or student or family) privacy. While a professional will be able to identify those threats more thoroughly than you can yourself, you can still perform a cursory review of them. For example, malware and viruses are obvious network risks.
The hardest part, and why a professional cyber security risk assessment is important, is identifying those lesser known risks, such as from your printer or voice mail. A professional will check to see if firmware updates have been made, as well as the status of your firewall and antivirus software.
Don’t forget to consider threat assessment from an internal standpoint as well. As
Jorge Rey, chief information security officer for accounting firm Kaufman Rossin recently said, “I think small businesses [are] worried about threats that [aren’t] even affecting them. They’re all freaking out about hackers, but they’re not even looking at their own employees and their access to systems and … data.”
Not every risk listed in your cyber security risk assessment is a high priority, and determining the risks, and impact of those risks, will help you determine where to focus your security attention and dollars. You should rate each risk on a scale of low to high. This will help you prioritize your initial and longer-term efforts. For example, you could rate your risks according to this scale:
High – Substantial, possible crippling and unrecoverable impact
Medium – Damaging, but recoverable or inconvenient
Low – Impact is minimal and easily worked around
An example of a high-risk resource would be your perimeter routers. A router with outdated firmware could let hackers run rampant. Conversely, a low risk resource might be data or documents that do not have sensitive information, or that is publicly available.
You likely have basic protocols in place, but how much protection do they really provide, and where are you the weakest? Hiring a professional (like DYOPATH) may be critical in completely understanding how well you are protected from each possible threat. DDoS security, adequate cyber security monitoring services, and employee training are basic proactive protection measures you should be taking (and which we have written about many times before on this site).
Calculating risk will also help you determine what areas to prioritize, and what threats need immediate financial support in order to implement. Two questions to ask are: What is the chance of each incident occurring, and what amount of risk, if any, am I willing to accept? Your type of organization, such as whether you are a business or school, or a public or private entity, will no doubt greatly influence that decision.
When determining the likelihood of each event, you will need to list every breach point and possible point of origin for an attack, both external and internal. Depending on network complexity, this could involve dozens of breach/source pairings.
DYOPATH Can Help
Creating a cyber security risk assessment is not an undertaking that can be finished in an afternoon. It takes careful analysis, and quite a bit of experience. After you finish your initial steps and have a basic grasp of your potential risks and vulnerabilities, you will want an outside expert to fill the gaps and take an unbiased, knowing look. At DYOPATH, we’re well-versed at doing exactly this. DYOPATH can help identify trouble spots, give advice on how to prevent problems, and provide guidance if problems do happen. Our impressive menu of security solutions will go a long way to protect your valuable assets, and your organization from risk. A cyber security risk assessment is a critical step in protecting your organization. Ask us how to get started.