June 4th 2020
I’m a Principal Security Consultant and an instructor for the SANS DEV541 Secure Coding in Java/JEE.
Companies are increasingly spending money on cyber security. However, attackers are launching more sophisticated cyber attacks that are hard to detect, and businesses often suffer severe consequences from them.
Performing a cyber security risk assessment helps organizations strengthen their overall security. The primary goal of a risk assessment is to determine which assets are critical and, if a threat were to exploit those assets, how much it would cost to mitigate those risks and protect your assets from a breach.
How can you perform a cyber risk assessment?
In order to perform a cyber security risk assessment, you need to consider three factors:
- Importance of the assets at risk
- Severity of the threat
- Vulnerability of the system
But before we dive into how to perform a cyber security risk assessment, let’s understand what a cyber security risk assessment is.
What is a Cyber Security Risk Assessment?
A cyber security risk assessment is the fundamental approach for companies to assess, identify, and modify their security protocols and enable strong security operations to safeguard the organization against attackers.
It also helps to understand the value of the various types of data generated and stored across the organization. Without determining the value of your data, it is quite difficult to prioritize and assign resources where they are needed the most.
In a cyber security risk assessment, you also have to consider how your company generates revenue, how your employees and assets affect the profitability of the organization, and what potential risks could lead to monetary losses for the company.
Once you have identified all this, you should think about how you could enhance your IT infrastructure to reduce potential risks that might lead to financial losses to the organization.
Furthermore, a cyber security risk assessment helps inform decision makers and support proper risk responses. Most C-suite executives and higher management professionals don’t have the time to delve into the minute details of the company’s cyber security operations.
A cyber security risk analysis serves as a summary to help them make informed decisions about security for their organization.
There are several ways you can collect the information you need to start your risk assessment process:
- Review documentation.
- Interview data owners, management, and other employees.
- Analyze your infrastructure and systems.
How to Perform a Cyber Security Risk Assessment
To begin a cyber security risk assessment, take the following steps:
Step 1: Determine Information Value
Most organizations don’t have a large budget for security risk assessments, especially small-to-medium businesses (SMBs), so it’s best to limit your scope of assessment to the most critical business information.
Spend time to define a standard for determining the importance of information and prioritizing it. Companies often include asset value, business importance, and legal standing.
Once you have created a standard and it is embedded in your organization’s cyber security risk analysis solution, use it to categorize information as minor, major, or critical.
Here are some questions that you can ask to determine information value:
- How valuable is this information to competitors or attackers?
- If this information is lost, could you recreate the information? How long would it take? What would be the associated costs?
- Are there any financial or legal penalties associated with losing or exposing the information?
- Would losing the information impact the company’s day-to-day operations?
- What would be the financial damage of the data being leaked or stolen?
- What would be the long-term impacts of the information being lost completely or exposed? Would it cause reputational damage? How could you recover from it?
Step 2: Identify and Prioritize Assets
The first and most important step to perform a cyber security risk assessment is to evaluate and determine the scope of the assessment.
This means you have to identify and prioritize which data assets to assess. You may not want to conduct an assessment of all your employees, buildings, trade secrets, electronic data, or office devices.
You need to work with the management and business users to create a comprehensive list of all the valuable assets. Some assets could be valuable because they largely impact your company’s revenue, while others could be valuable because they ensure data integrity to your users.
Once you have identified crucial assets for the assessment, collect the following information:
- Functional requirements
- Information flow
- Information security policies
- Information security architecture
- Network topology
- Technical security controls
- Physical security controls
- Environmental security
- Information storage protection
- Support personnel
Step 3: Identify Threats
Once you have identified and prioritized assets that are crucial to your company, it is time to identify threats that could impact your organization.
A threat can be defined as an occurrence, individual, entity, or action that has the potential to harm operations, systems and/or exploit vulnerabilities to circumvent the security of your organization.
There is a wide range of threats that could impact an enterprise, including malware, IT security risks, insider threats, and external attackers.
Some of the most common threats that affect every organization in one way or another include:
- Data leaks: Leakage of sensitive data such as personally identifiable information (PII) like customers’ personal information, credit card info, passwords, other important details could lead to loss of brand reputation and negatively impact your customer relationships. These data leaks could occur due to poor configuration of cloud services, insufficient security policies in place, or weak authentication.
- Insider threats: Often, authorized users misuse their access to information and cause data breaches. These threats pose a great risk to companies as they could have devastating impacts including decreased brand reputation and loss of revenue. According to the 2018 Cost of Insider Threats study by the Ponemon Institute, the average cost related to insider threat incidents is $8.76 million.
- Service disruption: A cyber attack might cause unexpected service disruptions, leading to loss of reputation and revenue and causing your customers to switch to one of your competitors.
Step 4: Identify Vulnerabilities
A vulnerability is a weakness that could be exploited to cause data breaches or other cyber attacks.
How can you identify vulnerabilities?
There are several ways to identify vulnerabilities:
- Audit reports
- Vulnerability analysis
- Vendor data
- Software security analyses
- Incident response teams
- The National Institute of Standards and Technology (NIST) vulnerability database
A vulnerability could be as simple as the absence of a patch in an operating system, but an attacker could leverage this and conduct a major data breach.
Step 5: Calculate the Likelihood and Impact of Various Scenarios on a Per-Year Basis
Now that you have identified information value, assets, threats, and vulnerabilities, the next step is to calculate how likely these cyber risks are to happen and their impacts if they occur.
Think about what protects your assets from these vulnerabilities, what the chances are that these threats might impact your assets multiple times, and how you can mitigate these risks.
For instance, imagine you have a database that stores all of your customers’ sensitive information such as credit card details, contact numbers, usernames, and passwords.
If this sensitive information is leaked, you could find your organization’s name in the media, which would have a drastic impact on your reputation and market valuation.
Not only that, but you could also face hefty penalties and fines for non-compliance with information security standards and for being unable to protect your customers’ data.
Remember that compliance with security standards can only protect your data so far. Proper mitigation and cyber security defense strategies have to be in place to secure your data from attackers.
Ultimately, it depends on what information security protocols you follow and how you combat data breaches when they take place.
Step 6: Prioritize Risks Based on the Cost of Prevention vs Information Value
Use risk level as a basis to determine what actions should be taken to mitigate those risks.
Here is how you can categorize your risks:
- High: An urgent and significant threat to the organization and risk mitigation should be done immediately.
- Medium: A viable threat to the organization exists, and risk mitigation should be done within a specific period of time.
- Low: Threats have a low impact on the assets, but may pose some issues later to the organization. Consider enhancing information security policies or deploying specific security software to address these threats.
You have now determined the value of each asset and whether a risk is critical or a normal one that can be dealt with easily.
You have to understand that if it costs more to protect an asset than the asset's loss would cost, and the asset has little to negligible impact on your organization, it may not make much sense to invest heavily in protecting it.
However, remember that a compromised asset may not only lead to monetary losses but also damage your company's reputation, so it's important to consider this as well.
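The calculation in Steps 1, 5 and 6 can be made concrete in a small risk register. The following is an added example written for this page; it is not code from the article or from Cypress Data Defense. It assumes the standard annualised loss expectancy model (ALE = single loss expectancy × annual rate of occurrence) as the "per-year basis" for likelihood and impact, and the minor/major/critical and High/Medium/Low thresholds, asset names and cost figures are constructed for illustration only.

```python
"""Worked risk-assessment calculation for Steps 1, 5 and 6 (added example)."""
from __future__ import annotations
from dataclasses import dataclass


# Step 1: categorize information using the article's three criteria
# (asset value, business importance, legal standing). Thresholds are assumptions.
def classify_information(asset_value: float, business_critical: bool, regulated: bool) -> str:
    if regulated or business_critical or asset_value >= 1_000_000:
        return "critical"
    if asset_value >= 100_000:
        return "major"
    return "minor"


@dataclass
class Scenario:
    """One threat/vulnerability pairing against one asset (Steps 2 to 4)."""
    asset: str
    threat: str
    vulnerability: str
    single_loss: float    # expected cost of one occurrence (constructed figure)
    annual_rate: float    # expected occurrences per year, e.g. 0.2 = once in five years
    control_cost: float   # yearly cost of the proposed mitigation
    residual_rate: float  # expected occurrences per year once the control is in place


# Step 5: likelihood and impact on a per-year basis.
# Assumption: annualised loss expectancy, ALE = single loss * annual rate.
def annual_loss(single_loss: float, annual_rate: float) -> float:
    return single_loss * annual_rate


# Step 6: the article's High / Medium / Low bands, with assumed currency thresholds.
def risk_level(ale: float, high: float = 500_000, medium: float = 50_000) -> str:
    if ale >= high:
        return "High"
    if ale >= medium:
        return "Medium"
    return "Low"


def control_is_justified(s: Scenario) -> bool:
    """A control pays for itself only if the annual loss it avoids exceeds its annual cost."""
    avoided = annual_loss(s.single_loss, s.annual_rate) - annual_loss(s.single_loss, s.residual_rate)
    return avoided > s.control_cost


def assess(scenarios: list[Scenario]) -> list[dict]:
    """Score every scenario and return them ordered by annual loss, highest first."""
    rows = []
    for s in scenarios:
        ale = annual_loss(s.single_loss, s.annual_rate)
        rows.append({
            "asset": s.asset,
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "annual_loss": ale,
            "level": risk_level(ale),
            "control_justified": control_is_justified(s),
        })
    rows.sort(key=lambda r: r["annual_loss"], reverse=True)
    return rows


# Constructed sample register: hypothetical assets and figures, not real data.
SAMPLE_SCENARIOS = [
    Scenario("customer database", "data leak by external attacker",
             "weak authentication on the admin interface",
             single_loss=2_000_000, annual_rate=0.3, control_cost=60_000, residual_rate=0.02),
    Scenario("order service", "service disruption",
             "missing OS patches on the web tier",
             single_loss=150_000, annual_rate=0.5, control_cost=20_000, residual_rate=0.1),
    Scenario("office printers", "insider misuse",
             "no access logging",
             single_loss=5_000, annual_rate=2.0, control_cost=15_000, residual_rate=0.5),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_SCENARIOS):
        print(f'{r["level"]:<6} {r["asset"]:<18} ALE={r["annual_loss"]:>12,.0f} '
              f'control justified: {r["control_justified"]}')
```

Running the script lists the constructed scenarios from highest to lowest annual loss. The printer scenario comes out Low and its control is not justified: the $15,000 logging control would avoid only $7,500 of expected loss per year, which is the situation the paragraph above describes where heavy investment in a low-impact asset does not pay off. Reputational damage is not in the figures, so a real register should carry it as a separate, non-monetary column alongside the ALE.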
Step 7: Document Results in Risk Assessment Report
Develop a risk analysis report which describes the value, risk, and vulnerabilities for each threat.
Make sure that you also add the likelihood and impact of occurrence and mitigation recommendations. This will help management make informed decisions about policies, procedures, and budgets.
It is essential to the credibility of your entire risk assessment that the final document captures all the necessary information that you have collected throughout the assessment.
Having a cohesive risk analysis report also enables the assessor to communicate clearly with responsible individuals and stakeholders, helping them understand how these risks were discovered, and what they have to do to contribute to their mitigation.
A clear and cohesive risk analysis report helps establish guidelines and rules that provide answers to what vulnerabilities and threats could cause reputational damage and financial loss to your business, and how they can be mitigated.
Step 8: Implement and Monitor Security Controls
Now that you have your cyber security risk assessment report ready, implement and monitor security controls to minimize or eliminate the possibility of a vulnerability or threat.
You can implement controls through technical means, such as software or hardware, intrusion detection mechanisms, automatic updates, two-factor authentication, or encryption, or through non-technical means such as physical mechanisms like keycard access.
Ensure continuous monitoring of these security controls to check whether or not they are performing as per requirements. Implementing security controls is not a one-step process where you can just install and forget them. You have to monitor these controls to ensure optimal performance.
Remember, your organization might have the best security policies in place, but with the constantly changing cyber security threats, you need to stay abreast of the latest threats that might attack your organization.
It is important for businesses to understand that a risk assessment can help them prevent breaches, avoid penalties and regulatory fines, and safeguard their valuable data.
At Cypress Data Defense, we can help your business perform a cyber security risk assessment to mitigate risks and improve your security posture.