Cyber security is a catch-all term, but your approach to it doesn’t have to be. Not all organizations need to be utilizing the same types of security controls. An organization processing payment cards, for instance, will need to implement different security procedures than a small business collecting names and email address for lead generation.
Simply put: The level of security your organization requires depends on a variety of factors. If you just implement one security system across your entire network, you may end up over–protecting certain information while under–protecting others.
This is why a risk assessment is so important. Identifying and evaluating your current cybersecurity risk will not only ensure you have adequate security controls in place but will also help you understand how you can properly direct your resources.
The Basics of a Cybersecurity Risk Assessment
Before starting, it’s important to sit down and set the parameters for the assessment. Make sure everyone understands the scope of the assessment, and that any priorities or constraints are well communicated. Once everyone is on the same page, you can begin the assesment itself.
The first step is to identify what potential threats your organization faces. In general, threats can be categorized as either adversarial or non-adversarial. Adversarial threats include both internal and external entities acting with malicious intent. You will want to identify possible sources and capabilities of such threats. Non-adversarial threats generally include unintentional acts from employees or admins that expose system vulnerabilities.
In addition to threat actors, you want to identify the types of threats those actors pose. This includes anything from installation of malware and targeted phishing attacks to unintentional data leaks and misuse of information by an authorized user.
After identifying the threats your systems could face, the next step is to understand to what extent your systems are vulnerable to those threats. Such vulnerabilities include holes in your technical controls such as out of date software or security patches, mismanaged user access privileges, under-trained employees, and even the physical security of your data center.
Determine Likelihood and Impact of Threat
Now that you’ve determined possible threats and your vulnerability to them, it’s time to categorize the likelihood and impact of those threats. Determining the likelihood of a threat will depend on a number of factors, not only including your current vulnerabilities but also whether certain threats target your specific industry. Financial institutions, for instance, are common targets of business email compromise schemes, so are likely to experience phishing campaigns.
Along with calculating the likelihood of a threat, you’ll need to understand the impact or potential harm each threat poses to your organizations, employees, and customers. You can determine the impact of a threat by analyzing what systems would be effected, the sensitivity of the information involved, and whether the threat could spread to other areas.
Having completed the previous steps, you’ll be able to calculate the risk each type of threat poses. There are a number of methods you can use to calculate risk, but the simplest is to weigh the likelihood of each treat against its potential impact. You can then arrange potential threats by the level of risk each poses and prioritize actions to prevent them.
While all organizations should devote time to assessing their cybersecurity risk, it may even be required by state, federal, or industry regulations. PCI-DSS, for example, requires yearly risk assessments as a part of their compliance validation reports. Both HIPAA (Health Insurance Portability and Accountability Act) and FERPA (Family Educational Rights and Privacy Act) also require some form of risk assessment. Be sure to check which regulations apply to you.
Lastly, for more details on conducting a risk assessment, we recommend checking out the National Institute of Standards and Technology’s (NIST) Guide for Conducting Risk Assessments. We’ve outlined the basics, but NIST’s report contains further details on each step and a variety of charts and tables on threat types, quantifying likelihood and impact levels, and more.