How to conduct a cybersecurity risk assessment

Today’s threat-heavy cyber landscape is rife with challenges. Risk is everywhere, whether in the form of malware, ransomware, social engineering, or any other upcoming threat malicious actors will develop to get around established cybersecurity protocols. 

Anyone can become a victim of a cybersecurity attack. So everyone should know how to protect themselves against one. The first step is to conduct a cybersecurity risk assessment. 

What is a cybersecurity risk assessment and why is it needed?

A cybersecurity risk assessment is an audit of a company’s ability either to prevent cybersecurity attacks before they happen or to mitigate damage when they do. Unfortunately, prevention is not enough anymore: 75 percent of US/UK businesses have been hit by a cyberattack at least once since 2019. 

Why are cyberattacks so prevalent? The answer has to do with the nature of the virtual landscape and how thoroughly we’ve come to depend on it. Cloud computing has made cataloging and sharing data much easier; it has also made that data more vulnerable to cybercriminals than it ever was before. 

Cyberattacks aren’t simply a localized nuisance. By law, companies are liable to third-party partners for any data theft those third-parties experience. 

The rise of remote work has produced additional vulnerable nodes, which means that there’s greater need for a company to conduct a risk assessment for cybersecurity than ever before. 

Cybersecurity risk assessment: a step-by-step walkthrough

Cybersecurity is not a one-time initiative. Rather, it is an ongoing, holistic process whereby threats are repeatedly assessed, protective software is constantly upgraded, and the prevention techniques you must teach your team routinely evolve to respond to ever-shifting threats.  

It also bears mentioning that cybersecurity involves your entire team — from IT professionals to at-home workers with little formal cybersecurity training and little general IT knowledge. 

So what can you do? You can perform a basic cybersecurity risk assessment in five steps. 

1. Determine your scope

It is important to understand the precise nature of the threats you face. To do so, you will need to determine the scope of your company’s vulnerability. 

A key function of cybersecurity is to protect a company’s data integrity — that is, how accurate, intact, and safe your digital assets are. 

The five fundamentals of data integrity indicate that data should be: 

• Attributable: Originating users should be easily identifiable

• Legible: Data should be recorded permanently and easy to read

• Contemporaneous: Data should be recorded in as timely a manner as possible
• Original: Data should never stray from its original form
• Accurate: Nothing but error-free data should exist, and it must do so in compliance with company protocols

Failure to observe these protocols puts your data at risk. 

Falling victim to cybercrime can be time-consuming and embarrassing at minimum. More than that, it can expose companies to legal risk, especially in industries such as:

• Finance
• Healthcare
• Pharmaceuticals
• Legal work
• Official government work

These industries deal in large volumes of profoundly sensitive information. In fact, many laws have been put in place to force certain types of IT companies to perform regular risk assessments. These include: 

• Payment Card Industry Data Security Standard (PCI DSS)
• HIPAA
• The Sarbanes-Oxley Act

Is your company that vulnerable? Are your assets quite so sensitive? Answering these questions will help you determine the scope of potential threats. 

In order to get an even clearer idea of the scope of your cybersecurity risk, you will also need to understand the relative vulnerability of different types of employees. Cybercriminals have taken to targeting remote workers in particular, but no one is totally safe from risk. 

Employees at all levels who work with finances or sensitive healthcare information are the most common targets. At the same time, though, employees are also one of your most important cybersecurity risk assessment assets. We’ll discuss that in greater detail a little later. 

2. Identify your necessary assets

While some assets are more valuable than others, understand that your company’s digital ecosystem is interconnected. A cybercriminal going after, say, a list of client credit cards may begin by phishing a call center worker, working their way further in from there. 

What assets are “most important” will vary by department. IT may argue that it is cloud-based data, HR may argue it is employees. No asset should be discarded as utterly unimportant.  

Ask yourself these questions to determine the relative value of your assets: 

• Are you running financial or legal risk if a data breach happens?
• Could competitors use your leaked data to their advantage?
• Can stolen data be recreated? 
• What is the impact of theft on revenue?
• What kind of disruption and downtime would a data breach result in?
• How badly will your reputation suffer if sensitive data is compromised? 

Furthermore: are your most important assets cloud-based? Are many of your workers remote or hybrid? You’ll want to establish a Secure Access Service Edge (SASE) program ; this zero-trust-based cybersecurity compliance software will make your company less vulnerable to malware while still allowing employees to access cloud-based data on a variety of protected devices.

Unfortunately, you may have to weigh the value of your assets against the cost involved in protecting them. 

3. Analyze your risks, vulnerabilities, and possible impacts

At this point, you need to fully understand what, exactly, can go wrong in the event of a cyberattack. If your company is in the financial industry, that could mean leakage of social security numbers, credit card numbers, and other sensitive financial information. Companies in the healthcare industry risk leaking patients’ social security numbers, as well as detailed, sensitive health information. These kinds of breaches carry high legal consequences. 

Determining risk and possible impact isn’t so much about analyzing past threats — cyber criminals change their techniques all the time — as it is about understanding the probability of an attack based on: 

• Trends in cybercrime  
• The desirability of your information
• The relative ease of discovering and stealing that information
• The reusability of threat techniques to which you are vulnerable
• Your overall vulnerability to threats

To that end, there are two types of basic risk assessments you can conduct:

• Quantitative risk assessments are number- and percentage-focused. Their major purpose is to determine the financial risk of data breaches to your company
• Qualitative risk assessments address the risk to employee morale and productivity

A holistic risk assessment — which is better than either type of assessment alone — will combine elements of both of these approaches. However, depending on your particular industry, one of the two approaches alone may be enough: qualitative risk assessments are quick to conduct, whereas quantitative risk assessments — while expensive — are useful if you’ve aggregated a large amount of data and want an objective picture of the threat risks your company faces. 

Human error is another major risk. Employees may fall victim to phishing or be convinced to click on malicious links that allow hackers to install malware on their computers. It’s important to train all employees in basic cybersecurity measures. 

Further vulnerabilities include: 

• Not encrypting data
• Not establishing strong password initiatives
• Avoiding multi-factor authentication
• Having open user access to all data
• Natural disasters
• System failures

Fortunately, you can mitigate some of these upfront. Enforce a zero-trust policy so only certain people have access to certain information; maintain your physical workspace and electronics set-up, if you have one; and be sure to encrypt all sensitive data.

4. Record all risks and vulnerabilities

Recording and documenting your risks and vulnerabilities is all-important: without doing so, you have no data upon which to base future cybersecurity decisions. 

Document: 

• Existing security measures
• Potential risk scenarios
• Your current risk and vulnerability levels
• Your action plan for when you experience theft or damage

After this point, you can quantify your risk level as high-, medium-, or low-impact, and develop a cybersecurity framework that best fits your needs. 

Looking to get ahead of the curve? Download our eBook, How EDR, SIEM, and SOC Work Together for Ultimate Customer Protection, to find out how you can get started building a cybersecurity framework from the ground up. 

5. Create an action plan based on your findings

There are a variety of cybersecurity risk assessment templates you can follow, as well as a number of action plans you can implement. The FCC recommends the following as a baseline: 

• Train employees to recognize social engineering. Social engineering is tricking people into giving up sensitive data or having them click on links that allow malware into the system. 
• Protect against online fraud. Never request sensitive information over email, chat, or social networks. Never respond to requests for such information via such channels, either. 
• Don’t fall for fake antivirus offers. Make sure employees understand your company’s policy on antivirus software. Don’t let them wing it. 
• Protect against malware. One malware to be particularly aware of is one that tracks an employee’s keyboard strokes. These are called “keyloggers,” and they allow cybercriminals to steal passwords and other sensitive information. 
• Be aware of spyware and adware. Two other specific types of malware, these manifest as pop-up ads. Once installed, they can track employee Internet behavior and even keystrokes. 
• Develop a layered approach to guard against malicious software. Don’t rely solely on antivirus software or employee training. Create a multi-layered approach to cybersecurity. 
• Verify the identity of telephone information seekers. Cyber risks don’t only happen over the Internet. Many occur over the phone in the form of scams requesting or demanding sensitive data. 

The National Institute of Standards and Technology (NIST) framework — a department of the US Department of Commerce — recommends the following action plan, according to its NIST SP 800-53 framework guide: 

• Prepare. Essential activities to prepare the organization to manage security and privacy risks. 
• Categorize. Categorize the system and information processed, stored, and transmitted based on an impact analysis.
• Select. Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s).
• Implement. Implement the controls and document how controls are deployed.
• Assess. Assess to determine if the controls are in place, operating as intended, and producing the desired results.
• Authorize. Senior official makes a risk-based decision to authorize the system (to operate).
• Monitor. Continuously monitor control implementation and risks to the system.

Whatever direction you go in, your action plan should fit your particular needs, budget, and vulnerability. 

Are you ready to improve your cybersecurity infrastructure? ConnectWise cybersecurity web resources include live antivirus software demos, webinars, and on-demand videos to help your MSP get ahead of the trends—and stay there. Talk to a cybersecurity expert about our solutions or try ConnectWise Identify for free today.