How to Conduct a Cybersecurity Risk Assessment on Your Business

Posted on June 9, 2020 - by Darren Gallop - in Building Your InfoSec Program

Every business needs a cybersecurity risk assessment these days.

Recognizing and understanding the specific risks facing your business makes you better prepared to plan for potential scenarios outside your control. What would happen if your employee falls for a phishing email and your customer data gets held by ransomware? How likely is that to happen? Asking questions like that through a risk assessment has become one of the most critical projects for any business to undertake. 

You can avoid many kinds of business disruptions and disasters by conducting a thorough risk assessment of your business, to lay the groundwork for a comprehensive disaster management plan. Continue reading to see how.

How to Conduct a Risk Assessment on Your Business in 5 Steps

A risk assessment is a comprehensive survey and analysis of all the risks that your business faces. It’s also a key part of any business continuity and disaster recovery plan. While there are certain risks that unite every business – such as those associated with information security – still others will hinge on specifics like your company’s geography, industry, and organizational structure. Here’s how to get started conducting a thorough risk assessment of your business.

1. Identify All Business Assets

While many risk assessment guides start with identifying possible business risks, sometimes kicking things off with the company’s assets may prove more beneficial. This approach creates a tailored, specific assessment that thoroughly captures all risks associated specifically with your company.

Every company has assets: the things it uses to carry out the vital functions of the business. These include:

  • Tangible assets: Assets like buildings, vehicles, hardware, machinery, software, raw materials, networks, or cash on hand are all tangible assets.
  • Intangible assets: Supply chains, business reputation, industry knowledge, or data are all intangible assets. They’re not listed on a balance sheet anywhere, but they impact the ability of a company to generate revenue. Classifying data is critical for assessing what you have at risk.
  • Intellectual assets: This includes patents, trademarks, brand names, logos, and trade secrets. They’re intangible assets, but unlike the above, laws protect the company’s ownership of them.

2. Identify the Risks to Which Each Asset is Susceptible

Data security and privacy hinge on reducing and mitigating your risks of a breach, theft, or corruption of confidential information.

Hazards, or business risks, refer to events or conditions that might result in a loss of profit due to uncertainties. These events are typically unforeseen and may happen suddenly, so that once the hazard occurs the company has little or no time to take proactive steps and the outcome can seem inevitable. With a risk assessment, we want to identify these hazards before that point. There are different types of risks that might affect a business:

  • Human risks: This includes strikes, data security breaches due to human error (which are 90 percent of all data breaches), intentional leaks, non-paying clients, workplace violence, ineffective management, or employee illness or injury.
  • Technological risks: Tech failures can significantly impact information security in a company. Other technological risks include cyberattacks, disrupted production or delivery, dated hardware or software, viruses, or corrupted data. When we think of cybersecurity, technological risk is often what comes to mind first.
  • Physical risks: This includes the loss or damage of physical assets of a company, such as data servers, Internet or utility outages, stolen devices, unsecured facilities, accidents, or fires.
  • Economic risks: Changes in market conditions, consumer preferences, sudden economic downturns, or other pressures affecting pricing may constitute economic risks.
  • Political risks: Many changes in import/export laws and tariffs occur due to political situations. Unrest or the introduction of compliance demands, regulations or laws imposed by the government are also political risks.
  • Natural risks: Natural disasters such as hurricanes, tornadoes, wildfires, flooding, earthquakes, etc., can have severe if not fatal consequences for a company.

We can’t actually plan for every hazard in existence. Start with the known risks according to geography, industry, and the company. Then, use a risk assessment matrix or another analysis of your business assets to explore the possible unknown risks that you may be overlooking. (Our experts at Team Securicy help conduct or review risk assessments.)

For most companies, a global pandemic was not on their cybersecurity risk assessment. But companies with a risk assessment (as well as a full business continuity and disaster plan) were more prepared for the disruptions brought on by COVID-19, the rapid shift to remote work, and the rise of malicious actors jumping to profit off of coronavirus anxiety.

3. Conduct an Impact Analysis for Each Asset

Every asset will have vulnerabilities on some level that make it susceptible to a given set of hazards. A risk assessment seeks to identify and mitigate those vulnerabilities. During the impact analysis, you’ll take a look at the different ways in which each hazard or risk might affect assets and the wider business operations. Some impacts or consequences to consider might include:

  • Personnel injuries or casualties
  • Property damage
  • Data loss
  • Business process interruption
  • Loss of customers and reputation
  • Fines and penalties
  • Lawsuits

Identify the consequences associated with each asset should it be rendered non-functional, compromised, or eliminated entirely. Then, determine the likelihood that those vulnerabilities will become liabilities in the event of a disaster, or be exploited by an actor. Weighing impact against likelihood for each asset will help you identify the weak spots in your disaster planning and information security strategy.

4. Identify Resources Needed to Address Those Vulnerabilities

Figure out what it will take to protect an asset, either by mitigating or eliminating vulnerabilities, or replacing the asset with a more secure alternative. Follow these tips to ensure that your plan remains cost-effective:

  • Never spend more money protecting an asset than what the cost of replacing it would be.
  • Consider the asset’s lifecycle. It may currently be worthwhile to protect it, but there will come a point when it’s better to replace it.
  • Seek to protect an asset just enough to lower the risk of loss so that it’s acceptable to senior management. It isn’t always necessary – or cost-effective – to seek total protection.

5. Create a Risk Assessment Policy

Finally, use the information acquired in the risk assessment above to create a risk assessment policy. This policy should contain the framework necessary to analyze each new asset, as it enters the company, against the matrix of known threats. It should also include recommendations on how best to secure the asset in the context of your security policy. Also consider adding policies regarding:

  • Holistic risk and security assessment frequency: Strive to conduct risk and security assessments on the entire company at least yearly to keep the risk assessment current.
  • Budget requirements: Maintain a budget for risk mitigation activities so that the resources are there when they’re needed.
  • What to do in the event of identification of new risks: Sometimes, risks or hazards will appear without anyone looking for them. Have a plan to handle these situations.
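As an added worked example (not code from this post or from Securicy’s product), the Python below ties the five steps together in a small risk register: assets with a category and replacement cost (step 1), hazards by type (step 2), a likelihood × impact matrix score plus a consequence list for each asset/hazard pair (step 3), and a cost-effectiveness check on each proposed control that applies the three tips from step 4. A record like this is what the step 5 policy would require for every new asset. The five-point scales, the rating thresholds, the acceptable residual score, and all sample assets, hazards, and cost figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Five-point ordinal scales (an assumption; the post prescribes no particular scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Highest residual score senior management is assumed to accept (step 4, third tip).
ACCEPTABLE_SCORE = 6


@dataclass
class Asset:
    name: str
    category: str            # tangible / intangible / intellectual (step 1)
    replacement_cost: float  # ceiling on protection spend (step 4, first tip)


@dataclass
class Risk:
    asset: Asset
    hazard: str
    hazard_type: str          # human / technological / physical / natural ... (step 2)
    likelihood: str           # inherent, before any control
    impact: str
    consequences: List[str]   # impact analysis (step 3)
    control: str              # proposed mitigation (step 4)
    control_cost: float
    residual_likelihood: str  # expected values once the control is in place
    residual_impact: str


def score(likelihood: str, impact: str) -> int:
    """Risk matrix cell: likelihood x impact on the ordinal scales above."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rating(s: int) -> str:
    """Map a matrix score to a band. The thresholds are assumptions."""
    if s >= 15:
        return "critical"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def rank_register(register: List[Risk]) -> List[Tuple[str, str, int, str]]:
    """Order asset/hazard pairs by inherent score, highest first (ties keep register order)."""
    rows = []
    for r in register:
        s = score(r.likelihood, r.impact)
        rows.append((r.asset.name, r.hazard, s, rating(s)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def evaluate_control(risk: Risk, acceptable: int = ACCEPTABLE_SCORE) -> Tuple[bool, str]:
    """Step 4 tips: never spend more than the replacement cost, and reduce residual
    risk to the accepted level rather than chasing total protection."""
    if risk.control_cost > risk.asset.replacement_cost:
        return False, "control costs more than replacing the asset; replace instead"
    residual = score(risk.residual_likelihood, risk.residual_impact)
    if residual > acceptable:
        return False, f"residual score {residual} still above accepted {acceptable}"
    return True, f"residual score {residual} within accepted {acceptable}"


def evaluate_register(register: List[Risk]) -> Dict[Tuple[str, str], Tuple[bool, str]]:
    return {(r.asset.name, r.hazard): evaluate_control(r) for r in register}


def build_sample_register() -> List[Risk]:
    """Constructed sample data; every figure here is illustrative, not from the post."""
    customer_db = Asset("Customer database", "intangible", 250_000)
    laptops = Asset("Staff laptops", "tangible", 30_000)
    legacy_server = Asset("Legacy file server", "tangible", 8_000)
    hq = Asset("Head office", "tangible", 2_000_000)
    return [
        Risk(customer_db, "ransomware via phishing email", "human", "likely", "severe",
             ["data loss", "business process interruption", "fines and penalties"],
             "phishing training, MFA, offline backups", 15_000, "unlikely", "moderate"),
        Risk(laptops, "stolen device", "physical", "possible", "major",
             ["data loss", "loss of customers and reputation"],
             "full-disk encryption and remote wipe", 4_000, "possible", "minor"),
        Risk(legacy_server, "hardware failure of dated equipment", "technological",
             "likely", "moderate", ["business process interruption"],
             "extended vendor support contract", 20_000, "rare", "moderate"),
        Risk(hq, "flooding", "natural", "rare", "major",
             ["property damage", "business process interruption"],
             "flood barriers and off-site backups", 50_000, "rare", "moderate"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for name, hazard, s, band in rank_register(register):
        print(f"{s:>2} {band:<8} {name}: {hazard}")
    for key, (ok, why) in evaluate_register(register).items():
        print(("OK  " if ok else "FIX ") + f"{key[0]} / {key[1]}: {why}")
```

In the sample data the legacy file server is the case the first two step 4 tips are about: the proposed support contract costs more than replacing the server, so the register flags it for replacement rather than protection, while the other three controls bring residual risk down to the accepted score without aiming for total protection.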

Get the Tools You Need with Securicy

A risk assessment policy is a vital tool for any company interested in developing a robust information security strategy. That’s why we include a risk assessment tool with each free Securicy account, as well as essential security policies addressing topics like remote work, and a Business Continuity Plan Builder. If your security program is just starting out, free templates, tools, and expert advice will help get you on the right track.

A risk assessment is an essential step in business continuity and disaster planning and creates a map of your company’s operational landscape. If you haven’t conducted a risk assessment of your company, you need to as soon as possible. Forewarned is forearmed, and being prepared goes a long way to ensuring your company survives the worst-case scenarios.

About the author

Darren Gallop is a tech entrepreneur, information security expert, Techstars alumni, board member, and the CEO of Securicy. He co-founded Securicy and led the team to develop a SaaS product that guides businesses through creating, implementing, and managing their information security and privacy compliance program. Gallop previously co-founded Marcato and was CEO there for 10 years, until the successful event management software company was acquired by Patron Technology. He is fluent in English, French, and adept in Spanish. Gallop spends much of his non-work time traveling or engaging in the outdoors. Swimming, fly fishing, canoeing, camping, and surfing (basically in that order). He is from Nova Scotia, Canada.