What Is a Cyber Security Risk Assessment and Why Do One?

Posted by David Cahoon on Mar 6, 2018 9:38:39 AM


Cybersecurity is one of the most important ongoing business concerns for any enterprise.

Major security risks are not limited to the Fortune 500. On the contrary, small and mid-sized businesses are often completely wiped out by the repercussions of a network breach.

In addition to direct loss of business capabilities and data resources, companies can find their brands irreparably tarnished as customers are no longer willing to do business.

Firms dealing with sensitive financial and healthcare information are at particular risk. They might be devastated by onerous fines and increased audit or compliance burdens.

To address core cybersecurity risks and mitigate the likelihood of these outcomes, enterprises of all industries, geographies, and sizes can begin with a complete risk assessment.

Cybersecurity Risk Assessment Explained

A risk assessment answers core questions about an enterprise’s data resources:

  • What are the most important resources (i.e., what needs to be protected)?
  • Who or what are the threats and what vulnerabilities might they exploit?
  • What are the business implications if resources are lost or compromised?
  • What is the value of each key resource to the overall organization?
  • What can be done to minimize the loss or damage of each resource?

The foundational questions asked in a risk assessment serve as starting points for policies and processes aimed at protecting the business from unacceptable losses in the cybersecurity arena. Day-to-day activities, software tools, and other considerations are derived from these answers.

How a Cybersecurity Risk Assessment Manages Threats

Non-technical stakeholders often have difficulty calculating the ROI of cybersecurity measures because most security threats cannot be eliminated entirely. In most cases, threats must be mitigated – reduced as far as practical under the circumstances.

How threats should be addressed, and what investments may be made in that pursuit, are a function of the value of the assets being protected and how security measures affect that value.

For example, you could eliminate conventional network-based cybersecurity threats by taking the computer with your most valuable business data and isolating it from any online access. This will, of course, significantly impede the use of that data.

Every risk assessment must begin with a clear accounting of vital business assets, including which hardware, software, and data resources are business critical and where these are stored or used.

From there, specific threats to each asset can be triaged in terms of their likelihood.

Actions Taken After a Risk Assessment: An Example

Threats are not managed by cutting off access to an asset, of course. In practice, they are rendered less likely by addressing the vulnerabilities that make certain threats more likely to materialize.

For example, all enterprises today face the threat of ransomware. This is a type of malware that prevents access to valuable business data by encrypting the contents of a computer. At that point, the perpetrators demand a hefty ransom before they will restore access.

One might look at the risk – permanent loss of key data or a “ransom” that may total millions – and decide to harden certain data by moving it to a highly secure internal system. However, a risk assessment might uncover a more efficient and cost-effective method.

In this case, most enterprises become vulnerable to ransomware because non-technical personnel miss the signs of a dangerous email. They download unsafe file attachments from an unknown sender, leading to infection. Security training is an inexpensive and effective antidote to this vulnerability.
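The reasoning in the two sections above (triage threats by likelihood and asset value, then compare mitigations by how much risk they remove versus what they cost, including lost usability when data is isolated) can be written down as a small risk register. The following is an added example, not code from the original post or from NCA. It assumes the common single-loss-expectancy model (annual loss expectancy = asset value × impact fraction × expected occurrences per year); every dollar figure and likelihood below is a constructed sample value, not data from the post.

```python
"""Toy cybersecurity risk register (added example; all figures are constructed).

Model assumed here, not stated in the post:
  SLE (single loss expectancy) = asset value * impact fraction
  ALE (annual loss expectancy) = SLE * expected occurrences per year
A mitigation is judged by residual ALE + its own annual cost + any business
value it forgoes (e.g. data that becomes hard to use once it is isolated).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # business value in dollars (constructed)
    location: str       # where the asset is stored or used


@dataclass(frozen=True)
class Threat:
    name: str
    vulnerability: str          # the weakness that makes the threat likely
    occurrences_per_year: float  # expected frequency (likelihood)
    impact_fraction: float       # share of asset value lost per occurrence


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float
    likelihood_factor: float   # multiplies occurrences_per_year (0.0 removes the threat)
    impact_factor: float       # multiplies impact_fraction (e.g. restorable backups)
    usability_loss: float      # fraction of asset value forgone by the control itself


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE of one threat against one asset, before any mitigation."""
    single_loss = asset.value * threat.impact_fraction
    return single_loss * threat.occurrences_per_year


def triage(register: list[tuple[Asset, Threat]]) -> list[tuple[str, str, float]]:
    """Rank every (asset, threat) pair by ALE, highest first, so the most
    damaging and most likely combinations are addressed first."""
    ranked = [(a.name, t.name, annual_loss_expectancy(a, t)) for a, t in register]
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


def evaluate_mitigations(asset: Asset, threat: Threat,
                         options: list[Mitigation]) -> list[dict]:
    """Return each option's residual risk and total annual cost, cheapest first."""
    baseline = annual_loss_expectancy(asset, threat)
    rows = []
    for m in options:
        residual = baseline * m.likelihood_factor * m.impact_factor
        forgone_value = asset.value * m.usability_loss
        rows.append({
            "mitigation": m.name,
            "residual_ale": residual,
            "total_annual_cost": residual + m.annual_cost + forgone_value,
        })
    rows.sort(key=lambda row: row["total_annual_cost"])
    return rows


# --- constructed sample register -------------------------------------------
RECORDS = Asset("Customer records database", 2_000_000.0, "internal file server")
WEBSITE = Asset("Public marketing website", 200_000.0, "hosted CMS")

RANSOMWARE = Threat("Ransomware via email attachment",
                    "staff open attachments from unknown senders", 0.3, 0.5)
INSIDER = Threat("Insider data theft", "broad read access to records", 0.05, 0.8)
DEFACEMENT = Threat("Website defacement", "unpatched CMS", 0.5, 0.2)

REGISTER = [(RECORDS, RANSOMWARE), (RECORDS, INSIDER), (WEBSITE, DEFACEMENT)]

# Options for the ransomware threat, mirroring the post's comparison of
# "isolate the data" against "train the people" (figures are constructed).
OPTIONS = [
    Mitigation("Accept the risk", 0.0, 1.0, 1.0, 0.0),
    Mitigation("Isolate records on an offline system", 20_000.0, 0.0, 1.0, 0.10),
    Mitigation("Security awareness training", 15_000.0, 0.25, 1.0, 0.0),
    Mitigation("Tested offline backups", 40_000.0, 1.0, 0.3, 0.0),
]

if __name__ == "__main__":
    for asset_name, threat_name, ale in triage(REGISTER):
        print(f"{ale:>12,.0f}  {asset_name} / {threat_name}")
    print()
    for row in evaluate_mitigations(RECORDS, RANSOMWARE, OPTIONS):
        print(f"{row['total_annual_cost']:>12,.0f}  {row['mitigation']}")
```

With these sample numbers the triage puts ransomware against the records database first, and the mitigation comparison ranks training ahead of isolation: isolation removes the network threat entirely, but the usability it costs on a $2M asset outweighs the risk it eliminates, which is exactly the trade-off the post describes.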

A comprehensive risk assessment not only helps protect your business, but empowers you to align security practices with your specific needs – optimizing security investments and saving money.

To learn more, contact NCA.