How to conduct a cyber risk assessment: five steps to success

22 February 2021

Cyber security risk assessments sit at the heart of any effective cyber security strategy. They are key to understanding, managing, prioritising and mitigating cyber risks within your organisation.

2020 was the year that everything changed. A shift to remote working led many organisations to evolve their systems, and as their cyber security postures lagged behind, hackers were quick to exploit any weaknesses they could. Where many saw a crisis in the Covid-19 pandemic, hackers saw an opportunity. Cyber-attacks increased at the beginning of the first UK lockdown in March last year, and the cybercriminal fraternity claimed a number of high-profile victims. In 2021 we are still operating in a hostile digital landscape. All organisations need to take steps to understand, manage, prioritise and mitigate the risks they face, and in order to do that they need to carry out risk assessments. But what actually is a risk assessment?

Fundamentally, a risk assessment requires answering questions such as:

● What are your most important IT assets?
● How do you collect and store data?
● What are your internal and external vulnerabilities?
● How would a data breach or cyber-attack impact your organisation?
● What cyber risks pose a threat to your organisation’s ability to continue functioning?
● What level of risk is your organisation willing to take?

By answering these questions, you can develop a strategy for action., Cyber security isn’t about guarantees — it’s about priorities and informed choices. A risk assessment is about identifying those priorities and putting risk in context.
In this article, we are going to explain how to build a framework that will allow you to systematically ask the right questions about your organisation and understand the risks you face.

With this in mind, it’s important to remember that a cyber risk assessment is part of a wider cyber journey. That journey requires assessing risk, but it also means developing solutions, testing outcomes and monitoring progress in a continuous feedback loop. Cyber security isn’t a destination, it’s a journey.

Step one: define your parameters and assess your assets

Not all risk assessments are undertaken for the same reason. First, take stock of what you are analysing and why. This is about defining the scope and purpose of your assessment — including determining which assets you’re going to be assessing. This is an especially important part of the risk management process within large organisations that have a large number of assets, personnel and processes.

Step two: identify threats

Once you’ve determined the scope of your assessment, the next step is identifying any threats to the security of your data. We define a threat as any instance where your data could be compromised with negative consequences. That could include:

● Malware
● Hackers
● Natural disasters
● System failure
● Human error
● Risks to third party vendors

This list is far from exhaustive. Depending on your organisation and industry, there may be other cyber threats that exist. It’s critical that you get a little creative in this step and think like a cyber-criminal or hacker. .

Step three: put those threats in context

Once you’ve developed a list of potential threats, the next step is to take your hypothetical threats and compare them against your actual systems and processes to determine their impact and the likelihood that they would actually occur.

We call those threats that have a high probability of occurring with negative consequences vulnerabilities. These typically come in two forms:

● Systemic vulnerabilities. These are gaps in security and information systems that hackers or malware could exploit intentionally to access sensitive data.
● Environmental vulnerabilities. These are internal and external gaps in your cyber security that could unintentionally or accidentally compromise your data (natural disaster, human error, etc.)

There are several ways to identify vulnerabilities in each category as you’re doing your assessment.

Step four: prioritise risks and actions

Once you’ve identified all of your vulnerabilities, determine which of them present the greatest risk and what actions should be taken to mitigate them.
Fundamentally, there is almost always a cost associated with addressing vulnerabilities. It’s important to weigh the cost of preventing that vulnerability against the cost of failure and the likelihood of failure.

When considering damage, think both long-term and short-term. For example, an immediate inability to continue operations, or fines/lawsuits that may be likely. Long-term, do not underestimate potential reputational damage — something that is not always readily quantifiable, but often more financially impactful in the long run.

Step five: record and present your findings

The goal of any assessment is to produce a report that records the findings and makes suggestions about actions in a clear and concise way (so that your board can understand why it’s worth spending to address, for instance).

In that respect, we find it’s always best to present the action in the context of damaged organisational outcomes if no action is taken, and the opportunities that effective action will open if taken.

Adapting to protect your organisation

So how can you adapt to protect your organisation in the 2021 threat landscape? A cyber risk assessment is a great place to start. But remember: the risk assessment is just a starting point for your cyber security journey. You need to use the information discovered to feed an ongoing process that will help maintain a secure outcome every step of the way.

Changes to the way we work are creating new uncertainties and opportunities. By sharing information and strategic choices, we can make a safer cyber-community overall.

By Thomas Cartlidge, head of threat intelligence, Six Degrees