Introduction to Risk Assessments
Regardless of size or industry, your organization should conduct a cyber risk assessment. In fact, according to information security best practices, you should conduct one at least annually or when significant changes occur.
Cyber security risk assessments are essential in today’s world of advanced information security threats, both internal and external.
But what exactly is a cyber risk assessment? And what is the benefit of conducting one? In this FAQ, we explore cyber risk assessments, giving you a foundation of knowledge to start planning for one of your own!
Frequently Asked Questions:
Every organization, no matter the size or industry, has cyber security risks embedded into its people, processes and technology.
From software development firms, to manufacturing operations, professional services, non-profits and everything in between, you need an understanding of your cyber risks.
Generally, organizations are only aware of around 30-40% of their information security risks prior conducting a risk assessment. And 30-40% is, unfortunately, being generous.
First and foremost, when you conduct a risk assessment, the entire organization benefits.
The risk assessment process helps identify the critical functions and information your organization requires to fulfill its objectives.
Furthermore, the risk assessment process uncovers information security threats and vulnerabilities facing your organization. This helps you understand potential impacts of risks affecting your capability to operate in a normal capacity.
With this understanding of cyber risks, you’re better equipped to prevent major information security incidents.
A risk assessment should always consider the goals of your organization.
Therefore, the first step of a cyber risk assessment is documenting what your organization does and the context in which it operates. Namely, you describe the purpose of your organization, places of business, stakeholders and information security requirements dictated by legal, regulatory or contractual obligations.
Next, you decide what kind of risk assessment you want to conduct. Are you going to quantify risks to dollar amounts or potential downtime? Or, are you going to assess risks on a “high, medium, low” methodology.
Then, you figure out the level of risk you will accept. For example, if your organization is methodical in decision making or houses protected information, perhaps then you have a very low risk tolerance.
Conversely, if your organization doesn’t store protected information or you are more willing to take risks in normal business operations, then you might have a higher risk tolerance.
With this context in mind, you begin discovering your tangible and intangible assets. You document your people, processes and technology. You examine your assets, uncovering risk scenarios. Determining the likelihood of information security risks materializing and the impact those risks could have.
With risks discovered, you are able to rank those risks in terms of severity. Meaning the higher the likelihood and impact of a risk materializing against your most valuable people, processes and technology, the more important it is to remediate that risk.
Finally, you create a plan to address those critical risks. This plan or strategy depends on the resources available within your organization to implement changes improving information security.
Many organizations are now requiring that their key vendors, suppliers, partners or primary clients conduct risk assessments. Reasoning: information shared between 3rd parties introduces cyber risks. Knowing that your key vendors, suppliers, partners or primary clients are assessing their risks makes your information supply chain more secure.
Additionally, cyber liability insurance providers often require proof of a cyber security risk assessment in order to issue a policy.
Furthermore, if your organization requires information security compliance with HIPPA, SEC rules, CMMC or related regulations or frameworks, then a risk assessment is often a large piece of compliance.
Everyone within an organization has a part to play.
Top management dedicates resources and support for the risk assessment. They are often involved in the risk assessment methodology and risk acceptance discussions.
IT Directors or Managers often champion the project, however it is important to note that the risk assessment process is NOT just an IT project.
Each department has a role to play. Accounting and Finance, Logistics, Legal, Sales and Marketing, IT, Compliance, Operations and everyone in between. Examining how each department handles sensitive information and information security risk is essential to the risk assessment process.
Additionally, key clients, vendors, partners and suppliers are often involved to help uncover where 3rd party risks exist.
Frequently, organizations contract a cyber security consultant to help conduct a risk assessment. They will bring in a cyber risk assessment expert who makes sure the project stays within scope and important risks aren’t missed.
An organization needs full support from top management. This might be your President or CEO, Executive Director, any person with top level decision making authority. Without this buy in, cyber risk assessments are often under resourced or under funded. Consequently, this results in wasted time, money and resources.
Additionally, if this is your first time conducting a risk assessment: keep it simple!
There is ZERO need to introduce an incredibly complex risk assessment methodology requiring quantification of all risks. Simply assessing on the basis of “high, medium, low” is often just as effective. Especially if this is your first time going through the process. You’re going to burn out if you make the assessment complex. Don’t do it.
And don’t be afraid to ask for help! There are companies out there who help organization’s implement risk assessment programs all the time. You should rely on the experts to help you get started. You’ll save time and money this way.
While penetration testing examines technical vulnerabilities, a pen test might not examine the administrative or physical controls present within your organization.
Your people and your processes introduce equal, if not more, security risks to your organization.
Consequently, many organizations believe that information security is all about technology. Therefore, many of their information security preventive controls are technology bound.
A penetration test will not examine the effectiveness of your information security policies, or inherent security risks to critical workflows.
Often, the risk assessment identifies need for penetration testing or vulnerability scanning. However, the two exercises are distinct from one another.
The difficulty of a cyber risk assessment directly correlates to the complexity of your organization.
The larger the organization in terms of people and technology, the larger the scope of the assessment.
Additionally, add in multiple locations, and the risk assessment process becomes more difficult to conduct effectively.
However, just because something is difficult does not mean you shouldn’t do it. Furthermore, the benefits of conducting a cyber risk assessment far outweigh it’s difficulty.
A cyber risk assessment is often concluded with the development of something called a Risk Treatment Plan (RTP).
Taking into consideration the discovered risks, along with their priorities for remediation, the RTP becomes your cyber defense strategy guideline.
Once completed, the RTP defines the steps you should take to reduce your risks to an acceptable level as defined by your risk acceptance criteria.
Cyber risk management best practices (ISO 27001) state you should assess risks “at planned intervals. or when significant changes occur.”
Most organizations who have a cyber risk assessment program established conduct these assessments annually.
So what does “or when significant changes occur” mean?
Well, Covid-19 significantly changed how organization’s go about fulfilling their business goals. With a shift to remote work, that would have been a great time to conduct a risk assessment.
Mergers and acquisitions, changes in top management, significant changes to business processes, moving locations or opening up a new office, implementing new technology… these are all great reasons to conduct a cyber risk assessment. Here, the goal is understanding how these changes might introduce new risks, helping you decide what preventive security measures might be necessary to implement when these changes occur.
You guessed it: It depends.
Might like difficulty of a risk assessment directly correlates to the complexity and size of an organization, so does time required to conduct the assessment.
Less complex organizations (smaller amount of employees and processes) can complete a risk assessment in a few weeks.
More complex organizations (large number of employees, multiple locations and complex processes) might complete a risk assessment in 2 or more months.
The length of time required to conduct a risk assessment also directly correlates to the amount of resources dedicated to the process.
From project initiation and resource requirement planning to managing the cyber risk assessment process, developing and implementing your risk treatment plan: We’re here to help.
Prevention is always cheaper than remediation.