A strong cybersecurity program begins with a clear understanding of an organization’s risk posture. In today’s hyper-connected world, data breaches are no longer a question of if but when. This makes risk management, measurement, and evaluation essential components of building cyber resilience. Conducting a thorough cybersecurity risk assessment and leveraging its insights to enhance resiliency is mission critical.

What Is a Cybersecurity Risk Assessment?

A cybersecurity risk assessment documents an organization’s process of:

  • Identifying digital assets
  • Reviewing for sensitive data
  • Detailing any given potential threat
  • Determining the likelihood of a data breach
  • Setting a risk tolerance
  • Establishing controls to mitigate potential risk

A risk assessment is foundational to a security program as it provides the roadmap for how to design a security control ecosystem and close any security gaps.

Why Do Organizations Need a Cybersecurity Risk Assessment?

Documenting the risk assessment process enables organizations to prove the governance necessary for compliance purposes. It also ensures the organization has an established and repeatable process for identifying and managing cybersecurity risk.

Many compliance requirements focus on mitigating cybersecurity risk. Some examples of these compliance frameworks, standards, and mandates include:

The real value of a security risk assessment is that it gives the organization a way to structure its approach to establishing and enforcing security controls. As cybersecurity threats continue to evolve, security teams need to know how to prioritize their activities, and the risk assessment helps guide those decisions.

When to Perform a Risk Assessment

Organizations should conduct risk assessments at three critical times: when establishing a security program, when making changes to the technology stack, and on an annual basis.

Security program establishment

Before creating a security policy or program, an organization needs to engage in a risk assessment. The assessment acts as the foundation for everything that comes later. Organizations need to know the risks associated with their IT landscape. Without the risk assessment, companies may fail to put proper controls in place.

This cybersecurity assessment is often the most time consuming, as it requires thorough asset management, detailed review processes, and the implementation of control measures.

Changes to the technology stack

Another time that it’s important to formally review a risk assessment is before adopting innovative technologies or making significant changes to the IT stack. Although compliance mandates rarely define “significant changes,” understanding how adding or removing technologies can impact cybersecurity posture matters.

For example, some events that might trigger the need to review risk include:

  • Onboarding a new Software-as-a-Service (SaaS)
  • Migrating a database from on-premises to cloud
  • Adding new on-premises servers to a network
  • Adding new firewall providers

Annual review

Under most compliance mandates, organizations should review their risk assessments at least once per year. To prove governance, executive leadership and the board of directors should review the risk assessment during a meeting and document the review in the minutes.


How to Perform a Cybersecurity Risk Assessment

Performing a cyber-risk assessment takes time, but the outcome enables the organization to mature its security and compliance programs. The key steps are to create a team; identify devices, data, locations, and users; and then assess risk. From there, the organization can perform a risk analysis, define its risk tolerance, and identify risk mitigation controls.

Create a team

No single person can manage an enterprise cybersecurity risk assessment. Organizations should consider creating cross-departmental teams to ensure they identify all risks. Team members may include:

  • Chief Information Security Officer (CISO)
  • Chief Technology Officer (CTO)
  • Risk and compliance team
  • Internal auditor
  • Department managers
  • Human resources

Creating a cross-functional team ensures that the organization understands the different types of risks arising from line-of-business technology use.

Identify

The first assessment phase is the identification step. For many organizations, this is the most difficult part of the assessment process. Increased cloud and Internet of Things (IoT) device adoption leads to visibility issues.

Devices

Organizations need to identify all the devices connected to their networks that store, transmit, collect, and process data. Some devices to consider include:

  • Workstations
  • Smartphones
  • Tablets
  • Servers
  • Network devices like routers, switches, bridges, and modems
  • IoT devices like printers, coffee makers, security systems, and card readers

Scanning the network can often provide visibility into connected devices. Creating and maintaining an up-to-date asset inventory enables a more robust risk assessment.


Data

Not all data poses the same security risk. While compliance requirements often define sensitive data as personally identifiable information (PII), other data types should be included as well. Some data types that pose a greater security risk include:

  • Names
  • Birthdates
  • Addresses
  • Social Security numbers
  • Bank account numbers
  • Credit card data
  • Customer IP addresses
  • Biometric data like fingerprints or face ID
  • Health data
  • Education records
  • Employee personal information
  • Genetic data
  • Corporate financial records
  • Intellectual property

Locations that store, process, and transmit data

As organizations increasingly migrate data and processes to the cloud, identifying locations that store, process, and transmit data becomes more challenging. Development teams can create and erase workloads in under a minute, making it difficult to detect them using traditional methods.

When thinking about these locations, organizations need to consider:

  • On-premises data centers
  • Cloud services like Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) providers
  • Workloads
  • Containers
  • Social media accounts
  • Email servers
  • SaaS applications
  • Collaboration tools like Slack or Microsoft Teams
  • Shared drives like OneDrive, Google Drive, or SharePoint

All of these locations must be included in the assessment to evaluate risk appropriately.

Users

The rise in credential theft attacks means organizations need to focus more intensely on identifying users who increase their cybersecurity risk. Another challenge organizations face is that “users” are not always people. Machine identities, like robotic process automation (RPA) bots, can also pose risks.

When identifying risky users, organizations should consider:

  • Employees
  • IT administrators
  • Consultants
  • Customers
  • RPAs/bots
  • Service accounts
  • APIs


Assess risk

Assessing risk means understanding the risk that each identified device, data type, location, and user poses. Generally, organizations assign risk along a spectrum based on impact. For example:

  • High risk: being compromised would have an extremely negative impact
  • Medium risk: being compromised would have a negative impact
  • Low risk: being compromised would have little to no negative impact

If threat actors gain access to a database containing credit card data, then the risk is high because it has a large negative impact on the organization. Risks associated with devices include:

  • Ransomware/malware
  • A known vulnerability or multiple vulnerabilities
  • Theft

Risks associated with locations that store, transmit, and process data include:

  • Misconfigurations
  • Data stored in plain text
  • Man-in-the-middle attacks
  • SQL injection attacks

Risks associated with users include:

  • Excess access
  • Privacy
  • Credential theft
  • Poor password hygiene
  • Shared passwords
  • Privileged access

Risk analysis

The risk assessment gives visibility into specific types of risk arising from critical assets and users. However, the risk analysis moves toward a more holistic look at risk impact to the organization’s financial stability.

Risk analyses usually use a variation of the following equation:

Risk = Probability of Event × Impact to the Organization

The risk analysis is the quantifiable part of the assessment. Assessing impact to the organization means considering:

  • Financial risk: how would a data breach impact financial stability?
  • Compliance risk: would a data breach lead to fines or penalties from a compliance violation?
  • Reputation risk: how would customer churn impact the organization after a data breach?

The final part of the risk analysis process usually includes creating a heat map, which is a graphical representation showing the spectrum of risks with one axis labeled impact and the other labeled likelihood.

Define risk tolerance

The organization’s risk tolerance ultimately drives the controls that an organization needs to put in place to mitigate risk. For each risk, organizations can make one of four decisions:

  • Accept risk: the impact to the organization is so low that mitigating the risk would cost more than the impact itself
  • Deny risk: the impact is so high that mitigation strategies cannot reduce it enough to make the technology worthwhile
  • Transfer risk: someone else, like a cyber-risk insurer, covers the potential impact of the risk
  • Mitigate risk: put controls in place that limit the risk’s likelihood or its impact to the organization
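The risk analysis equation, the high/medium/low spectrum, the heat map and the four risk-tolerance decisions above can be carried through on a small asset inventory. The following is an added example written for this page, not code from the article or from Fortra; the 1..5 scale, the bucket thresholds, the choice of "worst of the three impact dimensions" as the impact value, the treatment thresholds and every asset in `SAMPLE_INVENTORY` are constructed assumptions.

```python
"""Risk analysis and risk-tolerance decisions for an identified asset inventory.

Added example, not code from the original article. It applies the article's
equation (Risk = Probability of Event x Impact to the Organization) to each
asset found in the identification phase, buckets the score into high / medium /
low, renders the likelihood-by-impact heat map, and selects one of the four
treatment decisions (accept, deny, transfer, mitigate). The assets, the 1..5
scale and the thresholds below are constructed sample values, not figures from
the article.
"""
from dataclasses import dataclass

SCALE = (1, 2, 3, 4, 5)   # constructed ordinal scale for both likelihood and impact


@dataclass(frozen=True)
class Asset:
    name: str
    category: str      # device / data / location / user, the article's phases
    likelihood: int    # probability of a compromising event, 1..5
    financial: int     # the three impact dimensions the article names, 1..5
    compliance: int
    reputation: int

    @property
    def impact(self) -> int:
        # Constructed choice: impact is the worst of the three dimensions.
        return max(self.financial, self.compliance, self.reputation)

    @property
    def risk(self) -> int:
        # The article's equation: Risk = Probability of Event x Impact
        return self.likelihood * self.impact


def risk_level(score: int) -> str:
    """Bucket a 1..25 score into the article's high / medium / low spectrum."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def treatment(asset: Asset, tolerance: int, deny_above: int, insured: frozenset) -> str:
    """Choose one of the article's four decisions for a single asset.

    tolerance:  highest score the organization accepts without action (accept).
    deny_above: score above which no mitigation makes the technology worthwhile (deny).
    insured:    asset names whose impact a cyber-risk insurer covers (transfer).
    Everything else is mitigated with controls.
    """
    if asset.risk <= tolerance:
        return "accept"
    if asset.risk > deny_above:
        return "deny"
    if asset.name in insured:
        return "transfer"
    return "mitigate"


def analyse(assets, tolerance=5, deny_above=19, insured=frozenset()):
    """Return {asset name: (risk score, level, decision)} for the inventory."""
    return {a.name: (a.risk, risk_level(a.risk), treatment(a, tolerance, deny_above, insured))
            for a in assets}


def heat_map(assets) -> str:
    """Render the heat map: impact across, likelihood down, count of assets per cell."""
    counts = {(lk, im): 0 for lk in SCALE for im in SCALE}
    for a in assets:
        counts[(a.likelihood, a.impact)] += 1
    rows = ["likelihood \\ impact " + "".join(f"{im:>4}" for im in SCALE)]
    for lk in reversed(SCALE):            # highest likelihood on top
        rows.append(f"{lk:>19} " + "".join(f"{counts[(lk, im)]:>4}" for im in SCALE))
    return "\n".join(rows)


# Constructed sample inventory, one asset per identification category plus extras.
SAMPLE_INVENTORY = [
    Asset("card-db", "data", likelihood=3, financial=5, compliance=5, reputation=5),
    Asset("lobby-printer", "device", likelihood=4, financial=1, compliance=1, reputation=2),
    Asset("hr-sharepoint", "location", likelihood=2, financial=3, compliance=4, reputation=3),
    Asset("svc-backup", "user", likelihood=3, financial=4, compliance=2, reputation=2),
    Asset("guest-wifi-ap", "device", likelihood=2, financial=1, compliance=1, reputation=2),
    Asset("legacy-ftp", "location", likelihood=5, financial=4, compliance=5, reputation=4),
]

if __name__ == "__main__":
    results = analyse(SAMPLE_INVENTORY, insured=frozenset({"hr-sharepoint"}))
    for name, (score, level, decision) in results.items():
        print(f"{name:<14} risk={score:>2} level={level:<6} decision={decision}")
    print(heat_map(SAMPLE_INVENTORY))
```

Running the block lists each asset's score, bucket and decision and then prints the heat map grid; the credit card database scores 3 × 5 = 15 (high) and is mitigated with controls, while the low-scoring guest access point is accepted. Changing `tolerance`, `deny_above` or the `insured` set is how a different risk appetite shows up in the decisions without touching the scoring.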

Set risk mitigation controls

Every organization needs to set controls to reduce the impact of a given risk. These controls act as the first step toward establishing the security program.

Data risk mitigation controls

Most controls that protect sensitive information work by limiting user access and managing where data is processed, stored, or transmitted.

However, before the organization can put those controls in place, it needs to classify sensitive data. This step is different from the data identification phase. Now, the organization is not just noting it has sensitive data, it is purposefully classifying and tagging the data so it can apply additional controls.

Device risk mitigation controls

Mitigating the cybersecurity risks associated with devices has become even more challenging with more people working remotely and using personal devices. Some typical controls include:

  • Installing anti-virus software on devices
  • Creating a security patch update policy and process
  • Requiring users to authenticate to a device
  • Encrypting devices to mitigate the risks arising from device theft
  • Hardening systems

Storage, processing, & transmission risk mitigation controls

As organizations adopt more cloud-based services, protecting sensitive data often means securing code-based locations and working to secure networks. Some risk mitigation controls include:

  • Network segmentation
  • Virtual private networks (VPNs)
  • Firewalls
  • Network scanning

User access risk mitigation controls

Cloud adoption also changes the importance of user access controls. Identity and Access Management (IAM) is more important than ever. When users connect to a network from inside the company’s firewall, the organization has more control over what they access and how they access it. Today, even users in an organization’s physical offices access applications using the public internet.

Some user access risk mitigation controls include:

  • Limiting access according to the principle of least privilege and enforcing it
  • Requiring users to authenticate to networks and applications
  • Establishing and enforcing segregation of duties (SoD) controls
  • Using role-based access controls (RBAC)
  • Using attribute-based access controls (ABAC)
  • Enforcing strong password policies
  • Using multi-factor authentication (MFA)

Why Are Risk Assessments Challenging?

In modern, interconnected IT ecosystems, risk assessments can be difficult due to the inability to maintain asset inventory, lack of visibility into third-party vendor risk, staffing changes, and point-in-time problems.

Inability to maintain asset inventory

Organizations and users introduce new devices to the corporate network regularly. While this can streamline business operations, it also makes maintaining an accurate asset inventory difficult.

Additionally, IoT devices use different connection points and ports than traditional IT devices. Many companies use network discovery scanners to detect new devices, but these scanners do not always review the ports that IoT devices use. This means that companies may have “blind spots” when it comes to IoT.

Lack of visibility into third-party vendor risk

Every technology that connects to the corporate network comes from a third-party vendor. As threat actors increasingly target supply chains, companies need greater visibility into their technology vendors’ security.

However, these intricate ecosystems include not only a company’s vendors but also the vendors’ own third-party technologies. While an organization may be able to control its own risk, it lacks the ability to know or control those downstream risks.

Joiner-mover-leaver risk

All companies experience changes in their workforce. New people join. Workforce members move to different departments. Some people leave the organization. Each change affects the risks associated with user access.

For example, when people move from one department to another, they may bring their access with them. However, people who work in sales may not need the same access as those on the marketing team. This creates a risk of someone having more access than necessary. Another risk occurs when people leave an organization. If the organization fails to terminate access in a timely fashion, threat actors may use the dormant account as a way to gain access to systems and networks.
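The two joiner-mover-leaver failures described above, a mover who carries old entitlements into a new department and a leaver whose account is never disabled, are easy to check for once the HR roster and the IAM entitlement export are side by side. The following is an added example written for this page, not code from the article or from Fortra; the departments, the per-department entitlement baselines, the users, the entitlements and the dates are all constructed sample data, and the third check (enabled accounts with no roster entry at all) goes one step beyond what the article describes.

```python
"""Joiner-mover-leaver access review.

Added example, not code from the original article. It runs the two checks the
article's joiner-mover-leaver section describes over a constructed HR roster and
a constructed list of granted entitlements: leavers whose accounts are still
enabled (dormant accounts that threat actors could reuse) and movers who kept
access their current department does not need (excess access). A third check,
enabled accounts that are not on the roster at all, is an extension beyond the
article. The departments, baselines, users and dates are invented sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    user: str
    department: str
    status: str                     # "active" or "left"
    left_on: Optional[date] = None  # set when status == "left"


# Constructed baseline: the entitlements each department is expected to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "sales":     {"crm", "email", "vpn"},
    "marketing": {"cms", "email", "vpn", "analytics"},
    "finance":   {"erp", "email", "vpn"},
}

# Constructed HR roster as of the review date.
ROSTER: List[Person] = [
    Person("alice", "marketing", "active"),               # moved here from sales
    Person("bob", "finance", "active"),
    Person("carol", "sales", "left", date(2024, 1, 15)),  # left; account never disabled
    Person("dave", "sales", "left", date(2024, 3, 1)),    # left; account was removed
]

# Constructed IAM export: a key means the account is enabled; the value is what
# the account is currently granted.
ACCESS: Dict[str, Set[str]] = {
    "alice": {"crm", "cms", "email", "vpn", "analytics"},  # still holds sales-only "crm"
    "bob":   {"erp", "email", "vpn"},
    "carol": {"crm", "email", "vpn"},
}

REVIEW_DATE = date(2024, 4, 1)   # constructed date of the review


def stale_leaver_accounts(roster, access, today, grace_days=0) -> List[Tuple[str, int]]:
    """Leavers whose account is still enabled past the grace period, with days since leaving."""
    findings = []
    for p in roster:
        if p.status == "left" and p.user in access:
            age = (today - p.left_on).days
            if age > grace_days:
                findings.append((p.user, age))
    return findings


def excess_mover_access(roster, access, baseline) -> Dict[str, Set[str]]:
    """Active users holding entitlements outside their current department's baseline."""
    findings = {}
    for p in roster:
        if p.status != "active":
            continue
        extra = access.get(p.user, set()) - baseline.get(p.department, set())
        if extra:
            findings[p.user] = extra
    return findings


def unknown_accounts(roster, access) -> Set[str]:
    """Enabled accounts with no roster entry at all (orphaned or unmanaged)."""
    return set(access) - {p.user for p in roster}


if __name__ == "__main__":
    print("stale leaver accounts:", stale_leaver_accounts(ROSTER, ACCESS, REVIEW_DATE))
    print("excess mover access:", excess_mover_access(ROSTER, ACCESS, ROLE_BASELINE))
    print("accounts not on roster:", unknown_accounts(ROSTER, ACCESS))
```

On the sample data the review flags carol's account as still enabled 77 days after she left and alice's leftover `crm` entitlement from her time in sales; dave, whose account was removed, and bob, whose access matches the finance baseline, produce no findings. The `grace_days` parameter is the point where an organization's own deprovisioning policy plugs in: with a 90-day grace period carol's account would not yet be reported, which is exactly the kind of tolerance decision the assessment has to make explicit.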

Point-in-time problems

Risk assessments tend to provide a snapshot of an organization’s risk and security posture at a given moment in time. Although organizations need to undertake additional assessments when they make significant changes to their IT stack, this only covers their technology choices.

Software vulnerabilities or changes in attack methodologies also impact the organization’s risk posture. Unfortunately, these changes can come at any time, not just on a predetermined schedule.

As industry standards and regulatory compliance requirements change, many are requiring organizations to engage in continuous monitoring. This means that companies need to move away from the point-in-time assessments and find ways to look proactively for new risks. In order to continuously mitigate risk, organizations need to continuously monitor for it.

Protect Data with Robust Risk Assessments

A cybersecurity risk assessment is the foundation of strong security and compliance programs. Whether an organization is trying to pass an audit or reduce its risk of experiencing a data breach, it needs visibility to meet mission-critical needs.

Many organizations are concerned with addressing compliance effectively and accurately as they begin introducing public cloud vendors, because they do not have firsthand experience in the field. For those customers, it would make sense to bring on a managed security services provider like Fortra’s Alert Logic that has the experience in cloud security and can act as a single vendor for 24/7 risk visibility, threat detection and compliance coverage via a single security platform and global SOC.

With the right reports documenting continuous monitoring activities, organizations can reduce risk and enhance their compliance posture. Organizations need to prove that they can detect new risks in a timely manner, rather than waiting for the periodic assessment. Having the right tools and business partners in place enables them to reduce the time and operational costs associated with risk monitoring while improving their cybersecurity risk posture and resiliency.

About the Author
Antonio Sanchez
Antonio Sanchez is Fortra’s Principal Evangelist. He has over 20 years of experience in the IT industry focusing on cyber security, information management, and disaster recovery solutions to help organizations of all sizes manage threats and improve their security posture.
