This is the second of two articles on Risk Assessments. The first part asked the question, Do I Really Need To Do A Cybersecurity Risk Assessment? This article gives an introduction to conducting a Risk Assessment and helps explain the process.
I’m often asked whether an SMB needs to hire someone to help with this, or if they can do it themselves.
Well, that answer can go either way!
Let’s remember that our objective for cybersecurity is the survivability of the organization whether there is an event or not. Working through this DIY risk assessment can help prepare you if you decide to seek help from someone.
Here goes with the cybersecurity risk assessment!
But first, as you read this you’ll wonder how to keep the information you collect. One way to do that is with a Risk Register. You can Google for examples and templates of a Risk Register.
First… Every organization has assets of varying levels of importance to business operations. These need to be listed.
- Hardware: Computers, servers, mobile devices, network equipment, etc.
- Software: Operating systems, applications, databases, etc.
- Data: Customer information, financial records, intellectual property, etc.
- People: Employees, contractors, third-party vendors, etc.
Then… Each asset needs to be given a level of importance to business operations. Create a list of the assets in your organization that need protection. Think about customer data (names, addresses, payment information, etc.) and internal business data (inventory, financial records, employee records, etc.).
That was pretty easy, right? Let’s move on to the next step.
Second… there are cyber threats to your organization. Identify the common threats and assign each one a likelihood.
- Cyberattacks: Phishing, malware, ransomware, DDoS attacks, etc.
- Insider Threats: Malicious insiders, accidental data leaks, etc.
- Physical Threats: Theft, natural disasters, physical intrusion, etc.
Now… figure out how likely these threats are. For instance, if you live in North Dakota, a hurricane has a very, very low probability of hitting you. But a tornado may have a much higher likelihood of hitting! Maybe you work in the local government space and ransomware-focused attacks are probable. Mark those down!
You’re halfway through now. Let’s move on to think about the cyber weaknesses of the organization.
Third… every organization has weaknesses or vulnerabilities. This requires that you honestly evaluate your environment. Are you operating with outdated software? Do you have patch management as a focus? Is your staff susceptible to phishing? Think through and document these vulnerabilities.
Fourth… It’s time to start tying all the previously collected information together. Assess the risks to your organization by considering the likelihood of each threat exploiting a vulnerability, and evaluate the potential impact on your organization. Here are some examples…
- Is your website software outdated? (Maybe you’re running an old version of WordPress with old plugins…) There might be a high probability of malware or denial of service. These could lead to data loss or damage to your reputation.
- Maybe you are susceptible to phishing attacks, which if successful could lead to exposing customer data, or even ransomware.
Finally… Take the information you’ve gathered up to this point and think about technical and non-technical controls you can put in place to reduce your risk. You might end up with a list like this…
- Schedule a regular time to apply patches to the servers, website software, or workstations
- Train your staff to recognize attempts to get them to fall victim to phishing attacks
- Force multi-factor authentication everywhere possible to strengthen authentication
Now that that’s all done, you need to regularly update the risk assessment. Formally do this annually, but informally review it whenever software or processes change.
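To show how the five steps above fit together in a Risk Register, here is an added example in Python. It is not part of the original article and not a SureDefense Strategies tool. It assumes a simple 1-to-5 likelihood and impact scale, a risk score of likelihood × impact, and rating bands (Low, Medium, High) that are my own choice; the sample entries are constructed from the article's own scenarios (outdated WordPress, phishing, a tornado vs. a hurricane in North Dakota).

```python
"""Minimal cybersecurity Risk Register (added example, not from the article).

Each entry ties an asset, a threat and a vulnerability together (steps 1-3),
scores the risk as likelihood x impact (step 4), and records the controls that
reduce likelihood so a residual score can be tracked (step 5).
"""
import csv
import io
from dataclasses import dataclass, field


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 = rare ... 5 = almost certain (assumed scale)
    impact: int                # 1 = negligible ... 5 = severe (assumed scale)
    # List of (control name, how many likelihood points it removes).
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")


def rating(score: int) -> str:
    """Map a 1-25 score onto bands; the thresholds are an assumption."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def inherent_score(entry: RiskEntry) -> int:
    """Risk before any controls are applied."""
    return entry.likelihood * entry.impact


def residual_likelihood(entry: RiskEntry) -> int:
    """Likelihood after controls; never drops below 1 (no risk is ever zero)."""
    reduction = sum(points for _, points in entry.controls)
    return max(1, entry.likelihood - reduction)


def residual_score(entry: RiskEntry) -> int:
    """Risk that remains after the listed controls are in place."""
    return residual_likelihood(entry) * entry.impact


def rank_register(entries: list) -> list:
    """Highest residual risk first; ties broken by inherent score."""
    return sorted(entries, key=lambda e: (residual_score(e), inherent_score(e)), reverse=True)


def to_csv(entries: list) -> str:
    """Render the register as CSV text so it can be kept in a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["asset", "threat", "vulnerability", "likelihood", "impact",
                     "inherent_score", "inherent_rating", "residual_likelihood",
                     "residual_score", "residual_rating", "controls"])
    for e in rank_register(entries):
        writer.writerow([e.asset, e.threat, e.vulnerability, e.likelihood, e.impact,
                         inherent_score(e), rating(inherent_score(e)),
                         residual_likelihood(e), residual_score(e),
                         rating(residual_score(e)),
                         "; ".join(name for name, _ in e.controls)])
    return buf.getvalue()


# Constructed sample register based on the scenarios in the article.
SAMPLE_REGISTER = [
    RiskEntry("Public website (WordPress)", "Malware / denial of service",
              "Outdated WordPress core and plugins", likelihood=4, impact=4,
              controls=[("Monthly patch window for website software", 2)]),
    RiskEntry("Customer data (names, payment info)", "Phishing leading to data exposure or ransomware",
              "Staff susceptible to phishing; no MFA on email", likelihood=4, impact=5,
              controls=[("Phishing awareness training", 1), ("MFA everywhere possible", 2)]),
    RiskEntry("On-premises servers", "Tornado / physical damage",
              "No off-site backups", likelihood=2, impact=5),
    RiskEntry("On-premises servers", "Hurricane",
              "Single physical site", likelihood=1, impact=5),
]

if __name__ == "__main__":
    print(to_csv(SAMPLE_REGISTER))
```

Running it prints the register ranked by residual risk. Note that the tornado entry, which has no controls, ends up at the top even though phishing had the worst inherent score: that is the point of tracking residual risk, it shows where the next control belongs. Re-run the register whenever an asset, threat or control changes, as the annual/informal review step recommends.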
And if you don’t know how to get started, contact SureDefense Strategies by hitting that “Get In Touch” button. We’re here to help!