5 Steps to a Cybersecurity Risk Assessment

It’s no secret that cybersecurity breaches are increasing in both frequency and complexity. Ransomware attacks are regularly in the news, and the 2020 Thales Data Threat Report found that:

  • 49% of US companies have experienced a data breach
  • 26% of US companies have experienced a data breach within the last year

Despite these sobering numbers, most of us still believe that it won’t actually happen to us. This false sense of confidence means that many of us haven’t done our homework and performed a cybersecurity risk assessment, and so we may not even be aware of an attack while it is happening.

Consider this: on average, 4,800 websites are compromised every month with form-jacking code, which allows an attacker to capture credit card information as it is entered on your website.

While this attack allows criminals to steal millions of dollars, your website continues to function without any visible problem. Unless you actively scan your site for malware and vulnerabilities, test code updates before deploying them, and monitor activity, you might not even realize your business has been compromised.

The Value of a Cybersecurity Risk Assessment

Performing a cybersecurity risk assessment will give you greater knowledge and understanding of the potential threats that exist, and how they can harm your business. 

Risk assessments can also help you:

  • Reduce costs
  • Avoid financial loss 
  • Strengthen your reputation with clients, vendors and business partners

Step 1: Take Inventory of your information systems

Start by making a list of all the systems your organization uses, including:

  • CRMs
  • Accounting software
  • Payroll systems
  • Website hosting and management
  • Credit card processors
  • Email systems
  • File / document storage
  • Cloud storage
  • SaaS apps or systems

Note: Small businesses should examine their entire operation, but larger organizations may need to narrow their scope and focus on specific business units or functions (e.g. payment processing).

Step 2: Assess the risk to each system

Now that you’ve identified your information systems, it’s time to think through how they are accessed, and where a threat exists.

Ask yourself the following questions for each item on your list:

  • How is the system accessed?
    • Is it available directly online, or is it software that must be accessed through a company portal?
    • Is it connected to other third-party apps? (e.g. your credit card processor is likely connected to your website)
  • Who has access?
    • Are there multiple users, or do several people share access through a single login?
    • Do any outside vendors have access to the system?
    • Can anyone in the company access the information/files, or do different users have different permission levels?
  • How are passwords stored or shared?
  • Do any security measures exist, such as a VPN, firewall or two-factor authentication?
  • Are there backups of the information?
    • If so, where are they stored, and who has access?
  • What type of stored information could present a risk? Do any systems store personal information such as:
    • Social security numbers of employees or clients
    • Birthdays of employees or clients
    • Credit card information
    • Bank account information for ACH transfers/payroll

Step 3: Consider the threats

Now it’s time to consider the threats to each of your systems. Many companies tend to focus on external threats, but a study by Verizon found that a third of data breaches are caused by internal actors.

Internal threats, whether accidental or intentional, can have the same devastating impact on a business. A comprehensive risk assessment should identify all risks to a business, both internal and external.

External threats include:

  • Ransomware
  • Malware
  • Viruses
  • Phishing

Internal threats include:

  • Human error
  • Employees accessing information through insecure devices (e.g. personal computers or mobile phones)
  • Data theft

Don’t forget the risk of a natural disaster or structural failure – if your building burned down, could you continue to operate? 

Step 4: Prioritize your response

By now you should have a comprehensive picture of your information systems, and the threats that exist. This allows you to take steps to protect yourself. 

In an ideal world, you would secure everything immediately, but the reality is that your budget may require a phased approach, so it’s important to prioritize the biggest threats. For each threat on your list, ask:

  1. What is the likelihood of the threat?
    An attack on your website could be very likely, while a natural disaster is less likely.
  2. What is the severity of the threat, including its impact and cost?
    If your clients’ credit card information is compromised, what will it cost you to address the breach? Be sure to include the impact on your reputation, as well as potential fines or lawsuits.
  3. How effective is the existing control?
    If you require employees to use a VPN to access company systems, will that contain the risk?
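As an added example (not part of the article), here is a small Python risk register that applies the three Step 4 questions to the systems inventoried in Step 1 and the threats listed in Step 3. The scoring model (likelihood times severity, reduced by each control's assumed effectiveness) and the sample register values are assumptions chosen for illustration, not a published standard.

```python
# Added example: a minimal risk register for prioritizing a phased response.
# Scoring model is an assumption: inherent risk = likelihood x severity (1-9),
# and each control removes an assumed fraction of whatever risk remains.
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class SystemRisk:
    system: str          # item from the Step 1 inventory
    threat: str          # threat identified in Step 3
    likelihood: str      # "low" / "medium" / "high"
    severity: str        # "low" / "medium" / "high" (cost, fines, reputation)
    # control name -> assumed fraction of the risk it removes (0.0 to 1.0)
    controls: dict = field(default_factory=dict)


def inherent_score(risk: SystemRisk) -> int:
    """Risk before any control is applied, on a 1 to 9 scale."""
    try:
        return LEVELS[risk.likelihood] * LEVELS[risk.severity]
    except KeyError as exc:
        raise ValueError(f"unknown level {exc} for {risk.system}") from None


def residual_score(risk: SystemRisk) -> float:
    """Risk left after each control removes its share of what remains."""
    remaining = 1.0
    for name, effectiveness in risk.controls.items():
        if not 0.0 <= effectiveness <= 1.0:
            raise ValueError(f"control {name!r} effectiveness must be 0..1")
        remaining *= 1.0 - effectiveness
    return round(inherent_score(risk) * remaining, 2)


def prioritize(register: list) -> list:
    """Order the register so the largest residual risk is addressed first."""
    return sorted(register, key=residual_score, reverse=True)


# Constructed sample register for a small business (values are illustrative).
REGISTER = [
    SystemRisk("website", "form-jacking of checkout page", "high", "high",
               {"monthly malware scan": 0.5}),
    SystemRisk("email", "phishing", "high", "medium"),
    SystemRisk("payroll system", "insider data theft", "medium", "high",
               {"two-factor authentication": 0.6, "per-user permissions": 0.4}),
    SystemRisk("file storage", "building fire", "low", "high",
               {"off-site backup": 0.8}),
]
```

Calling `prioritize(REGISTER)` returns the register ordered by residual score, so the unprotected email system ranks above the website even though the website's inherent risk is higher.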

Step 5: Review annually

As your business evolves, it’s highly likely that you’ll add or upgrade the systems you use. Your team will change, and as we’ve found with the COVID pandemic, work habits will change.

All of these factors make it important to document your risk assessment, and review it annually to adapt to changes in your organization.

At Luminary ACE, we believe every business – no matter how big or small – should be protected against cyber threats. That’s why we offer cost-effective strategies to operate in a secure and efficient manner. Contact us today for a free consultation to find out if we’re the right choice for you.