How to Perform a Cybersecurity Risk Assessment: A Step-by-Step Guide


In 2017 over 179 million confidential documents were released because of data breaches. According to a 2018 study by IBM Security and Ponemon Institute, major data breaches cost an average of $3.86 million and global ransomware damages are predicted to exceed $11.5 billion by 2019.

These are just some examples of the destruction that cyber attacks can cause.

However, cybersecurity breaches can do more than just cost your company millions of dollars. They are responsible for the loss of intellectual and proprietary data, can ruin your company's reputation, erode stakeholder confidence and lead to litigation if confidential information is compromised. Data breaches give attackers a low-risk, high-reward opportunity, and recent trends indicate that successful intrusions are increasing at an exponential rate. For example, between 2010 and 2017 there was a 70% increase in data breaches in the healthcare industry, leading to countless HIPAA violations and consumer litigation.

As we've already shown, cybersecurity attacks can happen at any time to any company, and the effects can be devastating.

But what are cybersecurity attacks? And how can you prevent your company from becoming a victim?

Cybersecurity attacks are socially or politically motivated attempts to breach the security of a network. Although attacks vary in technique and sophistication, Symantec characterizes them in five distinct stages: Reconnaissance, Incursion, Discovery, Capture, and Exfiltration. Many incursions go completely undetected - in fact, notifications of major data breaches often come after compromised material has been shared on the Dark Web.

Organizational leaders must understand that comprehensive, risk-based decisions are vital to balancing the force-multiplying effects of information systems with the risk of those systems being inherently vulnerable to exploitation.

If you want to prevent or reduce the likelihood of an attack, you have to develop a risk management strategy: how your organization will frame, assess, respond to and monitor risk over time.

How Can My Organization Frame Risk?

The first step of developing a sound risk management strategy is to frame risk. During risk framing, organizations strive to understand the risk context - that is, detailing how risk decisions are made. Here, organizations identify the following:

Risk Assumptions: How your organization currently perceives risk factors such as threats, weaknesses, loss expectancies, consequences (fines, penalties, loss of confidence), and exploit probability.

Risk Constraints: Organizational limitations, such as resources, that will impede your ability to deal with risk.

Risk Appetite: The amount of risk an organization is prepared to accept.

Risk Tolerance: The organization’s willingness to accept risk after implementation of controls and countermeasures. Note that tolerance is often defined by regulatory and legal requirements.

Priorities: The importance of core/critical business functions.

How Can My Organization use the Risk Frame to Assess Risk?

Now that your organization understands the context and details of the risk, it can be assessed. Through the assessment process, your organization should make a risk determination by coupling the potential impact with the likelihood that a weakness will be exploited.

Risk Assessment Process

How will my organization respond to risk?

Now that your organization understands the risks and the probability of occurrence, decision makers should form a Risk Response Strategy for an organization-wide, repeatable response to risk. There are four ways that your organization can respond to risk:

Acceptance: The risk is within the organizational risk tolerance.

Avoidance: The risk exceeds the organizational risk tolerance. Safeguards and countermeasures aren’t available or their implementation cost exceeds the expected benefit.

Mitigation: Risk is reduced through the application of controls, enhanced safety features, implementation of technical safeguards, or use of countermeasures.

Transfer: Also known as risk sharing, risk transfer occurs when organizations reassign the responsibility and liability to other entities. A great example is purchasing a flood insurance policy for a data center. It would be costly or impractical for an organization to install monitoring sensors and sump pumps below raised flooring, but it would be feasible to transfer the flood risk to an insurance company in exchange for an annual premium.
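The following is an added example, not code from the original article: a small risk register that scores each risk (likelihood coupled with impact), compares the score with the organization's risk tolerance, and applies the four responses above, treating a control as worth applying only when its cost does not exceed the expected benefit. The 1-5 scales, the tolerance value, the control costs and the sample risks are constructed assumptions.

```python
# Added example, not from the original article: a small risk register that scores
# each risk (likelihood x impact), compares the score with the organization's risk
# tolerance and applies the guide's four responses. Scales, the tolerance value and
# the sample risks below are constructed assumptions for illustration.
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    kind: str                # "mitigate" (safeguard/countermeasure) or "transfer" (e.g. insurance)
    annual_cost: float
    expected_benefit: float  # expected annual loss avoided if the control is applied

@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    controls: list[Control] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # risk determination: impact coupled with likelihood

def choose_response(risk: Risk, tolerance: int) -> str:
    """Map a scored risk to Acceptance, Mitigation, Transfer or Avoidance."""
    if risk.score <= tolerance:
        return "Acceptance"      # within the organizational risk tolerance
    # A control is only worth applying if its cost does not exceed the expected benefit.
    viable = [c for c in risk.controls if c.annual_cost <= c.expected_benefit]
    if not viable:
        return "Avoidance"       # no safeguard available, or every option costs more than it saves
    best = max(viable, key=lambda c: c.expected_benefit - c.annual_cost)
    return "Transfer" if best.kind == "transfer" else "Mitigation"

def build_register(risks: list[Risk], tolerance: int) -> list[tuple[str, int, str]]:
    """Return (name, score, response) rows, highest score first, for decision makers."""
    ranked = sorted(risks, key=lambda r: r.score, reverse=True)
    return [(r.name, r.score, choose_response(r, tolerance)) for r in ranked]

# Constructed sample register; a tolerance of 6 on the 1..25 scale is an assumption.
SAMPLE_RISKS = [
    Risk("Data center flooding", 2, 5,
         [Control("Flood insurance policy", "transfer", 20_000, 150_000),
          Control("Sump pumps under raised floor", "mitigate", 400_000, 150_000)]),
    Risk("Phishing leads to credential theft", 5, 4,
         [Control("MFA on remote access", "mitigate", 30_000, 250_000)]),
    Risk("Unsupported legacy application", 4, 4),
    Risk("Outdated printer firmware", 2, 2),
]
```

Running `build_register(SAMPLE_RISKS, tolerance=6)` ranks the phishing risk first and recommends transferring the flood risk to the insurer, mirroring the example above, because the sump pump option costs more than it is expected to save.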

Now That My Organization is Managing Risk, How Can We Monitor it?

Risk is dynamic and fluid, and the risk environment changes hundreds, if not thousands, of times throughout the day. Now that the heavy lifting is out of the way, your organization should develop a Risk Monitoring Strategy. Your organization's strategy should focus on program compliance, effectiveness, monitoring frequency, and how it will address changes to the internal and external environment.

The results of the monitoring efforts will likely trigger a need to amend the organization's Risk Management Strategy. Perhaps the most beneficial quality of the Risk Management Process is its cyclical nature. If the process has been successfully embedded in the organization's processes, procedures, and culture, it can be easily repeated.

The Data Breach Upwards Trend

According to the 2018 Cost of a Data Breach Study by the Ponemon Institute, the average total cost of a data breach rose 6.4 percent this year alone. The mean time to identify the breach was 197 days and the mean time to contain it was 69 days - that's 266 days total! 75 percent of breaches were successful because of either human error or malicious criminal attack, and the majority of them could have been mitigated or eliminated through the adoption and application of Risk Management.

We can help you understand your organizational risk by performing a Vulnerability Assessment on your organization’s endpoints. After reviewing our findings, we will prepare you a Vulnerability Assessment Report detailing the tested devices, discovered vulnerabilities, and our prioritized recommendations.

If you’re interested in developing your personnel to effectively manage your organization’s risk management program, we highly recommend the Certified Authorization Professional certification. By making your employees Risk Management Framework (RMF) experts, they will be versed in containing information and information system risks to the parameters of your organization’s threshold. Please contact us today for more information.