How to perform a cyber security risk assessment? Step by step guide.

Taking cyber security risk assessment out of the equation, risk assessments are nothing new to the world. Industries such as nuclear, aerospace, oil, agriculture, military and railroad have long-established processes to deal with risk. Continuous risk assessments are performed by food, medical, hospital sectors to control risks affecting their environments. Similarly, cyber risk assessments are an integral part of any risk management programme. For discussing your security concerns or conducting a risk assessment, visit our parent service page CREST approved penetration testing To view a concise version of this article, we invite you to watch our video on the same topic.

What is cyber risk?

Cyber risk is defined as the potential harm or loss due to unauthorised use of information systems. In present times cyber risks are pervasive, and there are more than thousands of reported cases daily. There are attacks on an information system, exposure to harm, and loss from breaches. Cybercrimes such as phishing, whaling, pharming have become the most common type of economic fraud affecting the world. Cyber security incidents continue to increase and strengthen. Big and small businesses are vulnerable than ever to cybercrime and are hacked by organised criminal gangs for identity thefts, credentials theft and other financial gains. For example, risks to cloud computing can be read in detail here, clubbed under cloud security risks.

What are the security risks of the cloud computing?

Why are we talking about security risk assessment?

The impact of the internet and digital technologies has been huge in our lives. Our professional and personal lives have transformed even faster with unexpected events such as COVID-19. With so much dependence on digital assets, we expect high reliability from these technologies. Every business has its own ways to work through risks and investments in line with business objectives. However, validating and seeing how this can be improved and where blind spots lie could lead to major gaps in controls. Threat assessment helps a business make informed decisions about its technology and services investments. One needs to be aware of unknowns to prepare for how to manage potentially risky situations.

What is a cyber security risk assessment?

In today’s advancing world, every company needs to assess its IT and other risks (legal, financial, operational)  and here is what you need to know about it. A cyber security risk assessment identifies, analyses, and evaluates risks affecting an organisation’s assets. It is a critical component of risk management and data protection efforts. It is also known as security risk analysis in cyber security. It validates the security controls in place and checks whether these are appropriate for the risks faced by an organisation. An organisation cannot make informed security decisions without an assessment of its risks. Otherwise, this could lead to wasted time and resources against events that are unlikely to occur or have a low impact. A security risk assessment is a significant part of any company or organisation’s risk management strategy. NIST definition of security risk assessment is to recognize, estimate and prioritize risk to companies operations, individuals, organisational assets resulting from the operation and use of information systems. The NIST issues these lines for the federal entities. The essential function of cyber risk assessment is to help decision-makers support risk responses. Some of the executives and C-suite directors don’t have time to delve into the minutiae of your everyday cyber operations. Therefore, cyber risk assessment is a summary to brief you with informed decisions about security and safety.

Risk = probability x severity

We can understand risk using the popular equation; risk equals probability times severity. Probability is the likelihood of an event, and severity is how serious this harm could be. In technology risk, we often see this formula:

Risk = likelihood x impact

With the increase in technology, technology risk is also increasing. Therefore, the challenge at hand is to lower the likelihood of security incidents as much as possible.

What is the purpose of an information security risk assessment?

The primary purpose of an IT security risk assessment is to find out answers to several key questions such as:

• What are the most critical assets of a business?
• What event could cause a major impact on these critical assets?
• What type of events can bring the business to a halt?
• Which vulnerabilities are posing the most risk to the internal and external (internet facing) assets?
• What threats and threat actors are posing a risk to organisations’ assets?
• What is the impact and likelihood of exploitation of the identified weaknesses?
• What is the risk appetite of our organisation?

Answers to the above questions would help identify what needs to be protected and then exploring security controls that would help minimise the risk. Before developing security controls and data protection measures, it is important to realise the value of the data you will protect. Cyber security assessment and management are part of the cyber risk analysis for an organisation to prepare for future eventualities with specifics about how to deal with any adverse situations. It would be best if you calculated that based on three items:

1. What are the risk and its priority?
2. Whether to accept, transfer or mitigate the risk
3. What are the resource investments to handle this risk?

Such assessment could also be based on subsets such as network security risk analysis or data security risk assessment.

Why do you perform a cyber risk assessment?

There are various reasons why a business should perform a cyber risk assessment. These are:

1. It helps to reduce security incidents and avoid data breaches linked to financial and reputational implications. A good risk analysis improves security controls and risk mitigation strategies.
2. Fulfil compliance requirements be it be PCI DSS, GDPR, HIPAA or others.
3. Better security culture and communication across the organisation as an assessment involves inputs from various departments and stakeholders.
4. Working towards mitigating risks for an organisation leads to long haul cost savings, whether it is an improvement in internal processes or the cost of a security incident – it’s all belonging to the same organisation.
5. A risk template is prepared for future threat assessments that can be used and updated as new changes affect assets’ risk posture.
6. It provides a list of organisational vulnerabilities indicating where improvements are needed.
7. These audits are inputs into the security management, operations and engineering teams to help prevent security incidents by stepping up defensive controls.
8. Getting cyber insurance for the organisation may require cyber risk assessment as a prerequisite.

Risk assessments are an essential part of a company or any organisation with a wide range of risk management strategies. This article’s scope does not include holistic risk management but suffice to say, risk reviews are a crucial part of risk management, an essential element of organisational security.

Who can perform a cyber risk assessment?

Large businesses have in-house audit personnel or assurance teams that handle these activities. Small businesses tend to rely on freelancers or outsourced security partners who take on this project. Cyber risk analysis isn’t possible without input from various teams responsible for the critical assets and operational tasks. Often, interviews and information gathering sessions are organised to gain insights from executives to various data and asset champions during the threat assessment. The visibility across the organisation is a significant component of a cyber risk review. Small and medium businesses outsource this evaluation because they don’t have the right skill-set to do the house. In this case, vet your vendor carefully, asking for references, skill-set details and watch out for conflicts of interest, if any.

What is the difference between risk management and risk assessment in cybersecurity?

Risk management is a continuous process of identifying and managing security risks to avoid sensitive data exposure. Anyone working in the information security field is part of the risk management domain. Cyber risk analysis is one of the key stages that involves identifying, analysing, and evaluating risks. Risk management helps businesses plan for the future based on what could go wrong and the related countermeasures to minimise the business’s risk exposure changes. Uncertainty is a big factor when talking about cyber risk. This factor plays a part in preparing the organisational assets for future events. Compliance doesn’t equal risk management. It is important to stay away from tick-in-the-box approaches, whether due to external pressures or customer requirements. A business can still comply while adhering to common security standards with weak security controls. This means compliance does not equate to risk management. This topic is covered in detail under GRC in cyber security. There are two main risk management techniques:

• component-driven, i.e., managing risks due to threats and vulnerabilities affecting technical components.
• system-driven, i.e. to manage risks after identification and analysing systems as a whole

How to perform a risk assessment?

Before we begin assessing risks, we first need that data, its value and whereabouts. This is known as a data audit.

Data Audit

Data audits could be massive in the scope given the operations of a business. However, it is not a complex project. Here are the key questions that make up your data audit:

• What data is collected? Do we have functional use of the entire data or certain items?
• Where is it stored?
• How is it protected?
• How long is it kept for?
• Who has access to this data?
• Is the data storage location secure?
• In the case of GDPR or other consumer privacy laws, what is the process for data deletion?

Like every business with a limited budget for risk management, a good assessment methodology also follows a prioritised approach. It is important to determine the business’s information value, in the form of most business-critical assets to the least. The importance of an asset is mostly defined by the functional use and data sensitivity linked to it. Once a process is standardised to determine the importance of all assets, classify all the assets into critical, major, minor categories. This calculation on data value relies on the key questions such as:

• Would your organisation incur any legal or financial penalties in case of data loss, theft or exposure?
• What would be the implications of a cyber attack, data breach or theft? Would it be reputational, financial, legal or all of them?
• What is the impact of data loss or exposure on the organisation revenue?
• What costs are associated with recovering the information, whether from backups or recreating the information?

Information security risk assessment steps

The following steps are part of a thorough review that provides a template for future use. More updates and changes in the future relate to changes to controls; therefore, the need to identify, assess and evaluate risks will remain there.

1. Identify and prioritize assets

The very first step is to identify the assets to define the scope of this assessment. An asset could be servers, databases, key people, sensitive documents such as contracts, SLAs, customer contact information, trade secrets, Intellectual Property and other key information assets. Not all assets have the same value; therefore, it is important to prioritise the assets based on criticality. Create a list of the valuable assets to your organisation and gather the following information, as applicable:

• End-users
• Data
• Criticality
• Functional requirements
• Software
• Hardware
• Interface
• Support personal
• Purpose
• IT security policies & architecture
• Network topology
• Storage protection
• Data flow
• Technical security controls
• Physical security controls
• Environmental security

2. Identify cyber threats

Generally, two types of threats are part of this phase. It involves malicious threats related to internal or external attacks and non-malicious threats. Examples of adversarial threats are:

• Unauthorised access from external threat actors due to malware, employee negligence, ransomware, phishing, etc.
• Insider attacks caused by privileged insiders, negligent insiders, third-party vendors, corporate espionage, nation-states.
• Data leaks caused by disclosure of PII, sensitive data or via misconfiguration issues
• Data loss due to poor replication or backup
• Loss of revenue and reputational due to downtime causing service disruption

Non-adversarial threats relate to:

• Natural disasters such as floods, earthquakes, fire and other disasters that can destroy hardware and software
• Hardware or system failures could lead to loss of data or data corruption.
• Human error based threats related to sensitive data leakage, loss or corruption. It could be caused by a phishing scam, accidental malware execution via removable media or other ways.

3. Identify vulnerabilities

Till now, we have dived into ‘what could happen’. This section deals with specifics with real chances of happening. It would help if you needed to identify vulnerabilities. It includes cataloguing and discovering the weaknesses in your network. A vulnerability is a weakness that a threat actor can exploit to perform unauthorised actions such as data theft, modification, deletion or further infiltration into the networks. Your team’s job is to determine what vulnerability is being caused by what threats and what controls are in place to mitigate such issues. Cyphere uses the qualitative values of Critical, High, Medium, Low and Informational. Vulnerabilities are identified using various technical security assessments such as network penetration testing, web application penetration testing, mobile pen tests or vulnerability assessments. Businesses use managed vulnerability scanning to stop on top of vulnerabilities and mitigating risks as part of their vulnerability management process. The above-mentioned security assessments include checks on the controls in place. These controls are deployed to minimise or eliminate the vulnerabilities found in the infrastructure. Controls are implemented by technical solutions such as hardware or software solutions, access control security, two-factor authentication (2FA), encryption, Intrusion Detection Systems, IPS, firewall, anti-virus solutions or through non-technical means such as security policy and physical access controls.

4. Determine the likelihood and assess the impact

This section takes threats and vulnerabilities input from previous phases to calculate how an attack would succeed and impact a successful attack. It is fundamental to calculating risk probability to reduce the possibility of futuristic events from happening. It also provides inputs to determine resource investments for risk mitigation.

5. Prioritize risk and recommend controls

Technical risk analysis exercises do not take into account any environment metrics or collective risk of an organisation. In this section, pre-defined or generic risk levels such as high, medium, low are taken as a basis to determine risk mitigation measures. A general idea around cyber security risk levels is similar to the following:

• High risk An organisation should develop corrective measures as soon as possible.
• Medium risk An organisation should develop corrective measures within a reasonable period of time (short term plan).
• Low risk An organisation should decide whether to implement corrective action or live with the risk (accept).

High risks get the highest priority to be mitigated in the short term plans. A risk can be transferred, accepted or reduced. However, it is a little more complex than just implementing recommended measures from a penetration test report. Before deciding on the risk treatment action, the value of an asset and the costs against risk remedial measures are compared to check if preventative controls are worth the investment. Sometimes, preventative control costs outweigh the assets’ total cost, making a strong case of dropping the preventative control investment. In this case, the organisation decides to use compensatory controls or accepts the risk. Other factors to consider while evaluating controls for risk mitigation process are:

• Organisational risk appetite
• Organisational policies
• Cost/benefit analysis
• Feasibility
• Safety and reliability
• Effectiveness of controls
• Regulations

6. Prepare a cyber risk assessment report

A risk assessment report serves as a crucial step to present a business case to the management. Winning the management support for new policies, procedures, and budgets rely on assessment inputs highlighting the need to improve on the weaker areas. This output includes a thorough report highlighting each risk with relevant threats, likelihood and impact factors followed by risk mitigation advice. Throughout the assessment process, your security team shall understand your most valuable data, how is it treated, what should not be stored, and how best to improve security controls enabling efficiency for the business. A good security strategy is an enabler for growth. The above elements feed directly into a risk assessment policy that can be implemented and validated periodically to ensure the organisation is adhering to the process. It monitors the entire organisation’s security posture and how risks are identified, analysed, evaluated, and mitigated. Cyber risk assessments also serve as an eye-opener to some due to the amount of information collection and risk analysis tasks highlighting the assets, most valuable data and the pointers for shaping IT investments.

What are the types of cyber risk assessments?

Information security assessments map the different threats to risks that can be added to the mitigation plan. Operational business continuity demands regular checks around security controls to ensure no gaps are present, leading to negative implications. We are summarising five different IT security assessment types and their applicability, also known as cyber security threat assessments.

1. Red team assessment: This is an intelligence-led attack simulation campaign attempted to exploit weaknesses in the defensive controls deployed by an organisation. Red teaming exercise takes into account all three factors: people, process and technology.
2. Vulnerability assessment:  Vulnerability Assessment services help businesses identify, quantify, and categorise security risks with ongoing support and guidance for their remediation.  The speed with which new vulnerabilities are discovered in various products makes it important to identify and mitigate risks before hackers exploit any flaws. It is a crucial element for risk assessments.
3. IT audit: IT audit relies on technical aspects and related documentation to establish the current configuration matches a set standard, i.e. compliance, framework or a standard.
4. IT risk assessment: This assessment identifies, analyses and evaluates the security risk levels of an organisation. Finding the acceptable level and the actual risk levels helps accurately manage the threats in both terms: quantitatively and qualitatively.
5. Penetration testing: Penetration testing is a cyber security testing method aimed at finding weaknesses in an organisations’ internal and external networks, applications or systems. Various forms of pen testing are based on the target scope and threat scenarios, mainly categorised into:
   • Network risk assessment covering internal and external network security.
   • Application risk assessment covering web applications, APIs

Based on access and knowledge about the asset, grey box, black box and white box pen test methods are utilised. A penetration test offers an in-depth check followed by a detailed report of threats affecting your assets, i.e. servers, devices, networks, active directory, applications, to make informed decisions around the risk management process. Get in touch to discuss your security concerns or schedule a free call for specific advice around your environment.