Expert Counsel on How to Conduct a Cybersecurity Risk Assessment

A cybersecurity risk assessment is supposed to determine how secure your data actually is, but how to conduct the testing is an open question. As a general rule, you can either study the data from other organizations' breaches or you can run deliberate experiments against your own environment and see what the tests reveal.

Ideally, you can use both approaches to get a solid handle on how well your network keeps attackers out. When Doug Hubbard was asked how he saw the cyber risk industry using comprehensive testing, his answer said a lot about how organizations handle breaches. We'll look at the nature of the data available today and how you can organize a better assessment.

Option One: Study the Data

“If I look at 1,000 companies over a year, I would get some good frequency data on various events”, says Doug. For every organization that’s hacked, there are details behind the numbers that can help people understand the Wild West reality of hacking today.

So, if phishing is the most common cybersecurity risk, what techniques have proven successful over the last year? If people are forcing their way in through the installation of viruses, which ones are easiest to embed and how much destruction do they ultimately cause? Regardless of how big your company is and how much data you store, a cybersecurity risk assessment completed with the help of data makes it easier to prioritize each goal.

The Caveat

Not everyone wants to talk about their breach: what happened, how it happened, why it happened, or who it happened to. Whether it’s because the team doesn’t understand it or they don’t want to risk their reputations, plenty of people stay quiet about it all.

Despite the regulations in both North America and Europe, we don't really have the data to get a true picture of the problem. How much control did people really have when the incident occurred? A security team that was lax about the protocols it had in place at the time of a breach is very different from a team that had air-tight checks and balances and still had its data compromised. Unfortunately for regulators, there isn't enough manpower to really answer these questions, and organizations are unlikely to volunteer the information on their own.

Option Two: Comprehensive Testing

Apple famously runs a bug bounty program that gives outsiders a six-figure sum if they manage to get unauthorized access to sensitive data. This princely reward is in addition to having a cybersecurity team comprised of some of the best in the industry. Deliberate experiments are meant to get into the head of a hacker — regardless of whether they're trying to steal for criminal gain, cause a little mayhem, or just prove that it can be done.

If you’re wondering how to conduct a cybersecurity risk assessment, here are a few tips on organizing everything.

Break It Up

An organization can certainly try to run a single security assessment covering the whole business, but odds are the team will miss critical details. When determining the scope of the assessment, we recommend assessing each unit of the business on its own before you put it in context with the larger network. Start with the units that are most likely to be targeted, such as your payment processing system.

Talk to the Stakeholders

Every stakeholder needs to be on board with a risk assessment; otherwise, they're liable to withhold information or rush through the steps. Their insight is key to understanding how the processes work, what happens when anomalies pop up, and whether the people running those processes have an appropriate relationship with risk. The assessment is resource-intensive, so you need people to commit to it until it's completed. Explaining the risks (and the consequences of a breach) can be a great way to get employees invested from the very beginning.

Create an Inventory

Knowing all the physical and digital assets of a department is a requirement if you want to protect them. So, instead of focusing only on the most expensive or important assets, put just as much emphasis on assets that could be used as a backdoor into a much bigger attack. From there, you can make a diagram that accurately depicts how communication and interactivity between assets could provide different entry points into the system.

Update Your Threats

If hackers are going to change their strategy every month, your list of threats is going to have to change as well. Keeping up with the news in your industry won't tell you everything that's happening, but it can give you clues as to which industries, geographic regions, and technologies are being targeted. You should also simplify what's happening to keep everyone on the same page. For each entry, list the threat, the vulnerability, the assets affected, and the consequence (in layman's terms) as a reference point that everyone can understand.

Rank the Risks

Whether a threat is relatively likely or virtually impossible, create a list that ranks both the likelihood and the magnitude of each risk. Ask stakeholders to consider an attack from all angles, so the (somewhat) subjective ratings can be as accurate as possible. As you assess the security of each asset and threat, you're likely to find activities whose risks far outweigh their benefits. Once those are identified, you can take any of the following actions:

  • Discontinue the activity.
  • Share some of the risk by outsourcing the activity or buying more cybersecurity insurance.
  • Increase security controls or make adjustments to reduce the risk.

Explain Residual Risk and Document

Residual risk may be well understood by people in the security world, but not everyone knows the score. All stakeholders should be made aware that a risk assessment is not meant to eliminate all risk, only to control it and plan ahead as much as possible. You should also maintain and enforce a risk register: a full account of all identified cybersecurity risks. For every entry, there should be a record of the scenario, dates, security controls, treatment plan, and risk level.

Conducting a Cybersecurity Risk Assessment

Leaders who wait and hope for other companies to share all of their breach information are likely to wait for a while. Comprehensive testing that mimics real-world scenarios is one of the best ways to see how your network performs under adverse conditions. It may also mean looking outside your organization for help. The SightGain threat exposure management platform was developed to help companies get more from every dollar they invest in cybersecurity, particularly as more people accept that the industry is only going to become more important in the coming years.