Conduct A Cybersecurity Risk Assessment For Your Business: 6 Steps
As anyone who is paying attention knows, cybersecurity is an ongoing concern for business leaders around the world.
Cyber threats change every day, and we all know that awareness and response are key elements to keeping the data of your organization and customers safe. Everyone says the first step to a more secure future is to perform a cyber risk assessment, but how do you go about it? I can help.
As engineering manager at Kelser Corporation, I help customers with this very question every day. In this article, I’ll explain where you can start and the important steps to take when evaluating your cyber risk. We’ll explore six key steps to assessing your cyber risk, so you’ll know what’s required.
I’ve worked in IT for more than 10 years and I specialize in cybersecurity, so I have a good understanding of what’s required to keep your business network and infrastructure safe from cyber threats.
What Is A Cyber Risk Assessment?
It may go without saying, but I always like to start at the top.
A cyber risk assessment is a full-blown look at your infrastructure and devices in search of gaps that could be taken advantage of by people looking to do harm. It provides an overview of the risks and the potential impact if they were to be exploited by someone from inside or outside of your organization.
6 Key Steps Of A Cyber Risk Assessment
Customers often ask me to outline the key steps of a cyber risk assessment.
Here are my top six recommendations:
1. Evaluate Your Industry Risk
Certain industries come with higher risk than others. That is usually due to the nature of information the organization possesses and stores.
For example, government defense contractors, medical providers, and financial organizations all have high levels of risk.
But this list is not comprehensive. Don’t be fooled into a false sense of security. Any organization of any size in any industry has risk.
2. Understand The Information Your Business Possesses & Stores
Understand what kinds of information your organization possesses and stores.
Here are some examples of sensitive information:
- credit cards or other financial information (taxes, bank account numbers, credit ratings, or payment histories)
- personal information (names, birth dates, addresses, social security numbers, medical records, email address, phone number)
- intellectual property (designs, secret recipes, etc.)
If you possess or store these types of information, your risk is higher than organizations that do not.
Information like this requires an enhanced level of protection.
3. Evaluate Security Tools & Technology Infrastructure Already In Place
Take an honest look at your current security tools.
Are your tools old? Have they been updated and patched?
How are your servers protected?
Do you have modern firewalls in place?
What software are you using? Is your software up-to-date? Who manages your software and installs updates?
Do you back up your data? Could you access the backups in an emergency?
Do you have policies and procedures in place? How are they enforced? Who manages and audits them?
Related article: 7 Characteristics Of Successful Cybersecurity Policies
4. Perform Vulnerability Scans & Penetration Tests
Vulnerability scans (or “vul scans”) and penetration tests (also known as “pen tests”) are two very different IT network evaluations that yield related, but vastly distinct information.
An IT vulnerability scan uses an automated tool to find possible gaps in security that could expose your network and devices to attack.
The scanner discovers every device on your network, then checks each one for open ports, the services and protocols listening on them, and known weaknesses in those services that could give an attacker a way in.
For example, the scan may find that software on a server is missing security patches, leaving a door open for unauthorized people to gain access. Because the scan is automated, it reports whatever matches its checks; it does not confirm that a finding is actually exploitable in your environment.
A penetration test is a hands-on, manual investigation that is typically conducted by an authorized IT expert. You pay them to poke around your network looking for vulnerabilities. It’s basically an authorized, ethical cyberattack.
This test identifies potential vulnerabilities and explores what the consequences would be if they were exploited by a person with malicious intent from inside or outside your organization.
Together, the two give you a realistic picture of your weaknesses: the scan for breadth, the penetration test for depth and real-world impact, so you can prioritize them and develop plans to address them.
Related article: The Differences Between Vulnerability Scans & Penetration Tests
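To make concrete what a scanner's first pass actually does, here is an added example (written for this edit, not code from the original article or from Kelser): a small Python script that inventories the open TCP ports on a host and flags services whose exposure a scan report would normally call out. The RISKY_SERVICES table, the port range and the function names are assumptions chosen for the illustration; a real assessment uses a maintained scanner with a full vulnerability database, and you should only run this against hosts you are authorized to test.

```python
"""Minimal TCP port inventory with a risky-service check (added example).

Shows the first pass of a vulnerability scan: find which TCP ports on a host
answer, then flag services whose exposure commonly leads to compromise.
Only scan hosts you are authorized to test.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed, illustrative table: well-known ports whose exposure a scan
# report would normally flag. A real scanner carries thousands of checks.
RISKY_SERVICES = {
    21: "FTP: cleartext credentials",
    23: "Telnet: cleartext remote shell",
    445: "SMB: frequent lateral-movement and ransomware entry point",
    1433: "MS SQL Server: database exposed to the network",
    3389: "RDP: brute-force and credential-stuffing target",
    5900: "VNC: often unauthenticated or weakly authenticated",
}


def probe_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect() to host:port succeeds (the port is open)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timeout, unreachable: all count as 'not open'.
        return False


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 64) -> list[int]:
    """Probe each port concurrently and return the sorted list of open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_port(host, p, timeout)), ports))
    return sorted(port for port, is_open in results if is_open)


def flag_findings(open_ports) -> list[tuple[int, str]]:
    """Map open ports to entries in RISKY_SERVICES; pure function, no network."""
    return [(p, RISKY_SERVICES[p]) for p in sorted(open_ports) if p in RISKY_SERVICES]


def assess_host(host: str, ports, timeout: float = 0.5) -> dict:
    """Full pass: inventory open ports, then flag the risky ones."""
    open_ports = scan_ports(host, ports, timeout)
    return {"host": host, "open_ports": open_ports, "findings": flag_findings(open_ports)}


if __name__ == "__main__":
    # Assumed target: the local machine, privileged port range only.
    report = assess_host("127.0.0.1", range(1, 1025))
    print(f"{report['host']}: open ports {report['open_ports']}")
    for port, reason in report["findings"]:
        print(f"  FINDING port {port}: {reason}")
    if not report["findings"]:
        print("  no risky services among the open ports")
```

The connect()-based probe is deliberately the simplest form of the technique: it tells you a port answers, not which software is behind it or whether it is patched, which is exactly the gap between this inventory and a real scanner's service fingerprinting and vulnerability checks, and the gap a penetration test then closes by trying to exploit what the scan reports.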
5. Identify Industry & Contractual Compliance Requirements
Depending on your business, you may be obligated to adhere to industry or contractual requirements for cyber risk mitigation.
For example, manufacturing companies that work on government contracts and handle controlled unclassified information (CUI) typically need to comply with NIST SP 800-171 (and with CMMC 2.0, which is built on it). Health care providers, and the business associates that handle patient data for them, must comply with HIPAA. ITAR specifically requires that export-controlled technical data be protected and that access be restricted to U.S. persons (which includes lawful permanent residents as well as citizens), so access permissions must be set up accordingly.
Related article: Does NIST 800-171 Apply To My Business?
The Payment Card Industry Data Security Standard (PCI DSS) has requirements for any organization that stores, processes, or transmits cardholder data.
The list goes on and on.
Best practice is to have one person in the organization responsible for understanding the regulatory requirements of all of your contracts.
6. Compare Current IT Infrastructure To An Existing Framework
I like to say there are two types of cybersecurity frameworks: industry-specific and general.
If your business serves a specific industry, we recommend that you compare your current IT infrastructure to an industry-specific cybersecurity framework.
This will help you identify specific things that are expected of organizations operating in your space. This exercise will help you determine what you may or may not be doing so that you can ensure you are following best practices.
If you operate in multiple industries, we recommend that you compare your IT infrastructure to appropriate frameworks for each of those industries.
Even if your business doesn’t have specific contractual or regulatory requirements, it is a good idea to measure yourself against a general cyber risk framework (like the Center for Internet Security (CIS) Critical Security Controls) to see how you measure up.
Existing frameworks are a great way to align your business with best practices and the IT tools that support them.
You can use both industry-specific and general frameworks, but I always suggest erring on the conservative side and implementing the most restrictive framework requirements in the interest of safety.
What’s The Bottom Line?
At this point, you may be wondering where you go from here. After reading this article, you have a complete picture of six steps to take to perform a comprehensive cyber risk assessment for your organization.
You may have the internal resources you need to carry out some or all of these actions. Most small and medium-sized businesses will need extra support for at least some of the steps outlined. If you are considering hiring an external IT support provider, I encourage you to consider several providers.
It may seem funny that I’m encouraging you to shop around.
Here’s the thing: in our 40 years of business we’ve learned that it doesn’t make sense to work together unless the fit is right.
While we offer a full complement of managed IT support services, we know that isn’t the best solution for everyone. The most important thing to us is that you get the IT solution you need.
And, the truth is, you have options for the kind of support you need. Read this article to learn your options for IT support.
Wondering what managed IT is all about? Learn what managed IT includes and how much it costs.
Work at a small or medium-sized business? Find out whether your organization is too small for managed IT.
Prefer to find out for yourself whether managed IT is right for your organization? Click the button below for a free checklist you can use to see if it may be a good fit for you.
Or, if you’d like to talk to an actual human (our preferred method of communication), click the button below and one of our IT solutions experts will reach out to learn more about your business, your strategic goals, and your technology pain points to discover whether we are a good fit to work together.