A major part of cybersecurity awareness is knowing how to assess your company’s cybersecurity risks. Knowing what your cybersecurity risks are, and how they can impact your business (or your customers), is crucial for directing your network security effort where it matters. After all, if you don’t know what your most important risks are, how can you be expected to defend against them?
Being able to run a cybersecurity risk assessment is crucial for prioritizing your efforts to make the most efficient use of your cybersecurity budget. Additionally, knowing what your biggest security risks are lets you proactively work to protect your business (thus, helping to minimize the impact of many cyber threats). But, how can you run a cybersecurity risk assessment?
The Difference Between a Cybersecurity Risk and a Cyber Threat
Before we get into the “how-to,” let’s start by clarifying the difference between a cybersecurity risk and a cyber threat, so there’s no confusion.
- Cyber Threats. This term generally refers to an attack method or strategy executed by a malicious actor (whether they’re an internal threat or an external one). In other words, a cyber threat is a potential form of attack a business might face.
- Cybersecurity Risks. This term is closely related to cyber threats, but focuses on the likelihood of a threat succeeding combined with the impact it would have if it did.
For example, a phishing attack is a cyber threat; the theft of data that could result from the phishing attack, weighed by how likely it is and how much it would cost you, is the cybersecurity risk. A ransomware attack is a cyber threat; the loss of data access it would create is the cybersecurity risk.
A cybersecurity risk assessment helps you quantify your risks and rank them based on how likely they are to happen and/or how severely they may impact your business.
Cybersecurity Risk Assessment Step 1: Define What You Need to Protect
When trying to assess your cybersecurity risks, it can help to start by defining what you need to protect in the first place. The simple answer is “Everything!” However, there needs to be a prioritization in place so you can focus on keeping your most important network assets safe from attack.
Some companies prefer to start by focusing on their regulatory requirements—such as protecting cardholder data if they’re subject to the Payment Card Industry Data Security Standard (PCI DSS) or patient health information if they’re subject to the Health Insurance Portability and Accountability Act (HIPAA). Aside from protecting data, some organizations may be required to ensure a certain level of data accessibility, such as how, as noted on the HHS.gov site, HIPAA requires health care providers to ensure the “availability of all e-PHI they create, receive, maintain, or transmit.”
Cybersecurity Risk Assessment Step 2: Create Cyber Threat Impact Estimates
If a ransomware attack were to encrypt all of your sensitive data right now and it took you three days to recover it, what would the impact to your business be? How about a sudden power outage at the data center hosting your company’s network/databases? If an attacker stole all of your customers’ most sensitive data, what would it cost you to provide identity protection services (and how much business would you lose afterward)?
When running a cybersecurity risk assessment, it’s necessary to quantify the potential impacts of different cyber threats so you know how to rank their importance to your organization. This can help you prioritize your efforts to curb security risks so you can get the biggest impact for the smallest possible expenditure.
Cybersecurity Risk Assessment Step 3: Consider the Likelihood of Each Cyber Threat
When assessing your cybersecurity risks, it’s important to analyze how likely a given cyber threat is to succeed against your network. This will often involve:
- Using threat intelligence feeds to determine how prevalent specific threats are;
- Assessing your current cybersecurity protections for each type of security risk; and
- Considering which types of attackers are the most likely to target your organization (based on threat intelligence data and historical trends in your industry).
While both the first and third bullets rely on threat intelligence feeds, there is a distinction to be made. The first bullet is about which attack methods are currently most prevalent, so you can guard against specific techniques; the third bullet is about who is likely to target your business, so you can anticipate what their goals are and which of your assets they will go after.
Cyberattacks can have several different motives behind them—from simple greed (steal data and sell it or use it for personal gain), to political motives (foreign agents collecting information or “hacktivists” supporting a cause), to corporate espionage (theft of IP and financial data by a competitor). Knowing what kind of malicious actors are likely to target your organization helps you prepare to guard against them and to secure the specific data and systems they’ll want to target.
Cybersecurity Risk Assessment Step 4: Define Your Tolerance for Risk
No defense will ever be 100% effective against every cyber threat. The simple fact is that someone will eventually be determined, skilled, or lucky enough to find some kind of gap in your network security, whether that gap is an employee falling for a phishing attack, a previously unknown security vulnerability, or a newly invented attack method for which no protection exists yet.
When running a cybersecurity risk assessment, it’s important to define what your acceptable level of risk is for your business—i.e. what the maximum level of impact is that you can withstand.
It isn’t necessary—nor typically feasible—to lock down every system to the absolute maximum possible extent. Most businesses simply lack the resources needed to create and maintain such an extreme level of security. Instead, by defining your acceptable level of risk, you can ensure that you protect your most critical data as strongly as possible without wasting resources on systems that simply aren’t critical to your business.
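The four steps above come together in a risk register: a list of assets and the threats against them, each scored on estimated impact and likelihood, ranked, and then compared against the risk tolerance you defined. The following is an added example (not code from the original article) that builds such a register in Python. It assumes one common scoring model, annual loss expectancy, where the estimated cost of a single incident is multiplied by how many times per year the threat is expected to succeed; the assets, threats, dollar figures and frequencies are all constructed for illustration and are not data from any real organization.

```python
from dataclasses import dataclass
from typing import List

# Hypothetical risk register for the four-step assessment described above.
# Every name and figure below is a constructed estimate for illustration.


@dataclass(frozen=True)
class Risk:
    asset: str          # Step 1: what needs protecting
    threat: str         # the cyber threat against that asset
    regulated: bool     # Step 1: asset falls under PCI DSS, HIPAA, etc.
    impact_usd: float   # Step 2: estimated cost of a single occurrence
    per_year: float     # Step 3: expected successful occurrences per year

    @property
    def annual_loss(self) -> float:
        """Annual loss expectancy (assumed scoring model): cost of one
        incident times how often it is expected to succeed in a year."""
        return self.impact_usd * self.per_year


def sample_register() -> List[Risk]:
    """Constructed example register; figures are illustrative only."""
    return [
        Risk("Customer database", "Phishing leading to data theft", True, 250_000, 0.5),
        Risk("File servers", "Ransomware with three-day outage", False, 240_000, 0.25),
        Risk("Primary data center", "Power outage", False, 40_000, 1.0),
        Risk("Marketing website", "Defacement", False, 5_000, 2.0),
    ]


def rank_risks(register: List[Risk]) -> List[Risk]:
    """Order by expected annual loss, highest first.
    On a tie, the regulated asset comes first."""
    return sorted(register,
                  key=lambda r: (r.annual_loss, r.regulated),
                  reverse=True)


def exceeds_tolerance(register: List[Risk], tolerance_usd: float) -> List[Risk]:
    """Step 4: the risks whose expected annual loss is above the amount the
    business has decided it can absorb, in priority order."""
    return [r for r in rank_risks(register) if r.annual_loss > tolerance_usd]


def report(register: List[Risk], tolerance_usd: float) -> List[str]:
    """Human-readable register, one line per risk, marking regulated assets
    (where the regulator, not the business, sets the floor) and risks over
    tolerance."""
    lines = []
    for r in rank_risks(register):
        flags = []
        if r.regulated:
            flags.append("REGULATED")
        if r.annual_loss > tolerance_usd:
            flags.append("OVER TOLERANCE")
        tag = f" [{', '.join(flags)}]" if flags else ""
        lines.append(f"{r.asset:<22} {r.threat:<34} "
                     f"${r.annual_loss:>10,.0f}/yr{tag}")
    return lines


if __name__ == "__main__":
    TOLERANCE = 50_000  # constructed: maximum expected annual loss per risk
    for line in report(sample_register(), TOLERANCE):
        print(line)
```

With the constructed figures, the phishing and ransomware risks land above the $50,000 tolerance and head the list, while the power outage, despite being the most likely event of the four, ranks below them because its cost per occurrence is low. The regulated flag is kept separate from the dollar ranking on purpose: a PCI DSS or HIPAA obligation does not go away because the expected loss is small.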