When it comes to conducting security risk assessments, it can be difficult knowing where to get started. Even after identifying your scope and assets, there are a number of vulnerabilities and threats to be considered.
Add some structure to your risk assessment analysis by properly outlining all your risks. Don't just go with your gut: develop a plan for improving your security that is realistic, timely, relevant, and follows an industry-standard framework and approach.
Here are our recommendations for defining and addressing your risks in an affordable way:
Before you can hope to produce an output and receive tangible results, you must first start by defining your inputs.
Cybersecurity risk is the probability and magnitude of something bad happening at a future time. A risk arises when a threat is paired with a vulnerability, and its magnitude is the product of the likelihood of that threat occurring and its impact.
If any of these terms are unfamiliar, review our Risk Assessment page, which defines and shows examples of industry words like “threat,” “vulnerability,” “risk,” “asset,” “control,” “risk response,” “impact,” etc. In the world of risk management, there is a long list of terminology to understand before you can start identifying your risks, and this is the best place to start.
It's not uncommon for companies to assume that the only things that need to be assessed are their physical assets like hardware (computers, mobile devices, servers, etc.), but those aren't the only assets you need to protect.
Consider any sensitive data you have stored, including personal, patient or financial records. Your assets also include your organization's intellectual property, brand, reputation, and any code you have developed. Also consider your system software and application tools, operating systems, etc.
Really think outside the box and list your suppliers and vendor relationships, as well as people internally who carry knowledge about how your company operates. If one of these parties were hacked or leaked information that could affect your business, that relationship is a potential threat to your company.
A threat catalog is a list of the generic threats often seen in risk assessments. They include events, actions, inactions and more that could mean bad things for your information security assets and are used to match each potential threat actor with a vulnerability and asset.
This catalog will help to map out potential threat vectors and scenarios for risk, or all the different routes that bad actors or attacks may take to threaten your business security.
This threat catalog will enable you to produce a list of threats to pair with vulnerabilities, which will then be placed in a risk register.
A professional risk assessor or a qualified member of your staff will calculate the value and potential cost for each risk occurring, and organize them by priority with a risk score. This provides clarity around which risks are most important to address, as a result of the potential impact, and helps you to determine which risks take precedence over others.
Now that you have a list of the most important and most costly risks on your report, you’ll need to consider your budget. Realistically, you may not have the financial ability to mitigate all your potential risks at once, and you’ll need to establish clear timelines and treatment plans for addressing each risk.
Fortunately, you'll have various options for addressing the neatly detailed risks in your risk register, including the choice to accept, transfer, mitigate, or avoid each one. From here, you can use the impact projections in your risk assessment to justify which risk treatments are right for you and your budget.
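The three ideas above (risk as likelihood times impact, a register ordered by risk score, and a budget-constrained treatment plan) fit naturally in one small program. The following is an added illustration, not code from the original page or from Truvantis: the 1-to-5 scales, the mitigation costs, the `accept_below` threshold and the sample register entries are all constructed assumptions, and the treatment rule it applies (accept low scores, mitigate in priority order while budget remains, otherwise defer) is one illustrative policy, with transfer and avoid deliberately left as human decisions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example: a risk register with likelihood x impact scoring and a
# budget-driven treatment plan. Scales, costs and the treatment rule are
# assumptions for illustration, not a standard or the page's own method.

SCALE = range(1, 6)  # assumed 1..5 ordinal scale for likelihood and impact


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int       # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int           # 1 = negligible .. 5 = severe (assumed scale)
    mitigation_cost: int  # assumed cost to mitigate, in arbitrary currency units
    treatment: str = "undecided"

    def __post_init__(self) -> None:
        # Reject out-of-range inputs so a typo cannot silently skew the ranking.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"likelihood/impact must be in 1..5 for {self.asset}")
        if self.mitigation_cost < 0:
            raise ValueError("mitigation_cost must be non-negative")

    @property
    def score(self) -> int:
        # Risk score as the page defines it: likelihood of the threat times its impact.
        return self.likelihood * self.impact


def prioritize(register: List[Risk]) -> List[Risk]:
    """Order the register by risk score, highest first; ties keep input order."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def plan_treatments(register: List[Risk], budget: int,
                    accept_below: int = 6) -> Tuple[Dict[str, List[str]], int]:
    """Assign a treatment to each risk in priority order (assumed rule):
      - score below `accept_below`: accept, spend nothing;
      - otherwise mitigate now if the remaining budget covers the cost;
      - otherwise schedule mitigation for the next budget cycle.
    Transfer and avoid are left as human decisions and are not assigned here.
    Returns the plan grouped by treatment and the unspent budget."""
    remaining = budget
    plan: Dict[str, List[str]] = {"accept": [], "mitigate": [], "mitigate-next-cycle": []}
    for risk in prioritize(register):
        if risk.score < accept_below:
            risk.treatment = "accept"
        elif risk.mitigation_cost <= remaining:
            risk.treatment = "mitigate"
            remaining -= risk.mitigation_cost
        else:
            risk.treatment = "mitigate-next-cycle"
        plan[risk.treatment].append(f"{risk.asset}: {risk.threat} via {risk.vulnerability}")
    return plan, remaining


# Constructed sample register (fictional assets, vulnerabilities and figures).
SAMPLE_REGISTER = [
    Risk("patient records DB", "ransomware", "unpatched server OS", 4, 5, 30000),
    Risk("public website", "defacement", "outdated CMS plugin", 3, 2, 2000),
    Risk("payroll SaaS vendor", "vendor data breach",
         "no contractual security requirements", 2, 4, 5000),
    Risk("staff laptops", "device theft", "no full-disk encryption", 3, 4, 8000),
    Risk("office printer", "paper jam", "old hardware", 5, 1, 500),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:2d}  {r.asset:22s} {r.threat}")
    treatments, unspent = plan_treatments(SAMPLE_REGISTER, budget=40000)
    for name, items in treatments.items():
        print(f"{name}: {items}")
    print("unspent budget:", unspent)
```

With the sample register and a budget of 40000, the patient records database (score 20) and the staff laptops (12) are mitigated first, the vendor risk (8) is deferred because its cost no longer fits, the website (6) is mitigated with the remaining 2000, and the printer (5) is accepted. Note that walking strictly in score order can defer a cheaper high-ish risk while funding a cheaper low one later; a real treatment plan should review the deferred list by hand rather than trust the heuristic blindly.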
After first receiving the risk assessment results you may be inspired to take instant action and achieve a few quick wins. But many necessary security improvements don’t happen overnight, and you need measures in place to ensure you follow through on what you start.
Whether that means setting progress meetings once a month or assigning owners to each asset to be responsible for each mitigation or follow through, keep up with your changes and set goals for new ones to come.
Identifying your risks is only the beginning of your path to better risk management. Get real value out of your risk assessment by taking these six important steps.
Let the experts at Truvantis® deliver proactive results to set you up for success in improving your cybersecurity. Contact us today for help performing your risk assessment or acting on its results.