Risk Assessment

It’s often said that the only inappropriate response to risk is ignoring it. Awareness is key to avoiding this undesirable route.

A risk assessment not only gives visibility of the existing threats and their potential impact on an organisation, but also provides a foundation for prioritising information security resources.


What I can do for you

The output of an information security risk assessment exercise will generally contain the following:

  • an executive summary providing an overview of the state of the organisation’s cybersecurity posture, with a focus on the areas which would benefit most from an investment;
  • a comprehensive inventory of risks, detailing the appropriateness of existing security controls and, potentially, making recommendations for further control implementation.

Working alongside varied members of your organisation, I would take the following steps to guide you through this process to completion:

  1. Define the scope of the project, based on any existing security policies, compliance requirements, or desirable targets. Identifying focus areas keeps the exercise financially practical while still producing a worthwhile outcome.
  2. Either use a prior asset list (such as a data inventory) or generate one based on input from the relevant departments. This defines what needs to be protected and what it is worth: physical devices, data, brand reputation, ability to conduct business, etc.
  3. Identify potential threats to your assets – these are damaging events, whether intentional or otherwise, that could have a negative outcome.
  4. Identify vulnerabilities, based on existing security controls – weaknesses that exist (e.g. a system found to be badly configured) or are theorised (e.g. an employee falling for a phishing campaign).
  5. Assess likelihood and impact of a threat materialising, which may involve some amount of informed guesswork. This combination is what defines a risk.
  6. Use well-respected best-practices to issue recommendations for further improvement.

It should be noted that a security professional can never perform all these steps independently; a risk assessment is one of the activities that requires the most involvement from the organisation’s members.

Additionally, the depth of the assessment will determine the amount of effort involved from all parties; for example, a larger organisation may wish to associate actual monetary values with risks, while for an SME it may be more beneficial to use a qualitative approach (i.e. a low/medium/high scale for asset values, likelihood and impact) and possibly even leave aside low-value assets.
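As an added illustration of steps 2 to 5 and of the qualitative versus quantitative choice just described, here is a small Python risk register. It is example code written for this page, not part of the assessment service itself; the numeric weights for the low/medium/high scale, the sample assets and every monetary figure are constructed assumptions. Each entry ties an asset to a threat and a vulnerability, scores the resulting risk either as likelihood × impact on the qualitative scale or as annualised loss expectancy (single loss expectancy × annual rate of occurrence), and a helper compares a proposed control's yearly cost against the loss it is expected to avoid.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Qualitative scale for likelihood and impact (the low/medium/high approach
# mentioned above). The numeric weights are an assumption of this example.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                     # "low" | "medium" | "high"
    impact: str                         # "low" | "medium" | "high"
    existing_control: str = "none"
    # Optional quantitative inputs, in the organisation's currency.
    single_loss_expectancy: Optional[float] = None     # cost of one occurrence
    annual_rate_of_occurrence: Optional[float] = None  # expected occurrences per year

    def qualitative_score(self) -> int:
        """Likelihood x impact on the 1-3 scale; the product ranges 1..9."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def qualitative_level(self) -> str:
        """Collapse the 1..9 product back onto the low/medium/high scale."""
        score = self.qualitative_score()
        if score >= 6:
            return "high"
        if score >= 3:
            return "medium"
        return "low"

    def annualised_loss_expectancy(self) -> Optional[float]:
        """ALE = SLE x ARO; None when the quantitative inputs were not collected."""
        if self.single_loss_expectancy is None or self.annual_rate_of_occurrence is None:
            return None
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def prioritise(register: List[Risk], quantitative: bool = False) -> List[Risk]:
    """Order the register so the most pressing risks come first.

    Qualitative mode sorts by the likelihood x impact score, breaking ties in
    favour of the higher impact. Quantitative mode sorts by ALE, placing risks
    that lack monetary inputs last.
    """
    if quantitative:
        return sorted(register,
                      key=lambda r: r.annualised_loss_expectancy() or 0.0,
                      reverse=True)
    return sorted(register,
                  key=lambda r: (r.qualitative_score(), SCALE[r.impact]),
                  reverse=True)


def control_worthwhile(risk: Risk, annual_control_cost: float,
                       rate_reduction: float) -> Tuple[float, bool]:
    """Compare a proposed control's yearly cost with the loss it is expected to avoid.

    rate_reduction is the fraction (0.0..1.0) by which the control is expected
    to cut the annual rate of occurrence. Returns (avoided_loss_per_year, worthwhile).
    """
    ale = risk.annualised_loss_expectancy()
    if ale is None:
        raise ValueError("quantitative inputs required for a cost comparison")
    avoided = ale * rate_reduction
    return avoided, avoided > annual_control_cost


# Constructed sample register for a small organisation (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Customer database", "ransomware", "unpatched database server",
         likelihood="medium", impact="high", existing_control="nightly backups",
         single_loss_expectancy=50_000.0, annual_rate_of_occurrence=0.5),
    Risk("Staff email", "phishing", "no awareness training",
         likelihood="high", impact="medium", existing_control="spam filter",
         single_loss_expectancy=5_000.0, annual_rate_of_occurrence=2.0),
    Risk("Marketing website", "defacement", "default CMS configuration",
         likelihood="low", impact="low",
         single_loss_expectancy=1_000.0, annual_rate_of_occurrence=0.2),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.qualitative_level():6} {r.asset:20} {r.threat:12} "
              f"ALE={r.annualised_loss_expectancy():.0f}")
    # A patching programme costing 8,000/yr expected to cut ransomware frequency by 60%
    print(control_worthwhile(SAMPLE_REGISTER[0], 8_000.0, 0.6))   # (15000.0, True)
    # A 1,500/yr web application firewall for the low-value marketing site
    print(control_worthwhile(SAMPLE_REGISTER[2], 1_500.0, 0.9))   # (180.0, False)
```

The two closing calls show the point made in the text about depth and proportionality: the same cost comparison that justifies spending on the high-value asset also shows that a control for the low-value website would cost more per year than the loss it avoids, which is the kind of asset an SME may reasonably leave aside.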

Why it matters

Perfect security is snake oil. Without a clear understanding of risks, your organisation may be spending too much on a cybersecurity solution that doesn’t bring value, or may be exposed to serious, business-threatening events.

Periodic risk assessments are the foundation of an appropriate security posture, which can help you thrive even when faced with adverse events.

If it’s been a while since the last assessment and you would like to determine whether information security is something worth investing in, consider the worst case as a thought experiment and ask yourself what the impact would be, if any of the following events occurred:

  • You lose access to all your IT systems for a day, a week or a month.
  • You completely lose the data you have stored.
  • The data you hold is made public. If you hold personally-identifiable information or sensitive information (e.g. health data), consider the compliance requirements you have and the impact of penalties or civil lawsuits.

Fortunately, such events are rare; but less dreaded, far more frequent incidents can also have their impact minimised with an appropriate security solution.

Today there are fewer and fewer businesses that can’t derive gains from an investment in cybersecurity, proportional and tailored to their needs. We can always discuss what information security can do for you.