4 Steps to Assess Your Cybersecurity Risk
from Carr, Riggs & Ingram
Do you know where an attacker could break through your company’s cyber defenses? Chances are, there are more points of vulnerability than you realize, and the stakes are high to protect what’s important.
Customers, employees, regulators, boards of directors, and many other stakeholders hold businesses accountable for securing sensitive data. Customers in certain highly regulated industries have their own downstream cybersecurity expectations to comply with, making cybersecurity risk assessments an increasingly common part of standard operating procedures.
One reason for this heightened level of expectation is that every organization is a potential target — no matter the industry or size. In many cases, a small company can be a target simply because it leads to a bigger target.
An example of that scenario is the breach of the (appropriately named) mega retailer Target. This infamous, watershed cyberattack was made possible by malware planted on a heating and air conditioning vendor’s system through a phishing email. The stolen vendor credentials allowed the attackers to access a Target-hosted webpage dedicated to vendors. All they needed to do then was wait and watch for a way into Target’s network. The attack was executed with a frighteningly low level of complexity.
Any business can find itself in the crosshairs of a malicious actor, so how can you protect your organization and its valuable assets?
4-Step Cybersecurity Risk Assessment
When businesses don’t understand their cybersecurity risks, they can’t effectively control and mitigate them. So how do you know what your true risks are? CRI recommends the following:
1. Identify essential IT assets.
Assessing cybersecurity risk starts with a clear understanding of what assets are at risk. What information and systems run the business day-to-day? What data do you have that an attacker might find valuable? If you own a retail operation, then you most likely have a point-of-sale (POS) terminal to accept credit card payments. Right there are two IT assets: the POS terminal and the personally identifiable information (PII) that it collects. Also, consider how secure the servers hosting the critical accounting and finance applications are. Patents and other intellectual property also have become hot targets for attacks.
Once you’ve identified IT assets, you can prioritize them. Consider their value to your business, as well as their value to criminals, disgruntled employees, or competitors. Next, think about the potential impact if those assets were compromised. Where could an attack result in lost revenue, business interruptions, or cause legal issues? In many cases, the reputational damage has the biggest impact on the business — even more than the direct financial impact of the loss or manipulation of the asset itself.
2. Understand how data flows.
While this step can seem technical and confusing, understanding how data moves through your IT system is much easier when you start with a strong understanding of the IT assets included in that system. In the retail example, credit card numbers and other financial and personal information are collected at the POS terminal. Some of that information is transferred to a third-party payer (the credit card company). Another subset of information is captured by your accounting system. Each of these “access points” — where data enters and exits the IT system — opens up chances for data theft, loss, or manipulation. Knowing where data is stored, how it is accessed, and who is using it can highlight possible weak points and help prevent a costly breach.
Another important byproduct of this step is the opportunity for good vendor management. Armed with a clear view of how data flows to vendors and other third parties, you can investigate how they are managing and protecting that data.
3. Evaluate current security measures.
Evaluate the policies and controls that protect what’s at risk. One common misconception among smaller companies is that they can’t afford the level of protection they need. But many of the most effective controls are common-sense practices that involve a little additional effort, but little additional cost.
One of the most effective controls is to carefully manage who can access certain critical IT systems. When was the last time you reviewed who has administrator rights to your server? Another low-cost control involves password requirements. Are you requiring longer, more complex passwords for your important IT systems? It’s true that vulnerability scans, penetration testing, and other security tools can help identify gaps in the security perimeter. But in many cases, you can build a higher fence by implementing some cybersecurity best practices. You or your fellow employees might actually be the most significant vulnerability, due to the prevalence of phishing scams. Armed with a little knowledge, you can take action to shore up those defenses through communication and training.
4. Prioritize investments to remediate gaps.
The goal of a risk assessment is to identify and prioritize risks so you can make the most of your budget while meeting the needs of the business. Based on an understanding of what is at risk and the current state of security, you and your fellow leaders can make informed decisions about investments in training, technical controls, and cybersecurity awareness programs. Focus on testing the most important processes most frequently and maintain a regular schedule for those less critical company processes. In doing so, your organization can maintain high-level security without an unnecessary level of effort.
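The four steps above can be carried through as a small risk register. The following is an added example, not CRI's assessment method or tooling: it records each asset's value and impact (step 1), the access points where its data enters and exits and whether a third party handles it (step 2), the effectiveness of the controls already in place (step 3), and then ranks the assets by the risk that remains and lists which baseline controls are missing or weak (step 4). Every asset, score, weight and baseline target in the block is constructed for illustration; the scoring formula is a simple one chosen here, not a standard.

```python
"""Toy risk register walking through the four assessment steps: identify and
value assets, record where their data enters and exits, rate the controls
already in place, and rank the remaining gaps. Added example, not CRI's method;
every asset, score, weight and baseline target below is constructed."""
from dataclasses import dataclass, field
from math import prod

# Baseline controls and the minimum effectiveness (0-1) we expect from each.
# Constructed targets for the example, not a published standard.
BASELINE = {
    "mfa": 0.7,
    "access_review": 0.5,
    "encryption_at_rest": 0.6,
    "segmentation": 0.5,
    "patching": 0.4,
}


@dataclass
class Asset:
    name: str
    business_value: int          # 1-5: how much the business depends on it
    attacker_value: int          # 1-5: how attractive it is to an attacker
    impact: int                  # 1-5: worst case if compromised, incl. reputation
    access_points: list          # (description, handled by a third party?)
    controls: dict = field(default_factory=dict)  # control -> effectiveness 0-1


def likelihood(asset):
    """Step 2: more places where data enters or exits, and more third-party
    handoffs, mean more exposure. Capped at 5 to match the impact scale."""
    third_party = sum(1 for _, external in asset.access_points if external)
    return min(5, 1 + len(asset.access_points) + third_party)


def inherent_risk(asset):
    """Step 1: value (to us or to an attacker) times impact times exposure."""
    value = max(asset.business_value, asset.attacker_value)
    return value * asset.impact * likelihood(asset)


def control_coverage(asset):
    """Step 3: treat controls as independent layers; the chance that all of
    them fail is the product of each one's failure probability."""
    return round(1 - prod(1 - e for e in asset.controls.values()), 4)


def residual_risk(asset):
    """Risk left after the existing controls, rounded for reporting."""
    return round(inherent_risk(asset) * (1 - control_coverage(asset)), 2)


def remediation_gaps(asset):
    """Step 4: baseline controls that are missing or weaker than the target."""
    return {name: target for name, target in BASELINE.items()
            if asset.controls.get(name, 0.0) < target}


def prioritize(register):
    """Rank assets by residual risk; ties broken by inherent risk, then name."""
    return sorted(register,
                  key=lambda a: (-residual_risk(a), -inherent_risk(a), a.name))


# Constructed register for the retail example in the text.
REGISTER = [
    Asset("POS terminal", 5, 5, 5,
          [("card swipe", False), ("payment processor link", True)],
          {"segmentation": 0.5, "patching": 0.3}),
    Asset("Cardholder PII store", 4, 5, 5,
          [("POS upload", False), ("accounting export", False)],
          {"encryption_at_rest": 0.6, "access_review": 0.5}),
    Asset("Accounting server", 5, 3, 4,
          [("finance staff VPN", False), ("payroll vendor feed", True)],
          {"mfa": 0.7}),
    Asset("Patent drawings share", 4, 4, 4,
          [("engineering file share", False)]),
]

if __name__ == "__main__":
    for asset in prioritize(REGISTER):
        gaps = ", ".join(remediation_gaps(asset)) or "none"
        print(f"{asset.name:22s} inherent={inherent_risk(asset):4d} "
              f"residual={residual_risk(asset):6.2f} gaps: {gaps}")
```

Run as a script, the register ranks the POS terminal first, but the patent file share second: it has the lowest exposure of the four, yet with no controls at all its residual risk is higher than the well-covered cardholder store. That is the point of step 4: the loudest asset is not always the biggest gap once existing controls are counted.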
Rinse and Repeat
Remember, a risk assessment is not a one-and-done project. It should be a continuous and dynamic process. Once the highest-priority risks are addressed, go back and address the next-highest priorities, and so on. Periodically, you should also circle back to monitor and review how controls are working. And of course, as new vulnerabilities are discovered, the company should assess the impact of these new risks on the business.
As you step back to consider what’s at risk, contact your CRI cybersecurity specialists to discuss how to tailor a cybersecurity risk assessment to meet your needs.