5 Steps to a Cyber Security Risk Assessment

As cyber threats continue to grow in scope and complexity, it has never been more important to understand your business’s current cyber capabilities — and where you can improve them. This is what a cyber security risk assessment aims to achieve.

A risk assessment is a critical process that allows you to identify, analyse, evaluate, and ultimately mitigate the cyber threats and vulnerabilities your business faces. And in today’s ever-changing world of remote teams and digital advancement, the need for effective risk analysis has never been greater.

To put this in context:

• Cybercrime has risen 600% due to the COVID-19 pandemic¹
• Cybercrime costs organisations $2.9 million every minute²
• The average attack costs businesses $3.86 million and takes 280 days to find and contain³

Risk assessments are a complex process. No one-size-fits-all approach exists. Having a trusted third party undertake an expert audit of your security controls could be the difference between cyber success and failure.

In this article, we’ll outline the steps we go through with our clients as part of a risk assessment. Let’s get started.

Step 1: Define your parameters

No two risk assessments are the same. For example, a small business with a handful of employees will have completely different security needs than those of a large international corporation. And that’s just one of a number of variables to consider. 

This first step is all about defining the scope of your risk assessment. Asking yourself the following questions will help you gain a better understanding of your specific needs.

1. Why are we undertaking a risk assessment? Is there a specific reason behind your decision to undertake a risk assessment? Are you aware of any weak points or identified risks? Have you suffered any cyberattacks recently?
2. What do you want to achieve through a risk assessment? What is the desired outcome? Do you have specific needs around compliance or certification? Some businesses require Cyber Essentials, Cyber Essentials Plus or ISO 27001 certification to be able to work as suppliers for other businesses, while others may be looking to achieve PSI DSS compliance.
3. What exactly do you want to assess? Some risk assessments span the entire organisation, while others focus on specific departments, teams, or processes. Your needs will likely depend on the size of your organisation and budget. The larger the company, the more difficult it is to assess everything.
4. What do our existing cyber security processes look like? What are you currently doing to identify and mitigate cyber threats? How are you protecting your critical assets? Are these processes working? Have you suffered any cyberattacks recently? If so, what went wrong?
5. What does our existing IT infrastructure look like? You can’t assess what you don’t know, so it’s critical that you map out your IT infrastructure. What systems do you use, what are they used for, and, critically, who has access to them? Don’t forget any 3rd party providers or partners that may also have access to your systems.
6. Do we have access to all the systems we need to audit? It’s important that you understand the access requirements for every IT asset you use before undertaking your risk assessment.
7. What does our data collection policy look like? Consider the kinds of data you collect, how it is stored, who has access to it, and why. If you’ve ever suffered a data breach, what happened, and what have you done since to mitigate future risk? The GDPR sets out the legitimate reasons and methods for collecting and storing data.

Step 2: Install agents

By answering the questions outlined above, you’ll be able to obtain a clear idea of the scope of your risk assessment. Now it’s time to gain a better understanding of your current systems and how they are used.

In the second step, we install software programs — known as agents — that track how, when, and where devices are being used. This helps us to identify any weak points in your technology and processes. We install agents on every device that needs assessment or protection. These agents then detect malicious or suspicious behaviour as well as issues related to human error.

At minimum, you should look for agents that provide vulnerability assessments and monitoring. Agent applications that can help include:

• Qualys: A cloud-based agent application to keep you updated on vulnerabilities in real-time. 
• SecPod: Through their SanerNow platform, you can view agent activity through one dashboard.
• Elastic: Using a single unified agent per host, Elastic Agent gives you oversight on all your devices.
• Augmentt: Focused on SaaS security, Augment’s Discover Agents provides surveillance and insight across your software. 

A note for Mac users: While comparing Mac against Windows demonstrates some security advantages for Macs, the idea that they solve all security issues by default is a common misconception. If anything, Mac users need specialist security systems built for Mac, as well as strategic partners who understand these needs. At Dr Logic, we pride ourselves on being the go-to experts for all Mac security needs.

Step 3. Assess technical and process risks

Using the data from step 2, you can now assess the specific risks your business faces. You can divide these risks into two categories: 

• Technical issues: e.g. A weak firewall or lack of an MDR system
• Process risks: e.g. Weak passwords, insecure file sharing, or phishing scams

In many ways, technical issues are easier to fix than process risks. Processes often involve people, and people are generally more unpredictable than hardware or software! 

In fact, according to the World Economic Forum, a staggering 95% of cyber security issues are caused by human error.⁴ The rise of remote work has magnified this risk, with 78% of security and IT leaders claiming that remote workers are harder to secure.⁵

The most common processes-related issues that we tend to encounter during our work include:

• Patch management issues
• Overly basic passwords
• Using the same password for multiple accounts
• A lack of multi-factor authentication
• Limited or non-existent mobile device management (MDM)

Step 4: Put assessment criteria in context

Now you have a clear understanding of your cyber security processes and identified threats you face, the next step is to understand these in the context of the current cyber security landscape and your business goals.

Understanding the latest trends in cybercrime

Cybercrime is ever-evolving. The risks change as technology and human behaviour evolves. For example, 2020 saw a 358% increase in malware attacks, while ransomware attacks grew by 435%.⁶  

By mapping your specific weak spots against current trends, you can gain a better understanding of the urgency and severity of those issues.

Relate findings back to goals and risk tolerance

You can also view the findings from step 3 through the lens of your business goals, risk appetite, and even your budget. This process can help you to understand which actions to prioritise. 

Every business will have a slightly different risk appetite. Companies handling large amounts of sensitive data will need to be particularly risk-averse and prioritise data protection, for example.

Step 5: Report your findings

The goal of any risk assessment is to come out the other end with a final report that: 

• Provides a clear assessment of your current cyber security processes
• Outlines the risks and prioritises them in terms of severity
• Provides suggestions for improving, fixing, or modifying your systems and processes. 

Essentially, you want to build a clear, actionable roadmap that will guide your cyber security strategy as you move forward. Producing this document will also help you get buy-in from key stakeholders at the board level.

Providing copies of the report could also be a requirement before your business insurance company renews your insurance as well as a pre-requisite for you gaining new business from a potential new client.

Put your security in safe hands

The importance of getting risk assessments right cannot be understated. The quality of your risk analysis will determine the quality of your cyber security strategy, which in turn could determine the future of your company. 

Again, it’s important to stress that no one-size-fits-all approach exists. The steps in this article are just a guide. In reality, your own risk assessment will be unique to your business, depending on your current capabilities, risk profile, and many other parameters.

At Dr Logic, we believe that having a strategic partner to guide you through this process yields the best results. We provide you with an objective, external view of your security setup – and the expertise to protect your business from the growing range of cyber risks.

If you’re looking to unlock a more secure and prosperous future for your businesses with a cyber risk assessment, get in contact with us today to find out how we could help you.

1. 2021 Cyber Security Statistics The Ultimate List Of Stats, Data & Trends
2. What Costs $2.9 Million Every Minute And How To Protect Yourself From It?
3. Cost of a Data Breach Report 2020
4. The Global Risks Report 2022
5. The State of Security 2022
6. Cyber Threat: Report on 2020 Shows Triple-Digit Increases across all Malware Types