How a Cyber Risk Assessment Can Prepare You for Adverse Events

Holy Social Distancing, Batman! Who would have thought and planned for in 2019 that a pandemic would shutter offices in 2020? When the COVID-19 virus struck the United States with overwhelming force, most companies were forced to scramble in reaction to the sudden business interruption. Many organizations did not plan for an event that would render their facilities or physical locations unusable and subsequently shut down their business operations.

While some organizations had performed risk assessments that identified risks to their physical structures and were better prepared to recover and sustain business operations, many companies did not. A documented and robust risk assessment program helps prepare organizations for handling and rebounding from adverse events.

A documented cyber risk assessment program identifies high risk, high impact events, and serves as the foundation for building Incident Response, Business Continuity, and Disaster Recovery programs. Having a program in place helps an organization develop its overall security posture in removing, mitigating, and managing risks, minimizing potential interruptions and downtime. A robust security program also helps with regulatory and compliance requirements and initiatives in preparation for Audit and Certification reviews.

What is a Cyber Risk Assessment?

A risk assessment is a formal procedure used by organizations to identify threats and vulnerabilities that could negatively impact their business operations and data. The program will also incorporate measures for eliminating or mitigating the organization’s highest risks.

• A threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.  
• A vulnerability is a security weakness or gap that can be exploited by a threat.  
• A risk is the potential loss, damage, or destruction of resources as a result of a threat exploiting a vulnerability, coupled with the likelihood of occurrence and imminence of event. 

The results of the risk assessment serve as the basis for the implementation and management of security controls and best practices.

How does it Work?

Performing the assessment will help with the following areas:

• Identifying critical assets.
  • Critical assets include the people, processes, and technologies that are involved in the processing, storage, transmission, and protection of sensitive information. 
• Identifying the threats to critical assets.
  • Threats may include people, the systems they use, and conditions that could cause harm. The review of previous incidents helps to identify potential threats. 
• Identifying the vulnerabilities, both organizational and technological, that could potentially expose critical assets to those threats, resulting in a risk to the organization.
  • Organizational and business-process vulnerabilities may exist because of non-existent or ineffective policies and procedures. Vulnerabilities may be identified from vulnerability assessment reports, penetration-test reports, and technical security audits.
• Developing a risk strategy and risk mitigation plan to address identified critical risks to support the organization’s mission and priorities.
  • Each threat and vulnerability are evaluated within the context of likelihood, impact, and imminence to identify an organization’s highest risks and help prioritize remediation efforts.

Where Do I Start?

You may want to start by auditing your data to answer the following questions:

• What data do we collect?
• How and where are we storing this data?
• How do we protect and document the data?
• How long do we keep data?
• Who has access internally and externally to the data?
• Is the place we are storing the data properly secured? 

Many breaches come from poorly configured access controls. Check your access permissions, or someone else will.

• What security impacts are imposed with a remote workforce?
• Are proper controls implemented for cloud-based infrastructure and applications?
• How do we control and verify proper access to resources?
• Are we monitoring access for potential misuse?

Next, you’ll want to define the parameters of your assessment. Here are a few good starter questions to get you on your way:

• What is the purpose and scope of the assessment?
• Are there any priorities or constraints I should be aware of that could affect the assessment?
• Who do I need access to in the organization to get all the information I need?
• What risk model or framework does the organization use for risk analysis?
  • NIST Cyber Security Framework
  • CIS-Top-20
  • ISO 27005

A lot of these questions are self-explanatory. What you really want to know is what you’ll be analyzing, who has the expertise required to properly assess, and are there any regulatory requirements or budget constraints you need to be aware of.

In summary, it is crucial for an organization to identify and understand potential risks to their organization and plan proactively to act if an adverse event may take place. Being prepared to address threats and risks put organizations in a much better position to sustain their business operations in a crisis or breach situation. 

If you’d like more information or to discuss your organization’s cyber security needs, please contact us at Connect@CompliancePoint.com.