Thursday 26th October
Conducting a Cyber Risk Assessment
More and more businesses are paying attention to cyber security. Hacking attacks feature increasingly often in national and international media. Not only that, the average business's dependency on IT hardware and software is also on the rise. With that in mind, a sharper focus on cyber security is a must.
But is it enough?
In the interest of preparedness and prevention, businesses should be able to conduct a cyber risk assessment. Not only will a cyber risk assessment identify areas of vulnerability, it will also help a business prioritise its risks and responses thereto.
We’ve put together a cyber risk assessment summary to help you start assessing your own business’ cyber risks.
What is a cyber risk assessment?
According to the National Institute of Standards and Technology (NIST), a cyber risk assessment is designed to identify "the cyber security risk to organisational operations (including mission, functions, image, or reputation), organisational assets, and individuals". Because of its scope, the assessment is designed to cover an entire business model from the top down. This includes internal infrastructure, external communications and company security policy, all the way down to the hardware and software individual employees use on a daily basis. The assessment then effectively becomes the launch pad for improving your prevention and response strategy.
Carrying out your own cyber risk assessment
There are 6 standard steps in a cyber risk assessment, as suggested by NIST.
- Identify and Document Asset Vulnerabilities
- Identify and Document Internal and External Threats
- Acquire Threat and Vulnerability Information from External Sources
- Identify Potential Business Impacts and Likelihoods
- Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods and Impacts
- Identify and Prioritise Risk Responses
Let’s look at these in turn.
Identify and Document Asset Vulnerabilities means finding out where your business is most at risk of a cyber attack. The aim here is to be as thorough as possible. You can't plan a risk response if you don't know where the risks are. If your business has experienced cyber attacks in the past, these are a good place to start in identifying where your cyber security is weakest.
Identify and Document Internal and External Threats. Once you know where you’re most at risk, you need to know from whom that risk originates. This will vary depending on your business type and business size. As with asset vulnerabilities, previous cyber attacks are a good place to start.
Acquire Threat and Vulnerability Information from External Sources. You need to be honest about what you know and what you don't. A robust cyber assessment revolves around knowing the tactics, techniques and procedures (TTPs) that pose the biggest threat to your business. Industry news sources and trade associations can also be a valuable resource where cyber attacks have been reported. In some cases it can also be worthwhile to bring in a third party, such as an outside security firm, to determine the business's resilience.
Identify Potential Business Impacts and Likelihoods. When you know the threats and their sources, you can start mapping out scenarios. Take a hypothetical cyber attack from its starting point and keep going. How will your business systems be affected? Whose jobs will be impacted? Will any processes need to be slowed or stopped temporarily? How will these attacks affect your ability to conduct business? How will they affect your customers and your reputation? Once you have carried this out for all potential cyber attacks, you can begin ranking them by their impact and their likelihood. What you're left with is a matrix of attacks ranked from high impact/high likelihood to low impact/low likelihood. Now you know where to focus your attention.
Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods and Impacts. Now that you have the information you need, it’s time to assess your business in terms of how at risk it is. Enterprise risk is defined as how organisations manage risks and seize opportunities related to the achievement of their objectives. Is your business ready for these attacks? If not, how can you improve its readiness moving forward?
Identify and Prioritise Risk Responses. You know what the risks are, now you can determine your responses. Using your impacts and likelihoods matrix, develop business-wide risk responses to these potential attacks. Make sure that everyone included in the responses is aware of their role.
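The impact/likelihood matrix and the prioritisation described in the steps above, as an added example that is not part of the original article (the assets, threats, 1-5 scores and the high/medium/low thresholds are constructed assumptions, not real assessment results):

```python
# Added example (not from the original article): a minimal risk register that
# walks the six NIST-style steps above. Assets, threats and the 1-5 scores are
# constructed sample data; the band thresholds are an assumption for this example.
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str          # step 1: asset and the vulnerability found on it
    vulnerability: str
    threat: str         # step 2: internal or external threat
    source: str         # step 3: where the threat information came from
    likelihood: int     # step 4: 1 (rare) to 5 (almost certain)
    impact: int         # step 4: 1 (negligible) to 5 (business-stopping)

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{self.asset}: {name} must be 1-5")

    @property
    def score(self) -> int:     # step 5: enterprise risk as likelihood x impact
        return self.likelihood * self.impact

def risk_band(score: int) -> str:
    """Map a 1-25 score onto the high/medium/low bands used to brief stakeholders."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def prioritise(register: list[Risk]) -> list[Risk]:
    """Step 6: highest score first; ties go to the higher-impact scenario."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)

def matrix(register: list[Risk]) -> dict[str, list[str]]:
    """Impact/likelihood matrix as band -> assets, in priority order."""
    out: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    for r in prioritise(register):
        out[risk_band(r.score)].append(r.asset)
    return out

# Constructed sample register for a small business (illustrative values only).
SAMPLE = [
    Risk("Email accounts", "No multi-factor auth", "Phishing (external)", "Trade association alert", 5, 4),
    Risk("File server", "Unpatched OS", "Ransomware (external)", "Previous incident", 3, 5),
    Risk("Staff laptops", "No disk encryption", "Loss or theft (internal)", "Staff survey", 3, 3),
    Risk("Website", "Outdated CMS plugin", "Defacement (external)", "Vendor advisory", 2, 2),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE):
        print(f"{r.score:>2} {risk_band(r.score):<6} {r.asset}: {r.threat}")
```

The bands are what you would put in front of stakeholders; the per-row scores are what tells you which response to plan first.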
Once the assessment is complete…
It’s time to share your assessment with key stakeholders in the business. Ensure that all stakeholders understand the level of risk and what their roles will be in the responses to those risks.
It’s also important to determine how often you will conduct cyber risk assessments. Technology is constantly evolving so it’s vital that your business doesn’t rest on its laurels. Have a regular assessment in place and stick to it.
If you have any questions about cyber insurance, please get in touch with our team on 01923 211290.