With cyber threats increasing in sophistication and frequency, all organizations that rely on information technology must take cybersecurity seriously. The challenge is that there isn’t a one-size-fits-all solution to implement as a defense measure because the risk profile of every organization is unique. Â
To determine your organization’s risk profile and align your cybersecurity program with it, you need to perform a cybersecurity risk assessment, a step-by-step process that identifies, evaluates, and prioritizes potential cybersecurity risks your organization faces. Â
Unlike general business risk assessments, cybersecurity assessments are not concerned with physical risks such as natural disasters and violent break-ins. Instead, they focus solely on the digital environment and the hardware, software, and data assets.
How to Perform a Cybersecurity Risk Assessment
1. Define the Scope of the Cybersecurity Risk Assessment
Do you want to assess your entire organization or a specific department or system? If you’re an SMB, performing a cybersecurity risk assessment for your whole organization may be feasible. However, attempting to do the same as a large enterprise with a complex IT infrastructure may be impossible.
Does your organization have the foundational security solutions implemented? Evaluate your cyber readiness in just 10 minutes with this checklist.
Include information about all stakeholders involved in the assessment process when defining the scope of your cybersecurity risk assessment. This typically means your IT staff, management, legal and compliance teams, and, increasingly often, third-party vendors of various software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) solutions. Â
You should also clearly describe the primary goal of the cybersecurity risk assessment so that everyone involved is on the same page and marches toward the same finish line.
ExampleÂ
Your primary goal may be to comply with a data protection regulation, or you may want to identify and prioritize potential cybersecurity risks to improve your overall security posture.
2. Identify Your IT Assets
With the scope of your cybersecurity risk assessment defined, it’s time to identify the IT assets that fall within it, including:  Â
- Hardware: Servers, workstations, laptops, and mobile devices. Â
- Software: Software applications and the operating systems they run on.  Â
- Data: Digital information your organization collects, stores, and processes. Â
- Network Infrastructure: Routers, switches, firewalls, and other physical devices that manage network traffic. Â
- Cloud Services: Cloud-hosted third-party services used by your organization. Â
- Internet of Things (IoT) Devices: Internet-connected devices such as IP cameras, sensors, or smart appliances.
Make sure to dig as deep as possible because the more assets you identify, the more comprehensive your cybersecurity risk assessment will be. Â
To make the gathered information easier to understand and put to good use, we recommend you turn it into a network diagram – visually mapping out the relationships between your various IT assets and potentially revealing blind spots.
3. Uncover Asset Vulnerabilities
Now is the time to identify the vulnerabilities and threats that cybercriminals could use to target your assets. A cybersecurity vulnerability is a weakness or gap in your cybersecurity defenses.Â
You can compare it to an unlocked door a burglar can use to enter a building. On the other hand, a cybersecurity threat is a possible attack that seeks to exploit a known vulnerability.  Â
CVE Details, a database of known software vulnerabilities, currently lists nearly 200,000 known vulnerabilities, with many new ones discovered daily. During the first two months of 2023 alone, more than 5,000 vulnerabilities were found and reported. Â
But software vulnerabilities are just one of many that cybercriminals can exploit. Other vulnerabilities include misconfigured settings, weak passwords, a lack of cybersecurity awareness, or missing data encryption.  Â
Fortunately, the threats that exploit vulnerabilities are far less numerous and dynamic. You can find them listed in the MITRE ATT&CK knowledge base. Â
They include attacks and tactics like:Â
- PhishingÂ
- Access token manipulationÂ
- Network sniffing
- Browser session hijacking  
ExampleÂ
An unpatched web server with a known software vulnerability could be successfully targeted with an SQL injection attack, resulting in the threat actor gaining access to sensitive data or complete control over the server.
4. Determine the Likelihood and Impact of Known Threats
Once you know the potential threats that could exploit vulnerabilities in your organization’s IT assets, the next step is to assess the likelihood of those threats occurring and their potential impact on your business. Why? Â
Because threats that are very likely to occur and cause significant damage need addressing before the threats that are less likely to occur and less likely to cause considerable damage.  Â
The likelihood of threats materializing combined with the severity of their impact is called risk, and it typically ranges from low to very high. Â
To determine the severity, you can use a risk matrix like this one:
Rank the likelihood and severity of each threat on a scale from 1 to 5, with the likelihood being on the y-axis and the severity on the x-axis. Prioritize the threats with the highest risk scores for mitigation.  Â
At this point, it’s helpful to create something called a cybersecurity risk register. This document describes all identified risks and ranks them in order of priority based on their risk scores. Use this in the final step to document your mitigation strategies.
5. Mitigate Cybersecurity Risks in Order of Priority
Finally, it’s time to develop strategies for mitigating your cybersecurity risks. Broadly group these strategies into the following three categories.
1. Discontinue
If you have a vulnerable IT asset you don’t need, such as an old fax machine, it might be best to get rid of it. Â
It is best to consider discontinuing all IT assets whose risk outweighs their value to your organization.
2. Outsource
You can consider outsourcing parts of your IT infrastructure to a specialized third-party provider. Â
This outsourcing might mean moving your website from an in-house web server to a public website hosting service, or it can even mean moving your entire operations to a cloud provider like Microsoft Azure.
3. Strengthen
For assets that are essential to your business and cannot be discontinued or outsourced, you should strengthen your defenses by deploying additional security controls or improving existing ones. Â
ExamplesÂ
- Implementing multi-factor authenticationÂ
- Conducting employee security awareness trainingÂ
- Installing a new end-point protection solution
After you’ve mitigated your cybersecurity risks, it’s important to continually reassess your organization’s cybersecurity posture to stay ahead of new threats.
Who Should Perform a Cybersecurity Risk Assessment?
It takes expert-level skills and knowledge to perform a proper cybersecurity risk assessment by following the five steps described above. Larger organizations usually employ the necessary talent in-house, but only some SMBs use this process. Â
SMBs are not generally equipped to perform cybersecurity risk assessments. However, they must perform them or have one done by a third party. According to an ITRC report, 57% of small businesses experienced a security breach, a data breach, or both in 2021.Â
Foundational security solutions are vital to your small business’s cyber resilience and future success.
Does your organization have the foundational security solutions implemented? Evaluate your cyber readiness in just 10 minutes with this checklist.
Or contact one of our technical business advisors to discover how Teal can help empower your small business.
