How to Do a Cybersecurity Risk Assessment

How to do a cybersecurity risk assessment

Cybersecurity threats constantly evolve as hackers find new ways to infiltrate companies’ IT networks. Cybersecurity experts recommend that businesses carry out at least one cybersecurity risk assessment yearly as part of their overall cybersecurity plan.

Take the following four steps to protect your company:

1. Gather information to begin the cybersecurity risk assessment.

Cybersecurity risk assessments expose existing technical weaknesses across your IT network. However, you must have an in-depth working knowledge of your company’s hardware and software to spot them. You must also understand how to secure your business’s Wi-Fi network. 

If you or your team don’t thoroughly understand your network setup, call in a cybersecurity expert to conduct the assessment.

Whatever your cybersecurity risk assessment reveals, commit to making substantial system changes to remove all current vulnerabilities, despite any cost or disruption concerns.

“If businesses don’t have the experience, the tools or the team to conduct a thorough and accurate risk assessment, and are just trying to save costs by doing it themselves, they can experience increased costs in the future when a hack or data breach that could have otherwise been prevented occurs,” said Keri Lindenmuth, marketing team lead for business services provider KDG. “Many small businesses don’t recover from a data breach because of the financial implications and end up closing their doors forever.”

2. Map out your system and its cybersecurity risks.

Next, perform a vulnerability assessment to identify security-related issues affecting your hardware, business internet connection, website and software.

Assess your hardware and internet connection.

At the start of the assessment, identify every device that connects to the internet via Wi-Fi or Ethernet and everyone who uses them. In addition to desktop and laptop computers, list cell phones, printers and security cameras. They’re all potential entry points for hackers or malicious code – even your Wi-Fi routers.

Determine every device’s risk level and decide how to shut down that risk. Take the following steps to effectively mitigate cyber risks:

• Switch off your Wi-Fi beacon. Switch off your Wi-Fi beacon so your network doesn’t appear when people near your premises scan for available networks.
• Set strong passwords. Set hard-to-guess passwords to access your Wi-Fi routers and each Wi-Fi-connected device.
• Update firmware. Ensure all device firmware is up to date. Microsoft has a free tool to help you detect whether or not the Microsoft products on your network are all up to date.
• Enact two-factor authentication. Two-factor authentication offers another security solution. When a co-worker wants to log in, the network sends a one-time code or password to their registered mobile device. They must enter this random code to gain access. This is the same system many banks use when checking that a credit or debit card payment is authorized.
• Ensure your cloud is secure. Cloud computing is another potential vulnerability. Select a provider with strong cloud data encryption for maximum protection.
• Use encryption. Encryption protects sensitive business information sent to and from your network. If cybercriminals hack into your system, the encrypted data they intercept will be unintelligible. 
• Install firewalls. A firewall monitors patterns in the data sent to and from your network and cloud, blocking traffic it thinks is unsafe. Firewalls achieve an even higher level of protection when used with antivirus software that scans incoming data for malware like worms, trojans and viruses.

Assess your website.

If your website and company software are integrated, your customer records and other valuable data may be at heightened risk. It’s crucial to include your website in your cybersecurity risk assessment to protect that data.

Common problems with websites include a lack of SSL/TLS certificates and HTTPS, which are factors in securing a domain. 

Assess your apps and software.

Software vendors regularly issue updates or patches designed to improve security in the following ways:

• Stopping new and emerging attacks
• Protecting against a newly discovered vulnerability or back door in their software

Vendors only provide patches during their products’ lifetimes. Consider replacing software that’s no longer supported. Ensure all supported software on your system has the latest patches. Sign up for each vendor’s newsletter to receive details about forthcoming patches.

3. Build your human firewall to enhance cybersecurity.

No matter what steps you’ve taken to create a robust technical firewall, your team is likely your biggest cybersecurity weakness.

Most cyber attacks are unsuccessful. However, unwitting employees are often the entry point for successful breaches. Hackers get what they want when employees are unaware that their actions are risky or that they’ve been tricked.

The biggest threat comes from phishing, a type of social engineering attack. Here are some common phishing tactics: 

• Phishing emails. A typical phishing tactic is an email that tries to convince the recipient to download an attachment or log into an account. To increase their chances of success, hackers often make the email look like it came from a colleague using details found on LinkedIn.
• Business email compromise fraud. Cybercriminals may grab the name of your CEO or CFO. They’ll send someone in the accounting department an email pretending to be the executive demanding an urgent invoice payment. 

Social engineering attacks like these work because they take advantage of the shortened decision-making processes we all use to get things done faster. 

To train your staff to avoid phishing scams and set them up for cybersecurity success, consider the following: 

• Run phishing vulnerability tests. Run a phishing vulnerability test using an online simulator. Use the results to identify areas where you need more training. Machine learning tools to detect spear phishing are now being developed to beat very targeted attacks, but don’t put all your faith in technology.
• Enact a Wi-Fi policy. Instruct staff members to use 4G or 5G cell signals instead of Wi-Fi when they are out of the office. Many hackers set up dummy Wi-Fi networks in public areas to trick people into logging in so they can monitor users’ activity. If you want to give staff the option to use Wi-Fi, insist that they use a VPN to encrypt data sent and received.
• Don’t use physical storage media. Many companies have banned physical media like CD-ROMs and unencrypted flash drives. While one issue is that staff may lose these devices, the bigger problem is that they may introduce malicious code. For example, an employee might download something at home with a hidden virus. When they load the CD-ROM or plug in the flash drive at work, the entire network is at risk of infection. 

4. Consider potential risks and their likelihood and impact.

A truly secure network doesn’t connect to the internet. But that’s not a feasible option now. You must accept that there are risks in going online. In your cybersecurity risk assessment, consider the risk level you find acceptable.

When you find a vulnerability, consider how hard it would be to defend yourself against an attack that exploits it. Determine the damage a hacker could do if they entered your network via that vulnerability.

The importance of doing cybersecurity risk assessments

Big businesses aren’t the only ventures under threat from cybercriminals – small businesses faced $2.98 million in data breach costs in 2021, according to IBM.

In addition to costly risks from cyber attacks, some businesses must meet industry-specific cybersecurity compliance standards, such as HIPAA for healthcare businesses, FERPA for educational institutions, and PCI DSS for companies taking credit and debit card payments.

It’s crucial for businesses to budget for cybersecurity. The financial and reputational damage incurred by losing company and customer data is significant and may lead to your business’s demise. 

Andrew Martins contributed to the reporting and writing in this article. Some source interviews were conducted for a previous version of this article.