CyberSecurity Risk Assessment
What is CyberSecurity Risk Assessment?
A Cybersecurity Risk assessment is a process of identifying, analyzing, and evaluating various risks with information assets such as, hardware, systems, networks, customer data, and intellectual property, that could be affected by a cyber attack.
A risk assessment is done to inform you of the cybersecurity risks that should have a priority concern or minimal concern to avoid wasting time, effort and resources on issues that have little impact while leaving other major issues vulnerable to attack.
Performing a cybersecurity risk analysis helps your company identify, manage, and safeguard data, information, and assets that could be vulnerable to a cyber attack. However, no organization can realistically perform a risk assessment on everything. This involves identifying internal and external systems that are either critical to your operation to store, transmit, or process information that is considered protected data. This could be cardholder data, patient files, government contracts, or various other forms of data. Once this data has been identified then you can create a risk assessment schedule based on criticality and information sensitivity. These results give you a detailed list of weaknesses to be addressed and a plan can be developed to handle these risks in a cost-effective manner.
Not knowing the risk level of a cybersecurity attack to a business can leave a company vulnerable to attack. There is real threat that is impacting more companies every day and is, therefore, something you need to think about. In 2018 over 800 million malware infections were recorded with over 94% of those being sent from email. This is just one point of weakness to a company that needs to be analyzed and planned for how to mitigate a common issue. The more complicated issues take more deliberate actions to identify, classify, and mitigate.
2020 Top Cyber Attacks
DoS and DDoS
Phishing and spear-phishing attacks
SQL injection attack
A Risk Assessment is a key component to developing a plan to not only mitigate security issues but also to know where attention should be focused on addressing the most critical issues down to the least critical issues. This additionally helps companies that are mandated by regulatory compliance guidelines to pay more attention to issues that would jeopardize their certifications. A high priority issue for a PCI compliant company may be a low priority or even an informational issue to a HIPAA compliant company.
With all the information that is evaluated a system needs to be put into place to help classify issues by severity. This can be done in a number of ways using different models, but they all share similar concepts. The important item to note is that companies need to ensure that they retain any information that was documented during a risk assessment process. This would include any scans of the network, audit notes from a compliance auditor, and all remediation steps that were taken to resolve the issues.
The ISO 27005 standard provides guidelines for information security risk assessments that are used to help create a risk-based analysis of the ISMS (information security management system). The information that is collected is then categorized and rated.
Severe – A urgent threat or vulnerability that poses an immediate risk to the organization of a compromise or other action that requires immediate resolution.
Elevated – A threat that has a high potential of impacting a company exists and should be remediated as soon as possible.
Low – Most common threats that are normal application development, network design, or even physical issues. The remediation of these events is used to protect against possible attacks based on each companies industry and security requirement.
NIST Special Publication 800-39 is used for Managing Information Security Risk in companies and organizations that includes the process of framing a risk, assessing the risk, responding to risk, and monitoring each identified risk.
Most Common Data Breaches
Weak and Stolen Credentials, a.k.a. Passwords
Back Doors, Application Vulnerabilities
Too Many Permissions
Improper Configuration and User Error
24,000 Malicious Apps Blocked per day
75 Records Per second are Stolen
300,000 New pieces of Malware Created Per day
30,000 Hacked Websites per day
46% of Web Apps have Vulnerabilities
30% of Web Apps are XSS Vulnerable
87% of Websites have Mid-Level Weaknesses
When should a CyberSecurity Risk Assessment be done?
If you have never performed a risk assessment of your IT footprint then you should consider doing this soon. There is plenty of information on the Internet and vendors that offer many services and perspectives on how these should be completed and when they should be done. We encourage our clients to be well educated on the risks that are present and future risks to their companies.
We will perform our risk assessment of your external and internal footprint. We check your physical and logical entry points to your network and provide a detailed list of areas and their risk value. In some instances, companies are governed by various compliance regulations such as NIST 800-171, HIPAA, PCI, FISMA, and others that have special guidelines. We take these into consideration when factoring the risk calculation.
These reports are then used as a guideline for how a company should proceed forward to ensure their compliance is maintained.