Performing Cybersecurity Risk Assessment

What is Cybersecurity Risk Assessment?

Cybersecurity incidents are on the rise.

Some researchers report that the average large company experiences up to 200,000 attempts on its network by hackers trying to get in. A study by researchers at the University of Maryland found that, on average, a computer with internet access is attacked approximately every 39 seconds. These cyber incidents are not slowing down.

  • Recall that back in 2018 Facebook faced vulnerabilities where hundreds of millions of users’ information was found to be exposed and accessible on the web. More recently, it was discovered that 500 million Facebook accounts were for sale on the dark web.

  • What about Marriott’s customers? Marriott was hacked in April 2020, and 5.2 million guest accounts were accessed and stolen.

  • Both Jack Daniel’s and Honda were hit by ransomware attacks in 2020.

  • What about the Twitter users who, in the summer of 2020, saw the accounts of Elon Musk and several other wealthy individuals hacked? The hackers offered to send $2,000 in Bitcoin to any user who first sent them $1,000 in Bitcoin, but it was all a scam. I mean, why would somebody like Elon Musk or these wealthy individuals ask you to send them $1,000 so they can send you $2,000? It really didn’t make any sense. But people fall for it every time.

There is currently a big shift from reactive to proactive security strategies: strategies that focus on protecting and securing our organizations rather than responding after a problem has occurred.

Now, the questions I would like to ask you are these: have you done an IT risk assessment of your organization? What if you were hit today with a cyber-attack? Do you know which of your IT assets are most vulnerable, and which are most valuable? Do you have a plan of action to protect them? Have you tested your plan to be sure it will hold up should a breach occur at your organization today?

Secondly, have you calculated the potential financial costs you’d incur if key systems were to go down?

These are questions that need real and unambiguous answers. They are critical questions for every organization to answer. A good place to start the journey, if you haven’t already, is to take a look at an IT risk assessment of your organization.

So, what is Cybersecurity Risk Assessment?

Risk assessment is primarily a business concept, and it is all about money. You have to first think about how your organization makes money, how employees and assets affect the profitability of the business, and what risks could result in large monetary losses for the company. After that, you should think about how you could enhance your IT infrastructure to reduce the risks that could lead to the largest financial losses to the organization.

IT risk assessment is the process of identifying security risks and assessing the threat they pose to your organization. Ultimately, the purpose is to prevent security incidents and compliance failures. No organization has the resources to identify and eliminate all cybersecurity risks, and because of that, IT professionals need to use security risk assessment to direct where the organization should channel its resources in order to prevent a catastrophic incident from happening. The more clearly an IT security unit can articulate its plan to reduce the most critical vulnerabilities across the organization’s network, the better you can justify your business case and the more likely you are to get funding for an effective security program from your management.

To begin risk assessment, take the following steps:

1. Identify and catalog all company assets

The first step in a risk assessment is to make sure that you have a comprehensive list of your organization’s information assets. It’s important to remember that different roles and different departments will have different perspectives on what constitutes an important asset to them, so get input from more than one source at this stage. It is also important to ask yourself, the departments and the organization this question: what financial or reputational loss, data loss, system or application downtime, or legal consequences will my organization suffer if a given asset were to be compromised or damaged? The answers you get will tell you the criticality of those assets and their ranking on the scale of importance. Some examples you should look out for:

  • For salespeople, the most important information asset might be your company’s CRM.
  • IT will likely see the servers, websites, switches, routers and the other network apparatus they maintain as a higher priority.
  • HR’s most important information asset is confidential employee information.
  • Other types of important assets are client contact information, documents relating to partners and shareholders, and the trade secrets of the organization.
  • Customer data, PII (personally identifiable information) and credit card data.

2. Identify threats and their level

A threat is anything that might exploit a vulnerability in an organization’s asset to breach security and cause damage to the organization. Hackers are usually top of mind, but threats to a business’s information security come in many different forms. Therefore, you need to take many different threat types into consideration when compiling a list of all the unique threats your business faces. For example:

  • Not just malicious human interference (like the ex-employee of Cisco who deleted 456 virtual machines that were supporting Cisco’s video conferencing software WebEx Teams, an action that resulted in the temporary deletion of more than 16,000 Webex accounts; it took Cisco two weeks to recover the accounts and rebuild its systems, costing the company more than $2.4 million, with $1,400,000 in employee time and $1,000,000 in customer refunds) but also accidental human interference, such as employees accidentally deleting information or clicking on a malware link in an email.
  • Natural disasters, like a tornado hitting the building or a flood (if your office is located in a high-risk area).
  • System failure, server crashes, power failure and fire outbreaks.

3. Identify vulnerabilities and assess the likelihood of their exploitation

A vulnerability is a weakness that can be taken advantage of by a threat to breach the security of the organization and cause harm to an asset. It is a weakness in your system or processes that might lead to a breach of information security.

  • For example, a card processing company that stores customers’ credit card details but isn’t encrypting them, or isn’t testing that encryption process to make sure it’s working properly, has a significant vulnerability.
  • Weak passwords, failing to install the most recent security patches on operating systems or software, failing to restrict user access to sensitive information or granting privileged access to those who do not need it, and employees working with hard copies of sensitive information or using company electronics outside of the office are all behaviors that can lead to the misuse of information and leave your business’s sensitive information vulnerable to attack.
  • It could be old equipment that can’t be upgraded, either in terms of the hardware or the OS running on it; some old computers cannot run Windows 10, and some newer ones cannot run Windows 11, because each has a minimum hardware requirement.
  • It could be problems with software design or configuration.

You can find vulnerabilities through audits, penetration testing, security analyses, and vulnerability assessment using a tool like Nessus from Tenable, a great tool for vulnerability assessment. The National Institute of Standards and Technology (NIST) provides a comprehensive, repeatable, and measurable seven-step process that organizations can use to manage information security and privacy risk: the NIST Risk Management Framework (RMF).
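As an added illustration of the three steps above (example code, not part of the original article), the constructed register below rates each asset against the four loss questions from step 1, pairs it with a threat from step 2 and a vulnerability from step 3, and ranks the results by likelihood times impact so that limited resources go to the top entries first. The 1-to-5 scales, the high/medium/low thresholds and every sample value are assumptions.

```python
from dataclasses import dataclass

# The four loss questions the article asks per asset (1 = negligible, 5 = severe); scale is an assumption.
IMPACT_AREAS = ("financial_or_reputation", "data_loss", "downtime", "legal")

@dataclass
class Asset:
    name: str
    owner: str            # department whose perspective produced the ratings
    impact: dict          # impact area -> 1..5 rating

    def criticality(self) -> int:
        """Criticality is the worst-case loss across the four impact areas."""
        return max(self.impact[area] for area in IMPACT_AREAS)

@dataclass
class Risk:
    asset: Asset
    threat: str           # malicious, accidental, natural disaster, system failure
    vulnerability: str
    likelihood: int       # 1..5 estimate that the threat exploits the weakness

    def score(self) -> int:
        # Qualitative risk score: likelihood x impact, range 1..25
        return self.likelihood * self.asset.criticality()

def risk_level(score: int) -> str:
    """Bands used to decide what gets funded first (thresholds are an assumption)."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def rank_risks(risks: list) -> list:
    """Highest score first; the top of the list is what the budget should address."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)

def sample_register() -> list:
    """Constructed register mirroring the article's examples; not real data."""
    crm = Asset("CRM", "Sales", {"financial_or_reputation": 4, "data_loss": 4, "downtime": 3, "legal": 3})
    cards = Asset("Card processing DB", "IT", {"financial_or_reputation": 5, "data_loss": 5, "downtime": 3, "legal": 5})
    hr = Asset("Employee records", "HR", {"financial_or_reputation": 3, "data_loss": 4, "downtime": 2, "legal": 4})
    conf = Asset("Conferencing VMs", "IT", {"financial_or_reputation": 3, "data_loss": 2, "downtime": 4, "legal": 1})
    return rank_risks([
        Risk(cards, "malicious external", "card numbers stored unencrypted", 4),
        Risk(crm, "accidental insider", "every employee has write access", 3),
        Risk(hr, "malicious insider", "ex-employee accounts still active", 2),
        Risk(conf, "system failure", "single power feed, no UPS", 2),
        Risk(crm, "natural disaster", "office in a flood-prone area", 1),
    ])
```

Printing `score()`, `risk_level(score())` and the asset/threat/vulnerability for each entry of `sample_register()` gives the prioritized list a manager can fund from the top down.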

The seven RMF steps, as NIST summarizes them, are:

  • Prepare: essential activities to prepare the organization to manage security and privacy risks
  • Categorize: categorize the system and the information processed, stored, and transmitted based on an impact analysis
  • Select: select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
  • Implement: implement the controls and document how the controls are deployed
  • Assess: assess to determine if the controls are in place, operating as intended, and producing the desired results
  • Authorize: a senior official makes a risk-based decision to authorize the system (to operate)
  • Monitor: continuously monitor control implementation and risks to the system
