How to Perform an IT Security Risk Assessment
A robust cybersecurity program relies on understanding the organization’s risk posture. In today’s digitally connected world, data breaches have become an issue of when an organization will experience one, not if it will happen. With that in mind, evaluating and measuring risk is critical to becoming cyber resilient. Knowing how to perform a risk assessment and understand how it enables resiliency is mission-critical.
What is a cybersecurity risk assessment?
A cybersecurity risk assessment documents an organization’s process of:
- Identifying digital assets
- Reviewing for sensitive data
- Detailing potential threats
- Determining the likelihood of a data breach
- Setting a risk tolerance
- Establishing controls to mitigate risk
A risk assessment acts as the security program’s foundation because it provides the roadmap for how to set controls.
Why do organizations need a cybersecurity risk assessment?
Documenting the risk assessment process lets organizations demonstrate the governance that compliance requires. It also ensures that the organization has established, repeatable processes for identifying and managing risk.
Many compliance requirements focus on mitigating cybersecurity risk. Some examples of these compliance frameworks, standards, and mandates include:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
- International Organization for Standardization (ISO) 27000 series
- European Union General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
A cybersecurity risk assessment’s real value is that it gives the organization a way to structure its approach to establishing and enforcing security controls. As cyber threats continue to evolve, security teams need to know how to prioritize their activities, and the risk assessment helps guide those decisions.
When do organizations need to perform a risk assessment?
Organizations need to perform risk assessments at three significant points in time.
Security Program Establishment
Before an organization creates a security policy or program, it needs to engage in a risk assessment. This assessment acts as the foundation for everything that comes later. Organizations need to know the risks associated with their IT landscape. Without the risk assessment, organizations may fail to put proper controls in place.
This assessment is usually the most time-consuming because the company needs to engage in detailed asset management, review, and control-setting practices.
Changes to the Technology Stack
Another time that organizations need to formally review their risk assessment is when they plan to adopt new technologies or make significant changes to their IT stack. Although compliance mandates rarely define “significant changes,” understanding how adding or removing technologies can impact cybersecurity posture matters.
For example, some events that might trigger the need to review risk include:
- Onboarding a new Software-as-a-Service (SaaS)
- Migrating a database from on-premises to cloud
- Adding new on-premises servers to a network
- Adding new firewall providers
Under most compliance mandates, organizations should review their risk assessments at least once per year. To prove governance, executive leadership and the Board of Directors should review the risk assessment during a meeting and document the review in the minutes.
How to Perform a Cybersecurity Risk Assessment
Performing a cyber risk assessment takes time, but the outcome enables the organization to mature its security and compliance programs.
Create a Team
No single person can manage an enterprise cybersecurity risk assessment. Organizations should consider creating cross-departmental teams to ensure that they identify all risks.
Some members of the team could include:
- Chief Information Security Officer (CISO)
- Chief Technology Officer (CTO)
- Risk and Compliance team
- Internal auditor
- Department managers
- Human resources
Creating a cross-functional team ensures that the organization understands the different types of risks arising from line-of-business technology use.
Identify Assets, Data, Locations, and Users
The first phase of a cybersecurity risk assessment is identification. For many organizations, this is the most difficult part of the process: increased cloud and Internet of Things (IoT) device adoption creates visibility gaps.
Devices
Organizations need to identify all the devices connected to their networks that store, transmit, collect, and process data. Some devices to consider include:
- Network devices like routers, switches, bridges, and modems
- IoT devices like printers, coffee makers, security systems, and card readers
Scanning the network can often provide visibility into connected devices. Creating and maintaining an up-to-date asset inventory enables a more robust risk assessment.
Sensitive Data
Not all data poses the same security risk. While compliance requirements often define sensitive data as personally identifiable information (PII), other data types should be included as well. Some data types that pose a greater security risk include:
- Social Security numbers
- Bank account numbers
- Credit card data
- Customer IP addresses
- Biometric data like fingerprints or face ID
- Health data
- Education records
- Employee personal information
- Genetic data
- Corporate financial records
- Intellectual property
Cybersecurity and privacy compliance requirements tend to focus on PII because threat actors target it: it sells on the dark web. However, organizations also need to consider malicious insiders, who are more likely to target corporate financial records and intellectual property, which is why sensitive corporate data belongs in scope as well.
Locations that store, process, and transmit data
As organizations increasingly migrate data and processes to the cloud, identifying locations that store, process, and transmit data becomes more challenging. Development teams can create and erase workloads in under a minute, making it difficult to detect them using traditional methods.
When thinking about these locations, organizations need to consider:
- On-premises data centers
- Cloud services like Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) providers
- Social media accounts
- Email servers
- SaaS applications
- Collaboration tools like Slack or Microsoft Teams
- Shared drives like OneDrive, Google Drive, or SharePoint
All of these locations need to be inventoried before risk can be evaluated appropriately.
Users
The rise in credential theft attacks means that organizations need to focus more intensely on identifying the users who increase their cybersecurity risk. A further challenge is that "users" are not always people. Machine identities, such as robotic process automation (RPA) bots and service accounts, can pose risk too.
When identifying risky users, organizations should consider:
- IT Administrators
- Service accounts
Assess Risk
Assessing risk means understanding the risk that each identified device, data type, location, and user poses.
Generally, organizations assign risk along a spectrum based on impact. For example:
- High: being compromised would have an extremely negative impact
- Medium: being compromised would have a negative impact
- Low: being compromised would have little to no negative impact
For example, if threat actors gained access to a document containing a draft blog post, the risk is low because it poses little negative impact to the organization. If threat actors gain access to a database containing credit card data, then the risk is high because it has a large negative impact on the organization.
Risks associated with devices include:
- Known vulnerabilities
Risks associated with locations that store, transmit, and process data include:
- Data stored in plain text
- Man-in-the-middle attacks
- SQL injection attacks
Risks associated with users include:
- Excess access
- Credential theft
- Poor password hygiene
- Shared passwords
- Privileged access
Analyze Risk
The risk assessment gives visibility into the specific types of risk arising from assets and users. The risk analysis then takes a more holistic look at how those risks affect the organization's financial stability.
Risk analyses usually use a variation of the following equation:
Risk = Probability of Event x Impact to the Organization
The risk analysis is the quantifiable part of the assessment. Impact to the organization includes looking at the:
- Financial risk: how would a data breach impact financial stability?
- Compliance risk: would a data breach lead to fines or penalties from a compliance violation?
- Reputation risk: how would customer churn impact the organization after a data breach?
The final part of the risk analysis process usually includes creating a heat map. A heat map is a graphical representation showing the spectrum of risks with one axis labeled impact and the other labeled likelihood.
Define Risk Tolerance
The organization’s risk tolerance ultimately drives the controls that an organization needs to put in place to mitigate risk.
Organizations can make one of four decisions. They can choose to:
- Accept risk: the impact is so low to the organization that it costs more to mitigate the risk than the impact would cost
- Avoid risk: the impact is so high that no mitigation reduces it enough to make the technology worthwhile, so the organization declines to adopt it
- Transfer risk: someone else, like a cyber risk insurer, covers the potential impact of the risk
- Mitigate risk: put controls in place that help limit a risk’s likelihood or impact to the organization
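To make the equation concrete, here is an added Python example (not code from the original article) that scores a constructed risk register with Risk = Probability of Event x Impact on assumed 1 to 5 ordinal scales, places each entry on a likelihood-by-impact heat map, ranks the register so the worst risks come first, and applies an assumed tolerance threshold: anything scoring below it is accepted, everything else is marked for treatment. The register entries, scale names, band thresholds and tolerance value are all assumptions; which treatment (mitigate, transfer, or avoid) applies to a "treat" entry remains a business decision the script does not make.

```python
"""Score a risk register, place entries on a likelihood x impact heat map,
and apply a tolerance threshold. Constructed example; not the article's own tooling."""
from collections import defaultdict

# Ordinal scales (assumed 1-5 scales; organizations define their own)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed register entries for illustration only
REGISTER = [
    {"id": "R1", "asset": "cardholder database", "threat": "SQL injection",
     "likelihood": "possible", "impact": "severe"},
    {"id": "R2", "asset": "draft blog posts", "threat": "unauthorized read",
     "likelihood": "likely", "impact": "negligible"},
    {"id": "R3", "asset": "HR SaaS tenant", "threat": "credential theft",
     "likelihood": "likely", "impact": "major"},
    {"id": "R4", "asset": "legacy file server", "threat": "plaintext interception",
     "likelihood": "likely", "impact": "moderate"},
]


def score(entry):
    """Risk = Probability of Event x Impact, on the ordinal scales above (1..25)."""
    return LIKELIHOOD[entry["likelihood"]] * IMPACT[entry["impact"]]


def band(s):
    """Map a score to the article's high/medium/low spectrum (thresholds assumed)."""
    if s >= 15:
        return "high"
    if s >= 6:
        return "medium"
    return "low"


def heat_map(register):
    """(likelihood, impact) cell -> list of risk ids in that cell."""
    grid = defaultdict(list)
    for e in register:
        grid[(LIKELIHOOD[e["likelihood"]], IMPACT[e["impact"]])].append(e["id"])
    return grid


def render(grid):
    """Text heat map: likelihood rows top-down (5..1), impact columns left-right (1..5)."""
    rows = []
    for l in range(5, 0, -1):
        cells = [",".join(grid.get((l, i), [])) or "." for i in range(1, 6)]
        rows.append(f"L{l} | " + " | ".join(f"{c:>5}" for c in cells))
    rows.append("     " + " | ".join(f"{'I' + str(i):>5}" for i in range(1, 6)))
    return "\n".join(rows)


def decide(entry, tolerance=6):
    """Scores below the tolerance are accepted; everything else needs treatment
    (mitigate, transfer, or avoid: a business decision this script does not make)."""
    return "accept" if score(entry) < tolerance else "treat"


def prioritize(register, tolerance=6):
    """Highest score first, so the security team works the worst risks first."""
    ranked = sorted(register, key=lambda e: (-score(e), e["id"]))
    return [dict(e, score=score(e), band=band(score(e)), decision=decide(e, tolerance))
            for e in ranked]


if __name__ == "__main__":
    print(render(heat_map(REGISTER)))
    for e in prioritize(REGISTER):
        print(e["id"], e["score"], e["band"], e["decision"], e["asset"])
```

Multiplying ordinal labels is a convenience, not arithmetic on real probabilities; the value of the script is that it forces every register entry onto the same scale and makes the tolerance line explicit, so the decision to accept R2 (a draft blog post) and treat R1 (the cardholder database) is recorded rather than implied.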
Set Risk Mitigation Controls
Every organization needs to set controls to reduce the impact of a given risk. These controls act as the first step toward establishing the security program.
Data Risk Mitigation Controls
Most controls that protect sensitive information work by limiting who can access it and by managing where it is processed, stored, or transmitted.
However, before the organization can put those controls in place, it needs to classify sensitive data. This step is different from the data identification phase. Now, the organization is not just noting it has sensitive data, it is purposefully classifying and tagging the data so that it can apply additional controls.
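The classification step above is where automated data discovery fits. As an added Python example, not code from the original article, the script below scans constructed free-text records for Social Security numbers, payment card numbers and e-mail addresses, tags each record, and derives an assumed handling level (restricted, confidential, public) that downstream controls can key on. Card numbers are validated with the Luhn checksum so that an arbitrary 16-digit tracking number is not tagged as cardholder data, and a masking helper shows how a tagged value can be written to a log without exposing the full number. The patterns, tag names and levels are illustrative assumptions, and the records are constructed.

```python
"""Discover and tag sensitive data in free-text records so stricter controls can be
applied by classification. Constructed example; patterns and labels are illustrative."""
import re

# Format check only: SSN-shaped strings with invalid area/group/serial parts are rejected
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; the Luhn check filters false positives
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def _digits(span):
    return re.sub(r"[ -]", "", span)


def find_pans(text):
    """Return (matched span, digits) for each Luhn-valid card number in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = _digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.group(), digits))
    return hits


def classify(record):
    """Tag a record and derive a handling level from the tags (levels are assumed)."""
    tags = set()
    if SSN_RE.search(record):
        tags.add("pii:ssn")
    if find_pans(record):
        tags.add("pci:pan")
    if EMAIL_RE.search(record):
        tags.add("pii:email")
    if tags & {"pii:ssn", "pci:pan"}:
        level = "restricted"
    elif tags:
        level = "confidential"
    else:
        level = "public"
    return level, sorted(tags)


def mask_pans(text):
    """Keep only the last four digits of valid PANs, e.g. before writing to logs."""
    def _mask(m):
        digits = _digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return PAN_RE.sub(_mask, text)


# Constructed records; 4111 1111 1111 1111 is a well-known test card number
RECORDS = [
    "Order 8812 paid with card 4111 1111 1111 1111 exp 12/27",
    "Applicant SSN 123-45-6789, contact jane@example.com",
    "Draft blog post: five tips for spring cleaning",
    "Tracking number 4111111111111112 shipped",   # 16 digits but fails Luhn
]

if __name__ == "__main__":
    for r in RECORDS:
        level, tags = classify(r)
        print(f"{level:12} {tags} | {mask_pans(r)}")
```

Pattern matching alone over-tags (phone numbers, order IDs) and under-tags (card numbers split across fields), so in practice the tags seed a review rather than replace one; the point is that once a record carries pci:pan or pii:ssn, the access and storage controls that follow have something concrete to enforce against.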
Device Risk Mitigation Controls
Mitigating the cybersecurity risks associated with devices has become even more challenging with more people working remotely and using personal devices.
Some typical controls include:
- Installing anti-virus software on devices
- Creating a security patch update policy and process
- Requiring users to authenticate to a device
- Encrypting devices to mitigate the risks arising from loss or theft
- Hardening systems
Storage, Processing, and Transmission Risk Mitigation Controls
As organizations adopt more cloud-based services, protecting sensitive data increasingly means securing locations that are defined in code (cloud workloads and their configurations) as well as securing the networks they run on.
Some risk mitigation controls include:
- Network segmentation
- Virtual Private Networks (VPNs)
- Network scanning
User Access Risk Mitigation Controls
Cloud adoption also changes the importance of user access controls. Identity and Access Management (IAM) is more important than ever. When users connect to a network from inside the company’s firewall, the organization has more control over what they access and how they access it. Today, even users in an organization’s physical offices access applications using the public internet.
Some user access risk mitigation controls include:
- Limiting access according to the principle of least privilege, and enforcing it
- Requiring users to authenticate to networks and applications
- Establishing and enforcing Segregation of Duties (SoD) controls
- Using Role-Based Access Controls (RBAC)
- Using Attribute-Based Access Controls (ABAC)
- Enforcing strong password policies
- Using multi-factor authentication (MFA)
Why are cybersecurity risk assessments challenging?
In modern, interconnected IT ecosystems, risk assessments can be difficult for many reasons.
Inability to Maintain Asset Inventory
Organizations and users introduce new devices to the corporate network regularly. While this can streamline business operations, it also makes maintaining an accurate asset inventory difficult.
Additionally, IoT devices often communicate over different ports and protocols than traditional IT equipment. Many companies use network discovery scanners to detect new devices, but those scanners do not always probe the ports IoT devices use, leaving companies with IoT "blind spots".
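The asset inventory advice earlier in the article (scan the network, then keep the inventory current) and the blind-spot problem just described come together in a reconciliation step. As an added example, not part of the original article or any vendor's tooling, the following Python script parses scan output in the XML format that nmap writes with its -oX option, compares it against the known inventory, and reports hosts that are not in the inventory, inventoried hosts whose open ports have drifted from what is recorded, and inventoried assets that did not respond. The scan XML, the inventory, and all addresses are constructed for illustration; keying assets on MAC address assumes the scanner sits on the same layer-2 segment, because MACs are not visible across routers.

```python
"""Reconcile a network scan against the asset inventory (constructed example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in nmap's -oX output format; not a real scan.
SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.1.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:01" addrtype="mac" vendor="Cisco"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/></port>
           <port protocol="tcp" portid="443"><state state="open"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.1.20" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:20" addrtype="mac" vendor="HP"/>
    <ports><port protocol="tcp" portid="9100"><state state="open"/></port>
           <port protocol="tcp" portid="23"><state state="open"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.1.77" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:77" addrtype="mac" vendor="Espressif"/>
    <ports><port protocol="tcp" portid="80"><state state="open"/></port></ports>
  </host>
</nmaprun>"""

# Constructed inventory keyed by MAC: owner and the ports each asset is expected to expose.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "core-router", "owner": "netops", "ports": {22, 443}},
    "00:11:22:33:44:20": {"name": "print-01", "owner": "facilities", "ports": {9100}},
    "00:11:22:33:44:30": {"name": "badge-reader", "owner": "facilities", "ports": {443}},
}


@dataclass
class Host:
    ip: str
    mac: str
    vendor: str
    ports: set = field(default_factory=set)


def parse_scan(xml_text):
    """Extract live hosts, their addresses and open TCP ports from nmap XML."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        if h.find("status").get("state") != "up":
            continue
        ip = mac = vendor = ""
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                ip = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac = a.get("addr").upper()
                vendor = a.get("vendor", "")
        ports = {int(p.get("portid")) for p in h.iter("port")
                 if p.find("state").get("state") == "open"}
        hosts.append(Host(ip, mac, vendor, ports))
    return hosts


def reconcile(hosts, inventory):
    """Three finding classes: unknown devices, port drift on known devices, missing assets."""
    seen = set()
    findings = {"unknown": [], "drift": [], "missing": []}
    for h in hosts:
        seen.add(h.mac)
        asset = inventory.get(h.mac)
        if asset is None:
            findings["unknown"].append((h.ip, h.mac, h.vendor, sorted(h.ports)))
            continue
        extra = h.ports - asset["ports"]       # e.g. telnet appearing on a printer
        if extra:
            findings["drift"].append((asset["name"], h.ip, sorted(extra)))
    for mac, asset in inventory.items():
        if mac not in seen:
            findings["missing"].append((asset["name"], mac))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(parse_scan(SCAN_XML), INVENTORY).items():
        for item in items:
            print(kind, item)
```

Because a discovery scan only sees the ports it is told to probe, the scan feeding this script has to cover the ports the IoT estate actually uses (nmap's -p option selects them); otherwise the "unknown" and "drift" findings inherit exactly the blind spots described above. Run on a schedule, the "unknown" list is the feed for new-device onboarding and the "missing" list catches assets that were decommissioned without the inventory being updated.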
Lack of Visibility into Third-Party Vendor Risk
Every technology that connects to the corporate network comes from a third-party vendor. As threat actors increasingly target supply chains, companies need greater visibility into their technology vendors' security.
However, these intricate ecosystems not only include a company’s vendors, they also include the vendors’ third-party technologies. While an organization may be able to control their own risk, they lack the ability to know or control the downstream risks.
Workforce Changes
Every company experiences changes in its workforce. New people join. Workforce members move to different departments. Some people leave the organization. Each change affects the risks associated with user access.
For example, when people move from one department to another, they may bring their access with them. However, people who work in sales may not need the same access as those on the marketing team. This creates a risk of someone having more access than necessary. Another risk occurs when people leave an organization. If the organization fails to terminate access in a timely fashion, threat actors may use the dormant account as a way to gain access to systems and networks.
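The user access controls listed earlier (least privilege, Segregation of Duties, RBAC) and the workforce changes described just above are checked in practice by a periodic access review. The following Python script is an added example, not the article's own code or any identity product's, that runs such a review over a constructed identity export: it flags roles a user kept after moving departments, toxic role combinations that violate an assumed SoD policy, privileged accounts without MFA, accounts still enabled after termination, and dormant accounts. The role-to-department policy, conflict pairs, users and dates are all assumptions.

```python
"""Periodic user access review: excess access after transfers, SoD conflicts,
privileged accounts without MFA, and dormant or not-terminated accounts.
Constructed example; roles, users and policy are illustrative only."""
from datetime import date

# Which departments legitimately hold each role (assumed policy)
ROLE_DEPARTMENTS = {
    "crm-sales": {"sales"},
    "crm-marketing": {"marketing"},
    "ap-create-vendor": {"finance"},
    "ap-approve-payment": {"finance"},
    "prod-admin": {"it"},
    "audit-log-admin": {"it"},
}
# Toxic combinations no single identity may hold (assumed SoD policy)
SOD_CONFLICTS = {
    frozenset({"ap-create-vendor", "ap-approve-payment"}),   # create and pay a vendor
    frozenset({"prod-admin", "audit-log-admin"}),            # act, then erase the trail
}
PRIVILEGED = {"prod-admin", "audit-log-admin", "ap-approve-payment"}
TODAY = date(2024, 6, 1)   # fixed so the example is reproducible

# Constructed identity export: five people and one service account
USERS = [
    {"id": "alice", "department": "sales", "roles": ["crm-sales"], "status": "active",
     "enabled": True, "mfa": True, "last_login": date(2024, 5, 30)},
    # moved from sales to marketing and kept the old role
    {"id": "bob", "department": "marketing", "roles": ["crm-sales", "crm-marketing"],
     "status": "active", "enabled": True, "mfa": True, "last_login": date(2024, 5, 29)},
    {"id": "carol", "department": "finance", "roles": ["ap-create-vendor", "ap-approve-payment"],
     "status": "active", "enabled": True, "mfa": True, "last_login": date(2024, 5, 31)},
    # left the company but the account was never disabled
    {"id": "dave", "department": "it", "roles": [], "status": "terminated",
     "enabled": True, "mfa": True, "last_login": date(2024, 1, 15)},
    {"id": "erin", "department": "it", "roles": ["prod-admin"], "status": "active",
     "enabled": True, "mfa": False, "last_login": date(2024, 5, 28)},
    {"id": "svc-backup", "department": "it", "roles": ["prod-admin", "audit-log-admin"],
     "status": "active", "enabled": True, "mfa": False, "last_login": date(2024, 5, 31)},
]


def review(users, today=TODAY, dormant_days=90):
    """Return sorted (user id, finding) pairs for the access review."""
    findings = []
    for u in users:
        roles = set(u["roles"])
        if u["status"] == "terminated" and u["enabled"]:
            findings.append((u["id"], "terminated-but-enabled"))
        for r in sorted(roles):                 # excess access carried over from a transfer
            if u["department"] not in ROLE_DEPARTMENTS.get(r, set()):
                findings.append((u["id"], f"role-outside-department:{r}"))
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append((u["id"], "sod-conflict:" + "+".join(sorted(pair))))
        if roles & PRIVILEGED and not u["mfa"]:
            findings.append((u["id"], "privileged-without-mfa"))
        if u["enabled"] and (today - u["last_login"]).days > dormant_days:
            findings.append((u["id"], "dormant-account"))
    return sorted(findings)


if __name__ == "__main__":
    for uid, finding in review(USERS):
        print(f"{uid:12} {finding}")
```

Each finding maps back to a control from the list above: role-outside-department is a least-privilege failure, sod-conflict is a Segregation of Duties failure, and terminated-but-enabled is the dormant-account risk the text describes. Service accounts such as svc-backup usually cannot satisfy an MFA check, so in a real review that finding would be routed to a credential-rotation control rather than closed as a false positive.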
Point-in-Time Assessments
Risk assessments provide a snapshot of an organization's risk posture at a given moment. Although organizations need to undertake additional assessments when they make significant changes to their IT stack, that trigger covers only their own technology choices.
Software vulnerabilities or changes in attack methodologies also impact the organization’s risk posture. Unfortunately, these changes can come at any time, not just on a predetermined schedule.
As industry standards and regulatory compliance requirements change, many are requiring organizations to engage in continuous monitoring. This means that companies need to move away from the point-in-time assessments and find ways to look proactively for new risks. In order to continuously mitigate risk, organizations need to continuously monitor for it.
Protect Data with Robust Risk Assessments
A cybersecurity risk assessment is the foundation of strong security and compliance programs. Whether an organization is trying to pass an audit or reduce its risk of experiencing a data breach, it needs visibility to meet mission-critical needs.
Many organizations are concerned with addressing compliance effectively and accurately as they introduce public cloud vendors with which they have no firsthand experience. For those customers, it can make sense to bring on a Managed Detection and Response (MDR) provider that has experience in cloud security and can act as a single vendor for 24/7 risk visibility, threat detection, and compliance coverage through a single security platform and global SOC.