Today, news headlines are filled with stories of major data breaches, ransomware attacks, and other reminders that a reactive approach to security is a recipe for disaster. Regardless of the industry, understanding and mitigating your cyber threats begins with a thorough risk assessment. But how can you move beyond the guessing game and build a truly resilient defense? In this blog, I outline a six-step process covering the essential steps your organization must take to identify, analyze, and manage its cybersecurity risks effectively.
Step 1: Identify assets that need protecting
When evaluating the assets that need protecting, it can be helpful to break them into several categories. For example:
- Physical assets
  - Laptops, prototypes, cellphones, servers, physical data centers, and workstations
- Digital assets
  - Trade secrets, intellectual property, proprietary software, client databases and records, employee records, financial records, and cloud-based applications
- Human assets
  - Key personnel, executives, and third-party vendors or contractors with access to sensitive information
Step 2: Identify what harm could come if those assets are compromised
Now that assets have been identified, the next step is to determine what would happen should those assets be compromised. This needs to be a detailed analysis that goes beyond the obvious “bad things would happen.” I recommend using the CIA Triad. The CIA Triad has evolved since its early stages of development in the 1970s; today it stands for confidentiality, integrity, and availability, and it is a widely used model for developing cybersecurity policies across industries. Here are some ways you can break down and classify your assets based on the triad:
Confidentiality: What if sensitive data was stolen or exposed? Think of assets such as employee or financial information, client data, or proprietary information. This can lead to legal issues, reputational damage, and competitive disadvantage.
Integrity: What if data, such as product designs or financial records, was corrupted or tampered with? This could lead to critical operational failures and reduce the trustworthiness of the company.
Availability: What if your systems or data suddenly became inaccessible because of a denial-of-service or ransomware attack? This would halt operations company-wide, impact productivity, and lead to substantial financial losses due to the downtime.
Once identification has occurred, it’s time to apply that hacker mindset and work towards understanding your adversaries. A threat modeling exercise can help here. Threat modeling forces you to acknowledge the who, why, and how of your potential attackers. By understanding these threats, you can tailor your defenses more effectively. If you need assistance in implementing a threat model, check out our downloadable threat modeling exercise (and if you want to take it a step further and work with an ethical hacker to build out a threat model for your organization, reach out today!)
Step 3: Determine controls that will help protect those assets (industry or internally created)
Controls are the precautions that you put in place to protect your assets and mitigate any identified risks. There are a variety of controls that a company can put in place, but here are the broad categories:
Administrative Controls: Incident response plans, policies, procedures, and security awareness trainings
Physical Controls: Access badges, environmental controls, locked server rooms, security cameras, and even security guards if appropriate
Technical Controls: Antivirus software, access controls, encryption, firewalls, intrusion detection/prevention systems (IDS/IPS), multi-factor authentication, and password managers
Step 4: Assess the human and the operational perimeter
This may come as a surprise, but the people who interact with your data are both your greatest vulnerability and your most important line of defense. A robust risk assessment must look beyond the “what” and focus on the “who” and the “how.”
People interact with your assets in a variety of ways, and while it’s important to know what those ways are, it’s also important to assess the individuals themselves. To minimize risk, users should have only the permissions necessary to perform their daily tasks and no more. Access should not be granted based on convenience. An individual on the sales team should not have access to the organization’s employee records. A member of the development team should not have access to company financial records. By enforcing a “need-to-know” system within your organization, you ensure that if one account becomes compromised, the reach of the attacker is strictly limited. In addition, the IT department should periodically review who has access to what and immediately revoke access when an employee is no longer with your organization.
Additionally, running regular security training and enforcing a strong security culture can help your staff learn secure practices and recognize phishing attempts, social engineering, and more. However, training the team is only half of the battle; it must be backed by a culture where employees feel empowered to report suspicious activity without fear of ridicule or reprisal.
It is important to note that it’s not just the people, but also the processes, configurations, and policies that need to be looked at. You can’t fault a person for something that there isn’t a policy or process for, so it is important to evaluate what you have in order to figure out what is missing. For example:
- Are you revoking access the moment an employee leaves your company?
- Is your software regularly patched?
- Does your software follow modern security standards?
- Do you have a policy for visitor sign-in?
  - If not, then you have unauthorized access.
It is important to continue this list and constantly question what you have. Ultimately, the content of an assessment will vary based on your industry and needs. It could range from reviewing things like vaults and other physical asset needs to fully digital reviews covering networking, cybersecurity, and other domains. At Start, we suggest considering industry standards as a good baseline for your company and industry needs.
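The need-to-know and revocation checks described in Step 4 (role-appropriate access, periodic review, and cutting access the moment someone leaves) are the kind of thing that can be run as a routine script over an access export. The following is an added example, not code from the original post or from Start; the role-to-resource policy, the grant records, and the user names are constructed sample data, and the field layout is an assumption about what an identity system's export might look like.

```python
"""Access-review helper for a need-to-know policy (added example).

Flags two classes of grant the text says should not exist:
  * a grant to a resource outside the user's role (violates need-to-know)
  * any grant still held by a departed employee (should have been revoked)
"""
from dataclasses import dataclass

# Hypothetical role policy: the only resources each role needs for its
# daily tasks. Anything not listed here is "outside-role" for that role.
ROLE_POLICY = {
    "sales": {"crm"},
    "developer": {"source-repo", "ci"},
    "hr": {"employee-records"},
    "finance": {"financial-records"},
}


@dataclass(frozen=True)
class Grant:
    """One row of a constructed access export (assumed layout)."""
    user: str
    role: str
    resource: str
    active_employee: bool  # False once HR marks the person as departed


# Constructed sample export, not a real organization's access list.
SAMPLE_GRANTS = [
    Grant("alice", "sales", "crm", True),
    Grant("alice", "sales", "employee-records", True),    # sales seeing HR data
    Grant("bob", "developer", "source-repo", True),
    Grant("bob", "developer", "financial-records", True),  # dev seeing finance data
    Grant("carol", "hr", "employee-records", False),       # departed, still granted
    Grant("dave", "finance", "financial-records", True),
]


def review_access(grants):
    """Return (user, resource, reason) findings in export order.

    A departed employee's grant is reported once with reason
    'departed-employee' and not also scored against the role policy,
    because the whole grant is revoked regardless of role.
    """
    findings = []
    for g in grants:
        if not g.active_employee:
            findings.append((g.user, g.resource, "departed-employee"))
            continue
        allowed = ROLE_POLICY.get(g.role, set())  # unknown role => nothing allowed
        if g.resource not in allowed:
            findings.append((g.user, g.resource, "outside-role"))
    return findings


def revocation_plan(grants):
    """Group the resources to revoke per user, ready for an IT ticket."""
    plan = {}
    for user, resource, _reason in review_access(grants):
        plan.setdefault(user, set()).add(resource)
    return plan


if __name__ == "__main__":
    for user, resource, reason in review_access(SAMPLE_GRANTS):
        print(f"{user:6} {resource:18} {reason}")
    print(revocation_plan(SAMPLE_GRANTS))
```

Running the script against the constructed export reports Alice's and Bob's out-of-role grants and Carol's lingering post-departure access, and groups them into a per-user revocation list. Treating an unknown role as "nothing allowed" is deliberate: a grant whose role is not in the policy is itself a finding rather than something to silently accept.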
Step 5: Remediate shortcomings
It’s impossible to remediate everything at once, so it’s important to create a priority list of which vulnerabilities need to be addressed first. A risk matrix can help your team map each risk by its likelihood of occurring and by the impact it would have, including how severe the consequences would be. You can use the risk template below as a template for your organization. You can download a PDF version of this template below.
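To show how a risk matrix turns into a priority list, here is an added example that is not the post's template or Start's code. The 1 to 5 scales for likelihood and impact, the score = likelihood × impact rule, the rating thresholds, and the sample risks are all assumptions chosen to illustrate the idea; substitute your own scales and bands.

```python
"""Risk prioritisation with a likelihood x impact matrix (added example).

Assumptions: likelihood and impact are integers 1..5, the cell score is
their product (a common 5x5 convention), and the rating bands below are
illustrative, not a standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)


def risk_score(r):
    """Cell score for the matrix; rejects values off the assumed 1..5 scale."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.name}: likelihood and impact must be 1..5")
    return r.likelihood * r.impact


def rating(score):
    """Map a score onto assumed bands used to colour the matrix."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(risks):
    """Return (name, score, rating) tuples, highest score first.

    Ties are broken by impact (a severe but unlikely event outranks a
    likely but minor one at equal score), then by name for stable output.
    """
    scored = [(r.name, risk_score(r), r.impact) for r in risks]
    scored.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return [(name, score, rating(score)) for name, score, _impact in scored]


def matrix_cells(risks):
    """Group risk names by (likelihood, impact) cell, for drawing the grid."""
    cells = {}
    for r in risks:
        risk_score(r)  # validates the scale before placing the risk
        cells.setdefault((r.likelihood, r.impact), []).append(r.name)
    return cells


# Constructed sample register; the names echo the post's examples.
SAMPLE_RISKS = [
    Risk("Ransomware on file servers, no offline backups", 4, 5),
    Risk("Phishing leads to credential theft", 5, 3),
    Risk("Departed employee retains VPN access", 3, 4),
    Risk("Unpatched internal wiki", 3, 2),
    Risk("Visitor tailgates into the office", 2, 2),
    Risk("Lost prototype, no sensitive data on it", 1, 3),
]


if __name__ == "__main__":
    for name, score, band in prioritise(SAMPLE_RISKS):
        print(f"{score:2} {band:8} {name}")
```

The ordered output is the priority list Step 5 asks for: the two "critical" items get remediation budget first, and the grid from `matrix_cells` is what you would colour in on the template. Keeping the scales and bands in one place means the assessment can be re-run unchanged when likelihoods shift after a control is added.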