Conducting A Security Risk Assessment
What Is A Security Risk Assessment
A security risk assessment identifies each of the potential risks that can impact your business and, for each one, records the type of risk, its impact and its likelihood.
With a detailed security risk assessment in place, a risk treatment plan can then be implemented to begin addressing and reducing the risks to your business.
Taken together, the assessment and the treatment plan make up the risk management process: identifying and treating potential risks before they materialise.
Benefits Of A Security Risk Assessment
Conducting a security risk assessment has multiple benefits that can help your business improve:
- Improve the overall security of your business
- Take effective action to reduce your company's overall risk
- Make informed, cost-effective risk management decisions that reduce the risk to critical assets
- Meet compliance standards and requirements such as ISO 27001, which requires a documented risk assessment and treatment process
What Are Some Types Of Risk
Risk is an inherent part of any business. Risks can be categorized into many different areas including:
- Economic risks
- Supply chain risks
- Cyber security risks
- Risks to physical security and physical assets
- Risks that impact the recruitment process
- Risks that impact data security and the services you use or offer
There are also any number of risks specific to your own business, for example:
- The market you work in could change, affecting the products or services you offer
- Your equipment or products could be stolen
- The country or world as a whole can face economic issues that impact your business
- You could suffer from a cyber security threat or data breach
To improve the security of your business and your likelihood of success over time, it is important to fully understand each of the risks that can impact your business and, where possible, put in place strategies and solutions to remove or reduce your risks.
The Four Stages Of A Security Risk Assessment
1. Keep Track Of Your Assets
To accurately manage each of your risks, it is important to track every asset so that all of the potential risks that can impact your business and your assets can be considered.
Your assets can be made up of several different elements within your business, such as:
- Devices
- Services
- Data
- Employees
Every asset can have its own set of associated risks, so knowing what your assets are and where they sit is a prerequisite for assessing the risks to them and for keeping the business running.
2. Identify Security Risks
The risks you identify depend partly on the sector you work in, and each business also faces its own specific risks arising from how it operates.
Other risks are common to most companies. Even for these, the priority you assign and the risk treatment strategy you put in place may vary from one business to another.
Although a wide array of risks can impact physical equipment, locations and staff members, for technology infrastructure there are three main questions to work through:
- What are the risks and impacts if an account is compromised?
- What are the risks and impacts if your data is compromised?
- What are the risks and impacts if a device or system is compromised?
Working through these three areas shows where the biggest risks to your devices, services, accounts and data lie, and where solutions to reduce the chance of compromise should be implemented first.
3. Prioritize Your Risks
With each of the risks identified that can impact your business, the next step is to prioritize your risks based on their likelihood and their overall impact on your business.
It is also important to define a consistent method and risk ranking system, so that the process can be repeated and two assessors scoring the same risk arrive at the same result.
Maintaining a risk matrix with a scoring system from 1-5 or 1-10 for both likelihood and impact, together with a detailed key explaining what each number means, allows the reported priority score to be understood by everyone. A common approach is to multiply the two scores, so that with a 1-5 scale a risk scored 5 for likelihood and 5 for impact receives the maximum priority score of 25, and fixed thresholds on that product decide which risks are treated as High, Medium or Low.
4. Develop A Risk Treatment Plan
After prioritizing your risks, it is important to determine a plan of action to address each of the identified risks and put appropriate security controls in place.
It can be the case that not all risks will be treatable. Some potential threats that may impact the business might be outside of your control. Where this is the case, although the risk cannot be fully resolved, it may be possible to minimize the impact.
For example, a power cut that makes your office inaccessible could have a prolonged detrimental impact on day-to-day operations. This scenario is outside of your control, and it may not be possible to reduce its likelihood.
However, managing the impact of this scenario is possible through several solutions:
- Issuing laptops and work mobile phones to each of your employees allows day-to-day operations to continue with a home working setup.
- Using data centers or cloud environments to run critical business services rather than onsite solutions can also ensure that business operations can continue regardless of a central office becoming inaccessible.
Documenting Your Risk Analysis
As risks are identified and categorized, it is important to maintain detailed documentation for each particular threat within a risk register to ensure that any progress on risk reduction can be tracked over time.
This can help improve the ongoing process of threat analysis and ensure that each risk is being addressed as intended.
For each identified security risk, the register can record the following information as part of the ongoing effort to improve security:
- Document the assets that are impacted by the security issues
- Define the typical location and owner of the asset
- Describe the specific risk that can impact the asset
- Outline the impact that the risk will have on the asset and the business
- Define the likelihood and impact score for the risk
- Describe any existing security measures which may affect the described risk
- Define any actions and solutions that can be implemented to mitigate the risk
- Outline the expected reduction in likelihood and impact from the recommended actions
- Outline the expected costs and impacts of the recommended actions
- Define any residual risk that may be in place once the mitigation actions have been taken
- Document if the risk mitigation strategy has been approved to be carried out
- Define the security officers and risk owner assigned responsibility for addressing the risk
- Document the dates as actions are taken to address the risk
Working Through The Security Risk Assessment Process
An Example Of A Security Risk Assessment
As an example of a risk that impacts most businesses, this section walks through Phishing. Phishing has grown in volume over the years and is projected to see continued growth with the development of AI.
A security risk assessment can help us identify the likelihood of Phishing, and the impact and solutions available to address this risk.
Determining The Likelihood
There are an estimated 3.4 billion Phishing emails sent out each day, and Phishing attacks are largely automated, targeting whole industries or countries rather than individual businesses. So the likelihood of receiving a Phishing email is High.
Determining The Impact
The Phishing attack itself could attempt to deliver malware, compromising a device and potentially other devices, compromising accounts, and compromising any other systems to which those devices and accounts have access. So the potential impact of a successful Phishing attack is also High.
Prioritizing The Risks
As Phishing has a theoretically High impact and there is a High likelihood of receiving Phishing emails, it can also be considered a high priority.
While the exact priority in relation to other risks may vary between businesses, assuming there are currently no mitigating factors in place to address this risk, Phishing can be considered a High priority.
Risk Treatment Plan
As Phishing has both a High Probability and High Impact, there are several actions that can be considered to reduce both of these factors.
- Security controls and anti-Phishing policies can be enabled for the email system. These automatically identify likely Phishing emails and quarantine them before they arrive in a user's inbox. Office 365 has options to enable anti-phishing and security policies, and 3rd party products are also available to integrate into existing systems to provide these features.
- Restricting the file types and file sizes that are permitted in emails can also limit the potential for emails containing malware to arrive in a user’s inbox.
Implementing solutions such as these reduces the likelihood that a Phishing email reaches a user, but does not change the potential impact if one succeeds.
In the event a Phishing email is received and contains malware which is then executed, it is important to reduce the potential impacts of this. There are multiple strategies that could be followed to reduce the potential impact on your assets, such as:
- Anti-virus software can be installed on devices to reduce the likelihood of malware executing.
- User accounts for all devices can have their permissions reduced to minimal requirements. This can ensure that any malware that does execute also has minimal permissions.
- Devices can be hardened against a published security baseline, such as the CIS Benchmarks, to minimize any security misconfiguration that may be present on the affected device.
- Updates can be maintained for the device and all installed software. This can limit the potential impact malware may have on a single device, as malware can often attempt to exploit outdated vulnerable systems.
- Any services or devices that are accessible can be set up with unique authentication credentials to limit the reach that malware may have to impact other systems.
- Data can be stored in an encrypted format to limit the extent of information that any malware may be able to access. Note that encryption at rest only helps where the compromised account or process cannot itself decrypt the data; it does not protect files that the infected user is already able to open.
- Devices can be set up with Endpoint Detection and Response (EDR) solutions. This can help to identify unusual activity and signs of malicious behavior, which can then be acted upon to prevent the issue from causing further impact.
Assuming an Office 365 solution is already in use, the costs to implement each of these strategies could be limited to just the EDR solutions and Anti-virus software, as the other options can be implemented through freely available security guidelines and tools.
This type of solution can therefore greatly reduce the probability and impact of Phishing at minimal cost to the business.
Additional security measures can also be implemented to further reduce risks, such as through a security awareness training program which can help to improve overall security within multiple areas.
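The scoring model from the Prioritize Your Risks section, the register fields from Documenting Your Risk Analysis and the Phishing walkthrough above can all be tied together in a small risk register. The following is an added example written for this article, not a tool from the original page: it scores likelihood and impact on a 1-5 scale, multiplies them for a priority score, records each treatment action with the score reduction it is expected to give, and reports the residual risk. The register entries, the size of each reduction and the High/Medium/Low thresholds are constructed assumptions for illustration, not figures from a real assessment.

```python
# Added example (not from the original article): a minimal risk register
# implementing the likelihood x impact scoring model described above.
# All risk entries, score reductions and thresholds are constructed
# assumptions for illustration, not figures from a real assessment.
from dataclasses import dataclass, field

# 1-5 key shared by likelihood and impact. The wording is an assumption
# and should be replaced with the organisation's agreed definitions.
SCORE_KEY = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


def priority_band(score: int) -> str:
    """Map a likelihood x impact product (1-25) onto a priority band.
    The thresholds are assumed; what matters is that they are fixed and shared."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Control:
    """A treatment action and the score reduction it is expected to give."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    cost: str = "low"  # free text; the register records the expected cost


@dataclass
class Risk:
    """One register entry carrying the fields listed in the article."""
    risk_id: str
    asset: str
    owner: str
    description: str
    likelihood: int  # 1-5 before treatment
    impact: int      # 1-5 before treatment
    controls: list = field(default_factory=list)
    approved: bool = False  # treatment plan signed off by the risk owner

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so the ranking stays consistent.
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be scored 1-5")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_scores(self) -> tuple[int, int]:
        """Likelihood and impact after all controls, never below 1:
        a control can lower a score but cannot make the risk disappear."""
        likelihood = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        impact = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, likelihood), max(1, impact)

    def residual_score(self) -> int:
        likelihood, impact = self.residual_scores()
        return likelihood * impact


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest inherent score first; ties broken by impact, then by id."""
    return sorted(register, key=lambda r: (-r.inherent_score(), -r.impact, r.risk_id))


def needing_attention(register: list[Risk]) -> list[str]:
    """Risks whose residual band is still High, or whose plan is not yet approved."""
    return [r.risk_id for r in register
            if priority_band(r.residual_score()) == "High" or not r.approved]


def report(register: list[Risk]) -> list[dict]:
    """Rows for the periodic risk report, in priority order."""
    return [{"id": r.risk_id, "asset": r.asset, "owner": r.owner,
             "inherent": r.inherent_score(), "band": priority_band(r.inherent_score()),
             "residual": r.residual_score(), "residual_band": priority_band(r.residual_score()),
             "approved": r.approved} for r in prioritise(register)]


# Constructed register entries mirroring the article's worked scenarios.
REGISTER = [
    Risk("R-001", "User mailboxes and endpoints", "IT manager",
         "Phishing email delivers malware or harvests credentials",
         likelihood=5, impact=5, approved=True,
         controls=[Control("Email anti-phishing policy and quarantine", likelihood_reduction=2),
                   Control("Restrict attachment types and sizes", likelihood_reduction=1),
                   Control("Least-privilege user accounts", impact_reduction=1),
                   Control("EDR on all endpoints", impact_reduction=1, cost="medium")]),
    Risk("R-002", "Head office", "Operations lead",
         "Power cut makes the office inaccessible",
         likelihood=3, impact=4, approved=True,
         controls=[Control("Laptops and phones for home working", impact_reduction=2),
                   Control("Critical services hosted in the cloud", impact_reduction=1)]),
    Risk("R-003", "Field equipment", "Operations lead",
         "Equipment stolen from vehicles", likelihood=2, impact=3),
]

if __name__ == "__main__":
    for row in report(REGISTER):
        print(row)
```

Two design points match the article's reasoning. The power cut entry only carries impact reductions, because the likelihood of the event is outside the business's control, while the Phishing entry shows email filtering lowering likelihood and least privilege and EDR lowering impact. Residual scores are clamped at 1, so a register can never claim that a risk has been eliminated outright; the risk owner still has to accept whatever remains.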
Maintaining Security And Reducing Risk
A security risk assessment process and risk treatment plan can help to improve the overall security and longevity of an entire organization by proactively planning for the most likely threats your business will face.
However, the risk assessment process should not be considered a single point-in-time exercise but instead a continuous process to minimize threats and implement security requirements within your company.
As your business changes and developments in the world occur, new threats may arise and security incidents can occur which each need to be accounted for.
Current threats and each security control in place will also need to be re-assessed so that the risk rating applied to each risk stays accurate.
An effective security risk assessment process should be conducted at least once a year, with regular reported updates to make sure risk treatment strategies have been implemented promptly and have effectively addressed the intended risks.
Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.