Protect Your Organization With A Security Risk Assessment
April 2019 | Michael Wetherald

It's Dangerous Out There

Your organization faces cyber security threats at all times. As technology advances, so does its complexity. As complexity grows, so do mistakes, bugs, and unexpected side effects. Each of these mistakes is a crack waiting for an adversary to come along and compromise your organization. Individuals and hacking groups continuously scan the internet looking for vulnerable systems to exploit.

All it takes is one mistake, one crack in the infrastructure, for these adversaries to compromise an organization. From there they act according to their individual motivations. Political hacktivists may target their political enemies in order to leak information, or they may want to bring down the infrastructure and disrupt operations. Cyber thieves have increasingly been using ransomware, a type of software that renders systems inoperable until the criminals receive a ransom payment.

Every few months we hear of another large organization being involved in a costly security incident.

  • In 2016, it was disclosed that all 3 billion Yahoo accounts were hacked in the 2013 breach. (Oath.com)
  • In 2017, the data of 147.9 million consumers was stolen in the Equifax breach. (Equifax)
  • In the 2013 holiday season, Target reported that hackers stole data from up to 41 million credit and debit cards from shoppers. (NBC)

But smaller organizations are constantly involved in security incidents as well. Reports suggest that one of every five small to medium-sized businesses becomes a victim of a cyber security incident each year, and a staggering 60 percent of those businesses go under within six months of the attack. (BizJournals.com)

How Do I Protect My Organization?

One of the first steps in protecting your organization is a security risk assessment. A risk assessment determines which threats are most relevant and impactful to your organization. This allows your organization to decide intelligently and effectively where to apply the resources necessary for protection. No organization can protect itself from all possible threats, but a risk assessment provides your organization with the information it needs to focus its efforts and add protective measures that mitigate the risk it faces.

What Does a Risk Assessment Look Like?

During a risk assessment we determine which cyber security threats are relevant, and the likelihood and impact those threats could have on your organization. We do this by first establishing the key assets of your organization. Are there hardware assets which are crucial to business operations? What information would be catastrophic to lose? Is there information you are legally required to protect, and how are you doing so? From there we determine who the likely adversaries might be. What are their motivations and capabilities? Once we have defined those threat sources and the security events they are capable of, we determine the likelihood of those security events and the impact they would have on your organization. With this threat model we can prioritize and recommend how to effectively apply resources to the threats of highest likelihood and impact to your organization.

A good risk assessment provides you with the information necessary to invest intelligently and effectively in protecting your organization. If you operate a small business, defending yourself from threats that only nation-state attackers are capable of does not make sense, because the likelihood of such an attack is very low. However, hacking groups and individuals attempt attacks on smaller organizations constantly. With a clear picture of the threats and impacts facing your organization, you can determine the amount of risk your organization is willing to tolerate and apply an appropriate amount of resources to mitigate the risk it is unwilling to tolerate. Prioritizing your security expenditures on high-impact remediations is only possible with a risk assessment.

Is Your Risk Appropriately Managed?

Risk is an inherent part of any operation. As the leader of your organization, it is your responsibility to recognize where the risks to the organization lie and to mitigate those risks. Fortunately, most adversaries look for low-hanging fruit. A risk assessment can determine where your organization is exposing low-hanging fruit to these criminals, a first step toward mitigating the risk of a security incident.

If your organization would benefit from a risk assessment, we’re here to help. Contact us today for a free consultation.

Michael Wetherald
Security Engineer and Co-Founder

Michael is the inventor of a patent-pending web proxy technology and brings to Viam his expertise in web and Linux security. Outside of work he enjoys carpentry, having built a dog mansion for his spoiled dog.
