What is a cyber security risk assessment?
Very simply, it’s a risk assessment of your cyber security systems, to establish what you have in place, what your business needs to protect data, and to identify potential vulnerabilities.
The risk assessment should be done in conjunction with your IT team or IT support partner. If you don’t have either of these, it’s worth doing some research before you start.
Make sure you share the outcomes of the assessment with all staff members and any external, relevant suppliers, and keep them informed of any changes or updates to systems and servers. This will help to make your team feel involved and more engaged in the importance of security.
Why should you have one?
By having a defined plan for identifying risks and putting steps in place to consider the level of threat your company faces, you’re being proactive and reducing the risk of a cyber-attack. A formal procedure helps you to look at each department, tool and aspect of your business to make sure that nothing is overlooked.
The risk assessment process also encourages you to look at the software, hardware and storage you’re using in your business and identify the best way to protect them. It can also save you money, as it means your cyber security solution can be tailored exactly to your needs, and you’re not paying to protect yourself from something that’s not really a risk.
A risk assessment is also a key part of ISO 27001 cyber security accreditation, and you need to have a clear process documented. Clause 6.2 of the standard states that you must: “Ensure that repeated risk assessments produce consistent, valid and comparable results”, so make sure you allocate time in the diary to review your plan.
As with other aspects of cyber security protection, a risk assessment demonstrates professionalism, commitment to data confidentiality and information security, and shows you’re ensuring compliance. Legislation around data is constantly changing, so it’s essential to keep up to date.
What to include in your cyber security risk assessment
The risk assessment should form a key part of your incident response plan. In our blog on the topic "How to write a cyber security incident response plan for SMEs", we highlighted things to think about when you put your plan together. There are a couple of points from it that you should consider including in your risk assessment.
The first is a single point of failure – anything within your system that could cause everything to fail if it breaks or is compromised. The single point (or points) of failure are those which could have the biggest negative impact on the future of your business.
The other thing to bear in mind is your risk potential. While this is important for all businesses, smaller companies with limited budgets, no dedicated IT support team or a lack of understanding about the importance of cyber security are especially at risk.
This can include any organisation that participates in a supply chain or which holds sensitive client data. It also refers to businesses which are reliant on free or public cloud storage, free email and accountancy tools, or which use personal devices for work purposes (or allow staff to do so).
The risk assessment process should look at each process, tool and piece of hardware or software, where it’s from, who has access to it and what data it uses. Identify potential threats to each, and the consequences of a data breach, hack or other compromises. You also need to establish how likely each type of threat is.
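As an added illustration (not code from the original post or from ATG), the following Python sketch turns the steps in this section into a small risk register: each asset records where it is from, who has access, what data it uses and what it depends on; each threat is scored as likelihood multiplied by impact on a 1-5 scale; and single points of failure are flagged as assets with no redundancy that other assets depend on. All asset names, threats, scores and the rating thresholds are constructed examples, not figures from the page.

```python
"""Minimal risk register for an SME cyber security risk assessment (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Qualitative 1..5 scales; the labels and thresholds are an assumption for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Threat:
    description: str
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT
    consequence: str  # what a breach or compromise would mean for the business

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass
class Asset:
    name: str
    source: str                         # where it's from: vendor, in-house, free public service
    access: list[str]                   # who has access
    data: list[str]                     # what data it uses or stores
    depends_on: list[str] = field(default_factory=list)
    redundant: bool = False             # is there a backup or failover?
    threats: list[Threat] = field(default_factory=list)


def rating(score: int) -> str:
    """Map a likelihood x impact score to a rating band (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def single_points_of_failure(assets: list[Asset]) -> list[str]:
    """An asset is a single point of failure if other assets depend on it and it has no redundancy."""
    by_name = {a.name: a for a in assets}
    dependents: dict[str, list[str]] = {}
    for a in assets:
        for dep in a.depends_on:
            if dep not in by_name:
                raise ValueError(f"{a.name} depends on unknown asset {dep!r}")
            dependents.setdefault(dep, []).append(a.name)
    return sorted(name for name in dependents if not by_name[name].redundant)


def risk_register(assets: list[Asset]) -> list[dict]:
    """Flatten (asset, threat) pairs into rows ordered by descending risk score."""
    rows = [
        {"asset": a.name, "threat": t.description, "score": t.score(), "rating": rating(t.score())}
        for a in assets
        for t in a.threats
    ]
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


# Constructed sample inventory for a small business; every value here is illustrative.
SAMPLE_ASSETS = [
    Asset("Cloud email (free tier)", "free public email service", ["all staff"],
          ["customer correspondence", "password reset links"],
          threats=[Threat("Mailbox takeover via phished password", "likely", "severe",
                          "attacker can reset passwords on every linked service")]),
    Asset("Shared login account", "in-house", ["all staff"], ["credentials"],
          threats=[Threat("Reused password exposed in a third-party breach", "likely", "major",
                          "one leaked password unlocks finance files for everyone")]),
    Asset("Accounting spreadsheet on free cloud storage", "free public cloud storage",
          ["finance", "managing director"], ["customer invoices", "bank details"],
          depends_on=["Shared login account"],
          threats=[Threat("Spreadsheet link accidentally shared publicly", "possible", "major",
                          "bank details of clients exposed"),
                   Threat("File deleted or overwritten with no backup", "possible", "moderate",
                          "invoicing stops until records are rebuilt")]),
    Asset("Customer CRM (vendor-hosted)", "SaaS vendor", ["sales"], ["client contact data"],
          depends_on=["Cloud email (free tier)"], redundant=True,
          threats=[Threat("Vendor outage", "unlikely", "moderate", "sales team idle for a day")]),
    Asset("Staff personal laptops (BYOD)", "staff-owned", ["individual staff"], ["local copies of files"],
          threats=[Threat("Unencrypted laptop lost or stolen", "possible", "major",
                          "client files readable by whoever finds the device")]),
]


if __name__ == "__main__":
    print("Single points of failure:", single_points_of_failure(SAMPLE_ASSETS))
    for row in risk_register(SAMPLE_ASSETS):
        print(f"{row['rating']:6} {row['score']:2}  {row['asset']}: {row['threat']}")
```

Running the script prints the prioritised register with the free email account at the top, which matches the point above: the cheapest tools are often the ones everything else quietly depends on, so they deserve the first mitigation budget.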
What can happen to your business without one?
We’ve seen that not carrying out a risk assessment can leave your business non-compliant, but it can also damage your reputation. There are also transactional risks – your ability, or otherwise, to deliver your product or service.
And there are operational risks – anything that could disrupt your day-to-day business activities, including your staff’s ability to do their work. This varies depending on the type of work your company does.
ATG’s expert team is able to support you through the entire process of preparing for and carrying out a cyber security risk assessment.
We can help you identify business priorities, what you need to ensure business as usual, and crucially, enable you to spot and resolve vulnerabilities effectively.