Why Companies Need a Cyber Risk Assessment

For companies getting serious about cybersecurity, a typical first recommended step is to obtain a risk assessment. That’s good advice. A comprehensive risk assessment allows companies to take a hard look at their current cyber state. From there, they can identify their areas of strength and weakness, take steps to prioritize and remediate their vulnerabilities, and develop cybersecurity policies and procedures appropriately tailored to their specific ongoing needs and risks.

Without a doubt, companies with demonstrably sound risk-based cybersecurity practices have a leg up on their competition in today’s digital economy.

What does a cyber risk assessment cover?

A comprehensive cybersecurity risk assessment should enable the enterprise to: (a) identify cybersecurity risks to the company’s systems, assets, data, and capabilities; (b) implement steps to protect the enterprise and ensure continued operations; (c) develop the ability to detect a cybersecurity incident; and (d) implement appropriate steps to respond to a cyber event. 

Even the least technical business leader would likely appreciate that a risk assessment should evaluate the entity’s network security. But a comprehensive risk assessment also should address a variety of additional areas, including the following, that can impact the company’s overall cyber risk:

Third Party Risk Management

Third party entities with access to a company’s computer networks or protected information need to be appropriately vetted and managed to reduce the risk they pose to the company. Some of the highest-profile breaches of the past several years started with a third party vendor. Since today’s enterprises routinely entrust their information to, or provide network access to, large numbers of vendors and business partners, sound and robust policies, procedures and vetting mechanisms are vital to managing this substantial risk.

Supply chain risks

Companies need to have adequate procedures in place to guard against compromised software and hardware arising from their supply chain. Common supply chain concerns include counterfeit or compromised hardware and security vulnerabilities in third-party software. This risk continues to grow as companies become more connected, mobile and data dependent.

IT asset management  

IT assets — data, software, hardware, mobile devices, etc. — should be identified and inventoried throughout their entire lifecycle. Companies can’t appropriately protect information or hardware if they don’t know what they have and where it lives within the enterprise. 

Information Governance

The manner in which a company governs its information, from the time of creation or collection until the information’s ultimate disposition, has a direct bearing on the company’s cybersecurity risk. Companies should know what information they have and where it is stored. Information that serves no legitimate business, legal or regulatory purpose should be disposed of. Sensitive, confidential and protected information should receive an appropriate level of security.

Access controls

Access to enterprise information should be granted strictly on a need-to-know basis. Companies should have working processes to adjust an individual’s access rights whenever that individual’s job responsibilities change.

Identity Management

Companies should have procedures to authenticate the identity of individuals with access to enterprise data or networks. Additional protections, such as multi-factor authentication, may be appropriate for individuals having access to sensitive, confidential or protected information.

Data Privacy

All companies need to implement policies and procedures to ensure compliance with the patchwork of domestic and international laws and regulations concerning data privacy and protection. Failure to do so can result in regulatory fines, lawsuits and bad PR, even in the absence of a breach. 

Physical security and environmental controls  

Procedures to control physical access and environmental threats to enterprise information and networks are vital to every cybersecurity program. Fundamental practices around clean desk policies, shredding and locked doors may not be high tech, but they are necessary components of every company’s cyber defenses.  

Systems and network monitoring

Monitoring is invaluable because it allows companies to uncover and investigate unusual activity by employees or external actors and to detect intrusions, so that the damage from a security incident can be prevented or limited.

Human resources controls

Individuals with access to network information and information systems should be appropriately vetted based on their job responsibilities and the sensitivity of the data to which they will have access. Procedures should be implemented to revoke access when responsibilities change or employment is terminated. 

Training and awareness 

History shows that employees, whether negligent or noncompliant, continue to be the weakest link in enterprise cybersecurity. Employee training and awareness should be a foremost corporate priority to mitigate this persistent risk.  

Incident response planning and preparation 

All enterprises should have an incident response plan that is practiced and updated on a regular basis. A breach response team composed of the relevant stakeholders, including legal, compliance, IT, and HR, should be formed before a security incident occurs.

Business continuity and disaster recovery 

A company’s ability to take a cyber punch and keep going is a key indicator of its cybersecurity readiness. Since 100% cybersecurity is not possible, cyber resiliency is a critical component of an enterprise’s cyber risk profile.

Final Thoughts

Companies that understand their security risks and have implemented appropriate policies and procedures are best suited to survive and thrive in today’s digital world. All things being equal, clients, customers and business partners prefer to engage with entities that verifiably prioritize cyber risk mitigation.
Obtaining a risk assessment is a vital first step towards addressing cyber risks and achieving demonstrably sound cybersecurity.
