5 Common Mistakes Made with IT and Cyber Risk Assessments
Organisations must regularly conduct cyber risk assessments to test their preparedness for cyber threats and ensure they have the best possible remediation strategies.
But not all cyber risk assessments are created equal.
Why cyber risk assessments sometimes fail to deliver
A regular cyber risk assessment process usually boils down to just a few major steps:
#1 Identification of:
- Assets – Includes servers, sensitive data, contact information, users – anything that might derail the organisation if it were attacked or became inoperable.
- Threats – Natural disasters, human error, system issues, malicious attacks – anything that can cause an outage of operations and services.
- Vulnerabilities – Current weaknesses that are revealed through vulnerability repositories, security analysis, penetration tests, vulnerability scanners, and others.
#2 Analysis – Assessing the existing controls and how they fare against possible threats and vulnerabilities.
#3 Risk Assessment – Determining how likely it is for a specific incident to happen, and how much of an impact it would have with the current controls and strategies.
#4 Remediation – Prioritisation of identified security risks and determining adequate controls to mitigate risk for each.
There’s a notion that cyber risk assessments do not do much in terms of protecting the organisation against cyber threats, but in reality, the assessment isn’t the problem – it’s how it’s conducted.
Common Mistakes Made During IT and Cyber Risk Assessments
When the above steps are not taken correctly, major risks could go undetected. Usually, the mistakes that happen are:
#1 Going alone and not involving other teams
Nowadays, cybersecurity concerns everyone – from IT to the CSO, CISO, CTO, and all board members – because a security compromise has such a huge impact on the organisation. Therefore, everyone needs to collaborate during cyber risk assessments; otherwise, a huge chunk of data will be missing.
Check out our article on collaborating together here: https://www.boardish.io/unite-it-with-compliance-ciso-dpo-cio/
#2 Not quantifying impact effectively
The board can’t do much with terms like “low risk” and “high risk.” For them, the financial impact is the most important factor – knowing how much money they could lose (or save) in the long term.
Without quantifying impact, you can’t give them the full picture. When you can show them they would suffer multi-million losses after a data breach that’s identified as a high-risk threat, it will be much easier to secure $45,000 for threat mitigation!
#3 Too much focus on the perimeter
Organisations tend to test their perimeter against threats but forget all about internal security policies. Oftentimes, data loss and breaches happen due to a lack of access control inside the perimeter.
Internal security strategies covering how data is shared, who has access to sensitive documents, and what happens if those documents are accessed from BYOD devices must be part of the cyber risk assessment too.
#4 Ignoring weak spots: vendors and business partners
Many cyber risk assessments don’t look extensively outside the organisation, even though the organisation grants access to sensitive data to third parties, which are often the point of entry for security breaches.
Are you making sure your partners are taking care of their cybersecurity as much as you do? Have you fortified your defences or put mitigations in place in case they are breached?
#5 Relying solely on industry averages
While something might be considered low risk for your industry, your particular organisation might be at high risk because there are no good controls in place.
Risk assessments must always be conducted specifically for the company, using its own numbers, values, and implemented controls. That’s the only way to get quantifiable data that is relevant and specific to your organisation.
A proactive and collaborative approach towards cybersecurity
Keeping your organisation safe against security threats requires a more proactive approach than simply having a security strategy and security software in place. Cyber risk assessments, when done correctly, help identify weak spots and remediate them effectively.