With each passing year, cybersecurity threats grow more prevalent, advanced, and ominous for your business. IBM’s “2019 Cost of a Data Breach Report” details the costs that come from a data breach as a result of various cybersecurity risks. They are eye-opening:
- The United States sees the costliest cybersecurity events – an average total cost of $8.19 million
- Healthcare organizations for the 9th year in a row had the highest costs associated with data breaches – $6.45 million
- The average overall cost of a data breach amounted to $3.92 million.
- The average cost of lost business was $1.42 million due to a data breach
- The average size of a data breach event – 25,575 records
No security mechanism is 100% effective. Eventually, a breach can and will happen. However, your organization can prepare for various types of cybersecurity threats and attacks so as to limit the damage they cause. How? An extremely important part of overall cybersecurity planning is performing a cybersecurity risk assessment.
What is a cybersecurity risk assessment? Why is it important? Why should you perform one? What cybersecurity risk assessment frameworks are available? Let’s examine these and other questions to help secure your business.
What is a cybersecurity risk assessment?
There is a level of risk involved with using technology to carry out a wide range of critical business processes. Cyber threats exist in many different types and forms. These sources include attackers, malicious software, and even your own employees.
Never before has it been more important for your business to give proper attention to cybersecurity threats and how your business can protect itself against them.
A cybersecurity risk assessment helps to shed light on the specific risks to the technology systems and data that support the business-critical functions of your organization.
The purpose of the cybersecurity risk assessment is to create visibility to the cybersecurity risks to your organization, the vulnerabilities that exist in your environment, the likelihood of an attack, and the impact to your business of various cybersecurity events. An effective cybersecurity risk analysis will help to achieve the following:
- Identify relevant threats to your organization and where these threats originate from
- Determine the external and internal threats to your organization
- Analyze the impact of a specific threat materializing
- Key in on the likelihood that a specific threat or attack will be carried out against your organization or specific business-critical system
- Determine the level of risk against your organization involving a specific attack or vulnerability
The cybersecurity risk assessment is a proactive approach. It defines areas where your cyber defenses may be weak and need improvement. This is a much wiser approach than simply reacting to cyber attacks.
The cybersecurity risk assessment is a common recommendation of today’s compliance frameworks, such as those provided by the National Institute of Standards and Technology (NIST). As defined in NIST Special Publication 800-39, risk assessments are a fundamental component of overall security best practices, helping identify, prioritize, and prepare for the common risks to your organization’s technology infrastructure and data.
The importance of risk assessment in cybersecurity
The cost of a cybersecurity breach to your business should help justify a cybersecurity risk assessment. Are cybersecurity breaches costly? Yes, they are. Very costly in fact.
As we mentioned above, the average total cost of a data breach is $3.92 million. What does this cost include?
- Detection and escalation – activities that allow detecting a breach and reporting the breach to the appropriate personnel (forensic activities, assessment and audit services, crisis management activities, etc.)
- Notification costs – activities that allow organizations to carry out the appropriate notification activities such as regulatory and other communications.
- Post data breach response – processes put in place to help repair any damage caused by the breach (help desk activities, credit reporting/monitoring, legal expenditures, product discounts, fines, etc.)
The chance that your organization will experience a data breach within two years was 29.6 percent in 2019. This was up from 27.9 percent in 2018, and roughly 7 percent higher than in 2014.
Organizations that were able to respond effectively and quickly after a cybersecurity event had an incident response (IR) plan in place. An incident response plan comprises a set of processes and procedures that define how to recover from cybersecurity events like a data breach, ransomware infection, data loss, and other threats that may impact business continuity.
Creating an incident response plan is part of the overall cybersecurity planning process and a result of performing a cybersecurity risk assessment. Organizations that performed a cybersecurity risk assessment and then developed a well-tested incident response plan saw data breach costs that were $1.23 million less than organizations that either didn’t have an incident response plan or had one that wasn’t thoroughly tested.
Having an incident response plan, specifically one that is well-tested, allows organizations to both detect cybersecurity events and respond to them much more quickly. This results in significant cost savings for cybersecurity events.
Cybersecurity risk assessment with an effective Incident Response Plan lowers costs of cybersecurity events
Why perform a cyber risk assessment?
Performing a cybersecurity risk assessment translates into millions of dollars in cost savings in terms of cyber breach damage control. Aside from saving your organization money, there are many other benefits:
- It helps to prepare your organization for future attacks
- It helps to avoid data breaches
- It helps to ensure you meet regulatory requirements
- It helps your organization avoid downtime and data loss
Prepare your organization for future attacks
Cybersecurity threats are growing more numerous and sophisticated. New technologies that are used to fight cyberattacks such as artificial intelligence (AI) and machine learning (ML) are also used by the “bad guys” to wage cyberattacks against organizations today. So, cyber-attacks are becoming much more sophisticated.
With ever more sophisticated attacks, more complicated infrastructure layouts, and public cloud Software-as-a-Service environments in the mix, performing regular cybersecurity risk assessments provides an opportunity to reevaluate environments based on current risks.
Avoid data breaches
Organizations that correctly work through the cybersecurity risk assessment checklist to better secure their data greatly reduce the likelihood of a data breach in which sensitive records or personally identifiable information (PII) are leaked to the public.
Often, organizations that experience a widespread data leak or data breach have either failed to properly conduct a cybersecurity risk assessment altogether or have failed to remediate the vulnerabilities discovered in the risk assessment. A known security vulnerability that is not properly remediated may very well be the one vulnerability an attacker may use to compromise critical, sensitive data.
Meet regulatory requirements
Today’s regulatory requirements such as HIPAA, PCI-DSS, GDPR, and others are extremely important compliance regulations whose purpose is to protect customer data.
However, if you are found to be in violation of the guidelines they impose, it can lead to costly fines and other legal consequences. As an example, GDPR fines can amount to 20 million euros or 4% of the total global turnover of your business.
Making sure your organization is aligned with regulatory framework guidelines is a powerful benefit of performing a cybersecurity risk assessment and securing your data from breach and other cybersecurity events. In fact, most of the major compliance regulation frameworks require regularly performing risk assessments and other security related activities to keep customer data protected.
A cybersecurity risk assessment framework
Fortunately, you do not have to “reinvent the wheel” when it comes to defining security objectives and creating a core framework for securing your environment. In fact, cybersecurity is now recognized as a core feature of “critical infrastructure” by the United States government as well as other countries.
The Cybersecurity Enhancement Act of 2014 in the United States works with NIST to develop and facilitate cybersecurity risk frameworks. NIST has developed a core cybersecurity framework that provides a basic structure of the concepts and guidelines your organization can follow to:
- Determine your organization’s current cybersecurity posture
- Describe the improvements or target state that you want to achieve
- Identify and prioritize areas where improvements need to be made and can be analyzed in a repeated process
- Analyze and assess progress
- Provide effective communication both internally and externally about cybersecurity risks
The NIST Cybersecurity Framework Core provides a set of activities that allow you to achieve certain outcomes in the overall goal of a more secure environment. The Framework Core comprises five functions: Identify, Protect, Detect, Respond, and Recover.
The five functions in the NIST Framework Core allow your organization to improve its cybersecurity stance through basic activities: gathering information, assessing risk, addressing threats, and improving security based on what is learned from the process.
Let’s take a closer look at each area of the framework core and see how they benefit the overall cybersecurity posture of your organization.
In the “Identify” component of the cybersecurity framework, organizations are in the discovery and information gathering phase.
In this phase, your organization gathers the needed information required to have a better understanding of the current security posture, the specific risks that exist to the technical infrastructure, systems, applications, people, data, and other business-critical resources. This also includes inventorying all assets, physical and software-based.
Here, your organization will also identify compliance, governance, and legal requirements that should dictate any and all cybersecurity policies maintained. Additionally, your organization will also define several criteria such as the risk tolerances that will be maintained.
The risk assessment will rely on information discovered in this phase and dictate the steps of the incident response. The following areas will be given attention with the Identify phase:
- Asset Management
- Business Environment
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management
Included in the protect function are the safeguards needed to protect and secure critical infrastructure services. It includes many aspects related to both people and technology. In the protect function your organization will develop and establish the following safeguards for critical technology infrastructure:
- Develop access control and identity management systems that secure both physical and remote work environments
- Conduct employee security awareness training
- Formulate and put in place data security protection to maintain the confidentiality, integrity, and availability of information
- Implement information protection processes which would include backing up your business-critical data and systems
- Protect resources through maintenance activities such as patching
- Implement protective technologies to ensure the security and resilience of systems and assets
In this functional area of the cybersecurity framework, you are looking to prevent a cybersecurity event altogether or to limit and contain the impact of a potential cybersecurity event. For instance, if an attacker does compromise your defenses, how do you limit the exposure to sensitive data and systems?
For today’s complex environments, this would include protecting endpoints with endpoint security and limiting lateral network movements by an attacker with effective micro-segmentation of network traffic. Both of these can help to limit what an attacker can do on compromised systems.
The detect function allows your organization to quickly and effectively identify when a cybersecurity event has occurred. Discovering a cybersecurity breach or event in a timely manner is extremely difficult.
An attacker can very covertly infiltrate systems in such a way that their movements and access to critical systems are hard to detect and identify. In the 2019 Cost of a Data Breach Report, it was found that the average breach lifecycle was considerable. Take a note of the following statistics for 2019:
- The average time to identify a breach in 2019 was 206 days
- The average time to contain a breach was 73 days
- The total breach lifecycle amounted to 279 days
- 2019 breach lifecycle is up 4.9 percent from the 2018 total of 266 days
- Breaches with a lifecycle of 200 days or less were on average $1.22 million less costly than those of more than 200 days ($3.34 million vs. $4.56 million respectively), a difference of 37 percent
There is no question: the quicker your organization can identify a cybersecurity event, the less damage is done and the lower the costs.
The detect function of the NIST cybersecurity framework will facilitate the following:
- Effectively detect and identify anomalies and events, both on-premises and in the cloud and understand the risks and impacts of each
- Enable continuous monitoring of all events in the environment to quickly detect cybersecurity events and determine if defense solutions in place are effectively mitigating these
- Provide awareness of cybersecurity events so risk management can adapt to new or existing attack vectors
Once a cybersecurity event is detected, you want the response to the event to be swift and decisive. This would include remediating what led to the cybersecurity event, containing, and isolating the impact as much as possible.
Going back to the statistics mentioned earlier, the average time it took to contain a breach in 2019 was 73 days. As part of the cybersecurity breach lifecycle, monumental damage can take place in that amount of time. The response defined in the cybersecurity framework can make the difference in the damage done to both your systems and your reputation as a business.
The respond function of the framework should lead to the following:
- Appropriate actions are executed during and after the incident
- All appropriate information is communicated to business stakeholders, law enforcement, and customers as appropriate
- Analysis of the cybersecurity event is carried out including forensic and impact analysis
- The event is mitigated and remediated with all appropriate steps needed to prevent further expansion of the event and to ensure it is resolved
- Improvements and mitigations are implemented from lessons learned during the cybersecurity event to effectively improve the overall security stance moving forward
During the Recover function, your organization effectively deals with any damage or lingering effects of the cybersecurity event. This includes maintaining business continuity despite potential systems impairment and restoring any data or systems that may have been affected. During this phase, your organization will adhere to the recovery point objectives (RPO) and recovery time objectives (RTO) defined in the disaster recovery plan.
Activities involved during this function of the framework include:
- Implement your business continuity plan including restoration of technology resources
- Disaster recovery – restore backups of data and business-critical systems that may have been impacted
- Implement improvements and document lessons learned from the event
- Establish the appropriate communication with all affected by the recovery phase
Cyber Security Risk Assessment Methodology
So far, we have looked at what a cybersecurity risk assessment is exactly and why it is a valuable process for your organization to go through. We have also taken a look at the NIST cybersecurity framework which helps to create a structure for implementing cybersecurity measures in your environment.
But how do you actually perform a cybersecurity risk assessment? Below are the main steps of the cybersecurity risk assessment process:
- Identify all technology assets and data
- Identify the possible sources of threats
- Discover your organization’s vulnerabilities
- Define current cybersecurity measures and what needs to be improved
- Determine the potential impacts on your business of potential cybersecurity events
- Determine the risk posed to your business
- Document your findings
1. Identify all technology assets and data
To understand the risks in your environment from a cybersecurity event, you must first understand the technologies which can be targeted.
A detailed inventory of all technology assets allows your organization to analyze the risks to the technologies and what types of attacks or threat sources may pose the greatest risk to your environment.
Be sure to include not only the on-premises technologies, but also cloud technologies. This can include cloud Software-as-a-Service (SaaS) offerings like G Suite and Office 365.
It is important to also understand the layout of your data. Know where your data is stored, how it is stored, and how it is protected. Again, this must include data that resides in cloud environments including cloud storage.
While cloud service providers offer powerful technologies and data storage capabilities, they also escalate the risk of cybersecurity events. This is not because cloud environments are insecure by nature, but rather, is largely due to the fact that organizations do not fully understand how to properly secure cloud environments and often don’t have the right tools to do so.
2. Identify the possible sources of threats
Now that you have carefully identified the technology assets that are used in your organization, you can start to identify the possible sources of threats in your environment.
For most enterprises these are comprised of the following:
- External threats from attackers – Hackers these days are not only looking for vulnerable networks and servers exposed to the Internet but are also carrying out highly targeted attacks.
- Malware and specifically ransomware – Ransomware is arguably one of the most dangerous cybersecurity risks today. In a matter of minutes or hours depending on the amount of data, a ransomware attack can lock your organization completely out of business-critical data and systems. This can leave your business paralyzed from carrying out any activities. Ransomware attacks are on the rise and it is increasingly a tool that attackers are using to compromise your data and potentially even steal and leak it.
- Internal threats from your own employees – Internal threats are often overlooked and can be some of the most dangerous. Your own employees can cause cybersecurity events that lead to data loss, data leakage, and disrupt business continuity. An end user can accidentally or intentionally delete data. An unscrupulous administrator with high levels of access can cause tremendous damage to systems or even steal data if proper controls are not in place.
3. Discover your organization’s vulnerabilities
At this point you have performed a total inventory of your technology infrastructure and data. You have analyzed the possible risks to your environment. It is time to put the “theoretical” risks through real-world vulnerability testing. There may be vulnerabilities that you already know of in the environment. However, the purpose of vulnerability testing is not only to verify the risks you know of, but also to uncover those that may be unknown.
Many organizations may have an internal security group that can take care of vulnerability scanning and testing. However, for smaller organizations or those that may lack the security skills and expertise required to perform their own vulnerability testing, help may be needed.
In this case, there are third-party software solutions that provide automated vulnerability scanning including the following software solutions:
- Amazon Inspector
There are also third-party companies that provide penetration testing services. There can be tremendous benefit to having a third-party company outside of your organization perform penetration testing as they will approach penetrating your network, systems, and external servers as an attacker would.
What types of scans are performed during vulnerability testing? These include:
- Network-based scans – scans for open ports or accessible systems that are unintentionally exposed. This can include both wired and wireless networks.
- Host-based scans – These types of vulnerability scans are used to find vulnerabilities in both servers and workstations used in your organization. Servers and workstations can be scanned for open ports, services and unpatched systems.
- Application scans – These are typically used on websites that have externally facing web technologies in use. This may look for known software vulnerabilities and improperly configured web applications or web servers. Improper configurations may include default management configurations, credentials, or other known attack vectors.
- Database scans – These types of scans are specific to known database technologies that may be in use in the environment. These types of scans may look for SQL injection type vulnerabilities and other improperly configured database servers with ports or credentials exposed.
4. Define current cybersecurity measures and what needs improvement
Based on the results of the vulnerability testing and scans, your organization will no doubt gain visibility to known and unknown vulnerabilities and threats in the environment.
With this information, you can then go back and see if the discovered vulnerabilities can be mitigated with additional configuration from a security solution, host, or network standpoint.
An example of the types of questions that may come from the vulnerability testing might include:
- Is there a known vulnerability in current web-facing technologies? Can it successfully be mitigated with a patch? If there is no patch available, can services or other alternate configurations be put in place to mitigate?
- Additional open network ports and services are discovered on both external and internal servers. Are these needed? Can they be closed without any other dependencies?
- An application is found to be vulnerable to a known attack. Can the application be patched or mitigated to reduce the attack surface?
The vulnerability scan will bring to light many of these types of issues. No matter how great your current cybersecurity measures are, a thorough vulnerability scan will no doubt show an area where improvement is needed in your cybersecurity stance.
5. Determine the potential impacts to your business of potential cybersecurity events
There are varying degrees of cybersecurity events that your cybersecurity risk assessment methodology should take into account.
Obviously, there will be different degrees of impact to your business based on the type of cybersecurity event. Let’s take a look at a potential list of cybersecurity events that will illustrate what we are talking about.
- An end user’s workstation is infected by a “Potentially Unwanted App (PUP)”
- A low-level employee’s password is compromised
- An end user becomes a victim of a phishing attack and their workstation may be compromised
- An administrator’s account is hacked
- Your entire data set is encrypted by a variant of ransomware
As you can see, all of these events are cybersecurity breaches in some form or fashion. However, as you work your way down the list, the impact to your business becomes much more severe.
As you work your way through the various risks and vulnerabilities found, you need to rank each cybersecurity event based on its potential impact to your business. The high-impact vulnerabilities, if they are exploited, will be the first vulnerabilities that need to be addressed and remediated.
6. Determine the risk posed to your business
Even though a particular vulnerability if exploited may have a large impact on your business, what is the likelihood that it will be exploited? Certain industries and different types of businesses may have different types of risks when compared to others.
As an example, a national government’s network infrastructure would more likely suffer from a “nation-state” attack than a retail business. Various industries can be targeted differently than others based on the type of data they may possess, their infrastructure, security capabilities, and what can be gained from an attack.
A simple formula of overall risk would be the following:
- (Odds of a particular risk happening) X (the impact it poses to your business)
7. Document your findings
Once your organization has gone through the steps of the risk assessment listed above, you should be ready to put all of it in writing, documenting all findings throughout the process into a cybersecurity risk assessment report. The cybersecurity risk assessment report will include the following:
- Inventory of all business-critical systems and data
- The sources of threats that will be most likely to impact your business
- The results of a vulnerability scan across your environment
- Where the current cybersecurity strategy meets the organization’s needs and where improvements need to be made
- An impact analysis – Examines the most likely cybersecurity events ranked to determine their impact to your business
- A risk analysis examining the most likely threats and the impact to your business
Once the information has been aggregated into an official report, the report should be shared with management and appropriate business stakeholders. From the cybersecurity risk assessment, your organization should be in a position to create action items to work on improving the overall security posture.
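The impact ranking and the likelihood × impact formula from steps 5 and 6, worked into a small risk register that also checks findings against the step 1 inventory. This is an added example, not part of the original article. The five events are the ones listed in step 5; the 1-5 scales, score bands, tolerance value, asset names and every score are constructed assumptions.

```python
from dataclasses import dataclass

# Assumptions of this example: the article gives risk = likelihood x impact
# but fixes no scale, so both inputs use a 1-5 ordinal scale here.
SCALE = range(1, 6)
BANDS = ((15, "high"), (8, "medium"), (1, "low"))  # assumed score floors


@dataclass(frozen=True)
class Finding:
    asset: str       # step 1: item from the asset inventory
    event: str       # steps 2-3: the cybersecurity event being assessed
    likelihood: int  # step 6: 1 = rare ... 5 = almost certain
    impact: int      # step 5: 1 = negligible ... 5 = business-stopping

    def __post_init__(self):
        # Reject out-of-scale input so one bad entry cannot skew the ranking.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if isinstance(value, bool) or not isinstance(value, int) \
                    or value not in SCALE:
                raise ValueError(f"{name} must be an integer 1-5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        return next(name for floor, name in BANDS if self.score >= floor)


def rank(findings):
    """Highest risk first; on equal scores the higher-impact event wins."""
    return sorted(findings, key=lambda f: (-f.score, -f.impact, f.asset))


def over_tolerance(findings, tolerance):
    """Findings whose score exceeds the organization's risk tolerance."""
    return [f for f in rank(findings) if f.score > tolerance]


def unassessed(inventory, findings):
    """Inventory assets with no finding recorded: a gap in the assessment."""
    covered = {f.asset for f in findings}
    return [asset for asset in inventory if asset not in covered]


def unknown_assets(inventory, findings):
    """Assets named in findings but missing from the inventory."""
    return sorted({f.asset for f in findings} - set(inventory))


def report(inventory, findings, tolerance):
    """Plain-text risk section for the step 7 assessment report."""
    lines = [f"{'score':>5}  {'band':<6}  {'asset':<18}  event"]
    for f in rank(findings):
        flag = " *" if f.score > tolerance else ""
        lines.append(
            f"{f.score:>5}  {f.band:<6}  {f.asset:<18}  {f.event}{flag}")
    lines.append(f"* exceeds risk tolerance of {tolerance}")
    lines += [f"not assessed: {a}" for a in unassessed(inventory, findings)]
    lines += [f"not in inventory: {a}"
              for a in unknown_assets(inventory, findings)]
    return "\n".join(lines)


# Constructed sample data (asset names and scores are illustrative only).
INVENTORY = ["file server", "Office 365 tenant", "admin workstation",
             "HR laptop fleet", "public website"]
FINDINGS = [
    Finding("HR laptop fleet", "Potentially unwanted app on a workstation", 4, 1),
    Finding("Office 365 tenant", "Low-level employee's password compromised", 5, 2),
    Finding("HR laptop fleet", "Phishing victim's workstation compromised", 3, 3),
    Finding("admin workstation", "Administrator's account hacked", 2, 5),
    Finding("file server", "Entire data set encrypted by ransomware", 3, 5),
]

if __name__ == "__main__":
    print(report(INVENTORY, FINDINGS, tolerance=9))
```

The administrator and password findings both score 10, and the tie-break puts the higher-impact one first, which matches the article's advice to address high-impact vulnerabilities first.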
Cybersecurity risk assessment tools
When conducting a risk assessment in your organization, there are many tools that can be effective. Additionally, these tools can provide automation of the cybersecurity risk assessment that allows the assessment to be carried out continually, rather than a point-in-time assessment. Let’s briefly look at the following cybersecurity risk assessment tools:
- Vulnerability assessment platforms
- Vendor tools
- Configuration management solutions
- Penetration testing tools
- Security ratings
- Cloud cybersecurity tools
1. Vulnerability assessment platform
Vulnerability assessment platforms provide the ability to perform continuous vulnerability scans on your environment. These types of tools can allow you to look for vulnerabilities in real-time.
These types of tools can be housed on-premises or in the cloud to effectively scan your environment for the latest threats known by the tool. New vulnerabilities are pulled down automatically by the assessment platform. In this way, the assessments stay up-to-date.
2. Vendor tools
Most hardware and software vendors provide their own tools to scan and assess potential vulnerabilities in their solutions. For organizations that may be working on a tight budget, these types of tools can be a great way to do vulnerability scanning in a cost-effective way.
3. Configuration management solutions
Configuration management solutions provide a way to constantly scan an environment and apply the desired state to both hosts and applications.
If an insecure configuration is applied or manually configured on a server, client, or in an application, the configuration management solution will automatically remediate the target to apply the desired “secure” state of the server, client, or application. This makes sure the recommended security settings and configurations are constantly kept in check and there is no “configuration drift”.
4. Penetration testing tools
We mentioned penetration testing earlier when considering the ways that vulnerabilities can be discovered as part of your cybersecurity risk assessment. During penetration testing, a “red team” group will generally attempt to penetrate the cybersecurity defenses in a way to discover vulnerabilities.
Penetration testing can be carried out by so-called “white hat” hackers that use their talents to help companies discover ways they may be vulnerable. However, there are powerful software packages and automated services that can help provide tools to perform automated penetration testing.
These tools attempt to find vulnerabilities, open ports, services, and other means that are commonly used to compromise your cybersecurity defenses.
5. Security Ratings
Security ratings are a dynamic, data-driven measure of an organization’s security posture. They are generally created by a trusted third-party security rating platform. They provide a quantitative measure of risks in the same way that a credit score provides an overall view of your credit.
The higher your security rating, the better your overall security posture. Many organizations today are using security ratings as an effective security tool to better understand their overall security risks.
6. Cloud cybersecurity risk assessment tools
As more business-critical services and data are moved into cloud environments like G Suite and Office 365, attackers are turning their attention to these environments as targets for new types of attacks.
Organizations today must use an effective cloud cybersecurity solution such as offered by SpinOne. SpinOne provides a suite of products that allows securing, protecting, and auditing cloud environments such as G Suite and Office 365.
These include the following:
- SpinBackup – automated, secured, backups of your G Suite and Office 365 environment
- SpinSecurity – Automated AI-powered ransomware protection and cybersecurity features for the cloud
- SpinAudit – Automated audits of third-party apps and browser plugins, 24/7 monitoring, security policies, and the ability to blacklist apps or extensions
When it comes to a cybersecurity risk assessment of third-party apps that may have access to your data, SpinAudit provides the ability to assess third-party apps based on a database of behavior metrics that is driven by artificial intelligence.
If an app’s behavior is deemed risky, SpinAudit can effectively block access to your data from risky applications and even prevent them from being installed. SpinOne’s solution can also detail exactly which data is shared both internally and externally. This helps to ensure that administrators have visibility of data leak risks in the environment.
Putting it all together
By conducting an effective cybersecurity risk assessment, your organization will be much better prepared to face the threats that lie in the future for your business-critical infrastructure.
Improving your organization’s security posture is a continuous effort that requires diligence, the right tools, and a cybersecurity framework that helps guide you along the way. By using effective guidelines and tools in your environment, your organization can face both the security challenges of today and those of tomorrow confidently.