Security Risk Assessments: Find and Mitigate Risks Before a Breach in 5 Steps
Risk assessments are an important part of any cyber security program. A risk assessment provides in-depth insight into how effectively an organisation is protecting its network, systems, and data, taking into consideration the organisation’s vulnerabilities and exposures. A risk assessment generally includes a review and analysis of an organisation’s information security strategy, including policies and procedures relating to network security, information security, and privacy.
A risk assessment can also include a review of the organisation’s IT infrastructure, including security and operational controls. The output of this process should be a comprehensive report, outlining what policies, procedures, and controls are needed to further mitigate cyber risks to key assets, together with a prioritised list of actions that the organisation can take to strengthen its overall cyber security posture.
Step 1: Strategic cyber security planning
A risk assessment should begin by ensuring that the organisation has a clearly established cyber security strategy—identifying assets that must be protected, likely (and less likely) risks to those assets, and appropriate measures for protecting those assets. Simplicity is key when formulating a cyber security strategy, especially for smaller entities with limited resources and technical expertise. During a risk assessment, cyber security professionals will evaluate different aspects of an organisation’s cyber security strategy. Although no single standard exists for formulating a strategy, a framework initially developed by the US National Institute of Standards and Technology (NIST)1 has come into global use, including through the UK Minimum Cyber Security Standard. This framework can be used to help ensure that there are no significant gaps or omissions by evaluating cyber security in five functional areas: Identify, Protect, Detect, Respond, and Recover. In evaluating an organisation’s cyber security strategy, an assessor may ask:
- Does the organisation have a strategy for tracking its data and IT assets, and for identifying risks to them?
- Does the organisation have a strategy for protecting its data and IT assets?
- Does the organisation have a strategy for detecting attacks against its data and IT assets?
- Does the organisation have a strategy for responding when a cyber incident occurs?
- Does the organisation have a strategy for restoring operations if its data or IT assets are lost or damaged?
Each of the above functional areas (or their equivalent, if using a different standard) should be covered by an organisation’s cyber security strategy. Cyber insurance is often an important part of an organisation’s cyber security strategy, particularly with respect to response and recovery. When a cyber incident occurs, many insurers provide more than a financial backstop; they can provide ready access to vetted and experienced legal and digital forensic professionals who could otherwise be difficult to find and more costly to retain.
Step 2: Identify key infrastructure, data, and applications
A major part of the risk assessment process involves identifying existing systems and current infrastructure, data, and applications. One of the first steps may be mapping out the network. A network diagram can help to clarify the boundaries and interconnection points within an organisation’s computing environment. Once an organisation’s network has been mapped and a network diagram provided to an assessor, they may want to compare it with an inventory of network assets. This would include physical hardware, such as data centre equipment, networking appliances, and endpoints. For this reason, the inventory should be as current as possible and should include the manufacturer, model, operating system version, and other relevant information.

Having an application inventory, including network protocols and databases, is critical too. In many cases, it may make sense to compile two inventories. The first should list applications that are non-critical for the business: while these applications are very useful tools, employees can easily work around a temporary outage. The second should list the applications that are critical to the business, so that focus areas can be ascertained.

Finally, it is necessary to identify the security controls, including both hardware and applications, that are being used in the environment. This information must be assessed to determine whether controls appropriate to the perceived risk are in place. For example, is a firewall protecting the organisation from external threats? Is the network segmented and layered, with traffic between layers being controlled? There are parallels between physical security and cyber security. For instance, in order to protect the interior of a building, it is necessary to identify and protect points of ingress and egress. The same is true when protecting a computer network.
One must understand the flow of traffic into and out of the network, whether through the Internet, or even through the movement of a laptop computer or other mobile device between the workplace and home. Just as visitors and employees must go through security checkpoints when entering a building, data should go through security checkpoints as well. Firewalls, endpoint protection software, and data loss prevention systems can help prevent malicious data from entering a network and help prevent valuable data from being stolen from a network. Identifying critical systems, data, applications, and security controls is an important part of a thorough assessment.
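The comparison of network diagram against asset inventory described above can be automated as a simple reconciliation: hosts that appear on the diagram but not in the inventory are unknown devices that need investigating, inventory entries that appear nowhere on the diagram suggest the diagram is stale, and records missing the manufacturer, model, or operating system version cannot be assessed for patch level. The following is an added example written for this article, not code from the original; every hostname, vendor name, model, and version in it is constructed sample data.

```python
"""Reconcile a network diagram's host list against an asset inventory.

Added illustration for Step 2 of the risk assessment; not part of the
original article. All hostnames, manufacturers, models and OS versions
below are constructed sample data.
"""
from dataclasses import dataclass

# Fields the article says every inventory record should carry.
REQUIRED_FIELDS = ("manufacturer", "model", "os_version")


@dataclass
class Asset:
    hostname: str
    manufacturer: str = ""
    model: str = ""
    os_version: str = ""


def missing_fields(asset: Asset) -> list[str]:
    """Return the names of required fields left blank on this record."""
    return [f for f in REQUIRED_FIELDS if not getattr(asset, f)]


def reconcile(diagram_hosts: list[str], inventory: list[Asset]):
    """Compare diagram hosts with inventory records.

    Returns (unknown_hosts, undocumented_assets, incomplete_records):
      unknown_hosts      - on the diagram but with no inventory record
      undocumented_assets- inventoried but absent from the diagram
      incomplete_records - inventory records missing required fields
    Hostnames are compared case-insensitively.
    """
    inv = {a.hostname.lower(): a for a in inventory}
    diagram = {h.lower() for h in diagram_hosts}
    unknown = sorted(diagram - inv.keys())
    undocumented = sorted(inv.keys() - diagram)
    incomplete = {h: missing_fields(a) for h, a in sorted(inv.items())
                  if missing_fields(a)}
    return unknown, undocumented, incomplete


# Constructed sample data: a diagram with one host nobody inventoried
# (a wireless access point), an inventory with one server that has
# fallen off the diagram, and one switch with no recorded OS version.
DIAGRAM_HOSTS = ["fw-edge-01", "sw-core-01", "srv-file-01", "srv-db-01", "wap-floor2"]
INVENTORY = [
    Asset("fw-edge-01", "ExampleVendor", "FW-100", "7.2"),
    Asset("sw-core-01", "ExampleVendor", "SW-48", ""),
    Asset("srv-file-01", "ExampleVendor", "R1", "Windows Server 2019"),
    Asset("srv-db-01", "ExampleVendor", "R1", "Ubuntu 22.04"),
    Asset("srv-legacy-01", "ExampleVendor", "R0", "Windows Server 2008"),
]

if __name__ == "__main__":
    unknown, undocumented, incomplete = reconcile(DIAGRAM_HOSTS, INVENTORY)
    print("On diagram, not inventoried:", unknown)
    print("Inventoried, not on diagram:", undocumented)
    print("Incomplete inventory records:", incomplete)
```

Each of the three result lists is an assessment finding in its own right: an unknown host is an asset whose controls cannot have been evaluated, a host missing from the diagram means the documented network boundary is wrong, and an incomplete record blocks the patch-level review that Step 2 depends on.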
Step 3: Plans, policies, and procedures
As in every other aspect of business, documentation is an important part of information security. Plans, policies, and procedures establish a framework that helps to ensure consistency. They also inform employees of what rules apply and what behaviour is expected. Most organisations have some contingency plans in place, such as a disaster recovery plan, but may fall short if they do not also include incident response or business continuity plans. In reviewing these materials, assessors often look for a “waterfall” effect: plans should flow into policies, policies should flow into procedures, and procedures should flow into forms, checklists, and other basic controls. All of these documents combined should make clear how IT and cyber security related operations, deployments, and configurations should be conducted. Examples of typical plans, policies, and procedures include:
Plans:
- Business continuity plan
- Disaster recovery plan
- Incident response plan
Policies:
- Acceptable use policy
- Backup policy
- Data retention policy
- Electronic communications policy
- Password policy
- Guest/visitor access and technology use policy
- Vendor access policy
- Remote access policy
- BYOD access policy
- Personally identifiable information policy
- Wireless communication policy
Procedures:
- New hire/exit procedure
- Emergency operating procedure
- Remote access procedure
- Vendor access procedure
- Guest/visitor access procedure
- Incident management procedure
- New computer/server build procedure
The content and degree of formality of these plans, policies, and procedures will depend on the size and sophistication of an organisation. An organisation need not have all of these; they are examples, and different types of plans, policies, and procedures will be applicable to different types of organisations. Finally, having plans, policies, and procedures is not enough; adherence is the real key to success, and organisations should be prepared to demonstrate during a risk assessment that they are adhering to their own plans, policies, and procedures.
Step 4: Regulatory and standards review
Another important part of a thorough risk assessment is reviewing the standards and regulations that specifically pertain to an organisation based on factors such as industry, location, and organisational structure (public or private). Standards are mostly voluntary guidelines that have been developed for an industry, technology, or process. They exist to help promote best practices for specific industries and technologies, helping organisations set operational baselines and meet minimum requirements. Regulations, on the other hand, are not voluntary; they are mandated by law. The laws were usually created to ensure that specific industries and types of information, especially personal and sensitive information of individuals, are properly protected. Applicable regulations may come not only from the jurisdiction where a business is domiciled, but also from any jurisdiction in which the organisation does business. As such, businesses need to be concerned not only with the EU General Data Protection Regulation of 2016 (implemented in the UK pursuant to the Data Protection Act of 2018), but also with foreign regulation. In the United States in particular, this can be more complicated, as both federal laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act of 1999 (GLBA), and various state laws will apply.
The landscape of standards and regulations is complicated, and during the risk assessment, assessors should work with an organisation to identify which standards and regulations are applicable to its situation. Assessors should also help map the organisation’s current policies, processes, and controls to the specific regulations and standards it should be following. In some cases, especially with smaller organisations, gaps may leave an organisation vulnerable not only to the possibility of being breached, but also to being out of compliance. Often these gaps are not intentional but result from the complexity of the different standards and regulations. Conducting periodic risk assessments can significantly reduce the likelihood that an organisation will suffer the embarrassing and potentially costly consequences of non-compliance.
Step 5: Reporting
The end product of any risk assessment should be a final report. In this phase, all of the information that was collected should be summarised and used to help categorise and quantify the possible risks found. The report should outline what methodology was used and how the risks were categorised and scored. Usually, the report identifies what systems and/or processes were in scope, and it attempts to show the threats, vulnerabilities, and controls currently being applied to them.
The report should include a high-level executive summary that sets forth the core findings for the management team, helping them understand the risk exposure specific to their organisation. At a deeper level, the report should include a more in-depth technical review that identifies and scores the impact and likelihood of possible risks, as well as a ranking of risks associated with internal processes, policies, and procedures that is coupled to specific standards and regulatory compliance gaps. Finally, a risk determination based on these many factors and the methodology should rank the overall potential risks so that the organisation can use the findings and recommendations as part of its mitigation strategy.
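The scoring and ranking the report is expected to contain can be kept transparent by writing the methodology down as code: each finding carries a likelihood and an impact on a stated scale, the two combine into a score, the score maps to a rating band, and each finding is linked to the standards or regulations its gap affects so that the compliance view in the report is derived from the same register as the technical ranking. The following is an added example written for this article, not code from the original; the 5x5 scale, the band thresholds, the tie-break rule, and all the sample findings and compliance references are constructed assumptions, and an assessor would substitute the methodology the report actually states.

```python
"""Score, band and rank a risk register for the Step 5 report.

Added illustration, not part of the original article. The 1-5 scale,
band thresholds, tie-break rule and every finding in REGISTER are
constructed assumptions; the compliance references are labels only.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = very low ... 5 = very high (assumed scale)

# (minimum score, band name), checked from the top down.
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    likelihood: int
    impact: int
    compliance_refs: tuple = ()  # standards/regulations this gap affects


def score(risk: Risk) -> int:
    """Likelihood x impact on the assumed 5x5 matrix; rejects off-scale input."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.ref}: likelihood and impact must be 1-5")
    return risk.likelihood * risk.impact


def band(value: int) -> str:
    """Map a numeric score to its rating band."""
    for threshold, name in BANDS:
        if value >= threshold:
            return name
    raise ValueError(f"score {value} is below the scale")


def rank(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so a severe-but-rare
    risk is not buried beneath a frequent nuisance, then by ref."""
    return sorted(register, key=lambda r: (-score(r), -r.impact, r.ref))


def compliance_gaps(register: list[Risk]) -> dict[str, list[str]]:
    """Invert the register: each standard/regulation -> the findings that leave it unmet."""
    gaps: dict[str, list[str]] = {}
    for r in register:
        for ref in r.compliance_refs:
            gaps.setdefault(ref, []).append(r.ref)
    return {k: sorted(v) for k, v in sorted(gaps.items())}


def report_rows(register: list[Risk]) -> list[tuple]:
    """Rows for the technical section: (ref, score, band, description), ranked."""
    return [(r.ref, score(r), band(score(r)), r.description) for r in rank(register)]


# Constructed sample findings; the compliance strings are illustrative labels.
REGISTER = [
    Risk("R-01", "File server backups never test-restored", 3, 5, ("Framework: Recover",)),
    Risk("R-02", "Shared administrator password on core switch", 4, 4, ("Framework: Protect",)),
    Risk("R-03", "No written incident response plan", 3, 4, ("GDPR: breach notification", "Framework: Respond")),
    Risk("R-04", "Guest Wi-Fi not segmented from office LAN", 5, 3, ("Framework: Protect",)),
    Risk("R-05", "Visitor log not kept up to date", 2, 1, ()),
]

if __name__ == "__main__":
    for ref, s, b, desc in report_rows(REGISTER):
        print(f"{ref}  {s:>2}  {b:<8} {desc}")
    for standard, refs in compliance_gaps(REGISTER).items():
        print(f"{standard}: {', '.join(refs)}")
```

Because the report must state how risks were categorised and scored, the constants at the top of the register are the methodology: changing a band threshold or the tie-break rule changes the ranking, and the report should say so rather than present the ordering as self-evident.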
Conclusion
Risk assessments are an important exercise that organisations large and small should endeavour to conduct on a regular basis. Not only do they show a commitment to cyber security and to protecting customer and employee personal information, they also show regulators and auditors that the management team, IT group, and other employees are concerned with and focused on protecting valuable systems and data. Conducting regular assessments also helps identify the largest risks facing an organisation and provides a path to follow when deciding which risks to address first on the basis of their likelihood and severity of impact. When the results of the assessment are disseminated appropriately, they can help relevant stakeholders understand potential exposures and how their specific teams may be able to help minimise those exposures. Finally, after a few risk assessments have been conducted, the findings should show a clear improvement path that demonstrates an organisation’s commitment to cyber security. They can also be used to help formulate strategic investments that make an organisation safer and more resilient overall. Risk assessments are an invaluable service that can help organisations survive in an ever-changing cyber threat and regulatory landscape.
Sources
1 https://www.nist.gov/cyberframework/online-learning/five-functions
https://www.gov.uk/government/publications/the-minimum-cyber-security-standard