Last updated: 25.10.17

Cyber Security Risk Assessment

For small and large businesses alike, the potential price of cyber-crime continues to rise, which is why it’s hugely important that all companies take the necessary steps to mitigate any incidents. Though it used to be the case that minor precautions could be taken to prevent any serious incidents, it’s become essential for businesses to have a sound strategy in place. Part of this will be conducting a cyber security risk assessment, which forms the basis of any security plan. In this article, we’re going to discuss what one is, what they aim to guard against, and how you can go about implementing one.

In addition to the resources in this article, Virtual College also offers a variety of courses to help businesses protect themselves and their customers, such as our Data Protection in the Workplace Course. Click here to find out more.

What is Cyber Security Risk Assessment?

Risk assessments are a very well-known component of business operations, but traditionally they have been in relation to health and safety or even financial outlook. Most people are familiar with how a fire safety risk assessment might be carried out, and the basic principles for cyber security risk assessment are very much the same. It is your responsibility to identify the risks that your business faces in terms of information security, which will in turn allow you to take steps to reduce the likelihood of incidents. This can have numerous benefits, from reducing the likelihood of direct financial loss, to legal issues and more.

A cyber security risk assessment will generally begin with identification of all of a business’ IT assets. This will include hardware such as laptops and desktop computers, data such as customer information, accounts and email logins, and software such as accounting databases. Once these have been identified, it is time to find out how these assets could potentially be compromised, what this might mean for the business, and ultimately how these risks can be mitigated.

What is an Information Security Risk?

There are many things that could potentially constitute an information security risk, and they will vary significantly from business to business. Generally however, risks refer to any potential opportunities for the following incidents to occur:

  • Unauthorised access - This means someone gaining access to hardware, software or data when they should not have those privileges. This could be accidental, such as the wrong permissions being given, to more malicious activity where a criminal attempts forced entry.
  • Unauthorised use - More serious than merely access, something is a serious information security risk if it might allow someone to use hardware, software or information maliciously. They may attempt to steal information or money, or they may damage hardware or data which in turn damages the business.
  • Unauthorised modification - A fairly simple one that even home users will be familiar with - anything that may make it more likely for software that installs itself on a system is an information security risk.
  • Service disruption - Cyber criminals don’t necessarily need to gain access to your IT assets to cause issues. Attacks such as DOS (denial of service) aim to overload systems to the point that they cannot handle normal requests. If this happened to an eCommerce business for instance, this could cause serious financial harm.

How Do You do Risk Assessment for Cyber Security?

The process of undertaking a risk assessment on your business’ information security will vary based upon the size of the business, and indeed its exposure to potential threats, and we’ve already discussed the core principles. Below are some of the primary pieces of information, or questions that you need to ask in any risk assessment that you conduct:

  • What assets does the business have that need to be risk assessed?
  • Who is relevant to this risk assessment? Who has access to which IT assets?
  • What could happen if someone gained unauthorised access? What could they potentially do with this access?
  • When is this risk likely? Could it happen at any time?
  • What can you do to reduce this risk? Do you need to continually review this risk?
  • How effective have previous measures been at reducing this risk?

It may be very useful in the first instance to undertake a course to fully understand cyber security if you are not completely familiar, as this will help you answer the above questions and formulate your assessment. Our Introduction to Cyber Security course may be very useful for individuals and teams who are looking to build on their knowledge and learn how to keep their business safe.

Beyond this, there are also many resources available to help business owners, and those responsible for cyber security, to implement a sound risk assessment. As it is in the interests of the government, there are initiatives such as Cyber Security Essentials which cover many of the core points that should be looked at under any risk assessment. Similarly, there are standards such as ISO 27001 which detail exactly what is expected. Finally, you can also seek the help of third party IT security companies to either help you conduct your own risk assessment, or do it on your behalf.

Related resources