• Daniel McDermott

    Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.


Have you assessed your level of cyber risk?

A cyber risk assessment is a crucial part of any company or organisation’s risk management strategy. With the increasing digitisation of our business environment, company risks now include major cyber threats that have the potential to put an unprepared organisation out of business entirely. The key to thriving in this digital landscape is preparation, which is why having a comprehensive cyber risk assessment is absolutely critical for any company’s long-term survival.

What is a cyber risk assessment? Why is it important?

A cyber risk assessment identifies, estimates, prioritises and documents any potential risks to your organisation. This includes any hardware, software, people, services, processes or assets your organisation uses.

The main purpose of a cyber risk assessment is to help decision-makers understand and support the proper responses to those risks. There are a number of reasons you might want to conduct a cyber risk assessment—and a few other reasons why you need to.

Why you should do a cyber risk assessment

  1. To identify and rectify critical security gaps. Identifying critical skill shortages and security vulnerabilities is absolutely crucial. A thorough analysis will help you triage and prioritise your key security gaps, helping you focus on the measures that will deliver the biggest security improvements.

  2. To build a company-wide cybersecurity policy. A cyber assessment will inform your day-to-day cybersecurity practices and build your resilience to security incidents. A thorough cyber risk analysis can improve your security implementation and point out which areas to focus on for business continuity in case of an incident.

  3. To reduce long-term business costs. Identifying potential threats and planning accordingly can limit and prevent security incidents, which protects your organisation from the potentially massive business costs of breaches, along with associated legal and crisis management costs. Cyber risk assessments should be part of any wider risk management practices your organisation follows.

Why you need to do a cyber risk assessment

  1. To get cyber insurance. As we’ve discussed earlier, cyber insurance has never been more critical. A single cyber incident has the potential to put your organisation out of business permanently. If you’re in the market for cyber insurance, you’ll need to perform a cyber risk analysis before you can shop for an insurance policy.

  2. To meet legal and compliance obligations. Regulated industries often have strict compliance requirements, as well as a legal obligation to perform a cyber risk assessment. Healthcare, government, legal and financial services often come with baseline requirements for cyber risk management. The ACSC offers a cybersecurity risk management framework that can come in handy when assessing your cyber risk profile.


How to conduct a cyber risk assessment

Before you do anything to start actually assessing risk, your first step should be a data audit, which identifies what data your company is storing and its value. Next, you need to plan the scope of the assessment and the people who will be involved.

The idea is to get a sense of what you’ll be analysing, who’ll be consulted during the analysis, and whether there are any regulatory or budgetary constraints that need to be accounted for. Now let’s look at the specific steps to take to conduct the cyber risk analysis:

  1. Identify threat sources and events

  2. Identify vulnerabilities and how they may be exploited

  3. Estimate the likelihood of these threats occurring

  4. Evaluate the potential impact if they do occur

  5. Determine the degree of risk involved

  6. Rank the risks in order of priority

  7. Prioritise actions and responses to critical risks
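To make steps 3 to 7 concrete, here is an added worked example of a small risk register; it is not from the original article or from any framework the article cites. The 1–5 likelihood and impact scales, the rating bands and the sample risks are all constructed assumptions, chosen to show how an estimated likelihood and impact combine into a degree of risk, how the register is ranked, and how a threshold selects which risks get a response first.

```python
"""Risk register scoring for steps 3-7 of a cyber risk assessment.

Added illustration, not code from the original article. The scales, bands and
sample entries are assumptions; replace them with your organisation's own.
"""
from dataclasses import dataclass

# Steps 3 and 4: qualitative scales for likelihood and impact (assumed 1-5 scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Bands used to label the numeric score, lowest threshold last (assumed cut-offs).
RATING_BANDS = [("critical", 15), ("high", 8), ("medium", 4), ("low", 1)]
RATING_ORDER = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Risk:
    threat: str          # step 1: the threat source or event
    vulnerability: str   # step 2: the weakness it would exploit
    likelihood: str      # step 3: a key of LIKELIHOOD
    impact: str          # step 4: a key of IMPACT

    def __post_init__(self):
        # Reject entries that use a level outside the agreed scales.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood level: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact level: {self.impact!r}")

    def score(self) -> int:
        # Step 5: degree of risk as likelihood multiplied by impact (1..25).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        # Step 5 (continued): map the score onto a named band.
        for name, threshold in RATING_BANDS:
            if self.score() >= threshold:
                return name
        return "low"


def rank_risks(risks):
    """Step 6: highest score first; ties broken by impact, then by threat name."""
    return sorted(risks, key=lambda r: (-r.score(), -IMPACT[r.impact], r.threat))


def response_plan(risks, threshold="high"):
    """Step 7: the ranked subset rated at or above `threshold`, i.e. what gets actioned first."""
    floor = RATING_ORDER.index(threshold)
    return [r for r in rank_risks(risks) if RATING_ORDER.index(r.rating()) >= floor]


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("Phishing leading to credential theft", "No MFA on email accounts", "likely", "major"),
    Risk("Ransomware via unpatched VPN appliance", "Patch backlog on edge devices", "possible", "severe"),
    Risk("Lost or stolen laptop", "No full-disk encryption", "possible", "moderate"),
    Risk("Website defacement", "Outdated CMS plugin", "unlikely", "minor"),
    Risk("Flooding of the single data centre", "No secondary site", "rare", "major"),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.score():>2} {r.rating():<8} {r.threat}")
    print("Action first:", [r.threat for r in response_plan(SAMPLE_REGISTER)])
```

Running the block prints the register ranked from a score of 16 (critical) down to 4 (medium), with the two score-4 entries ordered by their impact. Whatever scales you adopt, the point is that the numbers are agreed before scoring begins, so that the ranking in step 6 reflects the organisation's judgement rather than whoever filled in the spreadsheet last.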


That should cover the basics. Obviously, this is just a broad overview and the specifics will vary depending on your objectives and your organisation. It may be worth bringing on board a team of specialists to conduct your assessment independently. It’s an investment that will pay off in spades if you ever find yourself blindsided by an unexpected cyberattack.

Editor, Get Cyber Resilient
