Companies, government agencies, universities and hospitals are waking up to the realisation that cyber threats pose a very real, and significant, risk to their operations. They must therefore be factored into any risk mitigation strategy.
This means that, in addition to taking steps to reduce the chance of a cyber attack succeeding, effort must go into assessing the level and nature of the risk that cyber threats pose to the business, so that decision-makers understand those risks and can develop appropriate responses to them.
This assessment needs to cover every aspect of cyber risk, and especially the risk to the business itself. It needs to cover hardware, software, people, services, supply chain processes and assets, and everything should be fully documented.
There’s an essential prerequisite to a cyber risk audit, and that’s a data audit. You need to identify all the data your company holds and determine its value.
Then, like any significant undertaking, your cyber risk assessment should start with a plan that identifies what you will be analysing, who will be consulted during the analysis, and whether there are any regulatory or budgetary constraints that need to be taken into account.
Steps to cyber risk assessment
Once the plan is complete, these are the steps needed to undertake a cyber risk audit.
- Identify threat sources and events
- Identify vulnerabilities and how they may be exploited
- Estimate the likelihood of each threat being realised
- Evaluate the potential impact on your business if it is
- Determine the degree of risk involved (in practice, a combination of likelihood and impact)
- Rank the risks in order of priority
- Prioritise actions and responses to critical risks
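The steps above can be carried through on a small risk register. The following is an added example, not code from the original article: it assumes a 5x5 likelihood/impact matrix, assumed band thresholds (15 and above Critical, 10 and above High, 5 and above Medium) and a constructed set of sample risks, none of which come from the page. It scores each threat/vulnerability pair, ranks the register and returns the risks that need a treatment decision first.

```python
"""Illustrative risk register and ranking for a cyber risk assessment.

Added example, not part of the original article. The 5x5 likelihood/impact
scales, the band thresholds and the sample risks are all assumptions chosen
for illustration; calibrate them to your own organisation.
"""
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Impact(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


@dataclass(frozen=True)
class Risk:
    """One row of the register: a threat event exploiting a vulnerability on an asset."""
    threat: str
    vulnerability: str
    asset: str
    likelihood: Likelihood
    impact: Impact

    @property
    def score(self) -> int:
        # Degree of risk as likelihood x impact on the 5x5 matrix (1..25).
        return int(self.likelihood) * int(self.impact)


def rating(score: int) -> str:
    """Map a matrix score to a qualitative band (thresholds are assumed)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Order risks for attention: highest score first. Equal scores are broken
    in favour of the higher impact, so a rare-but-severe event outranks a
    frequent-but-trivial one that happens to have the same product."""
    return sorted(register, key=lambda r: (-r.score, -int(r.impact), -int(r.likelihood)))


def prioritise(register: list[Risk], min_band: str = "High") -> list[tuple[str, Risk]]:
    """Return (band, risk) pairs at or above min_band, in ranked order:
    the risks that need a treatment decision first."""
    order = ["Low", "Medium", "High", "Critical"]
    floor = order.index(min_band)
    return [(rating(r.score), r) for r in rank_risks(register)
            if order.index(rating(r.score)) >= floor]


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("Credential phishing", "MFA not enforced on webmail", "Email",
         Likelihood.LIKELY, Impact.MAJOR),
    Risk("Ransomware", "Unpatched VPN appliance", "Internal network",
         Likelihood.POSSIBLE, Impact.SEVERE),
    Risk("Insider bulk export", "No DLP on file shares", "Customer records",
         Likelihood.UNLIKELY, Impact.MAJOR),
    Risk("Supplier compromise", "Shared data held by third party", "Supply chain",
         Likelihood.POSSIBLE, Impact.MODERATE),
    Risk("Lost laptop", "Disk not encrypted", "Staff laptops",
         Likelihood.LIKELY, Impact.MINOR),
    Risk("DDoS", "No upstream scrubbing", "Public website",
         Likelihood.POSSIBLE, Impact.MINOR),
]

if __name__ == "__main__":
    for band, r in prioritise(SAMPLE_REGISTER, min_band="Low"):
        print(f"{r.score:>2} {band:<8} {r.threat} via {r.vulnerability} ({r.asset})")
```

Two caveats a practitioner would add: multiplying ordinal scales is a convention, not a measurement, so the score orders risks but does not say one is "twice" another; and the tie-break matters, because "insider bulk export" and "lost laptop" both score 8 here, yet the former is the one a board would want treated first.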
That’s a very broad outline. The specifics will vary depending on your objectives and your organisation. It may be wise to bring in a team of specialists to conduct the assessment independently: a fresh outsider’s view can often see things that people close to the action overlook.