A Guide to Performing a Cyber Security Risk Assessment

Salt and FuesselIT Security

No matter the size of your business, a cyber security risk assessment is vital to ensuring your business avoids cyber attacks that might interrupt operations or cause your business to cease operating completely.

Whilst there’s no way to completely eliminate the risk of a cyber security incident, there are many measures you can take to reduce the chance of cyber breaches and bolster your IT security so any attempted breaches can’t succeed.

In this guide, we’ll run through the main tasks involved in conducting cybersecurity assessments. We’ll talk briefly about the ACSC’s Essential 8 Cyber Security Maturity Model and the ASD’s Cyber Skills Framework, which are helpful guides for ensuring your enterprise isn’t missing any pieces of the cybersecurity risk management puzzle.

Why do you need a cyber security risk assessment?

The landscape of cyber threat is ever changing, so cyber security for a business needs to constantly be kept in check. Cyber security measures must be woven into everyday operations, so that there’s never slack allowed in systems, where threats can find avenues in and take hold.

With systems and technology constantly developing, cyber security must be at the fore of our thoughts when designing, implementing and operating systems. The ball can never be dropped on the cyber security front.

Common cyber threats

Cyber criminals have various intentions, though the most common reasons why they will engage in cyber attacks are to:

  • inflict damage in order to damage your business reputation
  • steal data
  • extract ransoms.

Cyber security incidents commonly relate to:

  • data breaches (when confidential information is stolen from an organisation, be it the organisation’s own data, or their customer’s sensitive data)
  • phishing (where users are deceived into downloading harmful messages or providing sensitive information by an email that appears to be from a legitimate source)
  • malware (malicious software that slows or destroys computer systems)
  • ransomware (malware that encrypts computer systems so that a user cannot continue to use their system unless they pay a ‘ransom’)
  • password compromise (where user passwords are obtained through ill means, such as getting users to enter passwords into illegitimate websites).

When is the best time to perform a cyber security risk assessment?

The best time to execute a cyber security assessment is when system infrastructure is being planned and developed. Performing an assessment at this early stage is the safest and clearest way for all involved teams to evaluate factors impacting internet security, and work these into an overall network infrastructure design, rather than implementing security measures retrospectively, which may be more challenging.

In saying that, it’s still vital to perform cyber security assessments on current state operations as well, so any time is a good time for a cyber security assessment.

How do you perform a cyber security assessment?

There is a great level of detail involved in any cyber security risk assessment framework, but in brief, an assessment will follow steps along the following lines.

    1. Gauge effectiveness of cyber security on existing systems
      • Identify all IT systems, applications and services used in your business.
      • Identify what data is stored and where.
      • Identify who has access to what information.
      • Evaluate how system access is granted and revoked.
      • Document the above.
    1. Identify cyber threats that could impact your business
      • Review past cyber security incidents that impacted your business, and cyber security incidents that have impacted similar businesses to yours.
      • Identify other common cyber threats and their potential impacts on your business. Remember to include test and development regions as part of this assessment.
    1. Rate impacts
      • Rate each identified cyber threat according to its potential impact on your business. I.e., would it just impact data security, or might it also impact brand reputation, amongst other things? The rating will help determine what risks should be mitigated as high priority, and will help in terms of allocating resources for the task at hand.
    1. Use a cyber security assessment framework to put findings into action
      • Use one of the many cyber security risk assessment frameworks to take action towards reducing or eliminating cyber security incidents in your workplace. See Cyber Security Assessment models below for more information.
    1. Consider employing an external agency to perform a complete cyber security assessment.
      • Whilst you may be able to do a cyber security risk assessment in-house, it does involve appropriately training your staff to perform an accurate and all-encompassing assessment, which takes time and resources. Your staff’s time may be better used on other tasks, which is why a qualified external cyber security assessor can make an independent assessment of your cyber security risk, and will be equipped with the knowledge and experience to identify the gaps you may have missed when viewing the status quo from the inside.

Cyber Security Assessment models

There are a number of models that can be used to perform cyber security assessments. Whilst they tend to be similar, (the cyber risks themselves are common), different models are set up to approach security for different operating systems.

As Microsoft Windows is commonly used amongst larger organisations, Melbourne-based Technetics uses the Essential Eight model in many situations.

The Essential 8

The Essential Eight Maturity Model is a set of strategies developed by the Australian Cyber Security Centre (ACSC) to help organisations mitigate risks related to cyber security threats.

The essential 8 were developed for Microsoft Windows-based internet-connected networks. There may be other similar models more suitable for assessing cyber risk for other operating systems, though this model can be used to assess risk in other systems too.

The essential 8 strategies involve:

  1. Application control
  2. Patch applications
  3. Configuring Microsoft Office macro settings
  4. User application hardening
  5. Restricting administrative privileges
  6. Patching operating systems
  7. Multi-factor authentication
  8. Regular backups

The Essential 8 has a number of ‘Maturity Levels’. Businesses select a maturity level matching their business’ needs. Once they complete assessments for one maturity level, they may move up to the next level, if cyber security risks deem it necessary.

ASD Cyber Skills Framework

Another useful tool in the cyber security risk management realm is the Australian Signals Directorate’s (ASD’s) Cyber Skills Framework, which is used to assess, maintain and monitor skills, knowledge and attributes of a cyber workforce.

If you’re looking to see what’s involved in all facets of conducting a cyber security assessment, the ASD Cyber Skills Framework outlines relevant cyber security roles, the core capabilities required for personnel in each role, and the tasks personnel must complete. It also outlines career, learning and development pathways for those acting in cyber security roles.

The ASD Cyber Skills Framework is a great tool, not only for ensuring staff conducting cyber security assessments are appropriately trained, but for outlining each task itself. This helps ensure you can grasp the full scope of what’s involved in cyber security risk assessment, and ensures you don’t leave anything off the checklist.

In Summary…
Cyber security is a rich and ever-transforming realm in IT and the impacts of not security your IT assets can be huge. In order to combat risk, there are many frameworks to support your organisation in conducting cybersecurity assessments, such as the Cyber Skills Framework by the ASD and the Essential 8 Maturity Model, by the ACSC. There’s also support available from external IT Security experts.

If you need assistance with cyber security assessments in your workplace, Technetics Consulting has extensive experience providing managed cyber and IT security services to businesses in various niches. We offer comprehensive and cost-effective cyber security services as part of our overall offering of IT management services in Melbourne. Contact us today.