Cyber security risk assessments for business
A cyber security risk assessment is something every business should do. A risk assessment will help you understand both your business processes, and the systems and data you need to secure. Knowing the risks your business faces can help you prevent — or recover from — a cyber security incident.
Nowadays, it's easier than ever to run your business online. And that means it's easy to access your business information online too. For example:
- most businesses now have a public website and a social media presence
- some businesses allow staff to use personal devices to access the business network
- some employees travel often, which means they have to use public wireless networks.
Having data and systems that are accessible via the internet means that anyone can access them — not just you and your staff. That increases the number of security risk decisions you need to make.
You need to look at your risks and put a plan in place to mitigate them in the same way that you do any other kind of risks. For example, as a business owner, you’ll already be familiar with your business and industry risks. Security risks are just a different type of risk that you need to be aware of.
It's important to consider your security risks alongside the other types of risk your business faces. This will drive the decisions you make around your use of technology.
Know your systems
Before you can assess what your risks are, you need to understand the business processes you have, and how your systems and data fit into them. Decide which ones are the most important to secure.
Your systems could be either external or internal to your business. You might have:
- external systems that you access through a web browser. These could be systems managed by a third party, like Xero for instance
- internal systems that you host and manage yourself. For example, if you have a business that prints t-shirts, the software that runs the printing machine would be an internal system.
It’s hard to assess everything at once. Start by considering which systems are most important to you. Focus on the systems that are critical to your business running, and the systems that store data. This could be systems that store customer details, or systems that process payments.
Identify the threats and vulnerabilities
When you’ve identified what your most important systems are, you can work out what kind of threats they face.
For most businesses, the threat of an untargeted attack against a system that’s accessible over the internet is quite likely. For example, attackers could:
- scan your business’s web server, using automated tools made to find known vulnerabilities
- attempt to access your web mail account using a database of compromised passwords.
It’s good to note that not all threats and vulnerabilities are malicious. For example, one of your employees could accidentally delete or modify some of your data. This might be human error rather than anything sinister, but it’s still important to consider.
You may want to hire a security professional to help you document threats, to make sure you don’t miss anything. Otherwise, you could research them yourself online.
Identify the risks
When you’ve identified the threats your systems face, you’ll need to work out the risk each one presents. A risk is something that could damage your data or systems — caused by a threat or vulnerability. You can break your security risks down into three categories:
- confidentiality — meaning that your system or data is no longer secret. Privacy of personal data (like customer details) is a type of confidentiality risk.
- integrity — when your system or data is no longer accurate
- availability — when systems or data are unavailable.
Common security risks for business include unauthorised access, leaked information, and production stopping. For example:
- if an attacker was scanning for vulnerable web servers and noticed that yours was missing a patch, they could exploit it. They could access your server and use it to host malicious content like malware or phishing pages. That would be an integrity risk, as the attackers could make changes to your web server without your permission
- if an attacker was able to access your web mail, they could use it to collect sensitive business information. This is a confidentiality risk. They could also direct your clients to make payments into their bank account instead of yours. That would be an integrity risk.
Remember that risk is always going to be a trade-off. There will be some risks you have to accept, and some you can manage so the risk is not as high. You need to find the balance that’s right for you.
Be aware that your balance of risk will change over time. As you learn more about your systems, and the different threats they're susceptible to, you may find that your risks change.
Define the impacts
Next, you need to think about the impact of these risks — how they'd affect your business if they happened. Impacts are usually:
- financial, and
- if you had a t-shirt printing company and an attacker compromised the printing software, that would be an operational impact.
- if an attacker got access to your customer data and leaked it, the impact would be reputational.
When you’ve documented the impact that each risk would have on your business, give them a rating too.
- Low means there would be minimal impact on your business if the risk happened.
- Medium means that the risk would cause some damage to your business, but you’d recover
- High indicates lasting damage to your business.
Our quarterly reports show the type of incidents that affect businesses across NZ. Take a look at them — they'll show you examples of the type of risks your business may face too.
Define prevention and recovery options (controls)
It’s better to prepare for something that might never happen, than have something happen and not be ready for it. Once you know what your risks are, and the impact they’d have on your business, start working out:
- how you could prevent the risks from happening
- how your business could recover from an incident.
Think about what’s critical to your business running, and what’s important. Based on that, you can start to define what you (and your staff) can do to prevent, or mitigate, the risks. Talk to your IT service provider too — see how they can help you prepare. You’ll need to think about things like:
- putting a mitigation plan in place, to make sure you’re prepared for any of the risks happening
- talking to your staff about the risks the business faces, and what they can do to keep the business secure
- creating an incident response plan, so you’re prepared in the event of an attack.
Make sure you revisit your risk assessment from time to time. Check to make sure it’s still accurate. If you’ve introduced a new system or business process since the last time you did it, it may need an update.