A cyber security risk assessment is a fact-finding mission designed to uncover and quantify the IT security risks facing an organisation.
The risk assessment itself is the process of identifying, analysing and evaluating the risks posed to business assets, processes and IT workloads. Internal and external threats are isolated, identified and scrutinised with a view to implementing controls and strategies designed to prevent, reduce and mitigate risk.
This guide details what a cyber security risk assessment is and the benefits it can deliver, and provides step-by-step instructions on how to carry out an assessment and write a cyber security risk assessment report.
Cybercrime has become a diverse enterprise that wreaks havoc on small and large businesses alike. As business technology infrastructure increases in complexity, so do the techniques and methods available to hackers.
Rarely does a year go by that we don’t observe a rise in cyber security incidents and related damage. From 2020 to 2021, enterprises saw their annual cyber security costs increase by some 22.7%, and breaches increased by 27.4%, according to Accenture.
Similarly, the ONS found that a staggering 39% of businesses in the UK suffered a cyber-attack in 2022.
Of course, businesses are not entirely at the mercy of hackers, and there are effective solutions out there. One of them, a cyber security assessment or cyber security risk assessment, is a foundational tool that provides organisations with a robust description of the cyber risks they face and recommendations they can implement to mitigate those risks. This guides them towards effective cyber risk management, allowing businesses to take control of their IT and information infrastructure and support the digital growth and transformation required to thrive in today's business landscape.
A cybersecurity assessment involves identifying and analysing security risks, enabling the selection of effective controls and risk management strategies.
Assessments aim to answer fundamental business risk and cyber security questions:
With the information gained from the assessment, businesses can align their cybersecurity and data protection controls according to risk and impact levels.
Assessments also help organisations make strategic decisions about the security controls they’re lacking, the controls they need, and how to use and maintain them effectively. Controls range from technical implementations designed to monitor, detect and prevent attacks to people and process-related controls designed to reduce human error and oversight.
While basic cyber security applies to all organisations, appropriate controls vary from business to business and sector to sector.
For example, businesses operating in financial services or hosting critical infrastructure face high threat levels that require them to go well beyond a foundational level of cyber security.
Cyber risk assessments bring potential risks and issues to the fore, enabling organisations to make strategic decisions based on their findings.
Here are four of the key benefits a cybersecurity risk assessment provides:
The primary motive for undertaking a risk assessment is to discover, identify and categorise risks across the business and its technology infrastructure. This involves a systematic review of IT infrastructure, assets, security technologies and procedures, followed by analysis of the risks found.
Cyber security budgets can only stretch so far.
Studies and surveys show that 69% of organisations planned to increase their cybersecurity budgets throughout 2022, and 85% of IT decision-makers expected cybersecurity budgets to increase by over 50%.
Cyber security assessments rank and categorise risk so that budgets can be allocated to the highest-impact areas. This keeps spending focused where it is most effective, rather than a 'catch-all' approach that spreads cyber security budgets thinly across all control areas.
The board is taking a greater active interest in cyber security. According to Gartner, some 88% of board members view cyber security as a key business risk.
Clients increasingly are reviewing their supply chains to determine if they are cyber resilient.
A cyber security assessment can assure the board, business owners and clients that a business is secure, and enables the business to present its security credentials when forming new partnerships.
Carrying out a cyber security risk assessment is a key step towards gaining ISO 27001 certification. An ISO 27001 certified ISMS (Information Security Management System) demonstrates a high standard of cyber security while acting as an important business credential.
Gaining certification enables businesses to advertise their security credentials to prospective clients, customers and partners.
Carrying out a cyber security assessment and writing the report is a multi-step process. It begins with discussions about business architecture, processes and workloads, then moves into risk identification, control selection and technical deep dives on IT infrastructure.
Here’s how to write a cyber risk security assessment report in 7 steps:
Identifying cyber business risks involves working with senior leadership to understand what types of cyber incident could have a material impact on the business. For instance, how would a large data breach impact the business’s reputation and ability to sign new customers and clients?
This normally takes the form of a workshop or a series of one-to-one interviews.
The analysis is general at first - what types of risks do businesses in this sector typically face? What type of data is being stored and transferred? Has the business been the target of cyber-attacks before, and if so, what happened and why?
Additionally, a cyber threat analysis can be carried out to identify and assess relevant threat actors, such as ransomware criminals and state-sponsored attackers. The output of the cyber threat analysis can be used to understand additional types of cyber incident which might impact the business.
Moving into more detail involves rating the discovered risks to understand their relative business impacts. Impacts are generally measured in financial or reputational terms, and this rating enables initial prioritisation.
Achieving an overarching understanding of cyber business risks faced by the business is fundamental to selecting controls and later on performing technical deep dives.
Cyber security controls should be chosen to mitigate the identified cyber business risks. Whilst you can start from scratch and develop your own controls, in practice it is more pragmatic to take your controls from a cyber security framework. Each framework consists of a set of controls that can be implemented across any business. However, not every control is relevant to every business.
For instance, data leakage prevention (DLP) controls may not be relevant to companies which do not process or store sensitive data.
For this reason the selection of controls depends on the identified cyber business risks. That is, controls should be selected on the basis of their ability to mitigate particular cyber business risks. In the example above, DLP controls should be selected to mitigate risks centred around data breaches of sensitive information.
Having said that, some controls are foundational or essential. For instance, controls around passwords, use of 2FA and security patching are critical to every business and so should always be selected. Any controls which are foundational are generally identified as such within the cyber security framework.
When Nicolson Bray carries out a cyber security health check we typically use a blend of CIS Critical Security Controls and ISO 27001 Annex A Controls. In addition we customise controls or create new ones where required by specific cyber business risks.
Selected controls should then be tailored to the business’s systems and infrastructure. For instance, where tools have previously been selected for a control, the control description is modified to include this.
In the DLP example, this could mean including the tool that has been implemented at the endpoint such as McAfee DLP Endpoint, or the tool that has been implemented at the edge such as Zscaler Cloud DLP.
Checklists are created from these tailored controls. Creating a checklist ensures the assessment is carried out consistently and logically, and that information is collected and collated in one place.
You can use Excel to create your checklist, or there are a number of Governance, Risk and Compliance (GRC) tools which can be used to the same effect.
These checklists form a core part of the assessment and, once complete, hold sensitive information about the security posture of your company. For this reason they should be stored securely, with access restricted to those who need it.
Once a checklist has been created and agreed upon, information and technology assets are identified in order for them to be assessed.
Information and technology assets interact throughout an organisation. Technology assets include both hardware systems (e.g. servers and routers) and software (e.g. databases, applications and SaaS). Technology assets often deliver critical operational processes to an organisation, such as taking bookings for an online travel agency.
Information assets are the types of data which flow through the company, such as customer data, financial data and personal data.
Two exercises can be useful to identify Information and technology assets:
This should help identify which assets should be assessed.
The control checklist is used to assess the controls on each information and technology asset. Control assessments answer the following questions:
The key here is to identify non-existent controls or gaps in controls which might lead to cyber business risk exposure. For example, a business might have a server which has been locked down well but has not been security patched for two years. This would be a problematic control gap which could lead to the server being compromised.
After identifying these gaps, it’s then possible to quantify and qualify risks to create the final report.
The rating of cyber security risks involves two critical components: Business Impact and Likelihood.
Business impact is a measure of the harm a cyber incident could inflict on the organisation's operations, assets, reputation, or financials. It involves understanding both tangible consequences, such as financial loss and legal liabilities, and intangible consequences, such as reputational damage and customer trust erosion.
Recognising actual business impacts is crucial, as it enables prioritisation based on the severity of consequences, ensuring resources are allocated where they are most needed.
For instance a website denial of service will have different business impacts dependent on the website’s function and value. Disruption to a website which is used as an e-commerce sales channel will have a much higher business impact than disruption to an annual leave booking website for staff at the same business. The technical impact is identical, but the business impact is radically different.
Likelihood is a measure of the probability of a specific cyber incident occurring. This considers factors like historical data, threat intelligence, and security controls in place. It gauges the chances of an event occurring, from highly unlikely to almost certain. Understanding likelihood allows for targeted risk mitigation efforts, focusing on scenarios with higher probabilities of occurrence.
It is important to understand that likelihood can vary over time. For instance, a shift in the threat landscape can increase the likelihood of a cyber incident occurring. A good example of this is the increase in the ransomware threat over the past five years, which has arguably increased the likelihood of cyber incidents across the board, for businesses large and small. The increase in state-sponsored threat as a result of the Ukraine war is another example.
An example of increased likelihood due to insufficient security controls is a SaaS service where user accounts are not protected by MFA, leaving them exposed to phishing and credential stuffing attacks.
Once an understanding of business impact and incident likelihood has been built, a cyber security risk assessment matrix is used to combine the two variables, so that the overall risk rating reflects both. This matrix rates risks based on their likelihood and potential impact, typically on a scale from low to high or critical. By plotting risks on this matrix, organisations can rate risks simply and comparatively.
Above: An Example Cyber Security Risk Assessment Matrix
It is important to present findings in an easily digestible format which is accessible to all key decision-makers. A detailed cyber security risk assessment report will do this, and should contain the following:
Ideally the cyber security risk assessment report should be peer reviewed by members of the team to verify and build consensus around the findings. Writing the report is often time consuming, however it is a very valuable exercise as it helps focus analytical thinking, and provides a blueprint for cyber security enhancements and architectural changes going forwards.
Writing an IT security risk assessment report is a collaborative exercise. Since cyber security permeates all business teams and departments, it is vital to establish a top-down understanding of risks so key individuals can disseminate knowledge across the business.
Above: Writing a cyber security risk assessment report should involve collaboration from senior management and relevant team leaders/key members of departments exposed to the highest risk
A robust cyber security risk assessment report should involve the following individuals and teams:
After risks and recommendations are relayed and discussed, key risk management decisions can be made. Risks can be accepted, mitigated, avoided, or transferred (for example through cyber insurance). The cyber security assessment report forms the basis for making these decisions.
The output of these decisions is used to inform and optimise cyber security budgets.
In addition the individual risks within the report should be tracked and monitored on an ongoing basis in a cyber risk register. For instance as recommendations are implemented, this should be logged and the risk level reduced accordingly.
Also any new IT and cyber security systems will need to be risk assessed as part of their implementation and any new risks logged and tracked.
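To make the risk matrix and risk register steps concrete, here is an added example in Python (not a tool from the original guide or from Nicolson Bray). It rates risks on a 5x5 likelihood-by-impact matrix, then tracks residual risk in a register as recommended controls are logged as implemented. The 1..5 scales, the band thresholds and the number of likelihood steps each control removes are assumptions chosen for illustration; the scenarios are constructed from the guide's own examples (the two denial-of-service cases with identical technical impact, the SaaS tenant without MFA, and the unpatched server).

```python
"""Risk matrix and risk register: rate risks by likelihood x impact,
then track residual risk as recommended controls are implemented."""
from dataclasses import dataclass, field

# Ordinal scales (assumed 1..5 values; the band thresholds below are
# example choices, not a standard). Likelihood runs from "highly
# unlikely" to "almost certain", impact from low to critical.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Rating bands on the 5x5 matrix, keyed by the minimum likelihood*impact score.
BANDS = ((15, "critical"), (8, "high"), (4, "medium"), (1, "low"))


def rate(likelihood: int, impact: int) -> str:
    """Look up the matrix cell for a (likelihood, impact) pair."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must both be 1..5")
    score = likelihood * impact
    return next(band for floor, band in BANDS if score >= floor)


@dataclass
class Control:
    name: str
    likelihood_steps: int          # likelihood levels removed once implemented (assumed)
    implemented: bool = False


@dataclass
class Risk:
    risk_id: str
    title: str
    asset: str
    likelihood: str                # inherent likelihood, key of LIKELIHOOD
    impact: str                    # business impact, key of IMPACT
    treatment: str = "mitigate"    # mitigate | accept | transfer | avoid
    controls: list[Control] = field(default_factory=list)

    def inherent(self) -> str:
        return rate(LIKELIHOOD[self.likelihood], IMPACT[self.impact])

    def residual_likelihood(self) -> int:
        # Controls reduce likelihood; the business impact of the incident is unchanged.
        reduction = sum(c.likelihood_steps for c in self.controls if c.implemented)
        return max(1, LIKELIHOOD[self.likelihood] - reduction)

    def residual(self) -> str:
        return rate(self.residual_likelihood(), IMPACT[self.impact])


class RiskRegister:
    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks[risk.risk_id] = risk

    def implement(self, risk_id: str, control_name: str) -> str:
        """Log a recommendation as implemented and return the new residual rating."""
        risk = self.risks[risk_id]
        control = next((c for c in risk.controls if c.name == control_name), None)
        if control is None:
            raise KeyError(f"{control_name!r} is not a control on {risk_id}")
        control.implemented = True
        return risk.residual()

    def ranked(self) -> list[tuple[str, str, str]]:
        """(id, inherent, residual) for the report, highest residual score first."""
        def key(r: Risk):
            return (r.residual_likelihood() * IMPACT[r.impact], IMPACT[r.impact])
        return [(r.risk_id, r.inherent(), r.residual())
                for r in sorted(self.risks.values(), key=key, reverse=True)]


def example_register() -> RiskRegister:
    """Constructed scenarios based on the guide's own examples."""
    reg = RiskRegister()
    # Same technical impact (website DoS), very different business impact.
    reg.add(Risk("R1", "DoS of e-commerce storefront", "shop.example", "possible", "severe",
                 controls=[Control("CDN with DDoS scrubbing", 2)]))
    reg.add(Risk("R2", "DoS of staff leave-booking site", "leave.example", "possible", "negligible",
                 treatment="accept"))
    # Missing foundational controls raise likelihood.
    reg.add(Risk("R3", "SaaS account takeover", "CRM SaaS tenant", "almost certain", "major",
                 controls=[Control("Enforce MFA for all users", 2)]))
    reg.add(Risk("R4", "Compromise of unpatched server", "legacy app server", "likely", "major",
                 controls=[Control("Monthly security patching", 2),
                           Control("Network segmentation", 1)]))
    return reg


if __name__ == "__main__":
    reg = example_register()
    print("inherent ranking:", reg.ranked())
    reg.implement("R3", "Enforce MFA for all users")
    reg.implement("R4", "Monthly security patching")
    print("after recommendations:", reg.ranked())
```

Run as a script, the first ranking puts the MFA-less SaaS tenant and the unpatched server above the storefront; after the two recommendations are logged, both drop to high and the storefront, whose control is still outstanding, moves to the top of the report. The two denial-of-service risks share a likelihood but land in opposite corners of the matrix purely because of business impact, which is the point of rating impact in business rather than technical terms.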