Five steps to performing an effective data security risk assessment

Ram Vaidyanathan Ram Vaidyanathan
March 22, 2019 IoT & Automation

Will there ever be a time when organizations can predict and pre-empt cyberattacks before they take place? Such a utopia would need threat intelligence systems far more predictive than anything available today, deep learning included. So for now, every organization should assume that someone will attack them, and prepare accordingly.

However, a recent survey suggests that close to 70 percent of organizations are not prepared for a cyberattack.

Kevin Mitnick, arguably the world's most famous hacker, says, "You can never protect yourself 100 percent. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk." Because risk can only be reduced, never eliminated, a structured IT risk assessment is critical for every business: it is how an organization decides which risks to reduce, and how far.

To perform an effective data security risk assessment, organizations must:

1. Identify all valuable data assets

The best way for a company to identify which data assets are valuable is by understanding the nature of its business. Companies should ask themselves how they generate revenue and profit, and identify the data that is critical to their day-to-day operations. Typical candidates for the most important assets are client contact information, product design files, trade secrets and roadmap documents. Whatever data a company identifies as critical, it must understand how that data flows through its networks, which computers and servers store or process it, and who has access to it.

To protect these data assets, companies need a central risk team. In small and medium-sized businesses, this is often made up of top executives. For larger enterprises, a hybrid model of risk management may be needed, in which each functional head is assigned as the risk owner for their department's data.

2. Estimate business impact due to loss

Risk and impact assessment go hand in hand. For each valuable data asset, organizations must estimate the negative financial impact of its compromise or loss. Apart from direct costs, loss estimates should also include intangible costs such as reputational damage and legal ramifications. A common documentation format must be used across teams so that estimates from different departments can be compared and ranked against each other.

3. Determine threats to the business

A threat is anything that has the potential to cause harm to the valuable data assets of a business. The threats companies face include natural disasters, power failure, system failure, accidental insider actions (such as accidental deletion of an important file), malicious insider actions (such as a rogue employee adding themselves to a privileged security group), and malicious outsider actions (such as phishing, malware and spoofing). Each company should have its central risk team determine the most probable threats to each asset and plan accordingly.

4. Analyze vulnerabilities

A vulnerability is a weakness or gap in a company's network, systems, applications, or even processes which can be exploited to negatively impact the business. Vulnerabilities can be physical in nature (such as old and outdated equipment), they can involve weak configuration or patch hygiene (such as leaving a system unpatched or not following the principle of least privilege), or they can result from awareness issues (such as untrained staff). As with determining threats, analyzing vulnerabilities is best completed by the central risk team. The team may find it helpful to use vulnerability scanning tools for a thorough systems analysis, and penetration testing or ethical hacking techniques can be used to delve deeper and confirm which weaknesses are actually exploitable.

5. Establish a risk management framework

Risk is a business construct, but it can be represented by the following formula: Risk = Threat × Vulnerability × Business impact, where Threat is scored as the likelihood that the threat materializes, Vulnerability as how exploitable the current weaknesses are, and Business impact as the estimated loss from step 2.

To reduce risk, IT teams need to minimize the threats they're exposed to, the vulnerabilities that exist in their environments, or a combination of both. From the business side, management may also decide to reduce the business impact of a data asset, for example by retaining less of the data in the first place. The central risk team must assign risk values of high, medium, or low for the potential loss of each valuable data asset.

Using this process, a company can determine which data asset risks need to be prioritized. This is a highly involved process and must be done carefully. Once completed, a company should come up with a remediation or other treatment for each identified risk, along with the estimated cost of each solution.

After a framework is in place, companies should determine what level of risk they're comfortable carrying. Do they want to address all the risks, or only those identified as high? The answer will vary from company to company, and the estimated total cost of the solutions, along with the projected return on investment, strongly influences the risk appetite.
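The five steps above, as an added worked example that is not code from the article or from Experfy: a small risk register in Python that validates each asset's record against a common format (step 1 and step 2), scores it with Risk = Threat × Vulnerability × Business impact against the most probable threat (steps 3 to 5), bands the score into high, medium or low, prioritizes the register, and totals the cost of treating everything at or above the chosen risk appetite. The 1..3 ordinal scale, the banding thresholds (12 and 4 on the 1..27 product), and the asset names, owners, threats and costs are assumptions made for illustration.

```python
# Added example for the five-step assessment above; not code from the article.
# Assumptions (not in the article): a 1..3 ordinal scale for threat likelihood,
# vulnerability and impact; banding thresholds of 12 and 4 on the 1..27 product;
# the asset names, owners, threats and costs below are constructed sample data.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DataAsset:
    name: str
    owner: str                 # step 1: the risk owner (a functional head or executive)
    impact: int                # step 2: business impact of loss, 1 (low) .. 3 (high)
    threats: dict              # step 3: threat name -> likelihood, 1..3
    vulnerability: int         # step 4: how exploitable the current controls are, 1..3
    mitigation_cost: float     # estimated cost of the proposed solution


def validate(asset):
    """Enforce the common documentation format: an owner, at least one threat, all scores in range."""
    if not asset.owner:
        raise ValueError(f"{asset.name}: no risk owner assigned")
    if not asset.threats:
        raise ValueError(f"{asset.name}: no threats recorded")
    scores = {"impact": asset.impact, "vulnerability": asset.vulnerability, **asset.threats}
    for label, value in scores.items():
        if value not in (1, 2, 3):
            raise ValueError(f"{asset.name}: {label} must be 1..3, got {value!r}")


def risk_score(asset):
    """Risk = Threat x Vulnerability x Business impact, scored against the most probable threat."""
    validate(asset)
    return max(asset.threats.values()) * asset.vulnerability * asset.impact


def risk_level(score):
    """Band a 1..27 score into the high / medium / low rating the central risk team records."""
    if score >= 12:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(register):
    """Return (asset, score, level) tuples with the highest-risk assets first."""
    scored = [(asset, risk_score(asset)) for asset in register]
    return [(asset, score, risk_level(score)) for asset, score in
            sorted(scored, key=lambda pair: pair[1], reverse=True)]


def treatment_plan(register, treat_from):
    """Pick the assets the business has decided to treat and total the cost of doing so.

    treat_from is the lowest rating that will be addressed: "high" treats only
    high risks, "medium" treats medium and high, "low" treats everything.
    """
    rank = {"low": 1, "medium": 2, "high": 3}
    if treat_from not in rank:
        raise ValueError(f"unknown risk level {treat_from!r}")
    selected = [entry for entry in prioritize(register) if rank[entry[2]] >= rank[treat_from]]
    return selected, sum(asset.mitigation_cost for asset, _, _ in selected)


def residual_score(asset, **changes):
    """Re-score an asset after a planned change to one of the three factors.

    Because the formula is a product, lowering any one factor lowers the risk;
    e.g. residual_score(asset, vulnerability=1) models patching plus least privilege.
    """
    return risk_score(replace(asset, **changes))


# Constructed sample register (not from the article).
REGISTER = [
    DataAsset("customer contact database", "Head of Sales", impact=3,
              threats={"phishing of sales staff": 3, "malicious insider": 2},
              vulnerability=2, mitigation_cost=40_000),
    DataAsset("product design files", "Head of Engineering", impact=3,
              threats={"ransomware": 2, "accidental deletion": 3},
              vulnerability=3, mitigation_cost=25_000),
    DataAsset("roadmap documents", "Head of Product", impact=2,
              threats={"malicious insider": 2},
              vulnerability=1, mitigation_cost=5_000),
    DataAsset("public marketing copy", "Head of Marketing", impact=1,
              threats={"website defacement": 1},
              vulnerability=2, mitigation_cost=2_000),
]


if __name__ == "__main__":
    for asset, score, level in prioritize(REGISTER):
        print(f"{score:>2} {level:<6} {asset.name} (owner: {asset.owner})")
    selected, cost = treatment_plan(REGISTER, "high")
    print(f"treating {len(selected)} high risks costs {cost:,.0f}")
```

Running the file prints the prioritized register with the design files (27) ahead of the customer database (18). The residual_score helper is the practical point of the product form: dropping the vulnerability of the design files from 3 to 1 takes their score from 27 to 9, moving them from high to medium without any change to the threat or the impact, which is the kind of before-and-after figure the risk team needs when it weighs a solution's cost against its return.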
