Do you remember the last time your business conducted a cyber security assessment or audit? If the answer is no, then your business may be vulnerable to a variety of cyber attacks.
The Common Vulnerabilities and Exposures (CVE) database lists over 11,000 known vulnerabilities across some of the most widely used software and IT systems. Between June 2019 and June 2020 alone, an average of 164 cyber incidents were reported to the Australian Cyber Security Centre (ACSC) every day, which works out to roughly one incident every ten minutes. With cyber crime at an all-time high, businesses in Australia and around the world are growing increasingly concerned. IBM estimates the average cost of a data breach at a large enterprise to be US$3.92 million. According to IBM, 60% of these breaches could have been prevented if an available patch had been applied.
These numbers are terrifying and put into perspective just how important it is to conduct frequent cyber risk assessments and security audits. The more you know about the threats you face, the better prepared you are to protect against them.
What Are Cyber Risks?
A cyber risk is the potential for harm to sensitive data, finances or online business operations. In most cases that harm is realised through a data breach. Risks are rated as zero, low, medium or high, and the rating depends on three factors: What is the threat? How vulnerable is the system? What is the possible reputational and/or financial damage if the asset is breached or made unavailable? In other words, Cyber risk = Threat x Vulnerability x Information Value. Because the factors are multiplied, a system with no credible threat, or a vulnerability in an asset of no value, scores as zero risk regardless of the other two factors.
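To show how the formula above behaves when applied to more than one asset, here is an added example (not from the original article) that scores a small, constructed risk register and sorts it by risk. The 0-3 scale for each factor, the band thresholds used to map the product back onto the zero/low/medium/high levels, and the sample assets are all assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Each factor is scored 0-3 (zero, low, medium, high). This scale and the
# band thresholds in risk_level() are assumptions for the example.

@dataclass(frozen=True)
class Asset:
    name: str
    threat: int         # likelihood/capability of an attacker targeting it (0-3)
    vulnerability: int  # how exposed the system currently is (0-3)
    value: int          # reputational/financial impact if breached (0-3)


def risk_score(asset: Asset) -> int:
    """Cyber risk = Threat x Vulnerability x Information Value (0..27)."""
    for factor in (asset.threat, asset.vulnerability, asset.value):
        if not 0 <= factor <= 3:
            raise ValueError(f"{asset.name}: factor {factor} is outside the 0-3 scale")
    return asset.threat * asset.vulnerability * asset.value


def risk_level(score: int) -> str:
    """Map the 0-27 product onto the four levels (assumed thresholds)."""
    if score == 0:
        return "zero"
    if score <= 4:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def rank_register(assets: list[Asset]) -> list[tuple[str, int, str]]:
    """Return (name, score, level) for every asset, highest risk first."""
    rows = []
    for asset in assets:
        score = risk_score(asset)
        rows.append((asset.name, score, risk_level(score)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (not real data).
REGISTER = [
    Asset("customer database", threat=3, vulnerability=2, value=3),
    Asset("public marketing site", threat=3, vulnerability=3, value=1),
    Asset("air-gapped lab PC", threat=0, vulnerability=3, value=2),
    Asset("staff intranet wiki", threat=1, vulnerability=2, value=2),
]

if __name__ == "__main__":
    for name, score, level in rank_register(REGISTER):
        print(f"{name:24s} score={score:2d} level={level}")
```

Note how the air-gapped machine scores zero despite being the most vulnerable asset in the register: with no credible threat, the multiplicative model says no effort should go there first, which is exactly the prioritisation an assessment is meant to produce.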
The most common cyber risks are listed below.
- Data leaks
- Insider threats
What Is a Cyber Risk Assessment?
Cyber risk assessments help businesses identify, analyse and evaluate risks. A comprehensive cyber security risk assessment takes stock of all information technology assets and infrastructure that could potentially be targeted by a cyber attack (including hardware, systems, private data, etc.) and identifies their vulnerabilities. In doing this, businesses can close gaps in security and implement the most effective defence frameworks and security strategies. There are a host of added benefits to conducting a cyber security risk assessment, such as:
- Preventing data breaches and loss
- Reducing long term costs
- Improving organisational knowledge
- Avoiding regulatory issues
- Reducing application downtime
- Providing a cyber security risk template for future assessments
This high level analysis leads to more efficient practices, saving organisations time, effort and money. For instance, defending against attacks unlikely to occur is a waste of resources that could be better spent elsewhere. On the flip side, without a proper assessment, risks can be underestimated or even overlooked entirely. An attack exploiting such weaknesses could cause significant damage and have devastating effects.
Furthermore, a security risk assessment not only prepares your organisation to defend against cyber crime, but also keeps key stakeholders and board members up-to-date on cyber security posture and day-to-day operations.
The Different Types of Assessments
Risks and Vulnerabilities
This is the most commonly used type of assessment. Its purpose is to pinpoint the gaps in your systems that are most exposed to attack. It is a rigorous test of infrastructure, software and user behaviour. Specifically, this assessment determines how easy it is to reach your data through prevalent attacker techniques (e.g. social engineering). When completing this assessment, your team's cyber security practices, habits and responses will be subject to intense scrutiny.
In this assessment, all security controls, tools and practices currently in use are evaluated for their effectiveness. This often includes penetration testing, wherein cyber security professionals (either internal or outsourced) attempt to breach these defences and document what they were able to do. This determines how resilient the current security measures are to attack, as well as how quickly the organisation detects, responds to and recovers from an intrusion.
Operational Resilience
Operational resilience is an evaluation of an organisation's ability to prevent disruptions to its daily operations or, failing that, how long those operations are impacted by a disruption. This assessment encompasses all IT assets and systems, not just those related to cyber security. Operational resilience is measured by how well a business:
- Adapts its management strategy by learning from previous threats and attacks
- Monitors critical systems and maintains preparedness for potential attacks
- Continues normal operations while a cyber attack is under way
- Restores technical infrastructure and operations after an attack
Management of External Dependencies
Nearly every organisation outsources to some extent. While you may not be able to monitor the parts of your environment that external parties operate, you can reduce the risk by appraising those external relationships. To mitigate the risks of any external relationship, your organisation needs to consider:
- What strategies does your organisation have in place for managing external dependencies?
- How are the risks related to these dependencies managed?
- Has your organisation established a process to stay informed about the latest risks affecting its suppliers?
- If a threat does materialise, is there a plan to maintain continuity?
This assessment can be a long and complex undertaking, as it needs to involve every party and department that liaises with external dependencies.
What Are Cyber Security Audits?
Cyber risk assessments and cyber security audits are two parts of the same process. Assessments are internal investigations, usually done in advance of, or in preparation for, a cyber security audit. The assessment is diagnostic and relies on informed estimation to predict future risk. The audit, on the other hand, measures the current state of your organisation's information technology, policies and controls against a set of external standards and rigorously tests their effectiveness. This may include confirming that all mandatory policies are being adhered to, that all information technology security processes are properly documented, and that cyber security procedures are clearly communicated and consistently applied throughout the entire organisation.
Cyber security audits serve an important regulatory purpose as they ensure your business is maintaining best practices and is also compliant with all government and industry regulations. It is a formal and rigid process that should be conducted by an accredited third-party auditor.
While cyber security assessments and audits are not infallible, knowing your security’s strengths and weaknesses can make protecting your organisation against cyber crime significantly less stressful. It is recommended that organisations perform a risk assessment at least once a year, as well as any time the business undergoes a major structural change that impacts the IT environment. Audits, however, typically must be completed in a specific timeframe and follow a rigid set of instructions. It is best to keep in mind that the more accurate, up-to-date information your business has access to, the easier it is to protect your organisation from cyber attack.