The first step in completing a cyber security risk assessment is observing what data your organization collects (whether through customer payment portals, surveys, or just employee operations), where you store that data, how it is protected, and how long you keep the data.
What threats does your organization face? Malicious actors are not the only threats to your data. You should also consider natural disasters common in your area (would the disaster damage on-premise servers?), the power supply to your critical systems, human error, and unauthorized access.
Third-party vendors have become an increasing threat to organizations, as they rarely have the same level of security. The security checklists used to audit vendors quickly become outdated, and you may not know if they change servers or leave your data without protection.
A security risk assessment multiplies the threat by the impact to determine the risk level. You should consider both the operational and the reputational impact of an exploited vulnerability.
Customer or user data loss has a high reputational impact: your users no longer feel safe doing business with you, and that will decrease sales or stock prices.
Examples of operational impact are a two-week closure due to a hurricane, application downtime due to a power outage, or a phone outage due to a poor internet connection. Cloud storage and cloud-hosted systems dramatically reduce the likelihood of those issues.
Your company may not have the same natural disaster risks as other companies, but you most likely face malicious actors looking to steal data.
If your business relies heavily on cloud storage (whether on your own server or through Dropbox, Google Drive, or Microsoft), do you have permissions in place to keep that data secure from the whole internet? Employees unintentionally set folders to “visible to anyone” or, worse, “writeable by anyone” and expose intellectual property to the wrong people.
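The "visible to anyone" / "writeable by anyone" check above can be automated on a server you run yourself. The script below is an added example, not code from the original article: it walks a directory tree and reports every entry that the "other" permission class (every account on the host) can read or write, treating write access as the more serious finding. The sample tree it builds is constructed for the demonstration; point `find_exposed_paths` at a real share to audit it.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_exposed_paths(root: str) -> list[tuple[str, str]]:
    """Walk `root` and return (relative path, problem) for every entry that
    the 'other' class, i.e. every account on the host, can read or write.
    World-writable entries are reported on their own; world-readable ones
    only when they are not also writable."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # the link target is judged when the walk reaches it
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                kind = "world-writable"
                if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                    # /tmp-style directory: anyone can add files, only the
                    # owner can delete them; still worth reviewing
                    kind += " (sticky bit set)"
                findings.append((rel, kind))
            elif mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample tree (not real company data): one entry per
    permission pattern the checker should distinguish. Returns its root."""
    root = tempfile.mkdtemp(prefix="riskcheck_")
    dirs = {"hr": 0o700, "shared": 0o750, "shared/dropbox": 0o777,
            "public": 0o700, "public/uploads": 0o1777}
    files = {"hr/payroll.csv": 0o600, "shared/README.txt": 0o644}
    for rel, mode in dirs.items():  # parents are listed before children
        Path(root, rel).mkdir()
        os.chmod(Path(root, rel), mode)
    for rel, mode in files.items():
        Path(root, rel).write_text("constructed sample\n")
        os.chmod(Path(root, rel), mode)
    return root


if __name__ == "__main__":
    for rel, kind in find_exposed_paths(build_sample_tree()):
        print(f"{kind:32} {rel}")
```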
When businesses don’t update systems regularly, they miss security patches. Hackers regularly scan systems looking for those unpatched holes.
Some PII (Personally Identifiable Information) is not actually valuable. For example, when hackers breached the audio-only social platform Clubhouse, they released the usernames, social media handles, and other information for free. However, Clubhouse responded that “the data referred to is all public profile information from our app, which anyone can access via the app.” While users may not want all their public data available in an easy-to-search spreadsheet, Clubhouse does not consider it a valuable asset to protect.
In contrast, if your company has credit card information or social security numbers for clients, that data needs more protection.