Cybersecurity Risk Assessment Provides a Rational Strategy for Protecting Technology Assets: Large or small and in every industry, cybersecurity is vital.

Author: Barbour, Tracy
Position: TELECOM & TECH

Organizations of all types and sizes have been rocked by security breaches and other cyber attacks, including large corporations (Merck, Maersk, and FedEx), government agencies, and even a credit reporting bureau (Equifax). And given the growing threat from botnets, malware, ransomware, worms, and nefarious hackers, companies need an organized method for assessing and addressing cybersecurity risks.

Cybersecurity comprises the technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access. A cybersecurity risk assessment identifies the gaps in an organization's critical risk areas and determines the actions needed to close them. The evaluation typically begins by considering the primary types of information being handled--whether Social Security numbers, credit or debit card numbers, patient records, industrial control system data, designs, or human resources data--and then building a priority list of what needs to be protected.

A cybersecurity assessment also entails identifying where information assets reside, such as file servers, workstations, laptops, removable media, smartphones, and databases, and then classifying them by sensitivity. The top-rated assets are examined further for the threats they may face, such as identity spoofing, data tampering, information disclosure, or denial of service. From there, an organization can estimate the likelihood that a given threat is actually carried out against a particular asset and the potential impact if the attack succeeds, and combine the two into a risk rating. A cybersecurity risk assessment exercise can take anywhere from one full day for smaller organizations to several days or weeks for larger firms. The cost of an assessment can run to tens of thousands of dollars, depending on the size and complexity of the system as well as the time involved in making the assessment.

Ultimately, a cybersecurity risk assessment yields a comprehensive ranking of threats and vulnerabilities, prioritized by risk, that helps an organization create a strategy for sensible risk mitigation. It can then focus its efforts on the most critical areas and avoid spending resources on security technologies or activities that are less essential or irrelevant to addressing the highest risks.
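The procedure the preceding paragraphs describe (inventory and classify assets by the data they hold, enumerate threats against the top-rated assets, score likelihood and impact, and rank the result) can be captured in a small risk register. The following is an added example written for this page, not code from the article or from any firm it names. The sensitivity weights, the 1-5 scoring scale, the top-tier cutoff, the treatment thresholds, and the inventory and estimates are all constructed assumptions; an organization substitutes its own. One practitioner-relevant detail it handles: a top-rated asset/threat pair that was never scored is reported as a gap rather than silently ranked as zero risk.

```python
"""Risk register: classify information assets, score the threats against the
top-rated ones, and rank them. Added example; every value below is constructed."""
from dataclasses import dataclass

# Assumed sensitivity weights (1 = public, 5 = regulated personal/financial data).
SENSITIVITY = {
    "ssn": 5, "card_number": 5, "patient_record": 5,
    "ics_data": 4, "design": 3, "hr_data": 3, "public": 1,
}
# Threat categories named in the article.
THREATS = ("spoofing", "tampering", "disclosure", "denial_of_service")
TOP_TIER = 4          # assumed cutoff: assets at or above this get threat analysis
SCALE = range(1, 6)   # assumed 1-5 scale for both likelihood and impact


@dataclass(frozen=True)
class Asset:
    name: str
    location: str            # file server, laptop, database, smartphone, ...
    data_types: tuple

    def sensitivity(self) -> int:
        # An asset is as sensitive as the most sensitive data it holds.
        return max(SENSITIVITY[d] for d in self.data_types)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def treatment(self) -> str:
        # Assumed thresholds; these encode an organization's risk appetite.
        if self.score >= 15:
            return "mitigate now"
        if self.score >= 8:
            return "plan mitigation"
        return "accept and monitor"


def classify(assets):
    """Return assets ordered by sensitivity, most sensitive first."""
    return sorted(assets, key=lambda a: (-a.sensitivity(), a.name))


def build_register(assets, estimates):
    """Score every threat category against each top-tier asset.

    estimates maps (asset name, threat) -> (likelihood, impact) as judged
    during the assessment. A top-tier asset/threat pair with no estimate is
    returned as a gap instead of being scored 0 and dropping off the ranking.
    """
    register, gaps = [], []
    for asset in classify(assets):
        if asset.sensitivity() < TOP_TIER:
            continue                      # lower tiers are not analysed here
        for threat in THREATS:
            est = estimates.get((asset.name, threat))
            if est is None:
                gaps.append((asset.name, threat))
                continue
            likelihood, impact = est
            if likelihood not in SCALE or impact not in SCALE:
                raise ValueError(f"{asset.name}/{threat}: scores must be 1-5")
            register.append(Risk(asset.name, threat, likelihood, impact))
    register.sort(key=lambda r: (-r.score, r.asset, r.threat))
    return register, gaps


# Constructed sample inventory and assessment estimates (not real data).
ASSETS = [
    Asset("HR database", "database server", ("ssn", "hr_data")),
    Asset("Payment gateway", "web server", ("card_number",)),
    Asset("Plant historian", "ICS network", ("ics_data",)),
    Asset("Engineer laptop", "laptop", ("design",)),
    Asset("Marketing site", "web server", ("public",)),
]
ESTIMATES = {
    ("HR database", "disclosure"): (3, 5),
    ("HR database", "spoofing"): (2, 4),
    ("Payment gateway", "disclosure"): (4, 5),
    ("Payment gateway", "tampering"): (2, 5),
    ("Plant historian", "denial_of_service"): (3, 4),
    ("Plant historian", "tampering"): (1, 5),
    ("Marketing site", "denial_of_service"): (4, 2),  # below cutoff, ignored
}

if __name__ == "__main__":
    register, gaps = build_register(ASSETS, ESTIMATES)
    for r in register:
        print(f"{r.score:2d}  {r.asset:16} {r.threat:18} {r.treatment}")
    for asset, threat in gaps:
        print(f"GAP {asset}/{threat}: not assessed")
```

Run as-is, the ranking puts disclosure of card data at the top (score 20) and tampering with the plant historian at the bottom (score 5), and it lists six unscored asset/threat pairs as gaps, which is exactly the kind of "what did we not look at" output an assessor wants before declaring the exercise complete.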

The Assessment Process

Cybersecurity risk assessments are often done by an organization's IT department or its internal audit group. However, many organizations opt to use outside consultants. There are arguments for both approaches, says John Cusimano, CISSP, GICSP, CFSE. Cusimano is the director of industrial cybersecurity for Applied Engineering Solutions (aeSolutions), a provider of industrial process safety, cybersecurity, and automation life-cycle solutions and tools. "The main thing is the person facilitating the assessment should have some independence from the group that actually designs and operates the system," he says...
