Barry O’Donnell, Chief Operating Officer at TSG, discusses the importance of carrying out a thorough risk assessment, to identify the systems which need protecting most urgently
Most businesses will complete regular risk assessments as standard practice. They’re crucial to reducing the threat of financial or reputational loss and give you an overview of the high-risk areas you must address.
One type of risk analysis that is critical but sometimes overlooked is a cybersecurity risk assessment. In today’s digital-first world, it’s difficult to overstate the importance of analysing and addressing threats to your IT security. Making it a regular occurrence is also advised because cybercriminals are finding new holes in your defences every day.
To address these threats, full and frequent cybersecurity audits are necessary to review:
- Weaknesses in your business systems.
- Outdated hardware or software.
- The security awareness of your employees.
Here are the basic steps you need to take to perform a cybersecurity risk assessment.
Audit your hardware and business systems
You can’t understand the risks associated with your technology if you don’t keep track of it in the first place. Maintaining a comprehensive record of all the technology in your business can sometimes be tricky. If departments in your business are making shadow IT purchases – implementing technology without sign-off from your IT team – it can quickly become unmanageable.
Identifying and auditing your most important and widely-used IT assets will help you understand which solutions make up the biggest percentage of your attack surface. For example, most of your employees will likely use your customer relationship management (CRM) software. If you haven’t tied down access rights, hackers could get in through a backdoor. Similarly, you can stop people from sharing customer information externally by limiting the number of people who can download large amounts of data.
Keeping a rolling kit of your hardware will also allow you to schedule your patching. Updating well-known security risks like unsupported devices or operating systems (OS) should be a high priority. Windows 7, which reached its end of life in January 2020, has been targeted with a password-stealing scam due to its vulnerabilities. This highlights how critical it is to patch software and hardware regularly.
Address the most likely incidents
When we think of strengthening our cybersecurity, it’s natural to focus on protecting your business from external threats like hackers. That’s important, but you also need to look at other common incidents and their risk.
With GDPR in force, data security is a high priority for most businesses. It’s important to note that business data can be compromised accidentally as well as deliberately. If your people use removable storage devices like USB sticks, there’s a risk they could be lost or stolen – like in the case of Heathrow Airport.
Equally, if cybercriminals are targeting your business with phishing emails, consider the risk level of your people clicking on the malicious links and filling in their login details. You can reduce the likelihood of these threats reaching your employees in the first place by using powerful email filtering tools. As hackers’ tools, like the highly evolved Ryuk ransomware, are continually becoming more sophisticated, you need to consider what will happen next.
Educating your workforce about the cyberthreat landscape and how they can play a role in keeping your business secure is vital. You can do this by:
- Providing digital and in-person training materials.
- Using a phishing simulation tool to test existing staff knowledge.
- Outsourcing security training to managed IT support.
Identify the level of risk and prioritise actions
A risk assessment isn’t finished once you’ve identified the most pertinent risks. Next, you need to understand how to address the risks you’ve identified.
Let’s say you know a lot of your employees take confidential information to on-site customer meetings using USB sticks. They travel via public transport and their storage devices aren’t encrypted. This means your vulnerability is high: there’s a high risk of those items being lost or stolen and accessed by a malicious third party.
This should therefore be one of the first items you address. You can split down actions into quick wins and long-term strategies. So, a quick win would be implementing a policy that states removable storage devices must be encrypted and/or password-protected. A long-term strategy could be implementing a cloud storage solution to allow your people to access their documents anytime, anywhere, and eliminate the need for USB sticks.
Don’t forget about your remote workforce
If your business has back-office staff, chances are a proportion of them will be working from home at the moment. In fact, according to a survey by IESE Business School, SD Worx and CASS Business School 65% of all British employees switched to remote working during lockdown.
That presents additional risks to the security of your business.
A study by IBM found that 53% of remote workers are working using their personal devices, while 61% say their employer hasn’t issued any guidance on securing those devices. This presents a number of risks to your security, including:
- Lower-grade security solutions on your employees’ personal devices, leaving gaps for hackers
- Hidden malware or bloatware which has been unknowingly installed
- Sensitive information accessible by non-employees.
You can easily mitigate these risks by providing employees with laptops or, if that’s not possible, enterprise-grade cloud storage solutions which add layers of protection to work files. Similarly, unsecured home WiFi networks present a risk to security. By installing a business virtual private network (VPN), you can encrypt employees’ connection to your network.
In today’s information age, cybersecurity risk assessments are an integral part of your business’ processes. Hackers are taking advantage of businesses and their homeworkers right now, meaning an increase in your attack surface. By carrying out a thorough risk assessment, you can identify the systems which need protecting most urgently. You can then create a comprehensive action plan which addresses the high-risk areas of your business first, before looking at securing every potential entry point for cybercriminals.