A strong cybersecurity program begins with a clear understanding of an organization’s risk posture. In today’s hyper-connected world, data breaches are no longer a question of if but when. This makes risk management, measurement, and evaluation essential components of building cyber resilience. Conducting a thorough cybersecurity risk assessment and leveraging its insights to enhance resiliency is mission critical.

What Is a Cybersecurity Risk Assessment?

A cybersecurity risk assessment documents an organization’s process for:

  • Identifying digital assets
  • Reviewing for sensitive data
  • Detailing any given potential threat
  • Determining the likelihood of a data breach
  • Setting a risk tolerance
  • Establishing controls to mitigate potential risk

A risk assessment is the backbone of any strong security program, mapping out the path to a robust defense by identifying gaps and shaping the perfect security control ecosystem.

Why Do Organizations Need a Cybersecurity Risk Assessment?

Documenting the risk assessment process enables organizations to prove the governance necessary for compliance purposes. It also ensures the organization has an established and repeatable process for cybersecurity risk identification and management.

Many compliance requirements focus on mitigating cybersecurity risk. Some examples of these compliance frameworks, standards, and mandates include:

A security risk assessment isn’t just a checkbox — it’s a game plan. It gives organizations a clear, structured approach to building and enforcing security controls. With cyber threats constantly evolving, security teams need to know where to focus their efforts, and a solid risk assessment ensures they’re tackling the right priorities.

When to Perform a Risk Assessment

Organizations should perform risk assessments at three key moments: during the establishment of a security program, when implementing changes to the technology stack, and annually.

Security program establishment

Before creating a security policy or program, an organization needs to engage in a risk assessment. The assessment acts as the foundation for everything that comes later. Organizations need to know the risks associated with their IT landscape. Without the risk assessment, companies may fail to put proper controls in place.

This cybersecurity assessment is often the most time consuming, as it requires thorough asset management, detailed review processes, and the implementation of control measures.

Changes to the technology stack

Another time it’s important to formally review a risk assessment is before adopting innovative technologies or making significant changes to the IT stack. Although compliance mandates rarely define “significant changes,” understanding how adding or removing technologies can impact cybersecurity posture matters.

Some events that might trigger the need to review risk include:

  • Onboarding a new Software-as-a-Service (SaaS)
  • Migrating a database from on-premises to cloud
  • Adding new on-prem servers to a network
  • Adding new firewall providers

Annual review

Most compliance mandates require organizations to review their risk assessments at least annually. To demonstrate governance, executive leadership and the board of directors should examine the risk assessment during a meeting and record the review in the minutes.


How to Perform a Cybersecurity Risk Assessment

Performing a cyber-risk assessment takes time, but the outcome enables the organization to mature its security and compliance programs. Key steps in the process are to create a team; identify devices, data, and users; and then assess risk. From there, you are able to perform a risk analysis and identify risk mitigation controls.

Create a team

No single person can manage an enterprise cybersecurity risk assessment. Organizations should create cross-departmental teams to ensure they identify all risks. Some members of the team can include:

  • Chief Information Security Officer (CISO)
  • Chief Technology Officer (CTO)
  • Risk and compliance team
  • Internal auditor
  • Department managers
  • Human resources

Forming a cross-functional team helps the organization recognize and address various risks associated with line-of-business technology use.

Identify

The initial phase of assessment is the identification stage, which is often the most challenging for many organizations. The growing adoption of cloud services and Internet of Things (IoT) devices contributes to visibility challenges.

Devices

Organizations need to identify all the devices connected to their networks that store, transmit, collect, and process data, including:

  • Workstations
  • Smartphones
  • Tablets
  • Servers
  • Network devices like routers, switches, bridges, and modems
  • IoT devices like printers, coffee makers, security systems, and card readers

Conducting network scans can enhance visibility into connected devices. Maintaining a current asset inventory supports a more comprehensive risk assessment.


Data

Not all data poses the same security risk. While compliance requirements often define sensitive data as personally identifiable information (PII), other data types should be included as well. Some data types that pose a greater security risk include:

  • Names
  • Birthdates
  • Addresses
  • Social Security numbers
  • Bank account numbers
  • Credit card data
  • Customer IP address
  • Biometric data like fingerprints or face ID
  • Health data
  • Education records
  • Employee personal information
  • Genetic data
  • Corporate financial records
  • Intellectual property

Locations that store, process, & transmit data

As organizations continue shifting data and operations to the cloud, pinpointing where data is stored, processed, and transmitted grows more complex. With development teams able to create and delete workloads in seconds, traditional detection methods struggle to keep up.

When evaluating these locations, organizations should take into account:

  • On-premises data centers
  • Cloud services like Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) providers
  • Workloads
  • Containers
  • Social media accounts
  • Email servers
  • SaaS applications
  • Collaboration tools like Slack or Microsoft Teams
  • Shared drives like OneDrive, Google Drive, or SharePoint

All of these locations must be assessed in order to evaluate risk appropriately.

Users

The increase in credential theft attacks requires organizations to prioritize identifying users who elevate cybersecurity risks. Additionally, organizations must recognize that “users” aren’t always human — machine identities, such as robotic process automation (RPA), can also introduce security vulnerabilities.

When identifying risky users, consider:

  • Employees
  • IT administrators
  • Consultants
  • Customers
  • RPAs/bots
  • Service accounts
  • APIs


Assess risk

Assessing risk means understanding the risk that each identified device, data type, location, and user poses. Generally, organizations assign risk along a spectrum based on impact. For example:

High risk: Compromise would have an extremely negative impact

Medium risk: Compromise would have a negative impact

Low risk: Compromise would have little to no negative impact

If threat actors gain access to a database containing credit card data, then the risk is high because it has a large negative impact on the organization. Device risks include:

  • Ransomware/malware
  • A known vulnerability or multiple vulnerabilities
  • Theft

Risks associated with locations that store, transmit, and process data include:

  • Misconfigurations
  • Data stored in plain text
  • Man-in-the-middle attacks
  • SQL injection attacks

User risks include:

  • Excess access
  • Privacy
  • Credential theft
  • Poor password hygiene
  • Shared passwords
  • Privileged access

Risk analysis

The risk assessment gives visibility into specific types of risk arising from critical assets and users. However, the risk analysis moves toward a more holistic look at risk impact to the organization’s financial stability.

Risk analyses usually use a variation of the following equation:

Risk = Probability of Event x Impact to the Organization

The risk analysis is the quantifiable part of the assessment. Impact to the organization includes looking at the:

  • Financial risk: how would a data breach impact financial stability?
  • Compliance risk: would a data breach lead to fines or penalties from a compliance violation?
  • Reputation risk: how would customer churn impact the organization after a data breach?

The final part of the risk analysis process usually includes creating a heat map, which is a graphical representation showing the spectrum of risks with one axis labeled impact and the other labeled likelihood.
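As an added example that is not part of the original article, the following Python applies the equation above, Risk = Probability of Event x Impact to the Organization, to a constructed risk register and bins the results into the likelihood/impact heat map the section describes. The 1 to 5 scales, the numeric mapping of the article's high/medium/low impact levels, and the asset names and scores are assumptions made for illustration.

```python
# Added example: scores a constructed risk register with the article's formula
# and builds a likelihood x impact heat map. Scales and asset data are assumed.
from collections import defaultdict

# Qualitative impact levels from the article mapped to an assumed 1-5 numeric scale.
IMPACT_SCALE = {"low": 1, "medium": 3, "high": 5}

# Constructed register: (asset, likelihood on a 1-5 scale, qualitative impact).
RISK_REGISTER = [
    ("cardholder database", 4, "high"),
    ("public marketing site", 5, "low"),
    ("HR file share", 3, "medium"),
    ("internet-facing mail server", 4, "high"),
    ("office printers (IoT)", 2, "low"),
]

def risk_score(likelihood: int, impact: str) -> int:
    """Risk = Probability of Event x Impact to the Organization (1-25 here)."""
    if not 1 <= likelihood <= 5:
        raise ValueError("likelihood must be on the 1-5 scale")
    return likelihood * IMPACT_SCALE[impact]

def rank_risks(register):
    """Return (asset, score) pairs from highest to lowest risk; ties keep input order."""
    scored = [(asset, risk_score(lik, imp)) for asset, lik, imp in register]
    return sorted(scored, key=lambda item: item[1], reverse=True)

def heat_map(register):
    """Bucket assets into cells keyed by (likelihood, numeric impact) for plotting."""
    grid = defaultdict(list)
    for asset, lik, imp in register:
        grid[(lik, IMPACT_SCALE[imp])].append(asset)
    return dict(grid)

def render_heat_map(register) -> str:
    """Text grid: rows are likelihood (5 at top), columns are impact 1..5, cells count assets."""
    grid = heat_map(register)
    lines = ["likelihood \\ impact  1  2  3  4  5"]
    for lik in range(5, 0, -1):
        cells = [str(len(grid.get((lik, imp), []))) for imp in range(1, 6)]
        lines.append(f"{lik:>19}  " + "  ".join(cells))
    return "\n".join(lines)

if __name__ == "__main__":
    for asset, score in rank_risks(RISK_REGISTER):
        print(f"{score:>3}  {asset}")
    print(render_heat_map(RISK_REGISTER))
```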

Define risk tolerance

The organization’s risk tolerance ultimately drives the controls that an organization needs to put in place to mitigate risk. Organizations can make one of four decisions:

Accept risk: The impact is so low to the organization that it costs more to mitigate the risk than the impact would cost

Deny risk: The impact is so high that mitigation strategies fail to reduce cost enough to make the technology worthwhile

Transfer risk: Someone else, like a cyber-risk insurer, covers the potential impact of the risk

Mitigate risk: Put controls in place that help limit a risk’s likelihood or impact to the organization

Set risk mitigation controls

Every organization needs to set controls to reduce the impact of a given risk. These controls act as the first step toward establishing the security program.

Data risk mitigation controls

Most safeguards for sensitive information are implemented by restricting user access and controlling where data is processed, stored, or transmitted.

However, before the organization can put those controls in place, it needs to classify sensitive data. This step is different from the data identification phase. Now, the organization is not just noting it has sensitive data, it is purposefully classifying and tagging the data so it can apply additional controls.

Device risk mitigation controls

Mitigating the cybersecurity risks associated with devices has become even more challenging with more people working remotely and using personal devices. Some typical controls include:

  • Installing anti-virus software on devices
  • Creating a security patch update policy and process
  • Requiring users to authenticate to a device
  • Encrypting devices to mitigate the risks arising from device theft
  • Hardening systems

Storage, processing, & transmission risk mitigation controls

As organizations adopt more cloud-based services, protecting sensitive data often means securing code-based locations and working to secure networks. Some risk mitigation controls include:

  • Network segmentation
  • Virtual private networks (VPNs)
  • Firewalls
  • Network scanning

User access risk mitigation controls

Cloud adoption also changes the importance of user access controls. Identity and Access Management (IAM) is more important than ever. When users connect to a network from inside the company’s firewall, the organization has more control over what they access and how they access it. Today, even users in an organization’s physical offices access applications using the public internet.

Some user access risk mitigation controls include:

  • Limiting access according to, and enforcing, the principle of least privilege
  • Requiring users to authenticate to networks and applications
  • Establishing and enforcing segregation of duties (SoD) controls
  • Using role-based access controls (RBAC)
  • Using attribute-based access controls
  • Enforcing strong password policies
  • Using multi-factor authentication (MFA)

Why Are Risk Assessments Challenging?

In modern, interconnected IT ecosystems, risk assessments can be difficult due to the inability to maintain asset inventory, lack of visibility into third-party vendor risk, staffing changes, and point-in-time problems.

Inability to maintain asset inventory

Organizations and users introduce new devices to the corporate network regularly. While this can streamline business operations, it also makes maintaining an accurate asset inventory difficult.

Additionally, IoT devices use different connection points and ports from traditional IT. Many companies use network discovery scanners to detect new devices, but these scanners do not always review the ports that IoT devices use. This means that companies may have “blind spots” when it comes to IoT.

Lack of visibility into third-party vendor risk

Every technology that connects to the corporate network is a third-party vendor. As threat actors increasingly target supply chains, companies need greater visibility into their technology vendors’ security.

However, these intricate ecosystems include not only a company’s vendors but also the vendors’ own third-party technologies. While an organization may be able to control its own risk, it lacks the ability to know or control the downstream risks.

Joiner-mover-leaver risk

All organizations experience changes in their workforce. New people join. Workforce members move to different departments. Some people leave. Each change impacts the risks associated with user access.

For example, when people move from one department to another, they may bring their access with them. However, people working in sales may not need the same access as those on the marketing team. This creates a risk of someone having more access than necessary. Another risk occurs when people leave an organization. If the organization fails to terminate access quickly, threat actors may use the dormant account to gain access to systems and networks.

Point-in-time problems

Risk assessments tend to provide a snapshot of an organization’s risk and security posture at a given moment in time. Although organizations need to undertake additional assessments when they make significant changes to their IT stack, this only covers their technology choices.

Software vulnerabilities or changes in attack methodologies also impact the organization’s risk posture. Unfortunately, these changes can come at any time, not just on a predetermined schedule.

As industry standards and regulatory compliance requirements change, many are requiring organizations to engage in continuous monitoring. This means that companies need to move away from the point-in-time assessments and find ways to look proactively for new risks. In order to continuously mitigate risk, organizations need to continuously monitor for it.

Protect Data with Robust Risk Assessments

A cybersecurity risk assessment is the foundation of strong security and compliance programs. Whether an organization is trying to pass an audit or reduce its risk of experiencing a data breach, it needs visibility to meet mission-critical needs.

As organizations venture into the world of public cloud vendors, ensuring compliance can be a daunting challenge — especially without hands-on experience. That’s where a trusted managed security services provider, like Fortra’s Alert Logic, comes in. With deep expertise in cloud security, Alert Logic offers a seamless, all-in-one solution for 24/7 risk visibility, threat detection, and compliance coverage—backed by a global SOC and a single, integrated security platform.

With the right reports documenting continuous monitoring activities, organizations can reduce risk and enhance their compliance posture. Organizations need to prove that they can detect new risks in a timely manner, rather than waiting for the periodic assessment. Having the right tools and business partners in place enables them to reduce the time and operational costs associated with risk monitoring while improving their cybersecurity risk posture and resiliency.


About the Author
Fortra's Alert Logic Staff
