News 08.28.18

Effective Cyber-Risk Management For Small and Mid-Sized Companies

Cyber Risk Management: Risk Assessment

The first step in creating a comprehensive cybersecurity strategy is to prepare a risk assessment. Many companies think that because they have evaluated their compliance with a particular security standard, such as HIPAA, they have sufficiently assessed their cyber risk. However, generalized security audit standards, while helpful and required for regulatory compliance, do not address the additional, specific risks faced by an individual company. A proper and thorough risk assessment requires an organization to identify the specific risks it faces and then to prioritize the management of each risk.

To prepare for a risk assessment, the company’s IT, business representatives, and attorneys must collaborate and define the scope and purpose of the risk assessment. The involvement of different stakeholders in the organization – including legal, business, and technical – will maximize the effectiveness of the cyber risk management program. 

The second step is to retain a third-party IT forensics company to conduct the risk assessment. Best practices dictate that an organization should use a third party, and not its own IT department, to conduct the assessment in order to ensure an unbiased process and unbiased results. The third party should identify threat sources and events, assess current vulnerabilities and predisposing conditions (including the lack of staff with forensic skills), and determine the likelihood of an occurrence along with its potential impact on the business and its operations.

The third step is to communicate the identified risks to appropriate company personnel. Communication is vital because it is itself one method of mitigating the risks. For an obvious example, because almost any company will formally recognize phishing e-mails as a risk, that company must communicate this risk to every employee who uses e-mail.

Finally, it is critical to bear in mind that these risks are always evolving. A business must therefore maintain its risk management protocol as a “living” document that likewise evolves over time. It is also prudent for businesses to schedule routine, formal reviews to evaluate the effectiveness of their programs and to determine whether additional action is necessary.

Cyber Risk Management: Additional Key Areas

Best practices indicate that small and mid-sized companies must also engage in additional cyber risk management activities to afford reasonable protection to business operations and to protect customers. In order to develop a culture of “cyber awareness”, companies must ensure that employees are effectively trained. It is also critical that businesses properly manage vendors and partners who have access to company data, develop and practice an emergency response plan, and evaluate the need for cyber risk insurance. Fortunately, an organization can implement these strategies at little cost. 

Conclusion

The risk of a cyber-attack is pervasive, is here to stay, and is one that is faced by companies of all shapes and sizes. Fortunately, with the right efforts and team in place, any organization – large or small – can effectively manage this risk.  

Segal McCambridge Singer & Mahoney would like to thank Sal D. Phillips for his efforts and contributions towards preparing this article.