Last updated Nov 6, 2023.
Cybersecurity risk assessments are essential in today’s threat landscape. Yet smaller organizations often struggle to assess their risk, particularly if they don’t have cyber security managed services. Without that expertise, it’s tough to know where to start.
Frameworks like NIST 800-171, ISO 27001:2013, and CIS RAM all offer robust protocols for identifying and quantifying risks, but SMBs often encounter a unique challenge here. Traditional gap assessments can make it appear that the organization must mitigate all risks completely. This is often impossible due to 1) limited resources, and 2) the excessive friction that this would introduce to business processes.
Clearly, SMBs need practical methods of assessing and mitigating cybersecurity risk. Ideally, these methods would define and allow acceptable risk while providing sufficient security. They should do so without forcing the organization to over-invest—and without creating extreme roadblocks for business processes.
That’s the thinking behind CIS RAM, the Risk Assessment Method jointly developed by CIS (Center for Internet Security) and HALOCK Security Labs. It’s an excellent methodology for assessing cybersecurity risk, and it’s what we recommend for SMBs here at Corsica Technologies.
Here’s everything you need to know about cybersecurity risk assessments.
Need to assess your cybersecurity risk?
1. What you gain from a cybersecurity risk assessment
As you can imagine, a cybersecurity risk assessment comes with tons of benefits. Here’s what smaller organizations gain from the process.
Enterprise-level knowledge of risk
Small businesses typically can’t afford to hire cybersecurity experts on staff. This puts them at a significant disadvantage in comparison to enterprises.
You might think a large company is more likely to be a target. Unfortunately, it’s exactly the opposite. Enterprise-class organizations have hardened their systems so well that cyber criminals are turning to softer targets. That means local manufacturers, regional banks, medical practices, county governments—even local schools.
Every organization needs enterprise-level knowledge of their cybersecurity risks. An assessment from experts provides deep insight that a smaller organization can’t get any other way.
A methodology for defining the threshold of acceptable risk
100% bulletproof security is actually impossible to attain. You don’t know what you don’t know about evolving cyberthreats. Even if it was possible, SMBs would struggle to allocate resources to maintain this security. They would also experience prohibitive friction in their daily operations.
A cybersecurity assessment provides a rubric for defining the threshold of acceptable risk. To do so, it provides a framework for quantifying risk, which makes it easier to communicate both findings and mitigation plans to stakeholders.
A clear plan for mitigating risks to acceptable levels
Since a cybersecurity assessment measures risk against a well-defined threshold of acceptability, it also helps give structure to plans for mitigating risks to acceptable levels. It really isn’t possible to do this without an assessment, since the assessment process determines both the threshold of acceptable risk and the actual quantified risk in any particular area.
A clear plan for implementing “just enough” security
Not enough security, and an organization maintains unacceptable levels of risk.
Too much security, and the organization can’t function due to the friction introduced by excessive measures.
The key, then, is to implement “just enough” security—which a risk assessment helps define. This prevents the organization from spending too much on cybersecurity or introducing too much friction to their operations.
2. Dangers of not assessing cyber risks
It’s one thing to know where your vulnerabilities lie. Then you can mitigate them.
But if you don’t even know your weak spots, you’re basically in the dark. That lack of knowledge can have catastrophic consequences. Consider even the simplest of cyber breach scenarios. Many attacks are far more sophisticated than these.
An employee enters sensitive information in a ChatGPT prompt
Believe it or not, ChatGPT is a cybersecurity risk.
Anything entered in a verbal prompt can be used to train the AI further. This means it can also leak out in the AI’s output.
This is why we recommend Microsoft Copilot rather than ChatGPT. Copilot works within your Microsoft 365 environment and rigorously protects your data (and anything entered in prompts). Read more here: Microsoft Copilot vs. ChatGPT.
Your newest employee clicks a link in a phishing email
A phishing email is one that comes from a rogue actor while appearing to be legitimate. Phishers use techniques of social engineering to create a sense of urgency and panic—so the employee reacts and clicks a link (or downloads an attachment) before thinking critically.
For example, a phishing email might claim to be from HR, saying you need to click a link to enter banking details, or you won’t get paid.
Whatever the strategy, phishing emails are incredibly dangerous.
But they also have telltale signs that employees can learn to recognize. Things like strange “from” addresses and odd URLs linked in buttons are dead ringers.
A cybersecurity risk assessment can help you uncover weaknesses in email security, as well as gaps in employee awareness. It’s the first step in mitigating the ever-present threat of phishing emails.
A weak password leads to a breach… and a ransomware attack
For legacy organizations, passwords can represent a massive liability. The older the system, the more likely it is to have a highly unsecured password and no MFA (multi-factor authentication).
How real is this threat? Consider the top 5 most common passwords in 2022, according to NordPass:
Even if an employee isn’t using such dangerous passwords, they may have one password that they use across all systems. Your organization may even have a single password that many employees use to access many different systems.
All it takes is a single breach for hackers to install ransomware or malware. Consider that the average ransomware demand hit $4.74 million in 2022 ($13.2 million for businesses). Clearly, weak passwords are one of the greatest dangers any organization faces.
Luckily, a cybersecurity risk assessment will uncover just how much risk you face here—and how you can mitigate it without making operations impossible.
Your IT team misses a server patch… and hackers install malware
This is a significant liability for legacy organizations using on-premises servers. However, even companies with cloud-based services can fall prey to missed patches if they don’t have an MSP (managed services provider) or MSSP (managed security services provider) who’s responsible for all patches.
If your team doesn’t patch a vulnerability, hackers can easily install malware on the unsecured system. This can empower them to exfiltrate data, direct website users to malicious IPs, and more.
A cybersecurity risk assessment can uncover the unpatched systems you didn’t know about. It’s crucial to preventing this type of attack.
3. Evaluating risk assessments (and getting your money’s worth)
This may work for larger organizations that have a dedicated cyber team. However, SMBs usually need a plan for mitigating risks in addition to the assessment.
This is why smaller organizations should look for comprehensive assessments. Make sure you ask for recommendations and an action plan in addition to the assessment itself.
Hint: That’s what we offer here at Corsica Technologies.
4. Cybersecurity risk assessment process
Here at Corsica Technologies, we use CIS RAM to conduct cybersecurity risk assessments. Here’s what the process typically looks like.
- Develop criteria for both risk assessment and risk acceptance.
- Model risks by evaluating the existing implementation of the relevant CIS Safeguards.
- Evaluate risks. Estimate the expectancy and impact of a breach to arrive at a quantified score for each risk.
- Propose implementation of CIS Safeguards that will reduce unacceptable risks.
- Analyze the proposed CIS Safeguards to make sure they will reduce risk to acceptable levels without introducing unacceptable friction to operations.
Risks may be modeled differently depending on how advanced your existing controls are. The sophistication of your existing controls is defined by CIS’s Critical Security Controls Implementation Groups, and CIS provides specific guidance on how to model risks for each implementation group (IG) which they define. A qualified cybersecurity risk assessor will determine your IG, and thus how your risks should be modeled.
5. Risk assessment deliverables
As we mentioned above, not every company provides a comprehensive risk assessment—i.e., one that goes beyond a mere description of the problem and provides a plan for mitigation. When working with Corsica, you don’t only get the results of our assessment. You get our recommendations, too.
- Report evaluating your current cyber risks against the relevant standards
- In-depth analysis of the report
- In-depth consultation regarding our findings with our CISO, Ross Filipek
- Detailed plan of recommended mitigation strategies based on our findings
6. Take our self-appraisal quiz
Use our self-service quiz to get a high-level understanding of your risks. This interactive tool is provided for illustration purposes only, but it can help you uncover the areas that need to be assessed.