The Nuts And Bolts Of Cybersecurity Risk Assessments


Last updated Nov 6, 2023.

Cybersecurity risk assessments are essential in today’s threat landscape. Yet smaller organizations often struggle to assess their risk, particularly if they don’t have managed cybersecurity services. Without that expertise, it’s tough to know where to start.  

Frameworks like NIST 800-171, ISO 27001:2013, and CIS RAM all offer robust protocols for identifying and quantifying risks, but SMBs often encounter a unique challenge here. Traditional gap assessments can make it appear that the organization must mitigate all risks completely. This is often impossible due to 1) limited resources, and 2) the excessive friction that this would introduce to business processes. 

Clearly, SMBs need practical methods of assessing and mitigating cybersecurity risk. Ideally, these methods would define and allow acceptable risk while providing sufficient security. They should do so without forcing the organization to over-invest—and without creating extreme roadblocks for business processes. 

That’s the thinking behind CIS RAM, the Risk Assessment Method jointly developed by CIS (Center for Internet Security) and HALOCK Security Labs. It’s an excellent methodology for assessing cybersecurity risk, and it’s what we recommend for SMBs here at Corsica Technologies.  

Here’s everything you need to know about cybersecurity risk assessments.  


1. What you gain from a cybersecurity risk assessment 

As you can imagine, a cybersecurity risk assessment comes with tons of benefits. Here’s what smaller organizations gain from the process.  

Enterprise-level knowledge of risk 

Small businesses typically can’t afford to hire cybersecurity experts on staff. This puts them at a significant disadvantage in comparison to enterprises.  

You might think a large company is more likely to be a target. Unfortunately, it’s exactly the opposite. Enterprise-class organizations have hardened their systems so well that cyber criminals are turning to softer targets. That means local manufacturers, regional banks, medical practices, county governments—even local schools.   

Every organization needs enterprise-level knowledge of their cybersecurity risks. An assessment from experts provides deep insight that a smaller organization can’t get any other way.  

A methodology for defining the threshold of acceptable risk 

100% bulletproof security is actually impossible to attain. You don’t know what you don’t know about evolving cyberthreats. Even if it were possible, SMBs would struggle to allocate the resources needed to maintain that level of security. They would also experience prohibitive friction in their daily operations.  

A cybersecurity assessment provides a rubric for defining the threshold of acceptable risk. To do so, it provides a framework for quantifying risk, which makes it easier to communicate both findings and mitigation plans to stakeholders.  

A clear plan for mitigating risks to acceptable levels 

Since a cybersecurity assessment measures risk against a well-defined threshold of acceptability, it also helps give structure to plans for mitigating risks to acceptable levels. It really isn’t possible to do this without an assessment, since the assessment process determines both the threshold of acceptable risk and the actual quantified risk in any particular area.  

A clear plan for implementing “just enough” security 

Not enough security, and an organization maintains unacceptable levels of risk.  

Too much security, and the organization can’t function due to the friction introduced by excessive measures.  

The key, then, is to implement “just enough” security—which a risk assessment helps define. This prevents the organization from spending too much on cybersecurity or introducing too much friction to their operations.  

2. Dangers of not assessing cyber risks  

It’s one thing to know where your vulnerabilities lie. Then you can mitigate them.  

But if you don’t even know your weak spots, you’re basically in the dark. That lack of knowledge can have catastrophic consequences. Consider even the simplest of cyber breach scenarios. Many attacks are far more sophisticated than these.  

An employee enters sensitive information in a ChatGPT prompt

Believe it or not, ChatGPT is a cybersecurity risk. 

Anything entered in a prompt can be used to train the AI further. This means it can also leak out in the AI’s output. 

This is why we recommend Microsoft Copilot rather than ChatGPT. Copilot works within your Microsoft 365 environment and rigorously protects your data (and anything entered in prompts). Read more here: Microsoft Copilot vs. ChatGPT

Your newest employee clicks a link in a phishing email 

A phishing email is one that comes from a rogue actor while appearing to be legitimate. Phishers use techniques of social engineering to create a sense of urgency and panic—so the employee reacts and clicks a link (or downloads an attachment) before thinking critically.  

For example, a phishing email might claim to be from HR, saying you need to click a link to enter banking details, or you won’t get paid.  

Whatever the strategy, phishing emails are incredibly dangerous.  

But they also have telltale signs that employees can learn to recognize. Things like strange “from” addresses and odd URLs linked in buttons are dead giveaways.  

A cybersecurity risk assessment can help you uncover weaknesses in email security, as well as gaps in employee awareness. It’s the first step in mitigating the ever-present threat of phishing emails.  

A weak password leads to a breach… and a ransomware attack 

For legacy organizations, passwords can represent a massive liability. The older the system, the more likely it is to have a weak password and no MFA (multi-factor authentication).  

How real is this threat? Consider the top 5 most common passwords in 2022, according to NordPass: 

  • password
  • 123456
  • 123456789
  • guest
  • qwerty

Even if an employee isn’t using such dangerous passwords, they may have one password that they use across all systems. Your organization may even have a single password that many employees use to access many different systems.  

All it takes is a single breach for hackers to install ransomware or malware. Consider that the average ransomware demand hit $4.74 million in 2022 ($13.2 million for businesses). Clearly, weak passwords are one of the greatest dangers any organization faces.  

Luckily, a cybersecurity risk assessment will uncover just how much risk you face here—and how you can mitigate it without making operations impossible.  

Your IT team misses a server patch… and hackers install malware 

This is a significant liability for legacy organizations using on-premises servers. However, even companies with cloud-based services can fall prey to missed patches if they don’t have an MSP (managed services provider) or MSSP (managed security services provider) who’s responsible for all patches.  

If your team doesn’t patch a vulnerability, hackers can easily install malware on the unsecured system. This can empower them to exfiltrate data, direct website users to malicious IPs, and more.  

A cybersecurity risk assessment can uncover the unpatched systems you didn’t know about. It’s crucial to preventing this type of attack.  

3. Evaluating risk assessments (and getting your money’s worth) 

Not all cybersecurity risk assessments are created equal. Some vendors will provide only the assessment findings, with no recommended action plan to mitigate risks. 

This may work for larger organizations that have a dedicated cyber team. However, SMBs usually need a plan for mitigating risks in addition to the assessment.  

This is why smaller organizations should look for comprehensive assessments. Make sure you ask for recommendations and an action plan in addition to the assessment itself.  

Hint: That’s what we offer here at Corsica Technologies.  

4. Cybersecurity risk assessment process 

Here at Corsica Technologies, we use CIS RAM to conduct cybersecurity risk assessments. Here’s what the process typically looks like.  

  1. Develop criteria for both risk assessment and risk acceptance.
  2. Model risks by evaluating the existing implementation of the relevant CIS Safeguards.
  3. Evaluate risks. Estimate the expectancy and impact of a breach to arrive at a quantified score for each risk.
  4. Propose implementation of CIS Safeguards that will reduce unacceptable risks.
  5. Analyze the proposed CIS Safeguards to make sure they will reduce risk to acceptable levels without introducing unacceptable friction to operations.

Risks may be modeled differently depending on how advanced your existing controls are. The sophistication of your existing controls is defined by the CIS Critical Security Controls Implementation Groups, and CIS provides specific guidance on how to model risks for each Implementation Group (IG). A qualified cybersecurity risk assessor will determine your IG, and thus how your risks should be modeled.  
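To make steps 3 to 5 concrete, here is an added illustration (not Corsica’s or CIS’s own tooling) of how a risk score, an acceptance criterion and a proposed safeguard fit together. The 1–5 rating scales, the acceptance threshold of 9, the “burden” rating and the sample risk register are all assumptions constructed for the example; a real CIS RAM engagement defines these criteria in step 1.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales for expectancy and impact, so a risk score
# (impact x expectancy) runs 1..25; real CIS RAM criteria are set in step 1.
ACCEPTABLE_RISK = 9  # assumed acceptance criterion: scores <= 9 need no action

@dataclass
class Risk:
    name: str        # constructed example label
    expectancy: int  # how likely a breach is, 1 (rare) .. 5 (expected)
    impact: int      # harm if it occurs, 1 (negligible) .. 5 (catastrophic)
@dataclass
class Proposal:
    safeguard: str            # proposed CIS Safeguard (constructed label)
    residual_expectancy: int  # expectancy once the safeguard is in place
    residual_impact: int      # impact once the safeguard is in place
    burden: int               # friction/cost to operations, same 1..25 scale

def score(expectancy: int, impact: int) -> int:
    """Quantified risk score of step 3: impact x expectancy."""
    for v in (expectancy, impact):
        if not 1 <= v <= 5:
            raise ValueError("ratings must be on the 1-5 scale")
    return expectancy * impact

def analyze(risk: Risk, proposal: Proposal, acceptable: int = ACCEPTABLE_RISK) -> dict:
    """Steps 3-5: score the risk, then check the proposed safeguard reaches the
    acceptable level without costing more than the risk it removes."""
    current = score(risk.expectancy, risk.impact)
    if current <= acceptable:
        return {"risk": risk.name, "score": current, "verdict": "acceptable as-is"}
    residual = score(proposal.residual_expectancy, proposal.residual_impact)
    if residual > acceptable:
        verdict = "rework proposal: still unacceptable"
    elif proposal.burden > current:   # friction must not exceed the risk it addresses
        verdict = "rework proposal: burden too high"
    else:
        verdict = "accept proposal"
    return {"risk": risk.name, "score": current, "residual": residual,
            "burden": proposal.burden, "verdict": verdict}
# Constructed sample register; scenarios mirror the page's breach examples.
REGISTER = [
    (Risk("shared password, no MFA", 5, 5),
     Proposal("unique passwords + MFA on all systems", 2, 4, 6)),
    (Risk("unpatched on-premises server", 4, 5),
     Proposal("monthly patch window only", 3, 5, 2)),
    (Risk("phishing awareness gap", 3, 3), Proposal("annual training", 2, 3, 3)),
]
def run_assessment(register=REGISTER) -> list:
    return [analyze(r, p) for r, p in register]
```

Running `run_assessment()` flags the shared-password risk as fixed by the MFA proposal, sends the patching proposal back because a monthly window alone leaves the score above the threshold, and leaves the phishing risk as acceptable under the assumed criterion.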

5. Risk assessment deliverables 

As we mentioned above, not every company provides a comprehensive risk assessment—i.e., one that goes beyond a mere description of the problem and provides a plan for mitigation. When working with Corsica, you don’t only get the results of our assessment. You get our recommendations, too.  

Here are the deliverables you receive: 

  • Report evaluating your current cyber risks against the relevant standards 
  • In-depth analysis of the report 
  • In-depth consultation regarding our findings with our CISO, Ross Filipek 
  • Detailed plan of recommended mitigation strategies based on our findings 

6. Take our self-appraisal quiz 

Use our self-service quiz to get a high-level understanding of your risks. This interactive tool is provided for illustration purposes only, but it can help you uncover the areas that need to be assessed.  

Ross Filipek
Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the cybersecurity industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.
