TL;DR
This guide walks through working out which threats your organisation faces, how likely each one is and what it would cost you if it happened, whether or not you already have cyber security measures in place. It is broken down into six simple steps, from listing what you need to protect to deciding what to fix first.
1. Identify Your Assets
What’s important? This isn’t just computers; it includes data, reputation, even physical items. Make a list of everything you need to protect.
- Data: Customer details, financial records, intellectual property, employee information.
- Hardware: Servers, laptops, desktops, mobile phones, network equipment (routers, switches).
- Software: Operating systems, applications, cloud services.
- People: Employees, contractors – anyone with access to your systems.
Document where these assets are located and who is responsible for them.
2. Identify Potential Threats
What could go wrong? Think about the things that might harm your assets. Common threats include:
- Malware: Viruses, ransomware, spyware.
- Phishing: Emails or messages trying to trick people into giving away information.
- Social Engineering: Manipulating people to bypass security measures.
- Data Breaches: Unauthorised access to, or theft of, sensitive data. Often this is the end result of one of the other threats rather than a separate one, but it is worth listing because its impact is what you will be measuring in step 4.
- Denial of Service (DoS): Making your systems unavailable.
- Insider Threats: Harm caused by current or former employees or contractors, whether deliberate (taking data to a competitor) or accidental (emailing a spreadsheet to the wrong person).
Use threat intelligence sources such as the National Cyber Security Centre (NCSC) to stay up to date on which of these are actually being used against organisations like yours.
3. Assess Vulnerabilities
What weaknesses exist that threats could exploit? This is where you look for holes in your defences (or lack of them).
- Software Updates: Are all systems patched with the latest security updates? Use a vulnerability scanner like Nessus or OpenVAS.
- Password Strength: Are passwords strong, unique and not reused across systems? Consider using a password manager, and enable multi-factor authentication wherever it is supported so a stolen password alone is not enough.
- Access Controls: Who has access to what data? Review user permissions regularly.
- Network Security: Is your network protected by a firewall, and do its rules actually restrict traffic rather than allow everything? List the active rules and check the firewall logs for blocked or unexpected connections. On a Linux host the rules can be listed with:
sudo iptables -L -n -v
(or sudo nft list ruleset on systems that use nftables). Look for a default policy of ACCEPT on incoming traffic and for management or database ports that are reachable from any address.
- Physical Security: Are servers and computers physically secure?
If you already have countermeasures, test them rather than assume they work: have someone try to bypass them the way an attacker would. This is called penetration testing, and it regularly finds that a control exists on paper but not in practice (a firewall rule that was never applied, a backup that does not restore).
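To show what a firewall-rule review from the Network Security check looks like in practice, here is an added example (not from the original guide). It reads the rule-spec listing that sudo iptables -S prints (the same format as iptables-save) and flags a default-allow policy and sensitive services accepted from any source. The sample rules, the list of ports treated as sensitive and the helper names are all constructed for this example.

```python
"""Review iptables rules for common weaknesses.

Added example, not part of the original guide. Input is the rule-spec
listing printed by `sudo iptables -S`. The sample rules and the list of
sensitive ports below are constructed for the example.
"""
import shlex

# Constructed sample: what `sudo iptables -S` might print on a small server.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Services a reviewer would not expect to be reachable from everywhere.
# Assumed list for the example; tune it to your environment.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 3306: "mysql", 3389: "rdp",
                   5432: "postgres", 6379: "redis"}

# Options that take a value; the walker below skips the value token.
_VALUE_OPTS = {"-s", "-d", "-p", "-i", "-o", "-m", "-j", "-g",
               "--dport", "--sport", "--ctstate", "--state"}


def _port_range(val):
    """'22' -> (22, 22); '6000:6010' -> (6000, 6010)."""
    lo, _, hi = val.partition(":")
    return (int(lo), int(hi) if hi else int(lo))


def parse_rules(text):
    """Return (policies, rules) from iptables -S output.

    policies maps chain -> default target; each rule is a dict with the
    chain, source (None when unrestricted), proto, dport range and target.
    """
    policies, rules = {}, []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":
            policies[tokens[1]] = tokens[2]
            continue
        if tokens[0] != "-A":
            continue  # -N (new chain) and anything else is not a rule
        rule = {"chain": tokens[1], "source": None, "proto": None,
                "dport": None, "target": None, "raw": line}
        i, negate = 2, False
        while i < len(tokens):
            opt = tokens[i]
            if opt == "!":
                negate = True
                i += 1
                continue
            val = tokens[i + 1] if opt in _VALUE_OPTS and i + 1 < len(tokens) else None
            if opt == "-s":
                # "! -s 10.0.0.0/8" still admits most of the internet, so a
                # negated source is treated as unrestricted.
                rule["source"] = None if negate else val
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = _port_range(val)
            elif opt == "-j":
                rule["target"] = val
            negate = False
            i += 2 if val is not None else 1
        rules.append(rule)
    return policies, rules


def audit(text):
    """Return a list of findings (strings) for the given iptables -S output."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) == "ACCEPT":
            findings.append(f"{chain} policy is ACCEPT: anything no rule matches is allowed in")
    for rule in rules:
        if rule["chain"] != "INPUT" or rule["target"] != "ACCEPT" or rule["dport"] is None:
            continue
        lo, hi = rule["dport"]
        exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
        if exposed and rule["source"] is None:
            ports = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append(f"{'/'.join(exposed)} ({rule['proto']}/{ports}) "
                            f"accepted from any source: {rule['raw']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

On the sample it reports the ACCEPT default policy on INPUT, SSH and RDP open to the world, and says nothing about MySQL because that rule is limited to 10.0.0.0/8. Run it against real output with sudo iptables -S | python3 audit.py after swapping SAMPLE_RULES for sys.stdin.read(); on nftables-only hosts the rule syntax differs and this parser does not apply.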
4. Analyse Risk
How likely is each threat to happen, and what would be the impact if it did? This combines likelihood and severity.
- Likelihood: How probable is the threat? (Low, Medium, High)
- Impact: What damage would it cause? (Low, Medium, High – consider financial loss, reputational damage, legal consequences).
Create a risk matrix. A simple example:
| | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| Low Likelihood | Low Risk | Low-Medium Risk | Medium Risk |
| Medium Likelihood | Low-Medium Risk | Medium Risk | High Risk |
| High Likelihood | Medium Risk | High Risk | Critical Risk |
Prioritise risks based on their level (Critical > High > Medium > Low).
5. Develop a Mitigation Plan
What will you do to reduce the risk? This could involve:
- Implementing Security Controls: Firewalls, antivirus software, intrusion detection systems.
- Training Employees: Teach them about phishing and social engineering.
- Data Backup & Recovery: Regularly back up your data and test your recovery procedures.
- Incident Response Plan: What will you do if a security incident occurs?
Document the plan clearly, including responsibilities and timelines.
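Here is an added example (not from the original guide) that ties steps 1 to 5 together: a small risk register scored with the likelihood and impact matrix from step 4, sorted so the mitigation plan starts with the biggest risks, and re-scored to show the residual risk once each planned control is in place. The register entries, the controls and their assumed effect on likelihood or impact are invented for the example, as are the function names.

```python
"""Risk register scoring and prioritisation.

Added example, not from the original guide. Applies the likelihood x impact
matrix from step 4 to a register built from steps 1 to 3 and orders the
mitigation plan (step 5) by risk level. The entries, controls and their
assumed effects are all constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ("Low", "Medium", "High")

# The matrix from step 4: RISK_MATRIX[likelihood][impact].
RISK_MATRIX = {
    "Low":    {"Low": "Low",        "Medium": "Low-Medium", "High": "Medium"},
    "Medium": {"Low": "Low-Medium", "Medium": "Medium",     "High": "High"},
    "High":   {"Low": "Medium",     "Medium": "High",       "High": "Critical"},
}
# Critical > High > Medium > Low-Medium > Low.
PRIORITY = {"Critical": 4, "High": 3, "Medium": 2, "Low-Medium": 1, "Low": 0}


@dataclass
class Risk:
    asset: str            # step 1
    threat: str           # step 2
    vulnerability: str    # step 3
    likelihood: str       # step 4, one of LEVELS
    impact: str           # step 4, one of LEVELS
    control: str = ""     # step 5: the planned mitigation
    # Assumed effect of the control once in place (None = unchanged).
    likelihood_after: Optional[str] = None
    impact_after: Optional[str] = None


def rate(likelihood, impact):
    """Look up the risk level for a likelihood/impact pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


def inherent(risk):
    """Risk level before any planned control."""
    return rate(risk.likelihood, risk.impact)


def residual(risk):
    """Risk level expected after the planned control takes effect."""
    return rate(risk.likelihood_after or risk.likelihood,
                risk.impact_after or risk.impact)


def prioritise(register):
    """Order the register highest risk first; ties broken by asset name."""
    return sorted(register, key=lambda r: (-PRIORITY[inherent(r)], r.asset))


def needs_more_work(register, threshold="High"):
    """Assets whose residual risk is still at or above the threshold."""
    return [r.asset for r in register
            if PRIORITY[residual(r)] >= PRIORITY[threshold]]


def sample_register():
    """Constructed register for the example (not real findings)."""
    return [
        Risk("Customer database", "Ransomware", "Server missing patches",
             "High", "High", "Patch within 14 days; tested offline backups",
             likelihood_after="Medium", impact_after="Medium"),
        Risk("Employee laptops", "Phishing", "Passwords only, no MFA",
             "High", "Medium", "Enforce MFA; phishing awareness training",
             likelihood_after="Medium"),
        # A review alone detects misuse but does not prevent it, so the
        # assumed likelihood and impact are unchanged: residual stays High.
        Risk("Finance spreadsheets", "Insider threat", "Shared account, no access review",
             "Medium", "High", "Quarterly access review"),
        Risk("Office router", "Denial of service", "Default admin credentials",
             "Medium", "Low", "Change default credentials",
             likelihood_after="Low"),
    ]


def mitigation_plan(register):
    """Rows for the step 5 document, in priority order."""
    return [{"asset": r.asset, "threat": r.threat, "risk": inherent(r),
             "control": r.control, "residual": residual(r)}
            for r in prioritise(register)]


if __name__ == "__main__":
    for row in mitigation_plan(sample_register()):
        print(f"{row['risk']:<11} {row['asset']:<22} {row['control']} "
              f"(residual: {row['residual']})")
    print("still at or above High:", needs_more_work(sample_register()))
```

The residual column is the part most plans leave out: a control that only detects a problem (the access review here) does not lower the rating, and needs_more_work surfaces exactly those entries so you either add a preventive control or record that the risk is accepted and by whom.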
6. Review and Update
Cyber security risk assessment isn’t a one-time thing. Threats change constantly, so your assessment needs to be reviewed regularly – at least annually, and sooner after a significant change to your organisation (new systems, a new supplier, a reorganisation), after a security incident, or when the threat landscape shifts. Each review should revisit the asset list first, since a risk you never listed is one you never rated.

