
How to Do a Cybersecurity Risk Assessment to Protect Your Company

As cyber attacks continue to rise in frequency and severity, it’s critical for organizations to evaluate their readiness in the event of an attack or data breach. According to the FBI’s Internet Crime Complaint Center (IC3) report for 2023: “IC3 received a record number of complaints from the American public: 880,418 complaints were registered, with potential losses exceeding $12.5 billion. This is a nearly 10% increase in complaints received, and it represents a 22% increase in losses suffered, compared to 2022.”

To make the situation worse, the report also admits that the figures “are conservative regarding cybercrime” because a high percentage of victims do not report attacks. This new reality of digital risk requires a new literacy in cybersecurity, especially for companies and their employees. A basic step to improve your security fluency is performing a cybersecurity risk assessment. Cybersecurity risk assessments help organizations identify vulnerabilities and threats within their IT environment. This is a crucial step to taking stock of your systems and readiness.

“Conducting regular cybersecurity risk assessments is a fundamental part of safeguarding your business and maintaining operational integrity,” says Maria Chamberlain of Acuity Total Solutions, INC. “And a basic assessment is not necessarily difficult, but it does require an investment of time and focus to complete properly.”

Even businesses with limited funds and staff to allocate can perform a basic assessment. Below are some fundamental tasks that you can take to better understand your security position.


Step 1: Perform a Data Audit and Prioritize Based on Value

The first step is to understand what you have and what you need to protect. This requires a comprehensive audit of all digital assets. Digital assets include anything that the business uses, such as websites, mobile apps, databases, file servers, cloud storage, and software applications. You should classify these assets based on how important they are to the business. In other words: how sensitive is the information these assets hold? How much reach do they have in your day-to-day workflow? Which assets would cripple your business if they stopped working? What information would destroy your clients’ trust in you if it were stolen?

This audit should include inventorying endpoints, or any computer, device, printer, point-of-sale system or any other device, remote or local, that connects to your system. You should also inventory cloud systems, applications, and user accounts. Prioritize these assets based on their value and sensitivity to the business. This inventory will identify the company’s “crown jewels” so that you can clearly see how to prioritize your security measures.

Step 2: Identify Cyber Threats and Vulnerabilities

In this step, you identify any potential cyber threats and vulnerabilities in your system. This step requires an understanding of common threats like malware, phishing, and DDoS attacks. “Recognizing the specifics of potential threats is half the battle in mitigating them,” according to Maria Chamberlain.

Using malware as an example, your audit can now identify potential inroads for malware based on your endpoints inventory. Malware, or “malicious software,” is an umbrella term that describes any malicious program or code that is designed to harm or breach your systems. It’s most often introduced to a system by accidental downloads from an email attachment or a link clicked in an email.

So, which endpoints use email or download content that could spread to your company systems? These are critical gateways that need to be identified and cross-referenced with your inventory.

While malware, phishing, and DDoS attacks represent the most common forms of attack, you can also include the adversary techniques catalogued in the free MITRE ATT&CK knowledge base. MITRE ATT&CK® is a globally accessible knowledge base found at https://attack.mitre.org/.

Step 3: Assess and Analyze Associated Risk

Now it’s time to assess the risk associated with the identified vulnerabilities and threats. This involves calculating the likelihood and potential impact of each risk. Tools such as risk matrices can help in quantifying these risks effectively.

Here’s how risk matrices work:

After identifying the sensitive areas in your systems and their associated risks, you assign each risk a value that reflects how prepared you are for it. For example:

Step 1: Data Audit Prioritized Based on Value

List all the critical assets in your office environment. These can include:

  • Servers
  • Workstations
  • Databases
  • Network devices
  • User accounts

Step 2: Identify Cyber Threats and Vulnerabilities. Common threats include:

  • Malware
  • Phishing attacks
  • DDoS attacks

Step 3: Assess and Analyze Associated Risk

Determine the weaknesses within your IT environment that each threat technique could exploit. These could include:

  • Unpatched software
  • Weak passwords
  • Lack of multi-factor authentication
  • Poor employee awareness

Severity Assessment: Estimate how much disruption your company could tolerate if the system were compromised. You can categorize this as:

  • Acceptable: This system could be down or slowed.
  • Tolerable: While inconvenient, this system could be down for a time.
  • Undesirable: This is an important system and could disrupt business if lost.
  • Intolerable: This is an essential system that cannot be disrupted.

Likelihood Assessment: Estimate the probability of the threat occurring. You can categorize this as:

  • Improbable: Highly unlikely to occur.
  • Possible: Could occur occasionally.
  • Probable: Expected to occur frequently.

Impact Assessment: Determine the potential impact of a threat exploiting a vulnerability. Consider the following:

  • Low: Minimal disruption, easily manageable.
  • Medium: Some disruption, may require significant effort to address.
  • High: Major disruption, significant resource investment needed to recover.
  • Extreme: Severe disruption, potentially affecting business continuity.
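The following is an added worked example of the asset-prioritization and risk-matrix steps above; it is not code from the article or from Acuity Total Solutions. It uses the article's own category names for severity, likelihood and impact, but the numeric values behind them, the band thresholds (Critical/High/Medium/Low) and the sample register of assets, threats and vulnerabilities are all assumptions constructed for this example. A mistyped category is treated as an error rather than silently scoring zero, so a risk cannot drop out of the ranking unnoticed.

```python
from dataclasses import dataclass

# Ordinal scales built from the article's categories; the numbers are an assumption.
SEVERITY = {"acceptable": 1, "tolerable": 2, "undesirable": 3, "intolerable": 4}
LIKELIHOOD = {"improbable": 1, "possible": 2, "probable": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3, "extreme": 4}


def _lookup(scale: dict, name: str, value: str) -> int:
    """Resolve a category label to its ordinal; an unknown label raises instead of scoring 0."""
    key = value.strip().lower()
    if key not in scale:
        raise ValueError(f"unknown {name} category {value!r}; expected one of {sorted(scale)}")
    return scale[key]


@dataclass(frozen=True)
class Asset:
    name: str
    severity: str  # business tolerance for losing this asset (Step 1 / Severity Assessment)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str         # e.g. malware, phishing, DDoS (Step 2)
    vulnerability: str  # e.g. unpatched software, lack of MFA (Step 3)
    likelihood: str     # Likelihood Assessment category
    impact: str         # Impact Assessment category

    def score(self) -> int:
        """Classic likelihood x impact matrix cell value, range 1..12 on these scales."""
        return _lookup(LIKELIHOOD, "likelihood", self.likelihood) * _lookup(IMPACT, "impact", self.impact)

    def band(self) -> str:
        return risk_band(self.score())


def risk_band(score: int) -> str:
    """Map a matrix score to a treatment band; thresholds are an assumption for this example."""
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def rank_risks(risks):
    """Highest score first; ties broken by how intolerable losing the asset would be."""
    return sorted(
        risks,
        key=lambda r: (r.score(), _lookup(SEVERITY, "severity", r.asset.severity)),
        reverse=True,
    )


def matrix_view(risks):
    """Group asset names into (likelihood, impact) cells, the way a risk matrix is drawn."""
    cells = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.impact), []).append(r.asset.name)
    return cells


# Constructed sample register (not real data): Step 1 assets paired with Step 2 threats
# and Step 3 vulnerabilities from the article's lists.
FILE_SERVER = Asset("file server", "intolerable")
ACCOUNTS = Asset("user accounts", "undesirable")
WORKSTATION = Asset("front-desk workstation", "tolerable")
PRINTER = Asset("lobby printer", "acceptable")

SAMPLE_REGISTER = [
    Risk(FILE_SERVER, "malware", "unpatched software", "possible", "extreme"),
    Risk(ACCOUNTS, "phishing", "lack of multi-factor authentication", "probable", "high"),
    Risk(WORKSTATION, "malware", "poor employee awareness", "probable", "medium"),
    Risk(PRINTER, "DDoS", "unpatched software", "improbable", "low"),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.band():8} {r.score():2}  {r.asset.name:24} {r.threat:9} via {r.vulnerability}")
```

Running the block prints the register in treatment order: the user accounts row (probable phishing, no MFA) scores 9 and lands in the Critical band ahead of the file server, even though the file server is the more intolerable asset; the severity from Step 1 only decides the order between risks with equal matrix scores. That is the usual behaviour of a likelihood x impact matrix, and it is worth knowing before the numbers are used to allocate budget.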

Step 4: Implement Security Controls

Once the risks are assessed, you can plan the appropriate security controls to mitigate them. Controls can include data encryption, multi-factor authentication, employee training, and regular updates and patches for software and hardware. Your choice of controls should rest on a correct understanding of the techniques the threat employs.

“Your choice in security controls requires you to do your research on the method of the threat,” emphasizes Maria.


Step 5: Monitor and Document Results

After identifying your needs in the audit and implementing your new controls, you will need to continuously monitor their effectiveness and update them as necessary. Documenting all findings and the measures taken creates a historical record, which can be invaluable for future assessments. Employee contribution is important in this process.

“Continuous monitoring and documentation should include even failed attempts that employees spot. Catching and deleting a phishing email is great, but documenting how bad actors are attacking you can help you evolve your cybersecurity measures successfully,” remarks Maria Chamberlain.


Performing a cybersecurity risk assessment creates a living document that is part of an ongoing process to maintain a company’s security. And as attacks become a regular part of doing business, having an ongoing assessment procedure is critical to protecting your systems.

For many small to medium-sized businesses, this procedure can pay dividends in protecting themselves and their clients. Of course, some companies may simply be too large or complex to accurately assess their risks and needs. In these situations, cybersecurity is far too important to leave to guesswork or superficial effort.

“Cybersecurity is an evolving field, and staying ahead of risks can be nearly impossible for companies being targeted by experts,” concludes Maria. “Companies experiencing aggressive attackers, or just seeing their systems expand quickly, should seriously consider investing in professional cybersecurity services.”

Whatever your company size, if you’re connected to the internet, you’re at risk. Use this tutorial to get a better understanding of your preparedness for a cyber attack and be in a better position to protect your company and employees.

Author

Acuity Manager

Acuity Total Solutions provides complete facility support from IT solutions to Cybersecurity, and Landscaping to Custodial. From Dirt to Data, Acuity is the total solution.