Risk assessment should be the backbone of your startup's cybersecurity approach

by Karla Cloete

With cyber-attacks becoming more frequent and more sophisticated, your company's approach to cybersecurity needs to keep pace. From network security to data loss prevention, firewalls, encryption, antivirus programs, and end-user education for your team, it feels almost impossible to keep up as a startup. So where should you start?

Well, it’s hard to know what services and programs you need without knowing what your biggest risks are. This is where risk assessment comes in.

A cybersecurity risk assessment is a process of analyzing your organization's ability to keep information safe and to protect its systems from cyber threats. It not only helps you understand your risks but also helps you prioritize the most important ones. A risk assessment considers the impact that data breaches and other security incidents would have on stakeholders such as your clients, who trust you with potentially sensitive data. It is hard to make informed decisions about your company's cybersecurity if you don't know what your risks are.

A thorough cyber risk assessment can prevent long-term damage to the company. Identifying threats and vulnerabilities early reduces the long-term cost of the damage a cyber-attack would cause and protects the company's assets and reputation. Data breaches not only cost a lot of time and money; they can also mean losing insider information and trade secrets to competitors, not to mention the trust of your clients. Lastly, data breaches have legal implications, especially if a company is found to have been negligent in protecting its customers' sensitive data.

Finding the scope

As a company, you might want to enlist a third party who specializes in risk assessment to help you through this process. Whether you are enlisting help or going it alone, you need to define the scope of your risk assessment. Do you want to assess a specific aspect, a specific asset, or a process, or do you want a risk assessment for the entire organization?

You also need to know what your risk tolerance is and what you are not willing to compromise on. Lastly, you need to know which industry standards and laws apply to your company, such as HIPAA.

TechTarget also recommends familiarizing yourself with cybersecurity concepts before your risk assessment:

“It is well worth reviewing standards like ISO/IEC 27001 and frameworks such as NIST SP 800-37 and ISO/IEC TS 27110, which can help guide organizations on how to assess their information security risks in a structured manner and ensure mitigating controls are appropriate and effective.”

Identify risks

You need to know not only what is most worth protecting within your company but also which assets are most likely to be targeted by Internet ne'er-do-wells.

Firstly, you need to identify your company's assets: the digital, physical, and logical assets that an attacker is most likely to target. This can include sensitive data, proprietary information and processes, intellectual property, and the software used within your company.

Next, you will want to identify the threats your company is most likely to face. This includes the techniques, methods, and tactics a cyber-criminal might use. Building up a knowledge base of potential threats helps you identify potential weak points within your organization. Common threat categories include data leaks, ransomware and other malware, insider threats, and phishing schemes.

Lockheed Martin’s Cyber Kill Chain® framework is an excellent place to get started in this process. Threat identification doesn't just cover attacks by third parties; it also includes system failures, human error, and natural disasters, all of which can cause data loss and security breaches.

There are three important factors to consider when assessing each risk within your own organization:

What is the threat? 

How vulnerable are your systems? 

What would the financial damage be if a breach occurred?

UpGuard recommends the following method for calculating cyber risks:

Cyber risk = Threat x Vulnerability x Information Value

Prioritize, prioritize, prioritize

A 5x5 risk matrix is a widely used tool for ranking the risks found in an assessment. It puts the various risks on a common scale while reducing the amount of quantitative analysis the company needs to do.

On the X axis is probability (how likely such an attack is) and on the Y axis is impact (how serious the consequences would be). Each axis is scored from one to five, and probability times impact gives an approximate risk level from 1 to 25.
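The two scoring approaches above, UpGuard's threat x vulnerability x information value formula and the 5x5 likelihood x impact matrix, carried through on a small risk register. This is an added example written for this article, not a tool from UpGuard, Lockheed Martin or the author; the severity bands, the tolerance threshold, and the sample scenarios are assumptions chosen for illustration.

```python
"""Scoring and ranking a small cyber-risk register.

Added example, not from the original article. It implements the two
scoring approaches the text describes:
    UpGuard:  risk = threat x vulnerability x information_value
    Matrix:   risk = likelihood x impact  (5x5 grid, scores 1..25)
The severity bands, the tolerance threshold and the sample register are
assumptions made for illustration, not figures from the article.
"""
from dataclasses import dataclass
from typing import List


def check_scale(value: int, name: str) -> int:
    """Every factor is an integer from 1 to 5; anything else is a data-entry error."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def upguard_risk(threat: int, vulnerability: int, information_value: int) -> int:
    """Cyber risk = Threat x Vulnerability x Information Value, each rated 1..5."""
    return (check_scale(threat, "threat")
            * check_scale(vulnerability, "vulnerability")
            * check_scale(information_value, "information_value"))


def matrix_score(likelihood: int, impact: int) -> int:
    """5x5 risk matrix: X axis = likelihood, Y axis = impact, cell value = product."""
    return check_scale(likelihood, "likelihood") * check_scale(impact, "impact")


def severity(score: int) -> str:
    """Band a 1..25 matrix score. Thresholds are an assumed convention (not from the article)."""
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    scenario: str
    asset: str
    likelihood: int
    impact: int
    owner: str = "unassigned"  # the article stresses assigning responsibility

    @property
    def score(self) -> int:
        return matrix_score(self.likelihood, self.impact)


def prioritize(register: List[Risk], tolerance: int) -> List[Risk]:
    """Return the risks whose score exceeds the organization's tolerance, highest first.

    Ties are broken by impact: a rare but catastrophic event usually deserves
    attention before a frequent nuisance that happens to score the same.
    """
    above = [r for r in register if r.score > tolerance]
    return sorted(above, key=lambda r: (r.score, r.impact), reverse=True)


# Constructed sample register for a small SaaS startup (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Phishing leads to compromised admin account", "Customer database", 4, 5, "CTO"),
    Risk("Ransomware on developer laptops", "Source code", 3, 4),
    Risk("Lost unencrypted laptop", "Customer PII", 2, 5),
    Risk("Public website defacement", "Marketing site", 3, 2),
    Risk("Cloud region outage", "Production service", 1, 4),
]

if __name__ == "__main__":
    # Assumed tolerance: anything scoring 4 or below is accepted as-is.
    for r in prioritize(SAMPLE_REGISTER, tolerance=4):
        print(f"{r.score:>2} {severity(r.score):<8} {r.owner:<10} {r.scenario}")
```

Running the block lists four of the five sample risks, from the Critical phishing scenario (score 20) down to the Medium website defacement (score 6); the cloud outage (score 4) falls within the assumed tolerance and is accepted rather than actioned. Two risks in the output are still "unassigned", which is exactly the gap the later section on assigning responsibility asks you to close.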

Act on the risk

After determining your company's risk tolerance level, there are three possible courses of action for each risk that exceeds it:

The first is avoidance. If the risk of a certain process or program far outweighs its benefits, it should be replaced with a safer alternative, or discontinued, so that the high-risk scenario cannot arise in the first place.

Second, a company can transfer risk to other parties, for example by taking out cyber insurance or engaging a third-party risk management service. Transferring a risk does not remove it, so processes for dealing with a data breach, should one occur, still need to be in place.

Lastly, there is mitigation. This involves putting in place measures, rules, and security controls that reduce the likelihood of a cyber-attack or limit its impact.

Keeping track and staying on track

A risk assessment process produces a lot of information about your organization. Document all of these findings: the risk scenarios and their risk levels, the controls already in place and any changes needed to them, the progress made on each item, and the individual responsible for rectifying each risk. Identifying risks is not enough; actionable plans need to be created, and responsibility needs to be assigned.

Cybersecurity plans should target the most important risks and be in line with the company's goals and values, taking all important stakeholders into account.

If you want to learn more about cybersecurity for startups, check out this blog. If you’d like to learn more about how Atara Partners can help your startup grow, find out more here.