Cyber Risk Assessments: Why organizations need them and what they entail

By Michelle Drolet, CEO, Towerwall


Businesses today are doubling down on their investments in digital. While technology is greatly helping to improve speed, agility, competitiveness and profitability, it’s also expanding and altering the overall risk landscape for businesses. Cyber risks like malware, ransomware and data breaches have become increasingly frequent, sophisticated, complex and damaging. Organizations need a proactive risk management approach that mitigates risks before they become active threats or security incidents. The best way to do this is by getting knowledgeable third parties and cybersecurity experts to perform regular cybersecurity risk assessments.

Key Benefits of a Cyber Risk Assessment

Having an awareness of the cyber risks and vulnerabilities that exist in the business is the first step to improving cybersecurity standards. Not knowing the scale or types of risks you face is a major cybersecurity risk in itself.

There are four main reasons why businesses must regularly conduct cyber risk assessments. The first one is obvious: cyber assessments help reduce cybersecurity risks.

Technology environments are continuously evolving, introducing new threats and vulnerabilities or amplifying existing ones. That’s why businesses must routinely evaluate their attack surface and identify, quantify and prioritize their risks.

Secondly, research has shown that billions of dollars are lost every year due to cyberattack-induced downtime. Risk assessments minimize the possibility of a potential disruption and the associated business damages.

Third, security assessments help streamline security investments. While the average business uses 20 different security solutions, research shows that reduced complexity can boost cyber resilience. Annual assessments can help reduce security complexity and identify priority areas for investment. They can also help create more efficient workflows: IT systems are usually pieced together over time, and this leads to security complexity and hidden vulnerabilities. You want to build a solid foundation with repeatable processes.

Lastly, if your business operates in a heavily regulated industry such as healthcare or finance, most of the applicable regulations, such as GDPR, HIPAA, CCPA, PCI DSS and NY DFS, mandate regular security assessments. Non-compliance with such regulations can not only prove extremely costly but also involve legal ramifications and loss of customer confidence.

Main Types of Cyber Risk Assessments

Deciding which type of security assessment is best suited depends on many factors, such as the size and type of your enterprise, the end goal of the evaluation, the evaluation experience and capabilities of the cybersecurity assessment partner, and the type of infrastructure being evaluated. Security assessments can include a range of initiatives such as:

    1. Cyber Framework Assessments
      Cybersecurity frameworks such as ISO 27001, NIST 800-53, NIST CSF, CIS and others can be used as part of your cybersecurity strategy planning. The framework is the foundation of any information security program plan (ISMP). Many cover a number of domains, such as strategy, maturity, vendor risk, awareness, classification, roles and responsibilities, incident response and others. As with any decision in cyber security, everything is based on risk. This is the foundation for any cyber program and what to test against.
    2. Data Classification and Discovery
      Data security is now on the priority list of almost all organizations. However, with such a high volume of data flowing into the business every day, it can be extremely difficult to identify and prioritize sensitive information. A data classification and discovery assessment can help the business uncover sensitive and critical data across a range of structured and unstructured data sources. Once data is identified, your cyber security partner can evaluate existing controls and recommend security solutions to monitor and control the movement of sensitive data.
    3. Penetration Tests
      Penetration testing helps evaluate the effectiveness of existing security controls and aids the organization in determining its defense capabilities when facing real-world cyberattacks. Security teams leverage modern hacking tools, tactics, procedures and attack vectors to determine the level of protection behind the target system, process or application.
    4. Vendor Risk Assessments
      More and more businesses are turning to third-party suppliers, vendors and outsourced services to carry out their business. Supply chain attacks are known to serve as entry points to data breaches and major extortion scams like ransomware. Vendor risk assessments help streamline security across the entire ecosystem, identify and prioritize vendors based on potential vulnerabilities, and assess their security posture against well-known regulations and frameworks. Building a vendor risk program plan with questionnaires and response times is key for success.
    5. Application Risk Assessments
      Undetected flaws in your application code can lead to major security loopholes and performance issues. Application risk assessments against your Secure Development Lifecycle (SDLC) program plan help analyze application architecture and source code, making it easier to identify security vulnerabilities early in the development lifecycle, which keeps remediation costs down.
    6. WiFi Risk Assessments
      Any wireless network serves as a potential entry point for attackers looking to access your resources and data. WiFi assessments help determine security gaps, rogue access points, policy misconfigurations and inconsistencies in wireless implementations. This not only boosts wireless security but also increases WiFi performance and helps meet compliance requirements.
    7. Cloud Risk Assessments or a Well-Architected Review (WAR)
      While the world is witnessing a rapid surge in the use of cloud technology, storing valuable data on someone else’s storage systems can understandably leave a business feeling insecure. Cloud risk assessments can help identify risks emerging from misconfigurations, user accounts, access management and permissions, etc., and can provide visibility into strengths and weaknesses in the current architecture.
    8. Physical Risk Assessments
      Physical security assessments help uncover problems related to physical systems such as human guards, physical locks, entry and exit points, fences, CCTV systems, alarms, lighting, etc. Such assessments help highlight general concerns and provide a risk summary of current weaknesses and deficiencies. In the case of regulated industries, such tests help enable adherence to strict regulatory guidelines.
    9. Security Awareness Assessments
      Human error is responsible for 88% of all security breaches and is considered the weakest link in the security system. Security awareness assessments help organizations gauge the current level of security maturity among employees. Workers can be measured and scored against a variety of knowledge areas such as phishing alertness, incident reporting, internet use, mobile devices, passwords and authentication, awareness and social media use.

It’s impossible to make strategic cybersecurity decisions without having knowledge of security gaps and a suitable strategy to bridge them. This is where cyber risk assessments come into play. For organizations to become truly cyber resilient, they must strive to make risk assessments an integral part of their governance and overall risk management strategy.

About the Author

Michelle Drolet is CEO of Towerwall, a specialized cybersecurity firm offering compliance and professional onsite services with clients such as Foundation Medicine, Boston College and Middlesex Savings Bank. Founded in 1999 in Framingham, MA, Towerwall focuses exclusively on providing small to mid-size businesses with customized cybersecurity technology programs. Reach her at LinkedIn:
