How to Conduct a Cyber Risk Assessment: 5 Steps to Success
Fundamentally, a risk assessment requires answering questions like:
By answering these questions, you can develop a strategy for action. Remember, cyber security isn’t about guarantees — it’s about priorities and informed choices. A risk assessment is about identifying those priorities and putting risk in context.
In this article, we are going to explain how to build a framework that will allow you to systematically ask the right questions about your organisation and understand the risks you face.
With that said, it’s important to remember that a cyber risk assessment is part of a wider cyber journey. That journey requires assessing risk, but it also means developing solutions, testing outcomes and monitoring progress in a continuous feedback loop. “Cyber security” isn’t a destination, it’s a process.
At Six Degrees, we can take you through the risk assessment process and help you contextualise it within your cyber journey. For more information on that, and on the critical process of presenting your findings to leadership, check out our free resource — The Board Presentation ToolKit: Cyber Security and Risk Management.
Not all risk assessments are undertaken for the same reason. The first thing you need to do is take stock of what you are analysing and why. This is about defining the scope and purpose of your assessment — including determining which assets you’re going to be assessing.
This is an especially important part of the risk management process within large organisations that have a large number of assets, personnel and processes. Do your due diligence and prioritise your assessment to develop a cost-effective plan.
The scope of your assessment will look slightly different depending on your business and its goals. But at a high level, any business undergoing a cyber risk assessment will want to answer the following questions to determine scope:
Once you’ve determined the scope of your assessment, the next step is identifying any threats to the security of your data. We define a threat as any instance where your data could be compromised with negative consequences. That could include:
This list is far from exhaustive. Depending on your business and industry, there may be other cyber threats that exist. It’s critical that you get a little creative in this step and think outside-the-box.
At this stage, identifying threats is more of a brainstorming exercise than anything else (we’ll identify risk in the next step). And we always recommend starting threat identification as a team, where you can collectively bounce ideas off each other and everyone can contribute from their own perspective.
This helps you identify potential security gaps that you might otherwise miss individually when assessing your systems and processes. However, if you’re struggling to create a comprehensive list, our specialists can provide an outside perspective and help drill down on the critical threats to your business.
Once you’ve developed a list of potential threats, the next step is to take your hypothetical threats and compare them against your actual systems and processes to determine their impact and the likelihood that they would actually occur.
We call a threat that has a high probability of occurring, with negative consequences, a vulnerability. Vulnerabilities typically come in two forms:
There are several ways to identify vulnerabilities in each category as you’re doing your assessment.
Let’s address systemic vulnerabilities first. Typically, these will be identified through penetration testing, or intentionally trying to exploit your technical systems to gain access and find potential gaps.
However, it’s important to note that running an effective penetration test is as much an art as a science.
Just like identifying threats, penetration tests require experience and outside-the-box thinking to identify all of the potential ways your data could be maliciously accessed. So it’s critical that your tests are done by experts who are up to date on all of the ways that your security controls could be compromised (this changes quickly in today’s world). Get in touch if you want penetration testing help.
Otherwise, your risk analysis may not be as revealing as you want it to be and sensitive information could still be vulnerable.
Studies show that human error accounts for almost 90% of data breaches. So you’ll want to be extra diligent with regards to identifying environmental vulnerabilities.
These vulnerabilities could include negligence on the part of your employees (leaving a laptop open in public or having it stolen altogether), or policies around how data is accessed (can data be downloaded onto a zip drive and taken home?).
You’ll also want to review any changes in the cyber environment that pertain to your industry during this step.
A good place to start with this is the National Institute of Standards and Technology (NIST) vulnerability database. This lists reported vulnerabilities by month and year and will help you stay up to date with new risks.
Suggested reading: We regularly publish cyber-threat analysis reports.
Cyber Threat Intelligence Overview
CNS Cyber Intelligence Report: Trends in Ransomware Attacks against Legal and Accountancy Sector
CNS Cyber Intelligence Report: Threats to UK Financial Services
Once you’ve identified all of your vulnerabilities, the next step is determining which ones present the greatest risk and what actions you should take to mitigate them.
Fundamentally, there is almost always a cost associated with addressing vulnerabilities. So you need to weigh the cost of preventing that vulnerability against the cost of failure and the likelihood of failure.
When considering damage, think both long-term and short-term. For example, an immediate inability to continue business operations, or fines/lawsuits that may be likely. Long-term, do not underestimate potential reputational damage — something that is not always readily quantifiable, but often more financially impactful in the long run.
Here are a few questions to get you thinking about which vulnerabilities require action and when:
From there, it’s a simple matter of building a scorecard that ranks each vulnerability on a scale of low, medium, or high (you don’t have to be scientific about this — just as long as everyone in your organisation is on the same page).
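The cost-versus-likelihood weighing above and the low/medium/high scorecard can be captured in a small risk register. The following is an added example written for this article, not Six Degrees' own tooling; the 1–3 scales, the band thresholds and the sample register entries are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Vulnerability:
    name: str
    likelihood: int            # 1-3 (low/medium/high): chance the threat occurs
    impact: int                # 1-3 (low/medium/high): short- and long-term damage
    annual_probability: float  # estimated chance of occurrence per year (assumed)
    cost_of_failure: float     # estimated loss if it occurs: fines, downtime, reputation
    mitigation_cost: float     # cost of the control that addresses it

BAND_RANK = {"high": 0, "medium": 1, "low": 2}

def band(likelihood: int, impact: int) -> str:
    """Map likelihood x impact onto the scorecard bands.
    Thresholds are an assumption: 1-2 low, 3-4 medium, 6-9 high."""
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"

def expected_annual_loss(v: Vulnerability) -> float:
    """Cost of failure weighted by the likelihood of failure."""
    return v.annual_probability * v.cost_of_failure

def recommend(v: Vulnerability) -> str:
    """Act when the band is high or the expected loss exceeds the control's cost."""
    if band(v.likelihood, v.impact) == "high" or expected_annual_loss(v) > v.mitigation_cost:
        return "mitigate"
    return "accept/monitor"

def prioritise(register: list) -> list:
    """Return (name, band, expected loss, recommendation), highest risk first."""
    rows = [(v.name, band(v.likelihood, v.impact), expected_annual_loss(v), recommend(v))
            for v in register]
    return sorted(rows, key=lambda r: (BAND_RANK[r[1]], -r[2]))

# Constructed sample register: figures are illustrative, not from any real assessment.
SAMPLE_REGISTER = [
    Vulnerability("Data copied to removable drive", 2, 1, 0.2, 10_000, 15_000),
    Vulnerability("Unpatched internet-facing web server", 3, 3, 0.5, 400_000, 20_000),
    Vulnerability("Laptop left unattended in public", 2, 2, 0.3, 50_000, 8_000),
]

if __name__ == "__main__":
    for name, b, loss, action in prioritise(SAMPLE_REGISTER):
        print(f"{b:6} {loss:>10,.0f}  {action:14} {name}")
```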
The goal of any assessment is to produce a report that records your findings and makes suggestions about actions in a clear and concise way (so that your board can understand why it’s worth spending to address, for instance).
In that respect, we find it’s always best to present the action in the context of the damaged business outcomes if no action is taken, and the opportunities that effective action will open up if it is.
If you need help with this, we’ve produced a board presentation template to help cyber security managers and leaders demonstrate the value of cyber to their board of directors.
Additionally, if you need help identifying potential risks to your organisation, we’re here to help. Our penetration test teams are some of the most highly regarded in the industry and we’d be happy to help you find and contextualise any risks your organisation may be facing. We can then construct an ongoing framework that will let you continue to improve the safety and security of your organisation.
Remember: this risk assessment is just a starting point for your cyber security journey. You need to use the information you uncover to feed an ongoing process that will help you maintain a secure outcome every step of the way.
Changes to the way we work are creating new uncertainties and opportunities. By sharing information and strategic choices, we can make a safer cyber-community overall. Good luck, and start assessing.