Security Risk Assessment: How to Protect your Practice from Cyber Security Risks
What Does a Security Risk Assessment Evaluate?
Why is security assessment important?
It is important to do a thorough security assessment to identify potential risks/ vulnerabilities. Identification of these risk areas is needed to mitigate your risk of breach. These risks/ vulnerabilities can be in your company, your processes and your technology. Understanding what controls you have in place, or need in place, to safeguard against security threats is a vital component of the risk assessment process.
What are common names for a security risk assessment?
A risk assessment may also be referred to as a security risk audit, security audit, risk assessment, cybersecurity risk assessment, security risk analysis (SRA), HIPAA Privacy/ Security Risk Assessment or an IT infrastructure risk assessment.
Are security risk assessments required?
Usually, security risk assessments are required by compliance standards, such as: PCI-DSS standards for payment card security. AICPA requires security risk assessments as part of a SOC II audit for service companies There are also security requirements for HIPAA, HITRUST and ISO 27001 and others.
Who conducts a security risk assessment?
A Security Compliance Officer or a 3rd party Security audit vendor performs the assessment and involves others within the company as part of the discovery process to evaluate all systems in your business to identify security risks such as weak passwords, firewall configurations, insecure business processes, information security management, etc…
The size of your business often determines who leads the risk assessment effort. In larger companies they may use their internal IT team and involve team members across the departments where threats and vulnerabilities are found. In smaller companies without an internal IT team this assessment of risk can be outsourced to a business that specializes in IT risk assessments like SecureVitality.
What is the first step in performing a security risk assessment?
The first step is to identify the scope of the security risk assessment. It is important for the risk management process to identify all the information assets used within the business that need to be protected.
It is also a good practice to refer to the management’s previous cybersecurity and risk audits, remediation requests, security plans and any monitoring or relevant security event logs.
What are Information Security Risks?
1 – Phishing Attacks
Phishing attacks use social engineering to request sensitive data from a user or business. Traditionally these cyber attacks occur through an email pretending to be an authentic message. The user then accidentally gives away this information by pressing on a link.
2 – Zero-Day Exploits
Once a “zero-day vulnerability” is uncovered by an exploit targeting an attack against a network, system or software. This cyber attack takes advantage of the unidentified security problem to cause unusual behavior, a change, deletion or breach of information.
3 – Ransomware Security Risk
Ransomware installs on a network or a system and stops access to functionalities until a ransom is paid by the organization to the hacker.
4 – Malware Security Risk
The most popular risk to security is malware. Malware is when a malicious software installs itself on a system causing abnormal behavior which can cause breaching information, deleting files, creating inaccessible programs and infecting other systems. It is not only important to have the best anti-virus and anti-malware programs installed but make sure employees are trained properly not to click on malicious files, websites or links.
5 – DDoS Security Risk
Distributed Denial of Service is when a server is overloaded with traffic by a malicious party. When the server cannot handle the amount of traffic, the website slows down, is unusable or shuts down.
6 – Cross Site Attack
In a Cross Site Attack (XSS attack) a third-party will target a vulnerable website (usually unencrypted) and load dangerous code on the website. Then, when a user accesses this security risk website, that payload is delivered either to their system or browser and will cause unwanted actions such as disrupting services, access or stealing information.
7 – Password Theft
An unwanted intruder has stolen your security password and may have stolen sensitive data making it difficult to log back in and possibly reset your password. This can be done by a hacker using “brute force” programs to cycle through security passwords until they figured out yours. Another vulnerability is when social engineering tricks a user to give up their password. Two-factor authentication (ie bi-factor authentication) is an excellent security risk protection method as long as it is not done by emailing a user as the second way of authentication since the email could be hacked as well on the computer.
8 – SQL Attack
A SQL attack is when a malicious 3rd party intervenes with a string of code to a server to access private information. This type of security risk could have been prevented by a smart firewall.
9 – Trojan Virus
Trojan malware is disguised as legitimate software and deliver it’s payload. Once downloaded, the malicious tool will execute the task the attacker designed it for, such as gain backdoor access to corporate systems, spy on users’ online activity, or steal sensitive data or information.
10 – MitM Attack
A Man-in-the-Middle attack is when the hacker hijacks a session between a host and client. The hacker accesses with a spoofed IP address, disconnects the client, and then requests information from the client.
11 – Traffic Interception
When a third-party “listens” to info sent between a user and a host (aka eavesdropping) and is usually used to steal logins and other important data. Helpful tips to avoid this are using a VPN and avoiding compromised websites.
12 – Water Hole Attack
Water hole attacks occur when a hacker infects websites a particular organization uses by loading a malicious payload from the infected sites.
13 – Drive-By Attack
A drive-by-attack is when malicious code is downloaded onto a system or device without an interaction by the user.
14 – Cryptojacking
Cryptojacking is an attempt to install malware which forces the infected system to gain crypto-currency by performing “crypto-mining”.
15 – Social Engineering
Social engineering is used to gain users into giving away sensitive details. The hackers can go through great lengths (such as stealing social media info) to steal data and can be done on any platform.
What are the 4 elements of a risk assessment?
Threat — A cybersecurity threat is any event that could harm a company’s assets, systems, people or clients.
Likelihood — Likelihood is the probability a cybersecurity threat will happen.
Vulnerability — A vulnerability is any potential weak point that could allow a cybersecurity threat to cause damage. For example, outdated anti-malware software is a vulnerability that can allow a malware attack to succeed. Having a server room in an unlocked room can increase the risk of it being stolen. Other examples of vulnerabilities include volatile employees and outdated software or systems no longer being supported on the technology asset.
Impact — Impact is the total damage the company would suffer if a vulnerability were exploited by a cybersecurity threat. For instance, a ransomware attack could result in disclosure of client data, loss of existing and future clients returning, trade secrets revealed, attorney costs, productivity loss and data recovery expenses and compliance penalties.
How do you assess risk?
Risk = Vulnerability x Threat x Asset.
For example, you want to assess the risks associated with hackers compromising a particular system in your enterprise. If your network is very vulnerable (perhaps because you have no firewall and no antivirus solution), and the asset is critical, your risk to security is high. However, if you have good defenses and your vulnerability is low, and even though the asset is still critical, your risk to security will be medium.
Threat is the frequency a threat is likely to happen. For example, what is the frequency based on a clients’ location that their server could be ruined due to a flood .01%.
Vulnerability is a threat will happen leading to the likelihood a vulnerability will be exploited. Then, based on the parameters put in place how likely can this be mitigated if a breach does occur. The more employees in an organization can likely put an increased risk a threat can occur.
Cost is the total financial impact of a security incident including:
- Hardware assets
- Software costs
- Trade secret loss to competitors
- Client / patient information loss leading to a loss of existing and new business once they are informed or see it in a publication
- System(s) or application(s) downtime — If a system fails to perform its primary function, customers may be unable to place orders, employees may be unable to do their jobs or communicate, and so on.
- Legal costs — fines can be given by legal bodies as well and additional legal costs because of failure to be in compliance with the data protection security requirements of HIPAA, HITRUST, ISO 27001, PCI DSS, etc…
The risk assessment factors in the relationship between the three elements. For example, suppose you want to assess the risk associated with the threat of hackers compromising a particular system. If your network is very vulnerable (perhaps because you have no firewall and no antivirus solution) and the asset is critical, your risk to security is high. However, if you have robust perimeter defenses that make your vulnerability low, your risk will be medium, even though the asset is still critical.
Employee Security Awareness
EEmployee security awareness training is essential to avoid having a breach. Risk training can be done live via security seminars, individually or by using a software that has security risk education followed by a series of assessment questions to be answered by the employee. Employee training for risks should at least be done annually. Additionally, it is helpful for the security training to be customizable to the business based on the policies and procedures. Additionally, it is helpful when you can have simulated social engineering attacks, spear phishing threats and ransomware cybersecurity attacks to identify users that fall for these vulnerability attacks to identify users that need additional training and information about how to avoid security risks.
Identify Security Gaps
It is essential for a business to conduct a security risk assessment to identify their security gaps in order to understand what needs to be mitigated to avoid a breach of security.
What are the types of security risk assessment?
A security risk assessment can identify quantitative risks and/or qualitative risks. A quantitative risk assessment can represent the information gathered numerically. Whereas, a qualitative risk assessment determines risks by interviews and observations and are expressent on a risk assessment scale from low to medium to high. A risk assessment can be further broken down as generic, site-specific or dynamic. These three risk assessments can be qualitative or quantitative.
HIPAA Privacy & Security Risk Assessment
National Institute of Standards and Technology (NIST) has a toolkit to help organizations understand the HIPAA Security Rule requirements, implement these requirements, and assess those implementations in their operational environment. Organizations that need to be in compliance with these requirements are HIPAA covered entities, business associates, and other businesses such as those providing HIPAA Security Rule assessment, implementation, and compliance services.
HHS Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) efforts put together a HIPAA Security Risk Assessment SRA Tool to aid in compliance. The tool’s risk assessment framework features make it useful in giving guidance to small and medium-sized health care practices, providers and business associates in the industry complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to secure electronic PHI.
What is the risk assessment framework?
- Identify your scope for a risk assessment.
- Identify and document all your informational assets that may present a security risk or be vulnerable to threats.
- Identify cybersecurity risks that can compromise the confidentiality of data, availability of data and integrity of data impacting the business.
- The asset (the value needed to be protected).
- The threat (which affects the asset).
- The vulnerability (the breach that allows the threat to affect the asset).
- Analyze the security risks
- Identify vulnerabilities
- Analyze internal controls in place for cybersecurity.
- Determine the likelihood threats will occur.
- Assess an impact a threat would have to your business.
- Document the results along with a mitigation plan to prioritize the risks to your information security
Reasons for Performing a Security Risk Assessment
Threat Identification
Natural disasters can effect servers and appliances by destroying data. Therefore, as part of the assessment it is important to think of areas to hold servers or back up servers away from areas of hurricanes, tornadoes and floods.
Hardware failure can happen by accidentally deleting important files, clicking on a malicious email link or a drink spilling on a piece of equipment that holds data.
Malicious behavior has three types of threats:
- Interception security threats occur when someone steals your information.
- Interference security threats occur when somebody causes damage to your business by stealing a piece of hardware that holds information, deleting or changing information, or engineering DDOS against your website.
- Impersonation security threats occur when a person misuses someone else’s credentials, usually acquired by purchasing it off the dark web, social engineering or brute-force attacks.
Will the Risk Assessment Report Provide Ways to Address Risk?
AAs part of SecureVitality’s Security Risk Assessment Report we provide you with a detailed Mitigation report that identifies the vulnerability and how it can cause a threat to your environment, the likelihood of the threat, the impact it would have to your organization, the overall risk level and the safeguard to put in place to mitigate your risk. If you would like, SecureVitality can help you mitigate your vulnerabilities if you would like our support.
Risk Assessment Process with SecureVitality
How does SecureVitality perform a Security Risk Assessment?
SSecureVitality Security Risk Assessment (SRA) for a client covers all aspects of the company where IT touches the departments from IT to Accounting to HR to Operations to the Front Office. The length of the SRA depends on the scope and size of the client. Our clients usually start out doing annual SRAs and continue on annually, whereas others may want them done more frequently based on the findings in the initial SRA.