
Cybersecurity Risk Assessments 101



The first step toward a more secure business is to assess your risk: recognize the threats to your assets, identify your vulnerabilities, then put an action plan in place that fits your small business. You have probably heard the advice before: get a cybersecurity risk assessment, protect your data, secure your business. But what does that actually mean? As a small business, do you REALLY need a risk assessment? What does one consist of? And, of course, how much will it cost? This guide covers what a risk assessment is, why small businesses need one, what it includes, how to get started, and what it costs.

What Exactly Is A Cybersecurity Risk Assessment

A cybersecurity risk assessment takes a close look at an organization’s systems and processes and lets you gauge the strength of the business’s security. It confirms where systems and information are being kept secure and highlights the areas that need more attention. The assessment described here is questionnaire-based: a set of questions covering physical security controls, systems, policies, procedures, and data. Each answer is examined, and wherever it reveals a weakness a remedial action is recommended. At the conclusion of the assessment, a report is generated with a grade in each key area and remediation steps for improvement.

Performing a cybersecurity risk assessment, and acting on its findings, is one of the best ways of lowering the chance of a data breach. Ideally, risk assessments are done early in the cybersecurity improvement process to identify vulnerabilities and determine the appropriate fixes. Repeat the assessment once or twice a year, and after any major system or policy change, to verify that your security profile is still sound.

Any valid security risk assessment should:

  1. Identify where personally identifiable information (PII) and an organization’s sensitive information is stored, accessed or transmitted. This could be in a customer relationship management (CRM) system, stored on laptops, or within emails.

  2. Determine how your organization is currently protecting PII and sensitive data. For example, performing regular data backups, providing security training to all employees, or encrypting laptops that contain PII.

  3. Define the risks to PII and sensitive data. These could include hackers stealing PII, an employee losing a smartphone with PII, or a fire destroying systems that contain PII.

  4. Provide recommendations to lower the risk to PII and sensitive data. These recommendations might include additional security like stronger passwords or encryption, administrative steps to lower the risk of unauthorized access, or physical security such as storing all servers that contain PII in a locked closet or server room.


Why Small Businesses Need A Risk Assessment

Many large businesses conduct risk assessments routinely. As a small business, you might believe that hackers have no interest in an organization of your size. This couldn’t be further from the truth: small businesses are ideal targets for cybercriminals, often precisely because they have fewer defenses than larger companies, so you should continuously assess how to protect yourself. In addition to identifying threats, a risk assessment provides several other benefits to small businesses:

Can reduce long-term cost: By identifying potential weaknesses early, you can work quickly to mitigate the risk and prevent potential security incidents, saving your organization money in the long run.

Provides a baseline for future assessments: Continuous improvement is what keeps an organization ahead, and the same goes for cybersecurity. Whether you scored poorly or well, the results show which areas of your network need more attention and which security processes are working well enough to replicate elsewhere.

Provides your organization with greater self-awareness: Understanding where your security posture could use more attention can help give you a better idea where resources should be concentrated for improvement.

It helps satisfy regulatory and contractual requirements: In some industries that are especially exposed to cyber attacks, a periodic risk assessment is required by law or by contract. The HIPAA Security Rule, the Payment Card Industry Data Security Standard (PCI DSS, maintained by the PCI Security Standards Council), and the Federal Information Security Management Act (FISMA) are just a few of the regimes that require one.

You should never be satisfied with running the assessment only once. Best practice is to run the assessment initially as a baseline, then work to correct the risks it discovered. Once you have fixed your issues, run the assessment again to confirm that the right controls are now in place. You can’t eliminate risk entirely, but you can minimize it by continually assessing it and implementing safeguards that lower the likelihood and impact of a security event.

What Is Included


The risk assessment consists of questions from the following areas which help identify the strengths and weaknesses of your organization’s security:

  • General Information: “Do you have access to a professional who helps you address cybersecurity questions and concerns?”

  • Network: “Do you have an alarm system on your network that alerts you if there is suspicious activity?”

  • Data: “Have you categorized the types of data you have and where it is stored?”

  • Security Aids: “Do you regularly hire a hacker to try and break into your systems and report on potential holes to fix?”

  • Policies and Procedures: “Do you have any financial coverage or insurance to help you in the case of a data breach or cyberattack (e.g. ransomware)?”

  • Physical: “Do you have at least one server that is physically located in one of your buildings?”

The assessment is based on various Control Frameworks:

NIST CSF - The National Institute of Standards and Technology (NIST) Cybersecurity Framework

First published in 2014 by the National Institute of Standards and Technology (NIST), the Cybersecurity Framework (CSF) is a set of recommended cybersecurity practices, originally written for critical-infrastructure operators and now widely used by private-sector companies of any size. It organizes security activities into five functions: Identify, Protect, Detect, Respond, and Recover (version 2.0, released in 2024, adds a sixth, Govern). The NIST CSF is intended as a resource to help organizations strengthen their cybersecurity posture and prepare for, detect, respond to, and recover from a cyberattack.

NIST 800-171 - The National Institute of Standards and Technology (NIST) Special Publication 800-171

NIST Special Publication (SP) 800-171 specifies the security requirements for protecting Controlled Unclassified Information (CUI) when it is processed, stored, or transmitted on non-federal systems. It is binding on government contractors that handle CUI, most commonly Department of Defense contractors, for whom it is imposed by contract through the DFARS 252.204-7012 clause. Its requirements are grouped into families covering, among other things, risk assessment, audit and accountability, awareness and training, personnel security, physical protection, and incident response.

NIST 800-53 - The National Institute of Standards and Technology (NIST) Special Publication 800-53

NIST Special Publication (SP) 800-53 is the catalog of security and privacy controls for federal information systems, and federal agencies (and the contractors operating systems on their behalf) are required to implement controls selected from it under the Federal Information Security Management Act (FISMA) and FIPS 200. It is often described as “part of” FISMA, but more precisely it is the control catalog agencies use to meet FISMA’s requirements. Its management, operational, and technical safeguards protect the confidentiality, integrity, and availability of federal information, not confidentiality alone.

[Figure: National Institute of Standards and Technology (NIST) Framework]

CIS 20 - The Center for Internet Security (CIS) 20

The Center for Internet Security (CIS) Controls, long known as the “CIS 20” or “SANS Top 20”, are a prioritized set of critical security controls that organizations can implement to improve their cybersecurity posture. They were developed by a consortium of practitioners originally coordinated through the SANS Institute and are now maintained by CIS; version 8 (2021) consolidated the list to 18 controls. The controls prioritize specific, actionable steps with a high pay-off, and since version 7.1 they are grouped into Implementation Groups so that a small organization can start with the basic subset (IG1) before taking on the rest.

HIPAA - The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law whose Privacy and Security Rules govern the privacy and security of protected health information (PHI). HIPAA applies to covered entities in the healthcare space, including healthcare providers, pharmacies, health plans, and clearinghouses, and to the business associates that handle PHI on their behalf. The Security Rule requires these organizations to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic PHI, and to conduct a risk analysis as part of doing so.

GDPR - The General Data Protection Regulation

The General Data Protection Regulation (GDPR) is the EU rulebook governing how organizations collect, store, and protect the personal data of individuals in the European Union (EU). It applies to organizations established in the EU and to any organization worldwide that offers goods or services to people in the EU or monitors their behaviour there, regardless of where the organization itself is based. GDPR places significant responsibility on the organization for data protection and incident response, including notifying the supervisory authority of a qualifying breach within 72 hours of becoming aware of it.

How To Get Started

Ideally, your organization will have in-house personnel conduct the risk assessment. Some questions are quite technical, so the recommended approach is to pair a member of your IT staff (or someone tech-savvy) with an executive who understands the organization’s information flows and any proprietary information it holds. If your small or medium-sized business (SMB) doesn’t have IT staff, enlist the help of a third-party consultant for the assessment.

Additional Scans

On its own, a risk assessment provides invaluable data for any business, large or small. Several technical scans complement it and give a more complete picture to companies wanting to assess, maintain, or improve their cyber risk profile. The distinction matters: the questionnaire records what you say you do, while the scans check what is actually exposed. These include:

Dark Web Scan - A dark web scan searches breach dumps and criminal marketplaces for your organization’s email domain. What turns up depends on the breach the data came from, and can include names, addresses, and passwords as well as email addresses. Because new breach data appears constantly, a one-time check has limited value; ongoing monitoring is what catches newly leaked credentials in time to reset them. A hit tells you an address was exposed, not whether the password is still in use, so the response is to force resets for the affected accounts and enable multi-factor authentication. Dark Web Scans show:

  • Breached accounts

  • Stolen passwords

  • Dates when compromised
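A dark web scan is, at bottom, a lookup of your data against breach corpora. The "stolen passwords" item above is the one you can check yourself without handing the password to anyone. The following is an added example, not code from the original article: it implements the client side of the k-anonymity "range" protocol used by Have I Been Pwned's Pwned Passwords API, in which only the first five hex characters of the password's SHA-1 hash are sent and the match is made locally. The server response embedded here is constructed (the counts and the other suffixes are made up); `live_fetch_range()` shows what the real call looks like.

```python
"""Breached-password lookup with the k-anonymity "range" protocol.

Added example, not code from the original article. It implements the
client side of the range protocol used by Have I Been Pwned's Pwned
Passwords API: the client hashes the password with SHA-1, sends only the
first five hex characters of the hash, receives every known hash suffix
sharing that prefix, and matches the remaining 35 characters locally.
The password and its full hash never leave the machine. The server
response below is constructed for offline use; live_fetch_range() shows
the real call.
"""
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # hex characters sent to the server; the other 35 stay local


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into (prefix sent, suffix kept)."""
    return full_hash[:PREFIX_LEN], full_hash[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for the prefix of "password"
# (SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 -> prefix 5BAA6).
# The counts and the other suffixes are made up for the example.
_SAMPLE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # suffix for "password"
        "1E2AAA439F90D9C6C9F3E2B5F5B6D4F8C7A:1",
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the network call so the example runs offline."""
    return _SAMPLE_RESPONSES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real lookup against the public range endpoint (network access required)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch_range)
        print(f"{pw!r}: {'seen %d times, reset it' % n if n else 'not in the sample corpus'}")
```

The design point is the split: a 5-character prefix narrows the corpus to a few hundred candidates, enough for the server to answer, but too many for it to learn which password was queried. Swap `offline_fetch_range` for `live_fetch_range` to run the same logic against the public service.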

Website Scan - A website scan searches for malware, finds out-of-date software and plugins, and detects security and configuration issues. These weaknesses can be exploited, and a backdoor left in your website can give attackers access to your data or control of the site itself. The scan also checks blacklist status: when services such as Google Safe Browsing detect malware on a site, browsers display a warning before loading it and search engines may suppress it in results, which keeps users away from your site. It also recommends security measures to further harden your system. Website scans show:

  • Malware

  • Out-of-date software

  • Security configuration issues

  • Website blacklist status
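Two of the items above, out-of-date software and security configuration issues, are often visible in nothing more than the HTTP response headers a site sends. The following is an added example, not code from the original article or any scanning product: it parses raw HTTP response headers, reports expected security headers that are missing or weak, and flags software versions advertised in headers such as `Server` and `X-Powered-By`. The two responses it checks are constructed for the example (the version numbers are illustrative, not a claim about any real site); `fetch_headers()` is the live path.

```python
"""Website configuration check: security headers and version disclosure.

Added example, not code from the original article. A website scan of the
kind described above inspects the HTTP responses a site sends. This script
implements one slice of that work: it parses raw HTTP response headers,
reports expected security headers that are missing or weak, and flags
software versions leaked in headers, which is one way a scanner spots
out-of-date software. The two responses below are constructed for the
example; fetch_headers() shows the live path.
"""
import re
from typing import Callable, Dict, List

VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")   # e.g. Apache/2.2.15, PHP/5.3.3
ONE_YEAR = 365 * 24 * 3600


def _max_age(value: str) -> int:
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


# Header -> predicate its value must satisfy to count as acceptable.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: _max_age(v) >= ONE_YEAR,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}

# Headers that commonly advertise the software stack and its version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response (status line + headers) into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:   # [0] is the status line
        if not line.strip():
            break                                            # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: Dict[str, str]) -> List[str]:
    """Return the list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for name, acceptable in EXPECTED.items():
        if name not in headers:
            findings.append(f"missing header: {name}")
        elif not acceptable(headers[name]):
            findings.append(f"weak value for {name}: {headers[name]!r}")
    for name in DISCLOSURE_HEADERS:
        if name in headers and VERSION_RE.search(headers[name]):
            findings.append(f"version disclosure in {name}: {headers[name]!r}")
    return findings


def fetch_headers(host: str, path: str = "/") -> Dict[str, str]:
    """Live variant: HEAD request over HTTPS, standard library only (network required)."""
    import http.client
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return {k.lower(): v for k, v in conn.getresponse().getheaders()}


# Constructed responses: a typical unhardened site and a hardened one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit(parse_headers(raw)) or ['no findings']}")
```

The unhardened response produces seven findings (five missing headers and two version disclosures); the hardened one produces none. A header-only check is deliberately shallow: it says nothing about the application behind the headers, and a scanner builds on it with content and plugin checks.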

Network Vulnerability Scan - Vulnerability scanning is a management control used to identify systems that are susceptible to attack. It finds known security issues that an attacker could exploit and locates missing security controls, such as out-of-date software or the absence of antivirus software. The external network vulnerability scan described here is run from an outsider’s perspective, with no access into the network being scanned, so it sees only what is exposed to the internet; an authenticated scan from inside the network finds more, but is a separate exercise. The scan only reports what it discovers; it does not exploit anything, and the system administrator applies the appropriate fix. Network vulnerability scans show:

  • Open ports

  • Out-of-date software

  • Weak passwords
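An external scan starts from the first item in that list: find the TCP ports that accept connections, then read each service's banner, which is often where an out-of-date version is first visible. The following is an added example, not code from the original article or any scanner: a minimal port scan with banner grabbing, standard library only. So that it runs offline it also starts a throwaway listener on 127.0.0.1 that answers with a constructed SSH-style banner (the version string is made up). The `free_port()` helper is only there to show how a closed port is reported. Point `scan_ports()` only at hosts you are authorised to test.

```python
"""External TCP port scan with banner grabbing.

Added example, not code from the original article. An external network
vulnerability scanner begins by finding which TCP ports on the target
accept connections and reading each service's banner, because the banner
is often where an out-of-date version is first visible. This script does
that first step with the standard library only. So that it runs offline it
also starts a throwaway listener on 127.0.0.1 that answers with a
constructed SSH-style banner; the version string is made up. Point
scan_ports() only at hosts you are authorised to test.
"""
import re
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

BANNER_BYTES = 256
# "<product><sep><major.minor[.patch]>", e.g. OpenSSH_7.4, Apache/2.4.6, ProFTPD 1.3.5
VERSION_RE = re.compile(rb"([A-Za-z][\w-]*?)[_/ ](\d+(?:\.\d+)+)")


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """Return the first bytes the service sends; b"" if it is silent; None if closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(BANNER_BYTES)
            except socket.timeout:
                return b""          # open, but the service waits for the client to speak first
    except OSError:                 # connection refused, unreachable, or timed out
        return None


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, bytes]:
    """Map every open port to the banner it sent (possibly empty)."""
    results: Dict[int, bytes] = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            results[port] = banner
    return results


def parse_version(banner: bytes) -> Optional[Tuple[str, str]]:
    """Extract (product, version) from a banner, e.g. ('OpenSSH', '7.4'); None if absent."""
    m = VERSION_RE.search(banner)
    return (m.group(1).decode(), m.group(2).decode()) if m else None


def start_fake_service(banner: bytes) -> int:
    """Start a throwaway listener on 127.0.0.1 that sends `banner` and closes; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """Pick a port that is currently closed, to show how a closed port is reported."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")   # constructed banner
    closed_port = free_port()
    for port, banner in scan_ports("127.0.0.1", [open_port, closed_port]).items():
        print(f"{port}/tcp open  banner={banner!r}  version={parse_version(banner)}")
    print(f"{closed_port}/tcp closed (absent from results)")
```

A product and version pulled from a banner is what a scanner then matches against its vulnerability database; the banner itself is only a claim by the service, so a real scanner confirms it with protocol-specific probes. Note that "weak passwords" in the list above cannot be found this way; an external scanner detects them only by attempting default or common credentials against the exposed services it has identified.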


Cybersecurity Risk Assessment Recommendations

Determine your cybersecurity risk assessment needs based on the size of your business, the systems and applications used to run it, the complexity of your network, the type of data collected and stored, your website and e-commerce platform, and your industry and its compliance requirements.

Cybersecurity Health Check with Scans (twice a year) - Recommended for small businesses with 1-10 employees without a complex network and includes:

  • Breach Cost Calculator

  • Dark Web Scan

  • Website Scan

  • Cybersecurity Health Assessment

  • 30-Minute Consultation

  • Educational Materials & Guides

  • Remediation Steps and Work Plan for Identified Risks

Cybersecurity Health Check Plus with Scans (twice a year) - Recommended for businesses with 10-25+ employees who have a more complex IT infrastructure and includes:

  • Breach Cost Calculator

  • Dark Web Scan

  • Deep Dive Security Health Assessment

  • Network Vulnerability Scan

  • Website Scan

  • 1-Hour Consultation

  • Educational Materials & Guides

  • Remediation Steps and Work Plan for Identified Risks

HIPAA Risk Assessment and Compliance (annual; the HIPAA Security Rule requires a current risk analysis) - For healthcare providers, covered entities, and business associates that process and manage patient health information:

  • HIPAA Security Risk Assessment

  • HIPAA compliance snapshot

  • Threat analysis and risk determination

  • Remediation and workplan


  • HIPAA Security Awareness Training

  • HIPAA Security Policies

Additional Vulnerability Testing and Support

  • Dark Web Scan

  • Website Scan

  • Network Vulnerability Scan

  • Vetted Network of Managed IT Security Service Providers

What Is The Cost

The cost of a risk assessment is small compared to the cost of a cybersecurity breach. Small and medium-sized businesses can afford, and should budget for, a risk assessment and the scans that check for vulnerabilities. You can then use the results to develop a plan, and budget further to close the gaps uncovered, not only to protect your business but also to protect the customers who rely on you to keep their information and assets safe.

Taking Action

Now that you know how a comprehensive cybersecurity risk assessment can help protect your business, what are your next steps? Will you start with a Dark Web Scan and a Website Scan? Or would you rather learn your full risk profile with a comprehensive assessment and remediate your exposure with a work plan? Either way, we’re here to assist you and answer any questions you may have.

