How to perform a security risk assessment.

A security risk assessment could be the worst thing you ever do. Trying to list things that could go wrong can be intimidating, and leave you either terrified or too numb to improve.

We have done plenty of them over the years, so here are our tips.

1. List what you have.

By this, I mean your systems, suppliers, software and data. I know it seems dull, but it doesn't take that long and is helpful.  It can be tempting to go into too much detail, but remember that something is better than nothing.  Here’s an example I have used before:

2. Note how big an issue it would be if you suffered a breach of each asset.

We can go into detail on what 'security' means, but maybe start with 'how much would my heart rate increase?' (a lot, a bit, not at all). Mark this on your sheet (example below):

3. Think of what kind of things could go wrong in theory.

Don't go into too much detail; there are only a limited number of these, whatever other people say. For example: (1) something breaks, (2) someone makes a mistake, (3) you get a virus, (4) something is stolen, (5) someone outside breaks in and (6) someone inside breaks in. These are your threats.

4. Think how likely the threats are to happen.

If you don't know, think how often they have happened in the past. Then rate them high (e.g. at least annually) to low (never).  Here’s an example:

5. Now, think about how the high-likelihood threats impact your important assets, the things that raise your heart rate.

What are you going to do to stop these things happening? What else do you need to do? Focus any investment, monitoring and improvement on these first, and keep managing the lists (say every quarter). Here's a completed example:
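Putting the five steps together as a worked example. This is an added illustration, not the template the post refers to: the asset names, the ratings, the three-rung scales and the list of threats that do not apply to a given asset are all constructed assumptions. The point it shows is the arithmetic behind step 5: score each asset/threat pair as impact multiplied by likelihood and work the highest scores first.

```python
"""Worked risk register: rank asset/threat pairs by impact x likelihood.

All sample data below is constructed for illustration and is an
assumption, not data from the original post or from any real business.
"""
from dataclasses import dataclass
from itertools import product

# Step 2: "how much would my heart rate increase?" mapped to a number.
IMPACT = {"not at all": 1, "a bit": 2, "a lot": 3}
# Step 4: how often the threat has happened in the past. "high" means at
# least annually and "low" means never, as in the post; "medium" is an
# added middle rung (assumption).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}

# Step 3: the six generic threats from the post, each with an assumed
# likelihood rating for this sample business.
THREATS = {
    "something breaks": "high",
    "someone makes a mistake": "high",
    "you get a virus": "medium",
    "something is stolen": "low",
    "someone outside breaks in": "medium",
    "someone inside breaks in": "low",
}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str    # system / supplier / software / data (step 1)
    impact: str  # step 2 rating, a key of IMPACT


# Step 1: the register of what you have (constructed sample).
ASSETS = [
    Asset("customer database", "data", "a lot"),
    Asset("accounting SaaS", "supplier", "a lot"),
    Asset("staff laptops", "system", "a bit"),
    Asset("office printer", "system", "not at all"),
]

# Not every threat applies to every asset: a SaaS supplier's service cannot
# be physically stolen from your office, for example. Constructed assumption.
NOT_APPLICABLE = {
    ("accounting SaaS", "something is stolen"),
    ("office printer", "someone inside breaks in"),
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    score: int  # impact x likelihood, 1..9 on these scales


def build_register(assets=ASSETS, threats=THREATS, not_applicable=NOT_APPLICABLE):
    """Step 5: score every applicable asset/threat pair, highest risk first."""
    register = []
    for asset, (threat, likelihood) in product(assets, threats.items()):
        if (asset.name, threat) in not_applicable:
            continue
        score = IMPACT[asset.impact] * LIKELIHOOD[likelihood]
        register.append(Risk(asset.name, threat, score))
    # Highest score first; ties broken by name so the output is stable.
    register.sort(key=lambda r: (-r.score, r.asset, r.threat))
    return register


def top_risks(register, threshold=6):
    """The 'focus here first' list: pairs scoring at or above the threshold.

    A threshold of 6 means 'a lot' x at least 'medium', or 'a bit' x 'high'.
    """
    return [r for r in register if r.score >= threshold]


def format_register(register):
    """One line per pair: score, asset, threat."""
    return "\n".join(f"{r.score:>2}  {r.asset:<20} {r.threat}" for r in register)


if __name__ == "__main__":
    reg = build_register()
    print(format_register(reg))
    print("\nFocus first on:")
    print(format_register(top_risks(reg)))
```

Re-running this each quarter with updated ratings is the "keep managing the lists" part: when a threat actually happens, its likelihood rating moves up and the affected pairs climb the list on their own.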

There can be a lot more to it, and the above is only an example (so please don't copy it; it is not complete or necessarily logical), but your aim here is to focus your effort in the right places rather than trying to do everything at once. If you are looking for a more absolute measure of whether you are secure, then I'm not sure a risk assessment will help you much. Look at a defined standard instead (Cyber Essentials and IASME Cyber Assurance are good places to start as a small business). More on that later, though!

To help, we have templates for risk assessment we're happy to share if you get in touch. If we can help you run through this exercise, please let us know and one of our specialists will be in touch for a chat.