Cybersecurity Risk Assessments

Roger Walton from PCG, a managed services and security provider, talks about the importance of cybersecurity assessments. On this Tech Tuesday episode, he talks with John Maher about the assessment process and how often businesses should look at and remediate their risks.
John Maher: Welcome to Tech Tuesday brought to you by PCG, a managed services and security provider in Portsmouth, New Hampshire. I’m John Maher. With me today from PCG is Roger Walton. Welcome, Roger.
Roger Walton: Hi, John. Great to be with you.
Why Do Businesses Need Risk Assessments?
John: Thanks. So Roger, today we’re talking about cyber security risk assessments. What are risk assessments and why do businesses need them?
Roger: A risk assessment is a process of going through the potential threats to a business that are going to impede its operation. Now, depending on the type of business you are, you may have different types of threats. So, if your factory is at the bottom of a volcano, then you may be very concerned about the volcano erupting and burying your factory. So your risk assessment may be rather focused on the problem of the volcano.
Unfortunately, perhaps, these days for almost every business, the IT world is littered with volcanoes of different types because there are many ways in which a cybersecurity event can create very serious consequences for the business.
The risk assessment is a systematic process of looking at: this is your business, these are the assets you have, these are the information assets that you have, these are the threats that you feel that you face. And going through and trying to understand what are the biggest risks to your business? What are the opportunities to remediate them? And then coming up with a plan so that you have, to the extent possible, approaches to remediate all the different kinds of risks.
Why Are IT Risk Assessments So Important?
John: And why are risk assessments so important in IT specifically?
Roger: This really comes to where the internet, the development of the internet, has brought us over the last couple of decades. Obviously, it’s a huge boon to be able to do business efficiently and effectively, but it’s also put us all in the neighborhood where there’s a bunch of criminals. And there are a lot of threats there and we think of ransomware that is going to lock up all your IT assets potentially and prevent your business from functioning. There are financial frauds where any money that you have in a bank account may potentially find its way into someone else’s bank account, depending on the type of fraud that’s perpetrated. These things are very serious.
There are other types of risks. If information about your business gets out, it could damage your reputation. That could also be an existential threat for your business. There are many different kinds of risks out there. If you have information on your employees that is meant to be private and it becomes public, then yes, it's a reputational risk. It's also a potential legal risk. And these things can hurt your business in many different ways. So there's a lot of different things to think about.
Who Should Be Responsible for Doing a Risk Assessment?
John: And who should be responsible for doing a risk assessment?
Roger: At the end of the day, the folks that run a business are the only folks that can decide what the most important risks are as far as they're concerned, what types of risks they are more comfortable with, and what things they're not comfortable with and therefore want to remediate.
So, at the end of the day, the folks that own the business really need to own the risk assessment, but that doesn't mean that they need to be the ones doing all of the work. They will certainly engage members of their management team and potentially outsiders, especially in the case of smaller businesses, who are going to do much of the work that's involved in the actual process of the risk assessment.
What Is the Risk Assessment Process?
John: So go into a little bit more detail on that, if you would, on the process of running a risk assessment and how that works.
Roger: Risk assessments should typically start by talking about the business. And in a very systematic way, thinking about what the business's assets are, and if it's an IT-focused risk assessment, which is primarily what PCG is involved in, then we're looking at what are your IT assets? What are the things of value that you have in your IT department that, if you lost access to them, either because they were drowned in a flood or because they were locked up by ransomware, would have consequences for your business?
We look at assets, we look at threats. What are the ways in which those assets could be harmed? We look at vulnerabilities. What are the ways in which they would be open to harm? And that may consider things like, are you at risk from employees doing harm to some of your IT assets?
Certainly, hackers would be one of the things that we talk about, but there are also people that… There are other types of risk that can certainly impact the company and must be thought about as well. Insider threat is certainly one of those, or even people making mistakes. Typically, we go through a questionnaire.
The questionnaire that we use will typically come from a cybersecurity framework from NIST. And what that does is it goes through the different kinds of controls in the industry, but basically processes and practices that you need to have in different parts of your organization to protect you from the various types of threats that might be out there. And we go kind of systematically through those. We identify what you have in place and therefore what you don’t have in place. Some of the things you don’t have in place we would look at as being vulnerabilities and those vulnerabilities in turn would relate to the threats and assets that we talked about at the beginning.
What Questions Do You Ask During a Risk Assessment?
John: So in terms of the questions that you ask during a cybersecurity risk assessment, does that all come from, like you said, the NIST cybersecurity framework? Or are there additional questions that we should be asking?
Roger: Certainly the NIST cybersecurity framework is very important. It's important within the context of your business. So the starting point, as I said, is really to understand your business framework, and that provides a context for all of the cybersecurity-focused questions that we are asking.
What Happens After the Risk Assessment?
John: And then what comes after the risk assessment? What’s sort of the next step, if you will, that a company needs to take after that risk assessment is completed?
Roger: Typically, what we do is we end up with a list of vulnerabilities that we are together concerned about, that you, as a business owner, and we, as your advisor, agree are things that put your business at risk in some respect. And for each of those vulnerabilities, there are various remediations that we consider. So we go through those remediations and make recommendations. And then typically we will also be prioritizing them, again based on what's important to you, based on the types of assets you have and the threats that you face.
John: Right. You're taking a look at all of those threats and you're saying, "Okay, well, the ones that are the most important for us to really lock down are, say, the software that we use every day for our customers or something like that. If we lost access to that, or we lost the data in our database, that would just shut us down completely for weeks or something along those lines. And so that's the most important thing; we need to make sure that's locked down first." And then you kind of go down the list from there and tackle the most important things first, and then make your way down. Is that sort of the process?
Roger: Yeah. And it's about which is most time critical. And here, we take into consideration that everything in security is an investment of money and/or time, and probably also a distraction from your core business. And this stuff isn't cheap. It's really important to know what are the things that we really have to do now? And what are the things that we can consider spreading out over the following quarters or years? And what are the things we should look hard at to see if they really are important to you as a business, in the context of the other things that are going on?
Why Do You Need to Repeat Risk Assessments?
John: And then do risk assessments need to be repeated periodically? And if so, how often?
Roger: The answer should be yes, because obviously the threat landscape changes, your business changes, the assets change. Most frameworks recommend coming back to it at least once a year. That doesn’t necessarily mean that you must go through the whole process from soup to nuts every time, because it’s really an evolution rather than going back to square one.
But of course, you may also do additional risk assessments when there are additional events. If you make an acquisition, you have a new business, you may want to look at that separately or do an additional risk assessment focused on that new asset. Or if there are other changes in your business, maybe the same thing would apply.
John: So if a big change like that happens, maybe that would trigger another risk assessment, even if it’s not the yearly one that’s scheduled?
Roger: Exactly. Yes.
Contact PCG for More Information
John: Right. Right. All right. Well, that’s really great information, Roger. Thanks again for speaking with me today.
Roger: Been a pleasure.
John: And for more information, visit the PCG website at pcgit.com or call 603-431-4121.