Risk Assessments (Video)

In this video, Roger Walton talks about the importance of cybersecurity for businesses of all sizes. Then, he explains how PCG does a risk assessment to guide its cybersecurity plans for clients.

I’m Roger Walton, and I’m going to be talking about risk assessments.

Until fairly recently, most small businesses could safely ignore cybersecurity. Just taking a few basic precautions was sufficient. But unfortunately, that’s no longer true. Since the cost of being a cyber criminal has dropped dramatically by virtue of the tools now available on the dark web, pretty much every business is a potential target for relatively small-scale criminals. Businesses need to take much more thorough precautions against cyber crime.

Since there’s almost no limit on the amount that you could spend on security, a big question becomes determining your priorities. Will you get more benefit from training? Should you emphasize data protection tools? Should you engage a monitoring service? And how much effort should you put into documenting your practices? Answering questions like these is the job of a risk assessment. A risk assessment is a formalized process by which we help you systematically review the threats to your business, the potential vulnerabilities in your infrastructure and practices, and develop recommendations on exactly what steps you should take to meet your security needs, and with what priority.

The risk assessment is divided into three phases. In the first phase, we learn about your business from the perspective of a potential cyber criminal. We ask questions like, what information assets do you have, and where do they live? We review what threats are out there and that you should be considering, and we set the context for phase two. In the second phase, we leverage the cybersecurity framework from NIST, the National Institute of Standards and Technology. We go through about 70 questions to determine what gaps you have in your defenses, whether they point to a significant vulnerability, and if so, how it can be remedied. The third phase is to take this information and to create a report that lays out clearly your vulnerabilities to cyber incidents, and provides a prioritized set of recommendations on what you should do about it.

In summary, a risk assessment is a critical part of ensuring that your business gets the best possible protection from the time and money you invest in cybersecurity. Every cybersecurity authority recommends businesses start with a risk assessment and follow up with annual updates to tune their responses as cyber crime and the available defenses evolve.