
How to do a cyber security assessment of your business in 2021 [a step-by-step guide]

Max Pierce - December 14, 2021


As your business grows and adopts new technologies, your risk of being targeted by a cyber attack grows substantially. Performing a cyber security assessment will help your organization understand, control, and mitigate all kinds of cyber threats.

It is absolutely critical for an organization (especially one that is a lucrative target for cyber attackers) to stay on top of its cyber and network security assessments year-round. These risk assessments are nothing new, but in our experience they are a component of cyber risk management that is unfortunately often overlooked.

In the modern world, EVERYBODY relies on information technology (IT) to do business on a day-to-day basis.

When we all rely on something, it becomes a lot more lucrative to attack. That is the trend we are seeing in 2021 and will likely continue to see in 2022. Performing a comprehensive cyber risk assessment can greatly help to mitigate your business’s risk of attack.

Important: Doing a cyber security risk assessment of your business is not trivial. I will do my best to guide you through the general process, but we would highly recommend working with a cyber security company.

With that being said, let's dive into it.

What is a cybersecurity risk assessment?

A cybersecurity risk assessment is the analysis of your company assets and procedures to identify gaps that could make you vulnerable to a cyber-attack.

Once you have identified those gaps, you can rank them from the highest, most immediate risk to the lowest.

This lets your organization work through its risk mitigation process in order of priority, saving critical resources and maximizing efficiency.

Here are the important questions you will be asking when you perform the assessment:

  • What are the most important technological assets in my business?
  • What is the most sensitive data my organization stores?
  • What cybersecurity threats does my organization face? Is there any reason we may be a larger target than other businesses?
  • What would the impact on my business be if an attack was successful?
  • What are the largest vulnerabilities of my organization? Both external and internal.
  • What is the likelihood a threat actor will exploit those vulnerabilities?
  • What level of risk is acceptable to me and my organization?
  • How can we address the identified vulnerabilities?


Answering these crucial questions gives you an excellent, top-to-bottom view of your organization’s current cyber posture.

We can then highlight the largest areas of concern by performing a risk analysis.

As a final step, we combine our findings into a dedicated strategy to mitigate those vulnerabilities in a cost-effective manner.

Cyber security risk assessment tools

A great way to go about conducting a cybersecurity risk assessment is to follow the guidelines set forth by an established cybersecurity framework.

The NIST Cybersecurity Framework and the ISO/IEC 27000 series (ISO/IEC 27001 in particular) are 2 popular, proven examples; for the risk assessment itself, NIST SP 800-30 (Guide for Conducting Risk Assessments) lays out the process step by step. These are a great starting point towards becoming a secure organization and I would highly recommend exploring them further.

Tip: If your business is part of the US Defense Industrial Base (a DoD contractor or subcontractor), look into the CMMC security framework.

CMMC is a “training, certification, and third party assessment program of cybersecurity in the United States government Defense Industrial Base aimed at measuring the maturity of an organization’s cybersecurity processes.”

Why perform a cybersecurity assessment?

Let’s get technical.

A comprehensive cybersecurity assessment is a critical component of determining an organization's cybersecurity posture.

The goals of an assessment are as follows:

  1. Identify vulnerabilities and close gaps in your security. This saves your business from substantial financial loss and protects your reputation.
  2. Avoid data breaches. Losing control of your critical data typically has a huge financial impact on any business; if it can be avoided, it should be.
  3. Give you a baseline risk assessment template for future assessments. Cyber risk assessments are made to be repeatable; this is not a one-and-done exercise, and for the practice to be effective it must be repeated.
  4. Stay compliant and avoid costly regulatory issues. Do not end up with customer data stolen because you failed to meet a regulation such as HIPAA.
  5. Avoid data loss. Losing critical data could mean losing business to your competition.
  6. Keep your systems up and running. Downtime is bad for everyone.

You then can use your findings to make informed decisions about how security strategies can be implemented in your business.

Tip: You may see the term "cyber security posture" quite a bit. A commonly used definition is: "the strength of your cybersecurity controls and protocols for predicting and preventing cyber threats, and the ability to act and respond during and after an attack."

How to perform a cyber security risk assessment of your business

An effective assessment will likely vary quite significantly from one organization to the next. Your business industry, location, and regulatory requirements will change your specific process. The core foundation of an effective cyber security assessment does however remain the same, regardless of the aforementioned complexities.

Follow these 6 steps when conducting your cyber security assessment:

  1. Figure out the scope of your assessment
    This will be a lesson in thoroughness. You will need to identify every asset that will be evaluated in order to accurately determine the full scope of the project.

    We would recommend starting small with a single asset type and working through the remaining asset types systematically in the same way.

    Once you have chosen your asset type, you will need to figure out every other device or piece of information it touches in any way.

    Take your time on this step of the process, as it is what ensures you get a comprehensive look at your entire network. Cutting corners here could mean critical vulnerabilities are unintentionally ignored.

    The likelihood is that you will find your network is a complex spider-web of information (which can feel overwhelming). This is the point where we would recommend getting in touch with a partner that has deep experience doing these types of assessments. We handle them for our clients all of the time at Techfive :).

  2. Figure out how valuable each asset is
    Once you have completed step 1, it’s time to talk value.

    It’s important to remember that the value of an asset likely extends beyond just the cost of the hardware/software. Consider the intangible cost of an asset and the cost of the loss of an asset to your business.

    Typically we find most assets’ actual value extends well beyond the expectation. We live in an interconnected world and your business is no different.

    For each asset, gather specific information where applicable such as software, hardware, end-users, purpose, criticality, and any security policies in place.

  3. Identify gaps in your security
    This is where a lot of the complexity comes in. It is nearly impossible to do this without having a background in cyber security or information security.

    What you are going to want to do is calculate the likelihood of various business loss scenarios. Essentially you are looking to identify security holes, calculate the impact that an exploit would have on your organization, and mitigate those risks.

    The most common threats that affect every organization typically include:

      • Unauthorized access: from attackers, malware, or employee error.
      • Misuse of information by authorized users: data may be altered, deleted, or used without approval.
      • Leaked data: personally identifiable information exposed intentionally by attackers or unintentionally through misconfigured systems.
      • Business disruption: loss of revenue and reputation damage due to downtime.

    I have oversimplified the process here. I would recommend visiting the NIST framework page to get a much deeper dive into cyber security practices.

  4. Perform an info value vs cost of prevention analysis
    This is the way you figure out what to prioritize first and what is most immediately beneficial.

    What we are looking for is to assess the importance of securing a category of your data compared to the relative cost for your company to do so.

    To do this, you take the likelihood of a threat and its potential impact against the cost of preventing it and compare them against each other. We can then produce a plan for which holes need to be patched first.

    Something to remember is that the impact of a cybersecurity incident extends beyond just money. It is common for a brand’s reputation to be negatively affected after suffering from a cyber incident. Take this into consideration when performing your information value vs cost of prevention analysis.

Insider Insight: If your organization is hit by a cyber attack, be very careful what you say to your customers, coworkers, etc. You could cause significant additional damage by saying the wrong thing (or anything at all). Keep a cool head and follow your cyber incident response plan.

  5. Establish security controls (and continuously monitor them)
    Once again, this is a complex task requiring multiple skill sets to complete and do well. The key here is continuous monitoring of security controls.

    Threat actors aren't static threats; they are constantly finding the newest vulnerability or angle to attack from. To stay ahead of the curve you have to constantly monitor and adjust your threat mitigation strategies.

    A good practice is to update your cybersecurity assessment at least once per year, and again after any major change to your environment (new systems, a move to the cloud, an acquisition).

    For the third time we are going to recommend working with a company specifically geared towards cyber security. The importance of getting this right can't be overstated.

  6. Document your findings!
    This report doesn't mean a lot if you can't reference it later. It will serve as an invaluable tool you can use to develop new (and more effective) security practices.

    You can also use your report as a training tool for new hires coming into your organization.

    Take your time here. Meticulously organize your findings, you won’t regret it.
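To make steps 2 through 4 concrete, here is an added worked example (my illustration, not part of Techfive's assessment process or any framework's official method): a small asset register, a handful of threat scenarios, and a plan that sorts them into accept, fund and defer buckets. It assumes the classic quantitative model where single loss expectancy (SLE) is asset value times exposure factor, annualized loss expectancy (ALE) is SLE times annual rate of occurrence (ARO), and return on security investment (ROSI) is the ALE reduction minus control cost, divided by control cost. Every asset, dollar figure, likelihood and the risk appetite below is constructed for illustration.

```python
"""Added worked example (not Techfive's process): a toy quantitative risk ranking.

Model assumed here (classic SLE/ALE/ROSI arithmetic, not something the article defines):
  SLE  = asset value * exposure factor           loss per incident
  ALE  = SLE * ARO                               expected loss per year
  ROSI = (ALE reduction - control cost) / cost   net return per dollar of control spend
All assets, figures and likelihoods below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    replacement_cost: float   # hardware/software/rebuild cost
    intangible_cost: float    # reputation, lost business, regulatory exposure
    criticality: str          # "high" | "medium" | "low", decided in step 2

    @property
    def value(self) -> float:
        return self.replacement_cost + self.intangible_cost


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: str
    aro: float             # expected incidents per year today
    exposure: float        # fraction of asset value lost per incident (0..1)
    control: str           # proposed mitigation
    control_cost: float    # annual cost of that mitigation
    residual_aro: float    # expected incidents per year once the control is in place

    @property
    def sle(self) -> float:
        return self.asset.value * self.exposure

    @property
    def ale(self) -> float:
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        return self.sle * self.residual_aro

    @property
    def risk_reduction(self) -> float:
        return self.ale - self.residual_ale

    @property
    def rosi(self) -> float:
        return (self.risk_reduction - self.control_cost) / self.control_cost


def top_concerns(scenarios):
    """Step 3: scenarios ordered by expected annual loss, largest first."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def build_plan(scenarios, risk_appetite):
    """Step 4: information value vs cost of prevention.

    accept: ALE already within the agreed risk appetite -> document it, no spend
    fund:   control saves more per year than it costs -> do these, best ROSI first
    defer:  loss above appetite but the control costs more than it saves ->
            find a cheaper control or get an explicit, signed-off risk acceptance
    """
    plan = {"accept": [], "fund": [], "defer": []}
    for s in scenarios:
        if s.ale <= risk_appetite:
            plan["accept"].append(s)
        elif s.risk_reduction > s.control_cost:
            plan["fund"].append(s)
        else:
            plan["defer"].append(s)
    plan["fund"].sort(key=lambda s: s.rosi, reverse=True)
    plan["defer"].sort(key=lambda s: s.ale, reverse=True)
    return plan


# --- constructed sample register (what steps 1 and 2 produce) ---
CUSTOMER_DB = Asset("customer database", 20_000, 300_000, "high")
FILE_SERVER = Asset("file server", 8_000, 40_000, "medium")
WEB_SITE = Asset("marketing website", 2_000, 5_000, "low")

SCENARIOS = [
    Scenario(CUSTOMER_DB, "ransomware via phished credentials", 0.5, 0.6,
             "MFA plus offline backups", 12_000, 0.05),
    Scenario(FILE_SERVER, "insider data misuse", 0.2, 0.5,
             "least-privilege shares plus access logging", 3_000, 0.1),
    Scenario(WEB_SITE, "defacement via unpatched CMS", 1.0, 0.4,
             "managed patching", 1_200, 0.2),
    Scenario(WEB_SITE, "volumetric DDoS", 0.3, 0.3,
             "CDN with DDoS protection", 2_400, 0.05),
]
RISK_APPETITE = 2_000  # constructed: max expected annual loss accepted per scenario


if __name__ == "__main__":
    print("Largest areas of concern:")
    for s in top_concerns(SCENARIOS):
        print(f"  {s.asset.name:18} {s.threat:36} ALE ${s.ale:>10,.0f}")
    plan = build_plan(SCENARIOS, RISK_APPETITE)
    for bucket, items in plan.items():
        print(f"\n{bucket.upper()}:")
        for s in items:
            print(f"  {s.threat:36} control={s.control!r} cost ${s.control_cost:,.0f} "
                  f"saves ${s.risk_reduction:,.0f}/yr ROSI {s.rosi:+.1f}")
```

Two things the numbers make visible that the prose does not: the customer database dominates because its intangible cost (breach notification, lost trust) dwarfs the hardware cost, which is the point of step 2; and the insider-misuse scenario lands in "defer" not because it is unimportant but because the proposed control costs more than it saves, so the right next move is a cheaper control or a documented risk acceptance rather than silently dropping it.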


Techfive can help you complete your assessment (and much more)

At Techfive, we are security-first technology managers for our clients across 4 states. We provide world-class managed security services with transparent pricing.

The way I like to explain it to our new clients is that we are managed service partners built for the modern world with a security-first mentality baked into every step of our processes.

We can help you handle compliance, cyber risk management, work-from-home tech and so much more.

If you would like to know more, please schedule a free demo with us.

My Closing Thoughts

Performing a cybersecurity risk assessment is an integral part of becoming resilient to cyber incidents. We would highly recommend taking the time as an organization to discuss and plan for the inevitable cyber incident.

In 2021 and 2022, cyber incidents at small businesses have increased and will continue to increase at a dramatic rate. Being the low-hanging fruit is asking to be attacked. It's time to get serious about cyber security, especially if you are a small business with fewer than 50 employees.

That's it for my rundown on cyber risk assessments. Be sure to grab a subscription to our newsletter; it's worth it.

Thanks for reading.


WRITTEN BY

Marketing Manager @ Techfive | Working to make B2B brands more personable & human.
