Why Every Company Needs A Risk Assessment

Apr 25, 2019 | Risk Assessment


Cybersecurity is becoming a key area of business, one that is core to the health and survival of the company. Having a Risk Assessment performed on the business is a great way to understand the areas of risk, the options for mitigating them, and how to plan the company’s strategy and expenditures for the coming year in light of that knowledge.


All organizations benefit from doing a Risk Assessment, small businesses especially. Small businesses often have a greater need for a Risk Assessment because they lack internal IT capabilities and rely heavily on cloud-based services or the internet. While 27% do not report having any IT support, “92% of small businesses are using one or more cloud-based solution.” A National Cyber Security Alliance and Symantec survey from 2012 reported that 71% of small businesses claimed they were somewhat or very dependent on the Internet, a number that has undoubtedly grown.


Even a brief shutdown of services or operations could sink a small business. “60 percent of small businesses will go out of business due to inability to recover within six months of experiencing a cyberattack.” And small businesses are currently a favorite target of hackers.


Top 3 Reasons to have a Risk Assessment 
  1. Identify the Types of Threats
  2. Prioritize the Threats based on Risk
  3. Strategize the Cybersecurity Action Plan for the next 12 months for the organization.


An organization cannot protect against what it doesn’t know about. If an employee always left a back door of a warehouse unlocked, executive management would probably not know that the physical security of the office or warehouse was at risk, because they didn’t know the employee wasn’t locking the door. Applying that idea to cybersecurity helps explain why a Risk Assessment is so critical: you don’t know what you don’t know.


The first step to managing anything is understanding and evaluating the critical areas. A Risk Assessment is the process that must happen before risk can be effectively managed.


All Risk Assessments should include the following basic types of threats:

  1. Unauthorized Access: Whether malicious or accidental, unauthorized access can result from malware, purposeful cybercrime or even internal threats.
  2. Misuse of Information: When an authorized user makes changes to data without permission.
  3. Data Leakage: Sharing sensitive or private information accidentally. This can happen through phishing attacks, sending an email to the wrong person, or transmitting files through insecure means.
  4. Data Loss or Corruption: All critical data should be backed up and protected by duplication, so that a single loss or corruption event cannot destroy it.
  5. Disruption of Service or Productivity: What happens when systems fail, access is granted to malicious actors or disaster strikes? Would ransomware cripple your company, or is it set up to defend against different types of malware attacks?
  6. Location of Information: Cloud computing and storage are on the rise. There are many advantages to using the cloud, but remember that you are giving your data to a third party. If a cloud provider is breached, your data could be exposed because of their system failure.
  7. Cyber Threats: Cyber threats continue to increase in complexity and frequency. There can be both internal and external threats to the organization’s systems. Malware and viruses are designed to gain access to data that is often behind firewalls and encrypted.
  8. Mobile Device Threats: The shift to smartphones and laptops has made lost or stolen devices a real security issue. This is a significant issue for small and large organizations alike.
  9. Privacy and Security Regulations: There are dozens of different regulations that contain rules for data loss prevention and for how to report an incident or breach. Examples include GDPR, PCI, HIPAA, FERPA, CCPA and GLBA.
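The second of the three reasons above, prioritizing threats based on risk, is where the nine categories turn into a ranked list and a budget for the next twelve months. The following Python is an added example, not code from this article or its author: it scores each category on a likelihood and impact scale, credits whatever controls already exist, and ranks what remains. The 1 to 5 scales, the 0 to 100 control-effectiveness figure, the rating bands, and every rating in the sample register are assumptions constructed for the illustration; the article itself defines no scoring scheme.

```python
from __future__ import annotations
from dataclasses import dataclass

# Qualitative 1-5 scales: an assumption for this example, the article only names
# the threat categories and does not define how to score them.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str             # key into LIKELIHOOD
    impact: str                 # key into IMPACT
    control_effectiveness: int  # 0..100, how much existing controls cut the risk (assumed scale)


def inherent_score(threat: Threat) -> int:
    """Risk before any control is credited: likelihood x impact, range 1..25."""
    return LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact]


def residual_score(threat: Threat) -> float:
    """Risk that remains after the controls already in place are credited."""
    if not 0 <= threat.control_effectiveness <= 100:
        raise ValueError(f"control_effectiveness must be 0..100 for {threat.name!r}")
    return inherent_score(threat) * (100 - threat.control_effectiveness) / 100


def rating(score: float) -> str:
    """Bands (assumed) that decide what management sees first in the report."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritize(register: list[Threat]) -> list[Threat]:
    """Highest residual risk first; ties broken by inherent risk, then name, so the order is stable."""
    return sorted(register, key=lambda t: (-residual_score(t), -inherent_score(t), t.name))


def action_plan(register: list[Threat], slots: int = 3) -> list[str]:
    """Names of the threats that get budget in the next planning cycle."""
    return [t.name for t in prioritize(register)[:slots]]


# Constructed sample register: the nine categories from the article, with made-up
# ratings for a small business that has backups but few other controls.
SAMPLE_REGISTER = [
    Threat("Unauthorized Access", "likely", "major", 25),
    Threat("Misuse of Information", "possible", "moderate", 50),
    Threat("Data Leakage", "likely", "moderate", 0),
    Threat("Data Loss or Corruption", "possible", "severe", 80),
    Threat("Disruption of Service or Productivity", "likely", "severe", 50),
    Threat("Location of Information", "unlikely", "major", 25),
    Threat("Cyber Threats", "almost certain", "major", 50),
    Threat("Mobile Device Threats", "possible", "moderate", 0),
    Threat("Privacy and Security Regulations", "unlikely", "major", 0),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_REGISTER):
        score = residual_score(t)
        print(f"{score:5.1f} {rating(score):8} {t.name} (inherent {inherent_score(t)})")
    print("Next 12 months:", action_plan(SAMPLE_REGISTER))
```

Note how the ranking separates inherent from residual risk: Data Loss or Corruption scores 15 before controls, the highest band, but drops to the bottom of the list once the existing backups are credited, while Data Leakage with no control at all stays near the top despite a lower inherent score. That distinction is what lets the assessment direct spending at gaps rather than at categories that merely sound alarming.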


A Risk Assessment is a key tool for any organization that wants to understand and manage its risk in the ever-changing world of cybersecurity threats. Ensuring the organization understands and meets the essential security basics will ensure it is prepared for when cybersecurity attacks come.