As more and more sophisticated crime operations spread across the globe, and as new software vulnerabilities are discovered and exploited by cyber criminals, companies have an increasing obligation to assign experts and analysts to systematically identify and remediate threats. One invaluable tool for creating and implementing an effective security program is a detailed and comprehensive Threat and Risk Assessment (TRA).
- 1 What is a Threat and Risk Assessment?
- 2 The goals of Threat and Risk Assessment
- 3 When do you need to assess the risk of insider threats?
- 4 NIST Risk Assessment Guide
- 5 PCI DSS Risk Assessment Guide
- 6 Guidance on Risk Analysis Requirements under HIPAA
- 7 Five Key Steps for Assessing Insider Threats
- 8 Conclusion
What is a Threat and Risk Assessment?
A TRA is a process used to identify, assess, and remediate risk areas. The result of this process will be to, hopefully, harden the network and help prevent (or at least reduce) attacks.
Threat and Risk Assessment provides a more thorough assessment of security risk than the standard assessments, such as studying threat statistics or conducting a facility walk-through. The analyst takes information and data from many methods and then combines these pieces, forming an extensive plan for sound security management, while also assessing a company’s compliance with industry practices and applicable laws.
The goals of Threat and Risk Assessment
The main objective of Threat and Risk Assessment is to protect organizations against liabilities by identifying and understanding the various risks facing the client property and community. Threat and Risk Assessment identifies exposures by determining potential security weaknesses and taking the appropriate actions to reduce the impact of threatening events and manage the risks.
When do you need to assess the risk of insider threats?
Not only does the TRA assess external threats, but it can also be effective in assessing and protecting from internal threats. If you are an organization that works with sensitive data, you should also assess the risk of insider threats. No one wants to imagine that their employees can be a security risk, but an estimate of 63% of cyber attacks are internal. There are three steps to assess the risk of insider threats:
- Audit your organization’s cybersecurity
- Apply for cybersecurity insurance
- Comply with laws, regulations, and security standards
Audit your organization’s cybersecurity
Risk assessment is an essential part of risk management strategy. aside from being part of a regular routine, here are just a few of the times when your organization should perform an assessment:
- To plan for reorganization or expansion of a business
- An abnormally high increase in cybersecurity incidents within your industry
- A known attack on your organization
Apply for cybersecurity insurance
Just as we insure our buildings and businesses for risks such as fire, theft, and natural disasters, it’s advisable to also insure your company for cyber attacks. As with most insurance, the insurance company may require an assessment before issuing the policy, and in order to help define the terms of your coverage. The risk assessment method used by insurers for analyzing an organization’s risk level includes:
- Client meetings
- Underwriting questionnaires
- Risk audits
- Open-source intelligence
- Threat intelligence
- Third-party assurance reports
Comply with laws, regulations, and security standards
There are many laws and regulations that directly involve the security of data. Whether it is dealing with PCI, HIPAA, or organizations such as ISO and NIST, assessing the risk of insider threats is mandatory. Below, we will run through a few of these regulatory requirements:
NIST Risk Assessment Guide
The National Institute of Standards and Technology (NIST), suggests the following steps:
- Prepare for the assessment
- Here you define the scope and purpose of the assessment, as well as constraints (you may, for example, limit the assessment to only the customer-facing network). Further, it explains the risk model you are comfortable with, sources of information, and which analytical approaches you will use.
- Conduct the assessment
- At this stage, you identify the relevant sources of threats and events, together with any vulnerabilities that could be exploited. Further, you determine the potential and likely impact of the specific threat events.
- Share and communicate risk assessment information
- To support risk responses, communicate risk assessment results to decision-makers and other relevant personnel.
- Maintain the risk assessment
- This includes remediating vulnerabilities (such as updating and patching software, or monitoring known, but low-level risks (using an IDS)).
PCI DSS Risk Assessment Guide
The PCI Guide offers pages of guidelines and assessment values to consider. Here are just a few of the most important tips:
- All data should be encrypted, both in-transit and at-rest
- Monitor and assess networks on a regular basis
- Only store customer data when necessary (for example, keeping a card on file at popular retail websites)
Guidance on Risk Analysis Requirements under HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) requires that health organizations conduct a regular risk assessment. During this assessment, auditors should check for:
- Malicious software installation
- Computer- and network-based attacks
- Inaccurate data entry
- Unauthorized access to electronically protected health information
Five Key Steps for Assessing Insider Threats
As we mentioned at the beginning of this article, while external threats are certainly a risk, a large number of attacks come from internal sources. For this reason, it is vital to assess your organization’s security from the inside, as well. The five critical steps of insider threat risk assessment are:
Identifying essential assets of an organization
Risk assessment starts by distinguishing the valuable assets that insiders can compromise in an organization. It would help if you, therefore, focused on:
- Access to admin accounts and servers (both physical and cloud)
- Confidential information, such as trade secrets
- Employee’s sensitive data
- Subcontractors’ and partners’ data
- Crucial services and systems
Defining the possible insider threats
Activities done by legitimate users but with negative connotations are referred to as insider threats. These include:
- Sensitive data disclosure
- Misusing, changing, or deleting data
- Malware uploads (both intentional and unintentional)
- Failure to follow the principles of least privilege
Here, you determine which risks most threaten your business, both in terms of profitability and customer confidence. A risk matrix can help you determine the level of each risk. Here are the four factors that you should analyze:
- How critical the threat is
- Importance of the at-risk assets
- Likelihood of an occurrence
- System vulnerability
Create a risk assessment report
Wrap your risk assessment results into a comprehensive report. This will help to simplify the decision-making processes at the further stages of the management strategy. The report can help you to:
- Communicate results of risk assessment to decision-makers
- Share the risk-related information with your employees
- Adjust your risk management approach (updating software more regularly, making password requirements more stringent, etc.)
Make insider risk assessment a common practice
You should note that with time, organizations tend to change either software and tools, or expand their departments and their practices. Such changes create new vulnerabilities, and your organization should therefore conduct a risk assessment regularly.
Risk assessments collect essential information and expose weak cybersecurity spots. They also provide an organization with the tools they need to evaluate the consequences of potential security incidents. Lastly, they also help an organization improve its security practices, helping to prevent incidents in the future. While it is impossible to prevent all incidents, risk assessments are a vital tool for protecting any organization from the ever-growing threat of cyber criminals