7 Reasons Companies Can’t Avoid a Security Risk Assessment

If you’re a company with the view that cybersecurity is largely an IT issue, you may take the attitude of “We’ve got this.” Hold that thought. When did you last have a security risk assessment (SRA)? Also known as a security risk analysis, the comprehensive information security threat assessment is hugely beneficial, no matter what your product or service is.

Are you ignoring the benefits just because you think it's not a regulatory requirement for your company or industry? That’s a risk in and of itself.

A thoroughly documented security risk assessment is essential for most types of companies because:

1. If you handle sensitive data such as Personally Identifiable Information (PII) it is likely required by law.  Even if you operate in an ‘unregulated’ industry fair trading rules may still apply related to any claims you make to your customers about protecting their data.
2. It will provide a central place to track and monitor risk so you can measure your risk posture over time.  
3. It will enable you to increase the visibility of risk to relevant stakeholders so they can take appropriate action, including assisting with remediation and/or contingency planning exercises.  Risk Management is not a one time exercise and so by tracking the Initial state, Current state and Target state for all risks identified a company can ensure progress is being made to reduce risk to an acceptable level within an appropriate timeline.  
4. It should help facilitate a conversation about ‘acceptable risk’ within the management team and board.  It is impossible to eliminate all risk and still operate effectively and so having a conversation about setting reasonable risk objectives is imperative.
5. It will give you a mechanism to prioritize your immediate efforts on the higher risk areas. You can't do everything at once and mitigating the most serious risk factors should be your first priority. Companies should start by defining the scope of the assessment.  For example what systems, departments, locations, people and third parties are in scope. Use an industry accepted risk management framework such as SCF Risk Management Framework.
6.  It will help determine budgets which should be set in accordance with acceptable risk thresholds and what the anticipated cost of mitigation will be.  Some risks can be mitigated cheaply, but others may take significant time and effort. The threshold for each company will vary based on many factors including industry and the type of information stored.
7. It may not eliminate the risk of a data breach, but it will significantly reduce the likelihood of one happening and the impact to the organization if it does.

Plus, if your company does fall under any of the most common data protection regulatory requirements, you can't avoid an SRA in order to be in compliance. Many regulations include a risk assessment as a mandatory requirement. For example, you'll need an SRA if:

1. You’re involved in credit card processing, because you fall under PCI requirements for an annual risk assessment.
2. Your company touches ePHI, because you must comply with the HIPAA Security Rule.
3. You plan – ever – to go for certifications like SOC2 or ISO/IEC 27001; in this case the first thing your professional information security consultant will do is conduct a security risk assessment.
4. You touch personal data of any kind from people who live in the European Union; whether they’re EU citizens or not, GDPR’s requirement applies.

Notice a theme? It's likely that you'll need a Security Risk Assessment if you aren't already doing one.

Risk Management is a shared responsibility because everyone touching personal data is responsible for its security. Talk to Ostendio about our security risk assessment services. Our professionals take you through the entire process. When it’s done, you and your company will not only know your specific risks, you’ll have a working plan to fix them.