Data Breach Risk Assessment: A 10-Point Checklist

The Quick Guide to Conducting the Perfect Data Risk Assessment

Is your business at risk of a data breach? 

A data breach risk assessment helps you to understand how vulnerable your business is, and to take measures to mitigate the risks that your business is experiencing.

It’s a bit like a personal health check. Only when you check your physical health will you really know if you’re in tip-top condition: and if you aren’t, the early warning could be what you need to get back to full health.

Here are five steps to execute an effective data breach risk assessment, and a 10-point checklist to help ensure it is successful.

Step #1: Define the scope of your risk assessment

The first step in a risk assessment is to define its scope. Is it to be conducted on the whole organization, a business unit, or a team? Is the assessment needed for a single location or a specific business function?

You should review which standards you must comply with (for example, ISO 27001 or SOC 2), and understand how this impacts the risks to your business and the mitigation needed. This said, if you only fulfill the requirements as laid out by compliance regulations you are unlikely to be comprehensively protected.

Step #2: Identify the security controls already in place

Whether you have formally implemented security controls or not, it is probable that you have some in place. It’s crucial to know where you stand currently before you seek to move forward.

Controls may be implemented through technical and non-technical strategies, covering:

• Preventative controls, which reduce the likelihood of a security breach

• Compensating controls, which are alternatives to those controls explicitly required by regulations but that also reduce the likelihood of a security breach

• Detective controls, which alert you to a security breach that has occurred

Examples of technical controls include hardware, software, multi-factor authentication, and intrusion detection software. Non-technical controls include things like security policies and physical means like controlled building/office access.

Step #3: Identify potential threats and vulnerabilities

It’s also crucial to identify all potential threats and vulnerabilities.

Threats to your data security come in many forms. It’s easy to be consumed by cyber threats such as malware, ransomware, cybercriminals, and other digital risks. However, you should also be mindful of other risks that could compromise your data security, including:

• Natural disasters

• System failures

• Human error

• Third-party vulnerabilities

Your business could be threatened by data leaks, your customers, your employees, service disruptions caused by data breaches, and reputational risk caused by misuse of information.

Vulnerabilities are ways in which threats could occur. The chance of a threat occurring is increased ─ or made possible ─ by vulnerabilities. A vulnerability is a weakness that can be exploited to breach your security, steal or misuse sensitive data, and damage your business. Examples include poor software management and outdated applications, weak passwords, poor building design or inadequate premises access control, and lost computers.

Step #4: Determine the risk

This step requires you to estimate each threat that could exploit each vulnerability. As you do so, it’s crucial to calculate the impact on your business should the vulnerability be exploited, and the threat becomes a reality. An effective way to do this is to build a matrix, estimate the possibility of each threat vs each vulnerability, and score against impact.

The associated risk for each threat/vulnerability pairing can be calculated by:

Likelihood x Impact = Risk

As you build your matrix, take care to consider all risks that include:

• Physical harm

• Monetary loss

• Identity theft/fraud

• Psychological distress

• Reputational damage

Once you have these calculations completed, you can then prioritize which threats and vulnerabilities are most important to mitigate.

Step #5: Mitigate the risk

Prioritizing risks allows you to decide which are your most valuable assets, how to protect them, and in which order to protect them. For example, you may decide on three levels of risk:

• Elevated risk, for which corrective measures must be implemented as soon as possible

• Medium risk, for which corrective measures must be implemented in a reasonable time

• Minimal risk, for which you must decide whether to accept the risk or mitigate it later

Measures that you may take to mitigate risk include:

• Initial and ongoing employee data security training

• Implementing real-time monitoring of network traffic

• Enforcing a strong password policy

• Installing patches and updates

• Ensuring data is encrypted in all its states

• Ensuring implementation of physical security measures

• Ensuring you attain the minimum required by data security regulations

10-point checklist for a risk assessment for data breaches

During and at the end of the risk assessment, there are 10 points you should be questioning. Only when you can answer each of these 10 questions fully can you consider your risk assessment to be completed:

1. Is the information in the breach extremely sensitive and could it be potentially harmful?

2. Is any of the personal information that is revealed sensitive, such as related to children or vulnerable adults?

3. Does any of the information uncovered by the breach relate to vulnerable adults or children?

4. Does the information allow individuals to be identified?

5. What is the level of risk associated with the data should it be compromised?

6. Could even seemingly unharmful data be used maliciously ─ or is it available to someone who could use it maliciously, or intend to do so?

7. How many items of information/records/people could be affected by the data breach?

8. Would access to the data require specialist knowledge, or is it easily accessible? How much of the data is already accessible to the public?

9. Would people want their personal information to be kept private?

10. How would a data breach impact your business, and is it likely to cause damage to you or others?

6 Questions to ensure your data risk assessment has been good

Here are six questions you should answer to ensure that your data risk assessment has been good:

1. Was the scope of the risk assessment properly defined as to what was and wasn’t to be assessed?

2. Was an inventory of all hardware and software created?

3. What was the data security risk assessment methodology used?

4. Was the risk assessment conducted by a security professional, and when was it conducted?

5. Did the risk assessment test all the threats and vulnerabilities identified?

6. Did the risk assessment propose suitable recommendations, and do these recommendations address the risks identified?

The bottom line

Identifying, prioritizing, and mitigating risk is at the heart of a fit-for-purpose security strategy. Whatever the size of your business, it is crucial to benefit from a professional data breach risk assessment. Without this, your business will be at risk of cyber-attack from increasingly sophisticated cybercriminals.

Can you list current threats and vulnerabilities in your business IT infrastructure, hardware, software, and people?

To learn more about data security risk assessments, and how you can leverage data security experience and expertise in your business, contact Millennium Tech today.

Error: Please complete all required fields!

First Name:

Last Name:

Email:

Sign Up!

We will never spam or share your email with 3rd parties, promise!