Conducting a Cyber Risk Assessment: FAQs
January 30, 2018

Does your organization have holes in its cyber risk management? A risk assessment might be a good idea. Learn more about how to conduct a risk assessment here.

You can't protect what you don't know about. If your organization has never had a cyber risk assessment, consider getting one done. It will help your business pinpoint gaps in its existing practices and find ways to remediate them.

Frequently Asked Questions: Risk Assessments

Generally, how does a risk assessment work? Whom do you go to? What services are provided?

If the organization does not have the internal resources to perform a risk assessment itself, it typically engages a professional services firm with experience performing cyber risk assessments. Several benchmarks or frameworks are used to structure such an assessment. A common and generally well-accepted one is NIST's (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cybersecurity. Version 1.0 of the framework has been published since 2014; the draft of version 1.1 was still in its public comment period (through January 19, 2018) at the time of writing. The framework was developed using a risk-based approach and organizes its categories of security outcomes under five functions: Identify, Protect, Detect, Respond and Recover. In practice the assessment maps the organization's current practices against those outcomes (its current profile), compares them with where the organization needs to be given its risk tolerance (its target profile), and treats the gap between the two as the remediation roadmap. The underlying process of identifying threats, vulnerabilities, likelihood and impact is described in NIST SP 800-30, Guide for Conducting Risk Assessments, which is commonly used alongside the framework.

What does a risk assessment generally cost?

Costs vary widely with the size of the organization, its industry, its potential cyber exposure and the internal resources available to augment third-party services. For small to mid-size organizations, the range could be between $20,000 and $75,000.

What are the positive results from getting a risk assessment done?

The obvious benefit is an objective identification of the organization's exposure to risk and a roadmap for remediating the gaps found. A secondary benefit is that by commissioning the assessment, the organization sets a positive tone at the top regarding its commitment to internal controls over its environment, which in turn leads employees to take a more active posture toward maintaining security over operations.

We can help you get started with a risk assessment. Reach out to me or any member of the Information Security Services Team today.