Creating a Cybersecurity Risk Assessment

Barry O’Donnell, Chief Operating Officer at TSG, walks Top Business Tech through the importance of carrying out a thorough risk assessment, and how to identify the systems which need protection most urgently.

Most businesses will complete regular risk assessments as standard practice. They’re crucial to reducing the threat of financial or reputational loss and give you an overview of the high-risk areas you must address.

One type of risk analysis that is critical but sometimes overlooked is a cybersecurity risk assessment. In today’s digital-first world, it’s difficult to overstate the importance of analysing and addressing threats to your IT security. Making it a regular occurrence is also advised because cybercriminals are finding new holes in your defences every day.

To address these threats, full and frequent cybersecurity audits are necessary to review:

·       weaknesses in your business systems.

·       outdated hardware or software.

·       the security awareness of your employees.

Here are the basic steps you need to take to perform a cybersecurity risk assessment.

Audit your hardware and business systems

You can’t understand the risks associated with your technology if you don’t keep track of it in the first place. Maintaining a comprehensive record of all the technology in your business can sometimes be tricky. If departments in your business are making shadow IT purchases – implementing technology without sign-off from your IT team – it can quickly become unmanageable.

Identifying and auditing your most important and widely-used IT assets will help you understand which solutions make up the biggest percentage of your attack surface. For example, most of your employees will likely use your customer relationship management (CRM) software. If you haven’t tied down access rights, hackers could get in through a backdoor. Similarly, you can stop people from sharing customer information externally by limiting the number of people who can download large amounts of data.

Keeping a rolling inventory of your hardware will also allow you to schedule your patching. Updating or replacing well-known security risks like unsupported devices or operating systems (OS) should be a high priority. Windows 7, which reached its end of life in January 2020, has been targeted with a password-stealing scam due to its vulnerabilities. This highlights how critical it is to patch software and hardware regularly.

Address the most likely incidents

When you think of strengthening your cybersecurity, it’s natural to focus on protecting your business from external threats like hackers. That’s important, but you also need to look at other common incidents and their risk.

With GDPR in force, data security is a high priority for most businesses. It’s important to note that business data can be compromised accidentally and deliberately. If your people use removable storage devices like USB sticks, there’s a risk they could be lost or stolen – like in the case of Heathrow Airport.

Equally, if cybercriminals are targeting your business with phishing emails, consider the risk level of your people clicking on the malicious links and filling in their login details. You can reduce the likelihood of these threats reaching your employees in the first place by using powerful email filtering tools. As hackers’ tools, like the highly evolved Ryuk ransomware, are continually becoming more sophisticated, you need to consider what will happen next.

Educating your workforce about the cyberthreat landscape and how they can play a role in keeping your business secure is vital. You can do this by:

·       providing digital and in-person training materials.

·       using a phishing simulation tool to test existing staff knowledge.

·       outsourcing security training to a managed IT support organisation.

Identify the level of risk and prioritise actions

A risk assessment isn’t finished once you’ve identified the most pertinent risks. Next, you need to understand how to address the risks you’ve identified.

Let’s say you know a lot of your employees take confidential information to on-site customer meetings using USB sticks. They travel via public transport and their storage devices aren’t encrypted. This means your vulnerability is high: there’s a high risk of those items being lost or stolen and accessed by a malicious third party.

This should therefore be one of the first items you address. You can split actions into quick wins and long-term strategies. A quick win would be implementing a policy that states removable storage devices must be encrypted and/or password-protected. A long-term strategy could be implementing a cloud storage solution to allow your people to access their documents anytime, anywhere, and eliminate the need for USB sticks.

Don’t forget about your remote workforce

If your business has back-office staff, chances are a proportion of them will be working from home at the moment. In fact, according to a survey by IESE Business School, SD Worx and CASS Business School, 65% of all British employees switched to remote working during lockdown.

That presents additional risks to the security of your business.

A study by IBM found that 53% of remote workers are working using their personal devices, while 61% say their employer hasn’t issued any guidance on securing those devices. This presents a number of risks to your security, including:

·       lower-grade security solutions on your employees’ personal devices, leaving gaps for hackers.

·       hidden malware or bloatware which has been unknowingly installed.

·       sensitive information accessible by non-employees.

You can easily mitigate these risks by providing employees with laptops or, if that’s not possible, enterprise-grade cloud storage solutions which add layers of protection to work files. Similarly, unsecured home Wi-Fi networks present a risk to security. By installing a business virtual private network (VPN), you can encrypt employees’ connections to your network.
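As an added illustration (not code from the article or from TSG), here is a small Python risk register that turns the kinds of audit findings discussed above (unsupported OS, unencrypted USB sticks, personal devices, shadow IT) into a prioritised list of quick wins and long-term actions. The 1-5 likelihood/impact scale, the ratings, the check list and the sample inventory are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Asset:                               # one row of the hardware/systems audit
    name: str
    os_supported_until: date = date.max    # date.max = support not tracked
    carries_confidential_data: bool = False
    encrypted: bool = True
    personal_device: bool = False
    it_approved: bool = True               # False = shadow IT purchase

@dataclass
class Risk:
    asset: str
    issue: str
    likelihood: int                        # 1 (rare) .. 5 (expected), assumed scale
    impact: int                            # 1 (minor) .. 5 (severe), assumed scale
    quick_win: str
    long_term: str

# (condition, issue, likelihood, impact, quick win, long-term strategy); ratings are assumed
CHECKS = [
    (lambda a, t: a.os_supported_until < t, "operating system out of support", 5, 4,
     "isolate the device and schedule its upgrade", "replace hardware before OS end of life"),
    (lambda a, t: a.carries_confidential_data and not a.encrypted,
     "unencrypted confidential data on removable media", 4, 5,
     "policy: encrypt removable storage", "move documents to cloud storage, retire USB sticks"),
    (lambda a, t: a.personal_device, "personal device used for work", 3, 4,
     "issue device guidance and business VPN access", "provide company-managed laptops"),
    (lambda a, t: not a.it_approved, "shadow IT, no IT sign-off", 3, 3,
     "record the system and tie down its access rights", "require IT sign-off on purchases"),
]
def find_risks(asset: Asset, today: date) -> list[Risk]:
    return [Risk(asset.name, issue, lk, im, quick, long)
            for cond, issue, lk, im, quick, long in CHECKS if cond(asset, today)]

def prioritise(assets: list[Asset], today: date) -> list[Risk]:
    # highest likelihood x impact first; ties keep audit order because sorted() is stable
    return sorted((r for a in assets for r in find_risks(a, today)),
                  key=lambda r: r.likelihood * r.impact, reverse=True)

ASSESSMENT_DATE = date(2020, 6, 1)         # assumed date of the assessment
SAMPLE_ASSETS = [   # constructed inventory; Windows 7 support ended 14 January 2020
    Asset("sales USB sticks", carries_confidential_data=True, encrypted=False),
    Asset("reception PC (Windows 7)", os_supported_until=date(2020, 1, 14)),
    Asset("finance home laptop", personal_device=True),
    Asset("marketing analytics SaaS", it_approved=False),
]
def sample_report(today: date = ASSESSMENT_DATE) -> list[Risk]:
    return prioritise(SAMPLE_ASSETS, today)
```

Calling `sample_report()` ranks the unencrypted USB sticks first, matching the article's worked example, with the out-of-support PC tied on score and the personal device and shadow IT system following.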


In today’s information age, cybersecurity risk assessments are an integral part of your business’s processes. Hackers are taking advantage of businesses and their homeworkers right now, which increases your attack surface. By carrying out a thorough risk assessment, you can identify the systems which need protecting most urgently. You can then create a comprehensive action plan which addresses the high-risk areas of your business first, before looking at securing every potential entry point for cybercriminals.


Barry O'Donnell

Barry O'Donnell is the Chief Operating Officer at TSG, offering managed IT support in London, with expertise across a range of areas including Office 365, Dynamics 365, document management and business intelligence.
