The Department of Health and Human Services enforcement division (the Office for Civil Rights, OCR) recently fined a small neurology practice over $25,000.00. Following a ransomware attack that exposed the PII of several thousand patients, the OCR investigation determined that the practice “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to its electronic protected health information.”
It turns out this is a common issue for many firms. They confuse a “cyber assessment” with a real Cyber Risk Assessment. In this article we discuss the difference and help you avoid additional regulatory risk.
What is a Cyber Risk Assessment?
In the world of cyber security, a “cyber risk assessment” has a specific meaning. It is a formal process whereby an organization identifies the potential “risks” to its systems and data and then makes choices about how to mitigate those risks. It uses some formal terms such as “threat,” “likelihood,” and “impact.” Let’s look at a real-world example of a Risk Event.
Example Cyber Risk Event – Lost Laptop with PII
Let’s say that a small healthcare practice has doctors working on laptops. In some cases a laptop may contain Protected Health Information (PHI), which is a form of personally identifiable information (PII). If a doctor’s car is broken into and the laptop is stolen, this is how the event can be modeled:
Risk Event: Laptop Lost Containing PII
Threat Agent: Thief
Likelihood: HIGH (very common to lose laptops)
Impact: HIGH (lost or exposed PII triggers a data breach.)
Risk Score: HIGH (90.0)
In summary, a Risk Event is something bad happening to a system or to data, described precisely enough that it can be measured. The Risk Score is typically a number based on the “likelihood” (the chance of the event happening) multiplied by the “impact” (how bad it is when it does).
A Cyber Risk Assessment is a full accounting of these possible risk events, using scoring and ranking to prioritize each one. Risk “mitigation” is the process of reducing the likelihood or impact of an event so that the score comes down to an acceptable level. Both are required for a complete risk management program.
What is a Cyber Control Assessment?
A Cyber Control Assessment (sometimes called an Audit or Framework Assessment) is a different concept. A “control” assessment determines whether the organization has actually implemented a specific cyber control. For example:
Control Assessment: Has the organization implemented two-factor authentication for access to sensitive data?
This is a common control because two-factor authentication can dramatically reduce the chance (“likelihood”) of unauthorized entities gaining access to systems. A Cyber Control Framework is a group of these controls that together make up your entire cyber program.
A Control Assessment or Audit is NOT a Risk Assessment
A Control Assessment is NOT a Risk Assessment. Unfortunately, even some cyber security professionals confuse clients by using these names interchangeably. For example, an assessment of your cyber program against NIST CSF is a “CSF Audit” or “CSF Assessment.” It is a measure of control compliance, not of risk. While a Control Assessment or Cyber Audit is a key part of cyber governance, neither is the same as a risk assessment. But they ARE related.
Cyber Controls Reduce Risk
Let’s take the same scenario and consider what “controls” could make a difference. For example, if the firm has implemented full-disk encryption on its laptops, then the “impact” of this event can be reduced. The thief may not be able to access the data at all. One caveat a practitioner should keep in mind: full-disk encryption protects data at rest, so it helps when the stolen laptop is powered off or locked behind a strong passphrase, not when it is taken while running and unlocked. Under the HIPAA Breach Notification Rule, PHI that is encrypted in line with HHS guidance is not considered “unsecured,” which is a large part of why this control lowers the impact so much.
Control: Laptop Encryption – Reduces the “Impact” of a lost laptop.
Other types of cyber controls reduce the likelihood of a Risk Event. In this example, the firm could implement Security Awareness Training that educates employees on how to protect laptops (for example, never leaving them visible in a parked car).
Control: Security Awareness – Reduces the “Likelihood” of a lost laptop.
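The scoring and mitigation model described above (likelihood times impact, with each control lowering one of the two terms) can be written down as a small risk register. The following is an added example, not code from the original article or from any product it mentions. The 1-10 scales, the HIGH/MEDIUM/LOW bands, the sample events and the multipliers assigned to each control are all illustrative assumptions; a real program would take its scales and ratings from a method such as NIST SP 800-30.

```python
"""Toy cyber risk register: score, rank and mitigate risk events.

Added illustrative example. Scales, bands, events and control factors are
assumptions made for this example, not values from any standard or product.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """A control lowers likelihood and/or impact by a multiplier (assumed values)."""
    name: str
    likelihood_factor: float = 1.0   # 1.0 = no effect on likelihood
    impact_factor: float = 1.0       # 1.0 = no effect on impact


@dataclass
class RiskEvent:
    """One risk event: likelihood and impact rated 1-10 (assumed scale)."""
    name: str
    threat_agent: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def inherent_score(self) -> float:
        """Score before any controls: likelihood x impact, max 100."""
        return float(self.likelihood * self.impact)

    def residual_score(self) -> float:
        """Score after applying every control's multipliers."""
        likelihood, impact = float(self.likelihood), float(self.impact)
        for control in self.controls:
            likelihood *= control.likelihood_factor
            impact *= control.impact_factor
        return round(likelihood * impact, 1)


def band(score: float) -> str:
    """Map a 0-100 score onto the qualitative bands used in the article (assumed cut-offs)."""
    if score >= 50:
        return "HIGH"
    if score >= 20:
        return "MEDIUM"
    return "LOW"


def rank(events: list, residual: bool = True) -> list:
    """Order events by residual (default) or inherent score, highest first."""
    key = (lambda e: e.residual_score()) if residual else (lambda e: e.inherent_score())
    return sorted(events, key=key, reverse=True)


def build_register() -> list:
    """Constructed sample register for a small healthcare practice (hypothetical data)."""
    encryption = Control("Full-disk laptop encryption", impact_factor=0.3)
    awareness = Control("Security awareness training", likelihood_factor=0.7)
    mfa = Control("Two-factor authentication", likelihood_factor=0.25)
    return [
        RiskEvent("Lost laptop containing PHI", "Thief", likelihood=9, impact=10,
                  controls=[encryption, awareness]),
        RiskEvent("Phishing leads to credential theft", "External attacker",
                  likelihood=8, impact=7, controls=[mfa]),
        RiskEvent("Server room fire", "Accident", likelihood=2, impact=9),
    ]


def report(events: list) -> list:
    """One line per event, ranked by residual score, for a risk register summary."""
    lines = []
    for event in rank(events):
        inherent, residual = event.inherent_score(), event.residual_score()
        lines.append(f"{event.name}: inherent {inherent:.1f} ({band(inherent)}) -> "
                     f"residual {residual:.1f} ({band(residual)}) "
                     f"via {[c.name for c in event.controls]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_register())))
```

Two things the register makes visible that a control checklist alone does not: the lost-laptop event starts at 90.0 (the HIGH score used in the article) and drops to LOW only because two different controls attack the two different terms of the score, and the residual ranking is not the inherent ranking, so the event that deserves attention next is the one with no control assigned at all, not the one that looked worst on paper.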
There are different ways to perform a risk assessment. The most formal process is outlined in NIST SP 800-30, “Guide for Conducting Risk Assessments.” The point is this: don’t confuse a Control Assessment (“Audit”) with a Risk Assessment.
Make sure you are doing a real Risk Assessment
Cyber Risk Assessments form the foundation of most cyber security frameworks. They are required by many common regulations and standards, such as HIPAA, ISO 27001, NIST CSF, and SEC and FTC rules, among many others. Don’t do a simple control assessment and call it a Risk Assessment. Regulators and qualified auditors are trained to know the difference. Not only will your cyber program be lacking a critical process, your overall liability will increase, as we have seen with recent enforcement actions.
Simplify Your Cyber Risk Assessment
A formal risk assessment can be complicated. Information Shield has dramatically simplified the risk assessment and mitigation process using Compliance Shield. A built-in library of threats, assets, and risk events streamlines the entire process, and the Risk Wizard walks you through each step to get started. Get a FREE TRIAL today and see how much time and effort you can save.