Risk Analysis: What Cyber Risks Does Your Organization Run?


In this blog article, we take you through the 6 steps of a risk analysis so you know what the biggest risks are and what impact they can have.

Before you start analyzing the cyber risks for your organization, it is important to have a clear picture of all involved stakeholders. After all, a good risk analysis is not something you do alone; it must be carried out together with the stakeholders in your organization. Moreover, you will not be able to fill in all steps of the analysis (completely) by yourself, so involve the relevant stakeholder(s) directly.

As soon as you have mapped all stakeholders, follow the 6 steps in this blog article to create a solid risk analysis for your organization.

Step 1: Threat Analysis

There are many forms of cybercrime, and the risk (or impact) of each also varies greatly. The most common cyber attacks are:

  • Data leaks: If company information falls into the wrong hands, this can lead to, among other things, identity theft or loss of intellectual property. In addition, this can lead to (major) financial loss in combination with extortion by criminals or fines from authorities.
  • Ransomware attacks: In this case, your systems are encrypted, which means that the processes that depend on these systems can no longer function. This also often happens in combination with extortion by cyber criminals.
  • DDoS: A DDoS attack overloads the organization's servers. This results in reduced or no accessibility of all services delivered via the internet.
  • Supply-chain attacks: In this case, access to your systems is obtained through an attack on a party in your supply chain, such as a supplier or a software component you depend on.
  • Attack on vulnerable systems: Especially in the OT and IoT domain, it can happen that equipment connected to the internet is attacked directly. This can lead to major operational problems. In addition to vulnerable IoT devices, configuration errors on firewalls or cloud environments, missing patches or outdated certificates also pose a risk.
  • CEO fraud: By impersonating senior executives in the organization, financial resources or sensitive information can be stolen.

Assess to what extent these cyber attacks pose a threat to your organization and keep the list at hand as you go through the next steps.

Step 2: Determine critical processes

Once you have determined the risks, it is time to map the main processes of the organization. When defining these processes, look not only at the systems used for them, but also at the workplaces, equipment or essential employees needed to carry them out.

Step 3: Determine the maximum downtime

After how much time does it really become critical when you can no longer perform the organization processes of step 2? That is the 'maximum downtime'. This is not about it becoming 'difficult' to perform certain tasks, because in that case there is often still a workaround to be found to keep providing the organization's services.

So, the maximum downtime is about the processes where a workaround is not possible or sustainable and it really becomes critical. Think of time intervals of 4 hours, 1 day, 2-3 days, 1 week or 2 weeks (if the time interval is 1 or 2 weeks you can of course ask yourself whether that is really critical…).

Step 4: Determine the impact on your customers

Determine to what extent the failure of business processes affects the customer. So, what is the impact on the customer when the process is down? Not being able to deliver, for example, has a direct impact on the customer, while not being able to purchase will have consequences for the customer much later. In addition to direct impact on the customer, there can, of course, also be reputational damage when you cannot deliver to customers, or when customer data from your organization becomes public.

Step 5: Determine the financial impact on your own organization

When you can no longer carry out processes, this can entail high recovery costs. Recovery costs are not only the costs to resolve the issue, but also the sales that you miss out on or the spoilage of stocks with limited shelf life.

Step 6: Make a priority list

Based on the results of the above steps, you can determine which process disruptions have the greatest impact on your organization. Go through your analysis with the organization's stakeholders and decide together what you need to prioritize to ward off the risks you have identified in this analysis.
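A worked version of the six steps as a small risk register, added here as an illustration and not part of the original article: the scoring scheme (downtime urgency times the average of customer and financial impact) and the sample processes are assumptions, chosen so that the step 6 priority list follows from the threats, downtime, customer impact and financial impact recorded in steps 1 to 5.

```python
from dataclasses import dataclass

# Assumed scoring scheme (not from the article): the shorter the tolerated
# downtime from step 3, the higher the urgency multiplier.
DOWNTIME_URGENCY = {"4h": 5, "1d": 4, "2-3d": 3, "1w": 2, "2w": 1}


@dataclass
class ProcessRisk:
    process: str
    threats: list            # applicable attack types from step 1
    max_downtime: str        # step 3, one of the DOWNTIME_URGENCY keys
    customer_impact: int     # step 4, 1 (low) .. 5 (high)
    financial_impact: float  # step 5, recovery cost + missed sales + spoilage
    stakeholders: list       # who owns the process and benefits from measures

    def __post_init__(self):
        if self.max_downtime not in DOWNTIME_URGENCY:
            raise ValueError(f"unknown downtime interval: {self.max_downtime!r}")
        if not 1 <= self.customer_impact <= 5:
            raise ValueError("customer_impact must be between 1 and 5")


def risk_score(r: ProcessRisk, financial_scale: float) -> float:
    """Urgency x average of customer impact and financial impact, the latter
    normalised to the 1..5 scale against the largest figure in the register."""
    fin = 1 + 4 * (r.financial_impact / financial_scale) if financial_scale else 1
    return DOWNTIME_URGENCY[r.max_downtime] * (r.customer_impact + fin) / 2


def priority_list(register):
    """Step 6: processes ordered from highest to lowest risk score."""
    scale = max(r.financial_impact for r in register)
    ranked = sorted(register, key=lambda r: risk_score(r, scale), reverse=True)
    return [(r.process, round(risk_score(r, scale), 2)) for r in ranked]


# Constructed sample register for a fictitious distribution company.
REGISTER = [
    ProcessRisk("Order fulfilment", ["Ransomware", "DDoS"], "4h", 5, 200_000, ["Logistics"]),
    ProcessRisk("Purchasing", ["CEO fraud", "Supply-chain attack"], "1w", 2, 50_000, ["Finance"]),
    ProcessRisk("Customer portal", ["DDoS", "Data leak"], "1d", 4, 80_000, ["Sales", "IT"]),
    ProcessRisk("Cold-store monitoring", ["Attack on vulnerable systems"], "4h", 3, 120_000, ["Operations"]),
]

if __name__ == "__main__":
    for process, score in priority_list(REGISTER):
        r = next(x for x in REGISTER if x.process == process)
        print(f"{score:5.1f}  {process:<22} threats={r.threats} owners={r.stakeholders}")
```

The printed list carries the threats and stakeholders for each process, so it can be taken straight into the step 6 discussion of what to prioritize and with whom.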

Finally

When the risks of disruption to critical processes have been identified, you have the basis to develop a cybersecurity roadmap. Consider appropriate measures to reduce the risks, or to reduce the impact of a disruption.

In an ideal case, you kill several birds with one stone: measures against cybercrime that have a positive effect on multiple processes. In any case, from this analysis you know who benefits from these measures, which helps to build support for them.
