
E-BOOK, 2019

BUILDING A CYBERSECURITY RISK ASSESSMENT PLAN

INTRODUCTION
Businesses and organizations have learned to always be prepared for a cyberattack – and rightly so. According to Juniper’s CyberCrime and the Internet of Threats 2018 report, by 2023 U.S. companies and organizations will be targets of more than 50% of all cyberattacks.

Why do cybercriminals attack? They’re in it for the money, and there’s lots of money to be had. Keeper Security says that a cyberthief can net anywhere from $1.00 for a stolen Social Security account to more than $1,000 for bank login credentials by selling that stolen data on the dark web.

It’s simple and yet frightening. The more personal data a business stores, the more attractive the company is as a target.

Of course, it’s not just big companies that are targets. Small and medium-sized businesses also store valuable data, and often are more attractive to hackers; Symantec reports that 43 percent of all cyberattacks target small businesses. Because smaller businesses often employ less exhaustive security measures than do their larger brethren, they are easier targets to infiltrate.

In short, any organization of any size can be the target
of a cyberattack, which is why companies need to
seriously address security concerns – before the next
attack occurs. Many organizations do this by building
dedicated cybersecurity teams, separate from traditional
IT staff. The cybersecurity team, typically led by a Chief
Information Security Officer (CISO), is responsible not
only for post-attack incident response but also for
creating and implementing all pre-attack security plans.
An essential part of any enterprise security plan is an
analysis of the organization’s current security status
and possible weaknesses. This analysis – called a
Cybersecurity Risk Assessment Plan – is crucial in
understanding how a company can improve its data
security and protect against future attacks.

WHAT IS A CYBERSECURITY RISK ASSESSMENT PLAN?
What can organizations do today to be better prepared
for an attack tomorrow? When it comes to IT security, it
all starts with a Cybersecurity Risk Assessment Plan.

This plan is actually a two-part process. The first part, the cybersecurity audit, is an evaluation of a company’s current data security activities in relation to potential threats. It identifies information assets across the enterprise that could be targeted by cyberattacks and then categorizes risks that could affect those assets. Based on this evaluation, a risk assessment plan is developed that suggests preventative measures and policies to address the identified vulnerabilities. It’s like a business plan for the protection of the enterprise’s data, a roadmap for improving IT security.

The National Institute of Standards and Technology describes risk assessment as the “process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system.”

The entire audit and risk assessment process enables companies of any size to get a handle on the data risks they face. Companies use the results of this process to inform the organization’s decision-makers and to prepare appropriate preventive measures. First, a company identifies the threats, and then it protects against them.

WHY COMPANIES NEED A CYBERSECURITY RISK ASSESSMENT PLAN

Juniper Research estimates that cybercrime will cost businesses worldwide 2.1 trillion dollars in 2019, and the average cost of a single data breach will exceed $150 million. Not surprisingly, cyberattacks are particularly harmful to smaller businesses. The U.S. National Cyber Security Alliance reports that 60 percent of small businesses that have experienced a cyberattack go out of business within six months of the attack.

This is why a Cybersecurity Risk Assessment Plan should be an essential component of any organization’s data security strategy. Data has value, whether it consists of internal documents or customer information. Protecting that data is of utmost importance, and the first step in doing so is performing a cybersecurity audit and resultant risk assessment. In terms of data security, an organization needs to know how much is at risk and what that risk entails, to construct the appropriate risk management strategy.

By conducting an exhaustive audit and identifying potential threats, a company can significantly minimize the risk of future security incidents and thus reduce long-term costs. Staff and management will be more aware of IT security weaknesses and thus more amenable to budgeting and enacting necessary security measures. More critically, developing this plan creates a corporate mindset that recognizes cybersecurity risks and encourages stronger data security.

BUILDING A CYBERSECURITY ANALYSIS AND RISK ASSESSMENT PLAN
In most organizations, the cybersecurity analysis
and risk assessment plan is the responsibility of the
cybersecurity team and CISO. If an organization does
not have a dedicated cybersecurity team, the plan may
be the responsibility of the IT department and CIO.
Some companies hire consultants to help them prepare
the plan.

Whoever conducts the audit and creates the plan must have a deep-seated understanding of how the organization’s data and network infrastructures work. Also, the company’s highest-level executives must buy into the need for the plan and instruct their staff to cooperate in its creation.

The analysis and plan should proceed in a step-by-step fashion. The company’s data security situation should first be evaluated, then potential risks to that data should be assessed.

DATA AUDIT

The first step in conducting a cybersecurity analysis is to perform a data audit – an extensive and formal overview of an organization’s security systems and processes. In essence, the audit needs to detail what data is stored by the company, the value of that data, and the costs involved if that data gets stolen, damaged, or destroyed. These costs can consist of revenue lost when data is inaccessible (or when customers defect after hearing of a breach), legal costs against potential lawsuits, and the loss of reputation and the public relations efforts necessary to restore that reputation.

While preparing the data audit, the following questions should be asked:

What data is being collected?
Where and how is this data stored?
How long does the data need to be stored?
How is the data currently documented and protected?
Who has access to this data – and why?
Which of this data, if stolen, would cause the most harm to the organization – financially, legally, or in terms of reputation?

SECURITY ASSESSMENT

Next, the organization should assess the current state of its data security. A security assessment examines an organization’s security preparedness and includes checking for vulnerabilities in IT systems and processes.

Several tasks should be completed during a security assessment, including the following:

Hardware Assessment
This should be a detailed examination of the
company’s hardware infrastructure, including
network and data storage capabilities. Particular
attention should be paid to the age and condition
of key hardware, as well as the suitability of
current hardware for future needs.

Access Control Assessment
This is an evaluation of how the organization’s data is accessed. It should include a detailing of who has access to what data, what authentication methods are used, current access policies, and related issues. Particular attention should be paid to any holes in current access policies.

Vulnerability Assessment
This is an evaluation of what parts of the company’s
IT infrastructure are most vulnerable to attack. It
involves identifying potential weaknesses in the
organization’s computer systems, network
infrastructure, software, and other key elements.

RISK EVALUATION

Next up is an evaluation of the risk to the organization’s data and systems. The following questions should be asked:

Who might attack?
The goal is to identify potential threat sources. Is the company’s data of interest to competitors, criminals, or disgruntled former or current employees? What about foreign governments or cyberterrorists? Most organizations have multiple potential threat sources that should be identified and ranked.

Why might they attack?
Do potential attackers want customer data, intellectual property, or business secrets? Do they want to ruin the company’s reputation or disrupt its business activities? Alternatively, do they just want ransom money? The risk assessment needs to identify and categorize all potential threat events, no matter how unlikely they might seem.

How might they attack?
Are attackers likely to conduct a brute-force distributed denial-of-service attack? Will they use phishing tactics or stolen credentials? Alternatively, will they try to gain access via a compromised third party? All systemic weaknesses that attackers could exploit must be identified.

Once all potential risks have been identified, those risks
need to be prioritized. It’s important to know what risks
are most likely, as well as those that would have the
highest impact (financially or otherwise) on the company.
To this end, a type of cybersecurity risk matrix should be
created. This matrix should rank risks from most likely
and highest impact to least likely and lowest impact.

Developing this matrix requires some degree of subjective interpretation. For example, management may need to decide whether a high-impact risk with a low probability takes priority over a low-impact risk with a higher probability. The ranking is not entirely objective. Once the team has prioritized the risks, a strategy can then be developed to protect against them. As cybersecurity budgets and staff are not infinite, the plan will need to address the highest priority risks first.
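The risk matrix and the tie-break decision described above, as an added example that is not part of the e-book: each risk from the register is placed on a likelihood/impact grid, scored, and ranked, with the "high impact, low probability versus low impact, high probability" choice exposed as an explicit management policy. The five-level scales, the priority-band thresholds and the sample risks are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List

# Ordinal scales for the two axes of the risk matrix. The five labels per
# axis are an assumption; the e-book only asks for a ranking from most
# likely/highest impact down to least likely/lowest impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass(frozen=True)
class Risk:
    threat: str       # threat event from the "how might they attack?" step
    asset: str        # information asset identified in the data audit
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

    def score(self) -> int:
        """Matrix cell value: likelihood level times impact level (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def priority_band(score: int) -> str:
    """Map a cell score to a label; the thresholds are assumed, not from the text."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

def rank_risks(risks: List[Risk], impact_first: bool = True) -> List[Risk]:
    """Order risks highest to lowest priority; equal scores (the 1x5 versus 5x1
    case the text describes) follow the management policy: impact_first=True
    puts the high-impact, low-probability risk ahead, False the more probable one."""
    def key(r: Risk):
        tie = IMPACT[r.impact] if impact_first else LIKELIHOOD[r.likelihood]
        return (r.score(), tie)
    return sorted(risks, key=key, reverse=True)

# Constructed sample risk register; the events and ratings are illustrative only.
SAMPLE_RISKS = [
    Risk("ransomware delivered by phishing e-mail", "file servers", "likely", "major"),
    Risk("DDoS against the public website", "web storefront", "possible", "moderate"),
    Risk("insider exfiltrates customer database", "customer PII", "rare", "severe"),
    Risk("spam flood on the mail gateway", "mail service", "almost certain", "negligible"),
]

def first_to_address(risks: List[Risk], budget_slots: int) -> List[str]:
    """Threat names the plan must fund first when only budget_slots items fit."""
    return [r.threat for r in rank_risks(risks)[:budget_slots]]
```

Flipping `impact_first` swaps the order of the two tied sample risks, which is exactly the judgement call the text says management must make explicitly.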

DISASTER RECOVERY PLAN

Many organizations, as part of their cybersecurity risk assessment plans, also develop a disaster recovery plan for their data and IT assets.

This plan should include explicit instructions for:

Identifying and stopping ongoing cyberattacks
Bringing compromised systems back online
Recovering lost or damaged data
Restoring any damaged apps or systems

The goal of any disaster recovery plan is to return the organization to normal operating status as quickly as possible. By identifying various types of cyber risk, an organization can better construct a disaster recovery plan to address the effects of those potential attacks.

COMPLIANCE AUDIT

While developing the cybersecurity risk assessment plan, any compliance audits required by government or industry entities should also be addressed. The audit and risk assessment should incorporate necessary regulatory requirements, such as HIPAA, PCI-DSS, and the Sarbanes-Oxley Act (SOX).

HOW CAN UNTANGLE HELP?
After an organization has conducted its internal audit
and risk assessment, what comes next? It’s all about
implementation.

A risk assessment and security audit should not only identify IT risks and vulnerabilities, but it should also serve as a roadmap for future cybersecurity activities. The next steps involve identifying and implementing technology solutions, policies, and plans that address each company’s data and network vulnerabilities.

At this stage, Untangle’s NG Firewall can play a significant role, providing a unified threat management solution in an all-in-one platform.

PROTECT

Proactively block malware, phishing, spam, hacking and other exploits from reaching users and devices on the network.

FILTER

Get a handle on every rogue application, encrypted web request, malware distribution point and rash of spam.

CONNECT

Maintain visibility and control over remote workers, branch offices, and guest Wi-Fi, keeping users safe no matter their location.

MANAGE

Create policies by user, group, device, and more to control who can access websites, data, or apps.

CONFIGURATION BACKUP

NG Firewall’s Configuration Backup app enables companies to recover from unavoidable hardware failures and unforeseen disasters by safeguarding policies and other settings in the cloud.

LET US HELP YOU

Improving your company’s cybersecurity doesn’t need to be difficult. After you’ve assessed your security risks, consider mitigating those risks with Untangle’s NG Firewall and related dashboard, apps, and reports.

Let us help you improve your organization’s cybersecurity – contact us today for a free consultation.

ABOUT US
Untangle is the most trusted name in solutions
specifically designed to help small-to-medium
businesses and distributed enterprises optimize
their networks while safeguarding their data
and devices. Untangle’s Network Security
Framework provides cloud-managed security
and connectivity options that work together
seamlessly to ensure protection, monitoring,
and control across the entire digital attack
surface from headquarters to the network edge.
Untangle’s award-winning products are trusted
by over 40,000 customers and protect millions of
people and their devices. Untangle is committed
to bringing open, innovative and interoperable
solutions to its customers through its rapidly
growing ecosystem of technology, managed
services, and distribution partners worldwide.
Untangle is headquartered in San Jose, California.

For sales information, please contact us by phone in the US at +1 (866) 233-2296 or via e-mail at sales@untangle.com.

©2019 Untangle, Inc. All rights reserved. Untangle and the Untangle logo are registered marks or trademarks
of Untangle, Inc. All other company or product names are the property of their respective owners.
