The FTC Safeguards Rule requires dealerships to perform a written cyber-risk assessment and to repeat it periodically. This requirement shouldn’t be dismissed as just another government regulation that is a big hassle with little benefit.
To defend against today’s growing cybersecurity threats, dealerships must understand, manage, control, and then mitigate the cyber-risk their businesses face, and none of that can be done in the dark. To reduce the risk of falling victim to an attack you need insight into your dealership’s cybersecurity vulnerabilities and how to address them. Armed with that information you can make informed, strategic decisions that best protect your business assets. This is what a cyber-risk assessment provides.
The National Institute of Standards and Technology (NIST) defines a cyber-risk assessment as a “risk assessment used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.” Put simply, a cyber-risk assessment is the process of identifying internal and external threats, evaluating the potential impact of those threats, estimating the cost of suffering a cybersecurity incident, and determining a set of appropriate defenses that reduce the risk of a successful attack. With this information, dealership executives can tailor the cybersecurity controls they implement to match the dealership’s risk tolerance.
Steps To Performing a Cyber Risk Assessment
Step 1: Identify & Prioritize Assets – Assets include consumer information, servers, workstations, sensitive documents and the like. For each asset, you then need to document the following:
- Software
- Hardware
- Data
- Users
- Purpose
- Criticality
- Functional Requirements
- IT Security Policies
- IT Security Architecture
- Network Topology
- Information Storage Protection
- Information Flow
- Technical Security Controls
- Physical Security Environment
Step 2: Identify Threats – The National Institute of Standards and Technology (NIST) defines a cyber threat as “any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.” Common examples of cyber threats include:
- Unauthorized access by external threat actors, typically via phishing, malware, ransomware, or employee negligence
- Data leaks that expose personally identifiable information (PII) or other sensitive data, whether through deliberate disclosure or misconfiguration
- Data loss due to poor replication or backup practices
- Loss of revenue and/or reputational damage following an incident
- Insider threats from negligent employees, third-party vendors with access, and malicious privileged insiders
Step 3: Identify Vulnerabilities – In this step, the goal is to uncover and prioritize vulnerabilities and to identify the threats that could exploit each one. Then determine whether controls are already in place to mitigate each vulnerability and whether those controls are sufficient.
Step 4: Determine Likelihood and Impact – Assess the probability that a vulnerability might be exploited and the impact it could have on the organization. This is done by looking at the types of vulnerabilities that exist, the capability of the threat, and the existence and effectiveness of related controls.
Step 5: Prioritize Risks and Recommend Controls – The objective of this step is to assign a risk level to each identified risk by combining the likelihood and impact estimated in Step 4. The following levels are typically used:
- High Risk – the dealership should implement corrective measures as soon as possible.
- Medium Risk – the dealership should develop corrective measures within a reasonable time frame.
- Low Risk – the dealership should decide whether to implement corrective action or to accept and live with the risk.
Step 6: Prepare Cyber Risk Assessment Report – this should be a written report delivered to the dealership’s stakeholders. It is important for the stakeholders to hear the findings directly from those who performed the assessment; otherwise, key elements of the findings can get “lost in translation.”
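The six steps above, carried through as a small risk register in Python. This is an added example and not code from the original article: the 1-3 scales for criticality, likelihood and impact, the control-effectiveness adjustment, and the High/Medium/Low score thresholds are assumptions in the spirit of a qualitative likelihood-by-impact matrix that a dealership would tune to its own risk tolerance, and the sample assets, threats, vulnerabilities and controls are constructed for illustration only.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Asset:                      # Step 1: what it is, what data it holds, how critical it is
    name: str
    data: str
    criticality: int              # 1 = Low, 2 = Medium, 3 = High (assumed scale)


@dataclass
class Control:                    # Step 3: an existing safeguard and how well it works
    name: str
    effectiveness: int            # 0 = absent, 1 = partial, 2 = effective (assumed scale)


@dataclass
class Finding:                    # one threat/vulnerability pair against one asset
    asset: Asset
    threat: str                   # Step 2
    vulnerability: str            # Step 3
    likelihood: int               # Step 4: 1..3, chance of exploitation with no controls
    controls: list[Control] = field(default_factory=list)

    def residual_likelihood(self) -> int:
        # The strongest existing control lowers the likelihood; it never drops below 1.
        best = max((c.effectiveness for c in self.controls), default=0)
        return max(1, self.likelihood - best)

    def impact(self) -> int:
        # Impact follows from what the asset holds, i.e. its Step 1 criticality.
        return self.asset.criticality

    def score(self) -> int:
        return self.residual_likelihood() * self.impact()   # 1..9


def risk_level(score: int) -> str:
    # Step 5 buckets; the thresholds are assumptions, not from the article.
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


ACTIONS = {
    "High": "implement corrective measures as soon as possible",
    "Medium": "develop corrective measures within a reasonable time frame",
    "Low": "decide whether to correct the issue or accept the risk",
}


def prioritize(findings: list[Finding]) -> list[dict]:
    # Step 5: one row per finding, highest residual risk first.
    rows = []
    for f in findings:
        level = risk_level(f.score())
        rows.append({"asset": f.asset.name, "threat": f.threat,
                     "vulnerability": f.vulnerability, "score": f.score(),
                     "level": level, "action": ACTIONS[level]})
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))


def report(findings: list[Finding]) -> str:
    # Step 6: a plain-text summary to hand to dealership stakeholders.
    lines = ["Cyber-risk assessment summary", "=" * 29]
    for r in prioritize(findings):
        lines.append(f"[{r['level']:6}] score {r['score']}  {r['asset']}: "
                     f"{r['threat']} via {r['vulnerability']} -> {r['action']}")
    return "\n".join(lines)


# Constructed sample register (illustrative only, not real assessment data).
DMS = Asset("Dealer management system", "customer PII, credit applications", 3)
BACKUPS = Asset("Backup server", "nightly DMS backups", 2)
WORKSTATION = Asset("Service advisor workstation", "customer contact records", 2)
GUEST_WIFI = Asset("Showroom guest Wi-Fi", "no business data", 1)

SAMPLE_FINDINGS = [
    Finding(DMS, "ransomware delivered by phishing", "no MFA on remote access", 3,
            [Control("email filtering", 1)]),
    Finding(BACKUPS, "data loss after a ransomware event",
            "backups never test-restored, no offsite copy", 2),
    Finding(WORKSTATION, "malware from a malicious attachment",
            "users run with local admin rights", 3,
            [Control("endpoint anti-virus", 1)]),
    Finding(GUEST_WIFI, "unauthorized network access", "shared WPA2 passphrase", 3,
            [Control("guest VLAN isolated from the corporate network", 2)]),
]

if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
```

Running the script prints the register sorted by residual risk: the DMS finding lands in High because a partial control (email filtering) does not offset missing MFA on a system holding credit applications, while the guest Wi-Fi finding lands in Low because effective VLAN isolation removes most of the likelihood and the asset holds no business data. The point of separating inherent likelihood from control effectiveness is that Step 3's question, "are the existing controls sufficient?", becomes visible in the numbers rather than buried in a narrative.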
Defending against today’s cyber threats requires much more than installing anti-virus software. An appropriate defense begins with an understanding of your dealership’s cybersecurity vulnerabilities and a strategy for how to protect your business. That is the objective of a cyber-risk assessment.