Carrying out a cyber security risk assessment

Ben Rose
Chief Underwriting Officer
23 January 2019
4 minute read

To effectively protect your business from cyber-attacks and data breaches, you must first identify the biggest threats and vulnerabilities you face. That means carrying out a risk assessment.

It sounds complicated, but it doesn’t need to be. Too many businesses wait until they’re hit by a cyber-attack or data breach to start thinking about security, by which point the damage is already done. And with legal and compensation claims, system downtime and reputational damage to think about, the fall-out could be significant. That’s why it pays to put the groundwork in early – and get protected. And it will actually make securing your systems a whole lot easier going forward.

What is a cyber security risk assessment?

As the name suggests, a cyber security risk assessment enables you to identify the cyber risks facing your business and then analyse their importance. Going through this process enables you to develop the most appropriate solutions to protect your systems against the biggest risks. It also helps you to focus your budget and resources on the areas that need the most attention.

What is a cyber security risk assessment framework?

It sounds fancy, but it's actually just a methodology - or a list of actions - to help you structure your thinking and develop an approach to cyber security risk management. In this article, we try to keep things as simple as possible, providing a basic route to follow when carrying out a risk assessment for your business.

Cyber security

How to carry out a basic cyber security risk assessment

Identify your cyber security risks

Cyber security is all about protecting your data, so the first step is to identify all the most vulnerable, sensitive and at risk in your business if it was lost or stolen. This is likely to include personal details and contact information for your customers and clients, any financial data, along with private and confidential information relating to your own company. Make a list of all this data, along with where and how it is stored on your systems, and who has access to it.

Consider the types of risks you face

Next, consider all the possible threats that could cause that data to be lost or stolen, including external attacks, data breaches and social engineering, as well as failures and oversights in your internal systems and human error by your employees. A good way to approach this is to think a potential incident, for example, customer data is leaked, and then list all the events which could possibly lead up to that eventuality. It can also help to research the cyber incidents that have affected other companies, to give you an idea of what can go wrong. There are plenty of news reports out there to refer to!

Prioritise by likelihood of these risks

Now you’ve terrified yourself by just how risky the world can be, it’s time to be realistic and rank those based on three factors: how likely they are to happen, how much damage they could do, and how much control you have over preventing them. Some risks might have the potential to create worlds of damage but, as they’re very unlikely and completely out of your control, they’re not worth spending time and money on. The important risks are those that have a high chance of happening and that you have a good chance of preventing, so as to avoid a big problem for your business.

Think about knock-on effects

It’s also important to look at how controlling a certain risk could have unexpected consequences in other parts of the business, and thereby create other risks. For example, if implementing an additional layer of security on your website is going to drive customers to buy elsewhere, then you may decide that the risk is worth taking to avoid the potentially catastrophic loss of revenue for your business.

Consider solutions

Now you should have a good idea of the risks you’re your business needs to focus on, it’s time to research the technology and processes that will help protect your most important and vulnerable data. Our guide to cyber security is a great place to start, but it also helps to research what your peers have in place, as chances are you should too. And if you really don’t know where to start, or have particularly complex needs, it’s probably best to consult a specialist security consultant.

Monitor and update

Cyber security isn’t something you can just tick off your list and forget about. If you’re a growing business, then the data you hold is likely to be constantly evolving. Plus, cyber criminals are constantly developing new tricks to bypass your defences. So, ensure you track the effectiveness of your security practices and review your risk assessment regularly - at least annually - or more frequently if you’re hit by a specific incident.

How can Superscript help you?

If the worst does happen, cyber insurance can protect you for a breach of data protection laws (where insurable by law) and your liability for handling data. It can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime. To find out more, drop us a line at, or give us a call on 0333 772 0759 +31 10 8080 889.

More about cyber insurance and security

Share this article

We've made buying insurance simple. Get started.

Related posts