Conducting internal cybersecurity risk assessments is crucial for any business that wants to safeguard its digital infrastructure against potential threats. A comprehensive assessment starts with the right questions: by addressing critical questions up front, a business can evaluate the vulnerabilities and threats within its internal systems and build a more resilient, secure digital environment.
Below, Forbes Technology Council members discuss some key questions for business leaders to consider and factors to explore when conducting internal cybersecurity risk assessments. Understanding these elements—from the vulnerabilities within systems to the effectiveness of current threat detection and mitigation protocols—can help an organization significantly bolster its cybersecurity defenses and maintain the integrity of its digital infrastructure and systems.
1. Where can the organization assume risk?
It is very difficult to protect all assets in an enterprise. Therefore, companies must assess and articulate their “crown jewels” and the critical functions needed to sustain business operations, and then dedicate resources to securing and protecting the most important systems. – Robert Bair, Team Cymru
2. Where are the biggest risks across the enterprise?
The most critical question to answer for any cyber risk assessment—internal or external—is, “Where are the biggest risks across the enterprise, and how can I manage and mitigate them?” This means having a clear, single view of risks across business divisions and geographies, along with a quantified understanding of how much exposure risks represent in dollar terms. Governance, risk and compliance platforms and artificial intelligence can help. – Gaurav Kapoor, MetricStream
3. What is the ‘MVB’ operation after a failure or breach?
What constitutes a “minimum viable business” operation for my organization in the face of a failure or breach recovery can be summed up in this question: “Can I identify those assets (data and people) and assure (through testing and validation) their return to business operations in the fastest possible time frame?” The risk of not being resilient in the face of a cybersecurity incident is one of the most critical planning factors. – Richard Cassidy, Rubrik
4. Who needs to be involved in the risk assessment?
Many organizations make the mistake of labeling cybersecurity an IT issue, but properly assessing the risk also involves risk management, business continuity, the C-suite and more. Consider the controls in place, assign accountability and train everyone to identify issues. And make sure you are realistic about recovery time. – Jim Wetekamp, Riskonnect
5. What are the most critical assets of the business?
The question of which assets matter most is critical, as it will enable the business to prioritize security initiatives and allocate resources to protect its most critical assets. The output of a comprehensive impact analysis will paint a clear picture of where the business should focus its efforts. – Shane Henszey, Cortrucent LLC
6. Is every industry best practice being leveraged?
Do you consistently audit your organization to ensure you’re leveraging every industry best practice? Although no one can guarantee 100% security, whether routine audits were carried out to ensure every current industry-specific best practice was in place may have been the billion-dollar question that wasn’t asked before the latest healthcare system attack. – Virgil Bretz, MacroHealth
7. What risk methodology is being used?
The type of risk methodology is crucial because the risk assessment process must be consistent, repeatable and reproducible. This is most important in creating measurable risk scores that allow an organization to design an appropriate risk-response system, complete with processes and procedures to address any incident. – Dr. Obadare Peter Adewale, Digital Encode Limited
8. Who has access to data during AI implementation?
Right now, many companies are conducting risk assessments related to AI adoption, and for good reason: A new study found that 45% of organizations experienced data exposures during AI implementation. When you’re preparing to adopt AI, you need to closely monitor and control who has access to your data. Without extra protection, your enterprise data is extremely vulnerable during these transitions. – Dr. TJ Jiang, AvePoint
9. How should this information be leveraged?
A risk assessment is supposed to drive action, so you need to be able to explain to stakeholders how to use the information it provides. Leaders are busy, and teams have plenty on their plates already. If you aren’t prescriptive about how information from an internal cybersecurity risk assessment is to be leveraged, you risk it becoming “shelfware.” – Oritse Uku, Northwestern Mutual
10. What are all the possible threats to the system?
A vulnerability without a threat may not warrant action. Risk assessments begin with a threat analysis, and vulnerabilities that don’t have an associated threat may represent a lower priority for taking action, which requires budget and resourcing. – Will Sweeney, Zaviant
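Items 2, 7 and 10 above describe what a consistent, repeatable risk methodology has to produce: a dollar-quantified view of exposure, a ranked list of risks with owners, and a rule for deferring vulnerabilities that have no associated threat. The following is an added worked example, not code from the article or from any of the contributors. It uses the standard annualized loss expectancy (ALE) model, in which single loss expectancy (SLE) is asset value times exposure factor and ALE is SLE times annualized rate of occurrence (ARO). The register entries, asset values and rates are constructed sample data, and the cost-of-control check is an assumed decision rule, included to show how the same numbers drive a budgeting decision.

```python
"""Quantified risk register: an added worked example, not from the article.

Model (standard ALE arithmetic):
    SLE = asset_value * exposure_factor   # dollars lost in one incident
    ALE = SLE * ARO                       # expected dollars lost per year
Entries with no identified threat are deferred rather than scored, following
the point that a vulnerability without a threat may not warrant action.
All register entries below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    owner: str                    # accountable team, not an individual
    vulnerability: str
    threat: Optional[str]         # None when no threat scenario was identified
    asset_value: float            # dollars at stake if the asset is fully lost
    exposure_factor: float        # fraction of asset_value lost per incident, 0..1
    aro: float                    # expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy in dollars."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy in dollars."""
        if self.aro < 0:
            raise ValueError("aro cannot be negative")
        return self.sle() * self.aro


def prioritize(register: List[RiskEntry]) -> Tuple[List[RiskEntry], List[RiskEntry]]:
    """Split the register into (actionable, deferred).

    actionable: entries with an identified threat, highest ALE first
    deferred:   entries with no identified threat, kept for re-review
    """
    actionable = sorted((r for r in register if r.threat is not None),
                        key=lambda r: r.ale(), reverse=True)
    deferred = [r for r in register if r.threat is None]
    return actionable, deferred


def total_exposure(register: List[RiskEntry]) -> float:
    """Sum of ALE over actionable entries: the single dollar figure for leadership."""
    actionable, _ = prioritize(register)
    return sum(r.ale() for r in actionable)


def control_worth_it(entry: RiskEntry, annual_control_cost: float,
                     residual_aro: float) -> bool:
    """Assumed decision rule: a control pays for itself when its annual cost
    is below the ALE it removes (ALE before minus ALE at the residual ARO)."""
    residual = replace(entry, aro=residual_aro)
    return entry.ale() - residual.ale() > annual_control_cost


# Constructed sample register; values chosen for illustration only.
SAMPLE_REGISTER = [
    RiskEntry("customer PII database", "data platform team",
              "unpatched database server", "external attacker using stolen credentials",
              asset_value=4_000_000, exposure_factor=0.5, aro=0.25),
    RiskEntry("payroll system", "finance IT",
              "single admin account shared by staff", "insider misuse",
              asset_value=800_000, exposure_factor=0.5, aro=0.5),
    RiskEntry("lab file share", "research ops",
              "outdated SMB version on an isolated segment", None,
              asset_value=50_000, exposure_factor=1.0, aro=0.1),
    RiskEntry("public marketing site", "web team",
              "CMS plugin out of date", "opportunistic defacement",
              asset_value=100_000, exposure_factor=0.25, aro=2.0),
]


if __name__ == "__main__":
    actionable, deferred = prioritize(SAMPLE_REGISTER)
    for r in actionable:
        print(f"{r.ale():>12,.0f}  {r.asset:<24} owner={r.owner}")
    for r in deferred:
        print(f"{'deferred':>12}  {r.asset:<24} no threat identified")
    print(f"total annual exposure: {total_exposure(SAMPLE_REGISTER):,.0f}")
```

Because the scoring is a pure function of the register, two assessors working from the same entries get the same ranking and the same total, which is the repeatability item 7 asks for; the deferred list keeps the threat-less lab share visible so it is re-examined at the next assessment interval rather than silently dropped.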
11. How will we recover when the network is compromised?
How will you recover when—not if—your network, systems and data are compromised? Even though it’s important to implement preventative controls to reduce the risk of threats being realized, the fact is that even the most thorough cybersecurity is eventually going to fail. How an organization responds to and recovers from that will determine how the business and its customers are affected. – John Linkous, Phalanx Security
12. What is the impact of the risk on end users?
The most critical step is to understand the impact of the risk on the business and its end users. This enables the business to take a more targeted approach and focus on mitigating the most significant risks. It also facilitates effective planning, prioritization and resource management. – Swetha Singiri, Meta
13. Could a hacker exploit a human vector?
We readily invest in securing our systems and adding multiple safety layers, and yet hackers exploit our weaknesses. Often, the weakness is the knowledge employees possess and the way they protect that knowledge. – Bobbi Alexandrova, Loopio
14. What are the potential consequences of a breach?
“What are the potential consequences of a cybersecurity breach for our organization?” This question is crucial because it prompts businesses to evaluate the potential impact of a breach on their operations, finances, reputation and compliance obligations. Understanding consequences allows organizations to prioritize cybersecurity efforts effectively. – Michelle Drolet, Towerwall, Inc.
15. Is there complete visibility into all network traffic?
Businesses should ask themselves, “Do we have complete visibility into all network traffic and potential blind spots?” Without that answer, businesses are leaving themselves open to substantial risk. In fact, 93% of malware hides behind encrypted traffic, enabling cybercriminals to traverse laterally within an organization’s network, often going undetected for weeks to months before attacking. – Chaim Mazal, Gigamon
16. How are the most valuable assets protected?
A critical question for cybersecurity risk assessments is, “What are our most valuable assets, and how are they protected?” This is a vital question for prioritizing resources and managing limited budgets. For instance, a bank would assess protections around crucial customer data to identify weaknesses, ensuring that the most sensitive assets receive the strongest, most cost-effective defenses. – Tushar Vartak, RAKBank
17. How frequently will assessments be conducted?
Assessment is not a one-time activity, and businesses should decide on the frequency of intervals, according to their needs. The process of evaluation is not about filling out a questionnaire; it is about understanding what the risks are, who (teams versus individuals) owns them, and how the organization is prepared to overcome likely occurrences. Avoid dependence on any individual’s brilliance and take zero trust seriously. – Karthick V G, DigitusVerto
18. How are employees being educated about threats?
“What are we doing to educate employees about cybersecurity threats?” Human mistakes account for about 90% of breaches. Companies must ensure they deliver engaging, impactful awareness training and evaluate its effectiveness. Cybersecurity preparedness is not one-size-fits-all. Effective education requires targeted content and outreach done at regular intervals. – Suresh Kannan, Model N
19. How effectively does the current infrastructure shield against evolving threats?
Manual audits and in-house training have their place, but often fall short in dynamic cyber landscapes. Partnering with a trusted provider offering a robust platform and meticulously vetted packages is crucial for proactively fortifying defenses to safeguard against emerging vulnerabilities. – Rob Futrick, Anaconda
20. Are the security tools provided to employees convenient and easy to use?
Cybersecurity is often treated as a technical issue to be solved through technical means, but we shouldn’t forget that humans are the central element of the business. User experience should be a key consideration. Are the security tools provided to employees convenient and easy to use? If not, it is essentially inviting trouble by encouraging employees to work around security tools. – Song Bac Toh, Dell Technologies
This article was originally published on Forbes.