30 November 2020

Why Perform a Cyber Security Risk Assessment?

Cybersecurity should be your top priority. In November 1988, the Morris Worm ravaged ARPANET, the precursor to the internet. Experts scrambled to halt its progress, partitioning sections of the network and cleaning individual machines. This famous malware event exposed vulnerabilities inherent in the fledgling internet, some of which still exist to this day.

Over 30 years later, November 30 is now hailed as International Computer Security Day (ICSD). ICSD helps remind IT professionals and users alike about the importance of protecting personal and enterprise computing resources.

The stakes have never been higher as cyber-attack rates continue to rise globally. It’s not surprising – technology is continually advancing, and many businesses are going through massive shifts in processes and infrastructure.

The result is that up to 90% of Australian businesses report being targeted by cyberattacks within the past year. Earlier in 2020, Prime Minister Scott Morrison stated during a press conference that even the Australian government was being targeted by what we now call “copy/paste” attacks. And with a new cyberattack reported every ten minutes – and that was back in 2019 – this figure is set to grow. The sheer volume of attacks should be a wake-up call for any organisation that may still have the mentality of “this will never happen to me.”

90% of Australian businesses report being targeted by cyberattacks

So, what can you do? Start by having a quick look at what’s happening in the world of cybersecurity – the changes, the threats, and discover the actions you can take to counter them.

Why every business needs to make cybersecurity a focus

It’s not just the number of threats that has increased. It’s the breadth of entry points. During the COVID-19 pandemic, businesses all over the world struggled to ensure their employees could work from home. In many cases, the methods used followed a “build first, secure later” mentality that left them vulnerable.

To help drive the point home, imagine that you are travelling on a road that you take regularly. The road has speed cameras. You know where the cameras are, and you know the penalties that apply if you start taking risks. Make sense so far? Good.

Now imagine you’re taking an unfamiliar road. You can spot some of the speed cameras – but they don’t have signs, you can’t see the speed limits – and if you set them off, they take money from you, your company, and everyone in your address book.

This is what it’s like in the new world of cybersecurity. Networks change. New threats pop up all the time. And with each new productivity development – such as network access to enable work-from-home arrangements – you create another potential point of failure.

It’s this combination of evolving cyber threats, a rising attack rate, and new work-from-home setups that has turned cybersecurity from a box that management needs to tick into an ongoing, essential process. And failing to follow up can have dire consequences.

A fake Zoom meeting invite let cybercriminals walk away with over $8 million cash.

For example, a hedge fund in Sydney had to close operations after falling victim to a cyberattack. The entry point was a fake Zoom meeting invitation that let attackers access the company’s email system. The attackers used this access to send a range of fraudulent documents and invoices – some from the director’s email account – and walk away with $8.7 million.

Stop plugging gaps, start proactive maintenance

This story highlights precisely why cybersecurity is non-negotiable for any business. It’s as necessary as a lock and key for your house – you might not be hoarding gold bullion, but that doesn’t mean you want people snooping through your stuff. However, some enterprises in specialised fields house vast quantities of valuable data and information.

Industries such as finance, government agencies, and healthcare maintain large customer databases and have a greater responsibility to ensure data stays safe. And that starts with running the latest cybersecurity checks.

Many of these businesses are bound by law to have specific cybersecurity measures in place. While legal compliance gives the impression of being well protected, the only way to know – without experiencing a cyberattack – is through real-life testing.

This is where an IT Security Assessment becomes essential.

What is an IT Security Risk Assessment?

An IT Security Assessment is a risk analysis of your IT network and cybersecurity infrastructure. It helps you determine how protected you are from a range of cyberattacks and lets you plan out how you can improve.

A security risk assessment effectively reverse engineers the hacking strategies used to target your business and its most valuable data. Professionals perform a full-scale evaluation of your network, identifying critical areas of weakness and making recommendations that help close any vulnerabilities in your systems.

One of the most useful and widespread frameworks used to help close these gaps is the NIST Cybersecurity Framework. Developed by the National Institute of Standards and Technology (NIST), the Framework is now a standard in countries across Europe, Asia, and the Americas.

What does the NIST framework cover?

The NIST Cybersecurity Framework’s popularity comes from three key factors – it’s scalable, easy to understand, and maps to international standards. Essentially, the NIST Framework offers a balanced approach that addresses cybersecurity end to end.

There are five core functions addressed by a NIST-based IT Security Assessment:

  1. Identify – an overview of your business’s infrastructure and assets, highlighting at-risk data.
  2. Protect – install safeguards to minimise threats to critical services.
  3. Detect – develop methods to identify cybersecurity events.
  4. Respond – implement activities that help contain the impact of cybersecurity events.
  5. Recover – install resilience protocols that determine how a business can recover from a cybersecurity event.

Even with NIST, an IT Security Assessment is not a one-time check-up. The world of cybercrime is always changing as cybercriminals adopt more sophisticated methods. To protect your business assets and sensitive data from these threats, you must carry out IT risk assessments regularly.

When should you get a Security Risk Assessment?

It’s best practice to carry out an IT Security Assessment regularly – at least once a year is recommended. But the frequency will largely depend on the size of your business, the types of data you process, and the general threat levels in your industry.

However, it’s also essential to reassess your security after significant changes within your company or industry, because even the best-laid plans can leave holes in previously secure systems, making them vulnerable to attack.

For example:

  • installing new software.
  • expanding business processes.
  • shifting employees to remote work arrangements.

All these activities can potentially open your business up to threats. Each time your business changes, your cybersecurity needs to as well. Ideally, you should work with IT professionals to create an action plan before any significant transition. This will keep your systems secure throughout the process and beyond.

Some useful security measures include:

  • requiring multi-factor authentication for sensitive interactions.
  • installing virtual private networks to access internal documentation.
  • conducting regular employee education sessions on cybersecurity.
  • developing and documenting cybersecurity reporting processes.

Get an IT Security Risk Assessment Now

International Computer Security Day has grown over the years. These days it not only covers computer networks but focuses on connected devices and personal security habits as well.

If your company has not had a security risk assessment recently, has shifted to remote work, or is planning another significant change, consider this a sign to act. We recommend getting a professional security assessment as soon as possible.

At First Focus, we can give you an in-depth analysis that will help you eliminate the gaps in your security. Our NIST-based approach can help you to work proactively to identify gaps, cover vulnerabilities, and build a plan that enables you to respond to future attacks.