Cybersecurity Risk Assessment First Steps

Sam Bloedow

Identify, Inventory and Classify Your Information

Even though companies create and store large amounts of data in the course of daily business operations, some executives still wonder whether their information has value to a would-be cyber attacker. You can begin a cybersecurity risk assessment with a detailed analysis of your information inventory to determine the value of your corporate data, predict the potential business impact of a breach, and use information classifications to guide the allocation of resources used to secure that data.

Identify Information Assets

It’s instinctive to start your information inventory with the transactions that take place between your company and its customers and suppliers. This could include financial information, designs, contracts, quotes and data associated with the sources of material that you use in the process of producing your products or implementing your services. Depending on your business, you could also be storing sensitive data that belongs to your customers within these records.

Internally, your company uses and stores different types of data. Employee records include everything from Social Security numbers and payroll data to performance evaluations and personal contact information. Bank account information, financial statements, marketing plans, and operational documents should be included in the inventory, as well as the contact information collected about sales leads and prospects. Any digital communications, like email and voice mail archives, should also be considered company information.

Make an Inventory

The process of identifying information assets goes hand in hand with creating a record of where the data resides. The company data center or servers and backup systems are likely locations for business information. Consider how information travels when thinking about the many places where data lives. The use of mobile devices and third-party file sharing services can place sensitive information outside the visibility of the corporate perimeter, as can software platforms in the cloud and the files of outsourced service providers. The inventory should include the owners of the information (for example employees, departments, or business units), which is helpful when classifying information and providing access to the appropriate employees.

Classification Guides Control Levels

Classification of data is vital to determining the level of control needed to secure it both internally and externally. Some common classifications are:

  • Public information
  • Internal use only
  • Confidential/sensitive
  • Restricted/highly sensitive

The more sensitive or regulated the data, the more resources are needed to secure it. Classifying business information is preparation for backup and security measures, but it should also be used to guide the assignment of access levels and to instruct employees on how to handle the information. Regulated data, such as personally identifiable information, might be the easiest category to label because its security is mandated. When categorizing other types of information, it’s helpful to think about the potential business impact if the data were lost or stolen.

Increase Awareness of Exposure to Risk

Going through a data identification, inventory and classification process might seem time-consuming, but the risk of a cyber incident with its financial, operational, legal and reputational ramifications is all too possible. Learn more about how you can improve the cybersecurity of your business by downloading our E-Book: Cybersecurity Guidelines for Secure Behavior Online and in the Office.
