Here is Tip #5 for National Cybersecurity Awareness Month: Perform a risk assessment.

Generally, a risk assessment provides the information necessary to make informed decisions as to the risk-vs.-benefit of each key business decision β€” and that includes cybersecurity decisions.

For example, a decision to use a free, ineffective antivirus solution comes with a higher risk that hackers can breach your system. A decision based upon a risk assessment can help you decide the cost of a more secure program is worth the lower risk.

Similarly, choosing whether to encrypt a database should be based on understanding the value of the data contained within it and the impact of having that breached.

Steps you can take

Risk assessment reporting should be integrated into key reports to senior management and the board of directors.

Risk management decisions are best facilitated with an understanding of the likelihood of a bad event happening as well as the business impact if it does happen.

With that information, senior management can make decisions on risks to avoid, mitigate, accept or transfer.

Effective risk management is only possible with risk assessment results tailored to meet the needs of the organization, so it is important to identify any regulatory of statutory expectations.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) includes in the Identity Function and Risk Assessment (RA) Category the description: β€œThe organization understands the cybersecurity risk to organizational operations (including mission, functions, image or reputation), organizational assets and individuals.”

The Category of Supply Chain Management (SC) includes a focus on risk assessment for suppliers and third-party partners of information systems, components and services to identify, prioritize and assess using a cyber supply chain risk assessment process.

For financial institutions, the Federal Financial Institution Examination Council (FFIEC) IT Examination Handbooks outlines its compliance expectations for risk assessments.