
Cybersecurity risk assessment

Understanding the vulnerabilities you have as a foundation for your organisation to protect itself.


Overview

A cybersecurity risk assessment identifies security vulnerabilities and gaps. It is an exercise to identify and prioritise the risks associated with the sensitive information and data that an organisation holds: risks that could lead to breaches of data confidentiality (leaking of data), data integrity (manipulation of data) and/or data availability (ability to access the data).

Benefits of Holistic Cyber's unique assessment

  • Developed specifically for small and medium enterprises (SMEs)

Holistic Cyber uses a cybersecurity risk assessment framework specifically tailored to the expertise, time and resources available to smaller organisations.

Fortunately, the "80/20 rule" (a.k.a. the "Pareto Principle") applies to cyber security: 20% of all the possible measures you could put in place will return 80% of the security benefits. The 20% and 80% figures are just a rule of thumb. The key point is that a few well-chosen measures can result in dramatic improvements to your security.

The assessment does not waste time on considerations that are beyond the means of smaller organisations, which by their nature have limited IT expertise, resources and budget. Using the 80/20 principle, it prioritises considerations that will give the biggest return on effort and expenditure.

Although thorough, comprehensive and detailed, the assessment will probably uncover some quick wins that by themselves could pay for the assessment exercise!

​

  • Holistic approach

Recognising that the vast majority of cybersecurity breaches can be traced to human error, Holistic Cyber's risk assessment extends far beyond the technical. It covers a broad range of considerations across technical, policy, process, procedure, staff awareness and training.

Risks are prioritised according to the likelihood of each risk occurring and the potential impact if it does occur. Assessment of potential impact considers factors such as impact to business operations and continuity, customers, suppliers and reputation.

  • Clear and actionable recommendations

In some cases, it can be fairly obvious how to address a security risk, but many can be less clear. Some may be more technical in nature, and/or have more than one possible solution, possibly involving trade-offs.

For a modest fee, the report will contain associated recommendations on measures that can be put in place to address each security risk. These recommendations will be prioritised according to the relative severity of the risk, balanced against the expertise, time and resources that your organisation can devote to protecting itself.

  • Methodology aligned with the ACSC

Holistic Cyber's risk assessment framework aligns with the Information Security Manual (ISM) and Essential Eight (E8) from the Australian Cyber Security Centre (ACSC), but also incorporates best practice from other leading international frameworks, including but not limited to CIS and NIST in the USA and the NCSC in the UK.

  • Confidentiality assured

Unless explicitly agreed otherwise with a client, once the risk assessment has been completed and delivered, all information shared by the client will be permanently and irretrievably deleted from Holistic Cyber's systems. This includes answers to fact-finding questions, records of meetings and conversations, and any documents shared, such as managed service provider contracts.

The report itself may contain sensitive findings and associated recommendations that the client may want to keep from prying eyes. Clients can choose whether they want to receive a digital copy of the report to store in their own file system and/or document repository. If a client chooses to receive a copy of the report, they can choose whether they want Holistic Cyber to also store a copy, and for what period of time (after which it will be permanently and irretrievably deleted from Holistic Cyber's systems).

Alternatively, a client can choose not to receive a copy while still being able to view it online at any time from a highly secure Microsoft Azure cloud server with Microsoft Purview data loss prevention technology. There is no charge for this storage and sharing, regardless of whether the client wants Holistic Cyber to maintain a copy for just a few months or the maximum of seven years.

How the risk assessment works

The heart of the security risk assessment is a fact-finding exercise: a guided conversation to dig into a range of security-related considerations, broadly split into three categories:

  • Policy and process – including:
    • Human factors such as staff awareness and training on cybersecurity threats and hygiene, policies and practices, and authentication policies and practices.
    • Data governance considerations such as data sharing, data retention and data sovereignty, and contracting of suppliers and partners.
    • Business continuity considerations such as disaster preparedness, incident response and service restoration.
  • Information Technology – focusing on the technology that has been chosen and deployed to store, access and share sensitive data, and associated security "controls" such as encryption of data at rest and in transit, WiFi security, and Intrusion Detection and Intrusion Prevention systems.

The amount of time required to work through this fact-finding exercise will depend to some extent on your answers to various questions, and whether they prompt the need to dig deeper. Allow at least half a day to work through all three categories. This is best split into several workshop sessions over a week or two, as there may be some questions that you want time to consider, find the details for, and/or consult your IT services provider about if you have one.

Non-invasive assessment, not an audit

The security risk assessment and associated advice relies on information voluntarily provided by you, under a strict confidentiality agreement. It is not an audit, where facts are independently collected and verified (which would be a much more invasive, time-consuming and costly exercise).

No attempts are made to break in to, access, or test your systems. Engaging the services of an ethical hacker to see if they can find a way to break in is usually quite costly, because it is time intensive. It doesn't make a lot of sense to move straight to vulnerability and penetration testing without first going through a cybersecurity risk assessment that can identify the majority of issues with less effort and cost. Using a bricks-and-mortar analogy, it wouldn't make a lot of sense to commission someone to try to break into your premises before having considered and addressed access policies and procedures, and whether you have sufficiently robust locks, cameras and sensors in all the right places.

Deliverables

After the fact-finding exercise is complete, you will receive:

  • A report containing:
    • Security ratings on a scale of 0 to 10, for both policy and process, and technology.
    • A list of cybersecurity-related risks facing the client, prioritised according to the likelihood of each risk occurring and the potential impact to the organisation if it does occur, considering factors such as impact to business operations and continuity, customers, suppliers and reputation. This will include an explanation of each risk in language intended for leaders and managers who are not IT and cybersecurity experts, with a focus on articulating the associated business risk.
    • (If requested) A set of recommendations on measures that the client can put in place to improve overall security by addressing vulnerabilities, i.e. gaps and weaknesses. These recommendations will be prioritised according to the security risks that have been identified, balanced against client resources such as any budget and/or staff (e.g. administrative and IT) that could contribute to cybersecurity.
  • An overview meeting to talk through the findings and (optionally) recommendations, with time for questions and clarifications.
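To make the likelihood-times-impact prioritisation and the 0 to 10 category ratings described above concrete, here is a small constructed risk register in Python. It is an added illustration, not Holistic Cyber's tooling or scoring method; the 1 to 5 scales, the rating formula and the sample risks are assumptions for the example.

```python
# Constructed illustration of likelihood x impact prioritisation; the scales,
# the rating formula and the sample risks are assumptions, not the assessor's method.
from dataclasses import dataclass

IMPACT_AREAS = ("operations", "customers", "suppliers", "reputation")


@dataclass
class Risk:
    name: str
    category: str        # "policy" (policy and process) or "technology"
    likelihood: int      # assumed 1 (rare) .. 5 (almost certain)
    impact: dict         # area -> assumed 1 (negligible) .. 5 (severe); missing area = 1

    def impact_score(self) -> int:
        # The worst-affected area drives the score, so one severe consequence
        # (e.g. reputational) is not averaged away by areas that are barely touched.
        return max(self.impact.get(area, 1) for area in IMPACT_AREAS)

    def priority(self) -> int:
        return self.likelihood * self.impact_score()   # 1 .. 25


def prioritise(risks):
    """Highest likelihood x impact first; ties broken by likelihood."""
    return sorted(risks, key=lambda r: (r.priority(), r.likelihood), reverse=True)


def security_rating(risks, category) -> float:
    """0-10 rating per category: 10 = no identified risk, 0 = every risk at worst case."""
    found = [r for r in risks if r.category == category]
    if not found:
        return 10.0
    worst_case = 25 * len(found)
    return round(10 * (1 - sum(r.priority() for r in found) / worst_case), 1)


# Constructed sample register for a small business.
SAMPLE_RISKS = [
    Risk("Email accounts without multi-factor authentication", "policy", 4,
         {"operations": 3, "customers": 4, "reputation": 4}),
    Risk("Backups never restore-tested", "technology", 3, {"operations": 5}),
    Risk("Guest Wi-Fi on the same network as office devices", "technology", 2,
         {"operations": 3, "customers": 2}),
    Risk("No data-retention policy for old customer records", "policy", 3,
         {"customers": 2, "reputation": 3}),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_RISKS):
        print(f"{risk.priority():>2}  {risk.name}")
    for cat in ("policy", "technology"):
        print(f"{cat} rating: {security_rating(SAMPLE_RISKS, cat)}/10")
```

Replacing the max-of-areas impact rule with a weighted sum, or the 1 to 5 scales with the organisation's own, changes the ranking but not the approach.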


Example Report Card

[Image: example cyber report card]

Example Risk Summary

(client can click through to a longer summary, and to the full detail)

[Image: example risk summary]

Comprehensive and self-contained

The cybersecurity risk assessment and associated recommendations give a solid overview of each risk using plain language intended to be understandable and actionable by business owners and managers that are not IT or cybersecurity experts.  It should give you enough to know the next steps to take without relying on additional expertise and advice.


Tailored to your organisation

Both the risk assessment and the recommendations will consider the nature of your organisation's business and operations, the information and data that it holds, the market it operates in, the threat landscape it faces, its customer base, competition, any unique circumstances and/or challenges, and any applicable laws and regulations such as privacy and data protection.

Affordable options starting from less than $2000.

Three affordable packages are available to suit your needs and budget (bronze, gold and platinum), starting from less than $2000 ex. GST. If you like what you are hearing and seeing as we work through the assessment, you can upgrade at any time during (or after) the engagement for a nominal upgrade fee.

Price structure