Cyber security risk management framework

Written by Ben Rose
Updated 23rd January 2019

To effectively protect your business from cyber-attacks and data breaches, you must first identify the biggest threats and vulnerabilities you face. That means carrying out a risk assessment.


It sounds complicated, but it doesn’t need to be. And it will actually make securing your systems a whole lot easier going forward.

Here we’ll provide a simple framework that you can follow.

What is a cyber security risk assessment?

As the name suggests, a cyber security risk assessment enables you to identify the cyber risks facing your business and then analyse their importance. Going through this process enables you to develop the most appropriate solutions to protect your systems against the biggest risks. It also helps you to focus your budget and resources on the areas that need the most attention.

What is a framework for cyber security risk assessment?

It sounds fancy, but a risk assessment framework is just a methodology, or a list of actions, to help you structure your thinking and develop an approach to cyber security. Here, we try to keep things as simple as possible, providing the basic route that you should follow when carrying out a risk assessment in your business.


A basic framework for cyber security risk assessment

  • Identification: Cyber security is all about protecting your data, so the first step is to identify all the data in your business that would be most vulnerable, sensitive and at risk if it were lost or stolen. This is likely to include personal details and contact information for your customers and clients, any financial data, along with private and confidential information relating to your own company. Make a list of all this data, along with where and how it is stored on your systems, and who has access to it.

  • Threat modelling: Next, consider all the possible threats that could cause that data to be lost or stolen, including external attacks, data breaches and social engineering, as well as failures and oversights in your internal systems and human error by your employees. A good way to approach this is to think of a potential incident, for example, customer data is leaked, and then list all the events which could possibly lead up to that eventuality. It can also help to research the cyber incidents that have affected other companies, to give you an idea of what can go wrong. There are plenty of news reports out there to refer to!

  • Prioritise: Now you’ve terrified yourself by just how risky the world can be, it’s time to be realistic and rank those threats based on three factors: how likely they are to happen, how much damage they could do, and how much control you have over preventing them. Some risks might have the potential to create worlds of damage but, as they’re very unlikely and completely out of your control, they’re not worth spending time and money on. The important risks are those that have a high chance of happening and that you have a good chance of preventing, so as to avoid a big problem for your business.

  • Balance: It’s also important to look at how controlling a certain risk could have unexpected consequences in other parts of the business, and thereby create other risks. For example, if implementing an additional layer of security on your website is going to drive customers to buy elsewhere, then you may decide that the risk is worth taking to avoid the potentially catastrophic loss of revenue for your business.

  • Solutions: Now you should have a good idea of the risks your business needs to focus on, it’s time to research the technology and processes that will help protect your most important and vulnerable data. Our guide to cyber security is a great place to start, but it also helps enormously to research what your peers have in place, as chances are you should too. And if you really don’t know where to start, or have particularly complex needs, it’s probably best to consult a specialist security consultant.

  • Monitor and update: Cyber security isn’t something you can just tick off your list and forget about. If you’re a growing business, then the data you hold is likely to be constantly evolving. Plus, cyber criminals are constantly developing new tricks to bypass your defences. So, ensure you track the effectiveness of your security practices and review your risk assessment regularly - at least annually - or more frequently if you’re hit by a specific incident.
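The Prioritise and Balance steps above boil down to a small risk register: score each threat on the three factors, set aside the ones that are both very unlikely and outside your control, record the risks you have consciously chosen to accept, and rank the rest. The script below is an added illustration of that bookkeeping, not something from the original article; the 1-to-5 scales, the multiplicative score, the cut-off thresholds and the sample threats are all constructed assumptions, and any real register should use whatever scale your business agrees on.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One entry in a risk register (constructed example, 1 = low, 5 = high)."""
    name: str
    likelihood: int       # how likely it is to happen
    impact: int           # how much damage it could do
    controllability: int  # how much control you have over preventing it
    accepted: bool = False  # Balance step: consciously accepted, not actioned
    notes: str = field(default="")

    def score(self) -> int:
        # A simple product: a risk only scores highly when it is likely,
        # damaging AND something you can realistically prevent.
        return self.likelihood * self.impact * self.controllability


def prioritise(risks, max_low_likelihood=1, max_low_control=1):
    """Rank actionable risks, highest score first.

    Risks that are both very unlikely and essentially outside your control
    are dropped, as the article suggests; accepted risks are reported
    separately so the decision stays on record rather than disappearing.
    """
    act, accepted, parked = [], [], []
    for r in risks:
        if r.accepted:
            accepted.append(r)
        elif r.likelihood <= max_low_likelihood and r.controllability <= max_low_control:
            parked.append(r)
        else:
            act.append(r)
    act.sort(key=lambda r: r.score(), reverse=True)
    return {"act": act, "accepted": accepted, "parked": parked}


# Constructed sample register for a small business.
SAMPLE_REGISTER = [
    Risk("Phishing email leads to customer data leak", 4, 5, 4),
    Risk("Ransomware via unpatched server", 3, 5, 4),
    Risk("Laptop with unencrypted client files lost", 2, 4, 5),
    Risk("Ex-employee still has access to shared drive", 3, 3, 5),
    Risk("Nation-state attack on cloud provider", 1, 5, 1),
    Risk("Extra checkout login step drives customers away", 3, 3, 5,
         accepted=True, notes="Kept single-step checkout; revenue risk outweighs benefit"),
]


def ranked_names(risks=SAMPLE_REGISTER):
    """Names of actionable risks in priority order (handy for a report)."""
    return [r.name for r in prioritise(risks)["act"]]


if __name__ == "__main__":
    report = prioritise(SAMPLE_REGISTER)
    print("Act on (highest priority first):")
    for r in report["act"]:
        print(f"  {r.score():3d}  {r.name}")
    print("Consciously accepted:")
    for r in report["accepted"]:
        print(f"       {r.name} ({r.notes})")
    print("Parked (unlikely and outside our control):")
    for r in report["parked"]:
        print(f"       {r.name}")
```

Re-running the script after each review (the Monitor and update step) gives a dated snapshot of how the ranking has shifted as the data you hold and the threats you face change.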


Too many businesses wait until they’re hit by a cyber-attack or data breach to start thinking about security, by which point the damage is already done. And with legal and compensation claims, system downtime and reputational damage to think about, the fall-out could be significant. That’s why it pays to put the groundwork in early – and get protected.

And don’t forget, if the worst does happen, cyber liability insurance can protect you for a breach of data protection laws (where insurable by law) and your liability for handling data. It can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime. To find out more, drop us a line at, or give us a call on 0333 772 0759.
