Businesses that are subject to GDPR can only process personal data if they do so securely. This means they need to have appropriate measures in place to protect data from unauthorised processing or accidental loss. This ‘security principle’ is fundamental to proper GDPR compliance, and its importance is strengthened further by the ‘accountability principle’, obliging businesses to be able to clearly show the processes they have in place to process data securely.
An effective way to meet these twin security and accountability requirements is to perform regular cyber security risk assessments designed to:
- Identify any shortcomings in your data processing activities that could lead to a cyber-attack.
- Precisely establish what information and technological systems you use and their vulnerability to attack.
- Swiftly implement procedures to deal with these data security weaknesses.
Here we look at cyber security risk assessments, asking why your business needs to perform them, what’s involved, and how to respond to the results of the risk assessment.
We will look at the following:
- What is a cyber security risk assessment?
- Why conduct a cyber risk assessment?
- How to perform a cyber risk assessment
- Documenting findings and next steps
What is a cyber security risk assessment?
If cyber security means reducing the risk of attack and protecting your internal networks, then a cyber security risk assessment is the way you examine the cyber security measures your organisation has in place and assess how you can improve them.
Without carrying out these risk assessments at regular intervals you will be unaware of new threats to your data security. You could also miss opportunities to remove unnecessary, expensive cyber controls that are disproportionate to the risks you face. With this in mind it’s clear that cyber security risk assessments are a vital part of any organisation’s data protection and privacy law endeavours.
Why conduct a cyber risk assessment?
Often businesses have no choice but to perform cyber risk assessments. Article 35 of the GDPR states:
'Where a type of processing in particular using new technologies…is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall…carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.'
But in the context of a commercial world largely driven by data, many of our clients carry out cyber risk assessments even where there is no legal obligation to do so. That’s because most businesses are susceptible to a cyber attack to some degree. And the fallout from an attack that results in a data breach can have significant repercussions: your business may face punitive ICO fines and it may lose significant consumer trust.
How to perform a cyber risk assessment
Article 35 of the GDPR indicates that cyber risk assessments should be carried out ahead of processing high-risk personal data. For most businesses this means assessments need to be carried out regularly with any key takeaways and lessons learned implemented as soon as possible.
Any comprehensive cyber risk assessment should involve the following:
Setting goals for the assessment
It’s important to set limits for the risk assessment so that it doesn’t become too unwieldy and time consuming. Before you start, ensure that everyone involved is clear about the purpose of the assessment and its scope. At this stage any potential hurdles to carrying out the assessment should be identified. For example, is senior management on board with the decision to perform the assessment?
Identifying all assets
You won’t be able to quantify the level of threat to your data and information systems without a clear picture of what you actually have in terms of data, systems, and hardware. So any assessment should start with a detailed data protection audit, establishing how you collect and store data, identifying the categories of data you hold and specifying the purposes you hold the data for. You should then make an inventory of the information assets you hold, chiefly your IT systems and computer hardware and make an assessment of which of these assets are vulnerable to cyber attack.
Determining the value of the data you hold
By attaching a value to the data your organisation controls you are better able to establish the level of risk associated with losing that data. Valuing the data also lets you weigh up the cost to your business of losing the data (or of it becoming the subject of a breach) against the outlay involved in implementing data systems to eradicate these risks.
While it’s often difficult to put a precise value on data you should consider for example:
- What would a competitor pay for the data?
- Would a breach cause expensive disruption to the business?
- What would the ICO be likely to fine your business if you were to lose the data?
- Would your business suffer damaging publicity if the data were lost?
Identifying potential threats and areas where you could be vulnerable
Recognising potential threats to your data storage and management systems is the crux of any analysis of your organisation’s cyber security. You should consider in particular whether your data systems are vulnerable to hackers, computer viruses or malware. Other threats include the impact of a natural disaster, total system shutdown and employee errors in data processing.
Prioritising risks and subsequent actions such as staff training
Once you have identified the risks you need to decide what steps, if any, you are going to take to reduce or eliminate each of them. This means creating a high, medium and low hierarchy of risks as follows:
- High risk – indicates you need to address the threat immediately
- Medium risk – should be tackled within a reasonable time frame
- Low risk – may be addressed, or the company may shoulder the risk without taking any remedial steps
Note that as part of your risk assessment you will have valued data and worked out what the cost to the company would be if you were to lose it. If the actions required to address the risk cost more than losing the data, it may well be worth assuming the risk.
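A worked illustration of this prioritisation, added here as an example and not part of the original article: a small Python risk register that ranks risks by expected loss (likelihood multiplied by the value of the data at stake), bands them high, medium or low, and applies the rule above that a risk whose controls cost more than the data is worth may be accepted. The banding thresholds, the sample risks and all figures are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: float    # estimated chance the threat materialises in a year (0..1)
    data_value: float    # what losing or leaking the data would cost the business
    control_cost: float  # outlay needed to address the risk

def expected_loss(risk: Risk) -> float:
    """Annualised expected loss: likelihood multiplied by the value at stake."""
    return risk.likelihood * risk.data_value

def tier(risk: Risk, high: float = 50_000, medium: float = 10_000) -> str:
    """Band the risk as high, medium or low; the thresholds are assumptions."""
    loss = expected_loss(risk)
    if loss >= high:
        return "high"
    return "medium" if loss >= medium else "low"

def decision(risk: Risk) -> str:
    """Apply the article's rule: if addressing the risk costs more than losing
    the data, the business may assume the risk. Otherwise high and medium
    risks are mitigated and low risks are left to management's discretion."""
    if risk.control_cost > risk.data_value:
        return "accept"
    return "optional" if tier(risk) == "low" else "mitigate"

def prioritise(register: list[Risk]) -> list[tuple[str, str, str]]:
    """Rank the register by expected loss, highest first, with band and action."""
    ranked = sorted(register, key=expected_loss, reverse=True)
    return [(r.name, tier(r), decision(r)) for r in ranked]

# Constructed sample register with illustrative figures (not from the article).
SAMPLE_REGISTER = [
    Risk("Phishing leading to staff credential compromise", 0.40, 200_000, 15_000),
    Risk("Malware on an unpatched file server", 0.20, 150_000, 20_000),
    Risk("Flood damaging on-site backup hardware", 0.05, 60_000, 8_000),
    Risk("Accidental loss of an archived mailing list", 0.30, 5_000, 12_000),
]

if __name__ == "__main__":
    for name, band, action in prioritise(SAMPLE_REGISTER):
        print(f"{band:<6} {action:<9} {name}")
```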
One of the most common threats to cyber security is human error. It is also the type of threat that can be most effectively addressed by regular staff training and the implementation of relatively straightforward internal protocols: for example, encrypting data where possible, keeping IT systems up to date and installing upgrades and fixes when advised to, applying effective data retention policies and carrying out security checks on new staff. These are the sorts of actions a typical cyber security risk assessment should highlight as being necessary to confront the threats identified.
Remember that every business now faces the risk of cyber attack and no risk assessment will permanently eliminate all risk. Indeed the government’s own National Cyber Security Centre (NCSC) points out – in a guide to the basics of risk management – that when you make a commercial decision to introduce new technology to your operation you must recognise the possibility that it may be compromised or destroyed by cyber criminals.
Documenting findings and next steps
Your impact assessment should identify all risks, estimate how likely it is that a threat could become real, and list recommendations on how to mitigate the risk.
Compiling an impact assessment report detailing your findings will serve as a highly useful internal tool for all those involved in data processing and for managers who need to take spending decisions. But it may also provide useful evidence of GDPR compliance if you ever come under regulatory scrutiny. After all, it demonstrates compliance with the all-important accountability principle.
As your business grows and develops, the type of cyber risk you face will change. For many companies, cyber security risk assessments aren’t a strict legal obligation. But as we’ve shown, regular risk assessments provide tangible commercial benefits: they can reduce the cost of data processing in the long term, minimise the possibility of regulatory sanctions, and improve consumer trust in your business. In practice, they will often be an important feature of your data protection policies.