Some organizations feel that relying on last year’s approaches to cybersecurity risk assessment would provide insufficient preparation for this year’s advanced cyberattacks. I respectfully disagree.
Cyber risk assessment is something that many organizations still do not do at all. Doing an assessment on at least an annual basis can prepare you for what is to come. Good assessments are based on your organization’s assets; they’re not based on everything that can happen to the company, just what can happen to your assets. If you take those steps, you will be better protected.
A formal risk assessment must take into account that some of these threats are stealthier and more difficult to discover and mitigate than others. It must include a questionnaire outlining controls that can detect malicious activity that hides and disguises itself as ordinary behavior.