What is a security risk assessment and how to conduct one

Protecting a business from cybercrime has become key in today’s landscape. This includes ransomware, malware, data breaches, phishing, and social engineering hacks.

A report on the future of cybercrime has found that the global cost of cybercrime is estimated to rise from $8.4 trillion in 2022 to $23.82 trillion in 2027 [1], with statistics showing that attacks from malicious external actors are the most common breaches. This means taking proactive security measures and conducting vulnerability assessments can be essential for businesses of all sizes [2].

What is a security risk assessment?

A security risk assessment (SRA) helps a business identify and analyze risks and implement security measures to mitigate them.

An SRA is a compliance requirement of the Payment Card Industry Data Security Standard (PCI DSS), the International Organization for Standardization (ISO), and the Health Insurance Portability and Accountability Act (HIPAA).

It’s best practice to conduct an SRA annually and immediately after a security incident. Thorough security evaluations can help a small business cut down on threats, protect its valuable data, meet regulatory requirements, and maintain its reputation.

Benefits of conducting an SRA

  • Cost-effectiveness. The average cost of a data breach for an organization in 2023 was $4.45 million [3]. These costs include ransom payments to hackers, fines from regulators, legal fees, and downtime losses. Post-hack investigations and reactive security measures can also be both expensive and time-consuming.
  • Proactive approach to security. Cyberthreat prevention is one of the biggest risk assessment benefits for small businesses. Attackers look for weaknesses to exploit, but an SRA can help identify future problems and rectify them before malicious actors take advantage. Data shows that a predominantly remote workforce can add $173,074 to the average cost of a data breach [2].
  • Regulatory compliance. Organizations need to conduct an annual SRA of their payment environment to comply with PCI DSS. Other industry-specific, national, and international regulations require organizations to risk-assess their entire digital environment. For example, healthcare businesses need to assess databases of private health information to comply with HIPAA.

Key steps in conducting an SRA

Identify assets and resources

First, an organization should identify its business assets and resources, including data, physical technology, and intellectual property, as well as where they are stored. Asset identification enables a business to classify data sets, establish the level of protection needed, and decide who is responsible for it.

Threat identification

Each asset can be individually risk-assessed. It’s best practice to consider the many ways potential hackers could gain access to a business’s network and what damage they could inflict. Cyber threats can affect a business’s physical security and hardware, as well as its digital data environment, with rogue actors potentially both external and internal.

Specific types of attack can also affect some industries more than others. In 2022, manufacturing and finance businesses experienced more cyber attacks than any other industry [4]. The cost of security damage can also be higher for some industries – for example, in a report on 2023 breaches, those affecting healthcare businesses were the most expensive, costing an average of $10.93 million per business [3].

Vulnerability assessment

Cybercriminals specialize in vulnerability exploitation, and a report on cybersecurity statistics found that more than half of all cyberattacks are aimed at smaller businesses [5].

A business’s main vulnerabilities to security attacks are unsecured networks, unpatched or outdated operating systems, and incorrectly configured firewalls. Businesses are also susceptible to social engineering hacks, which rely on human error; phishing, for example, is the most common form of cyberattack globally, according to the latest statistics on phishing [6].

Risk analysis

Once vulnerabilities are identified, it’s best practice to outline various risk scenarios, the prevalence of a threat, how often it could occur, and what the costs and consequences could be.

A risk assessment matrix can also help organizations identify the probability, severity, and likely impacts of a range of cybersecurity risks. The most severe risks and those deemed most likely can be prioritized.

Risk mitigation strategies

Once risks are identified, organizations can use a security risk assessment to set out response strategies. Each threat can be matched with appropriate security controls and risk mitigation strategies like staff training, improved network access controls, and firewall installation.

Businesses with firm risk mitigation strategies in place can act fast if a breach does occur. The quicker a security team deals with a data breach or cyber incident, the less costly it can be for a small business.

Documentation and reporting

Risk assessment documentation allows businesses to record each annual SRA and monitor how their risk mitigation strategies have been implemented over time. It’s best practice for a risk assessment summary to include a comprehensive report of the risks identified and how the business can protect itself from hackers. A security report can also include a timeline for implementation, stakeholders, and budgets.
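As an added example (not part of the original article), the risk analysis, mitigation and documentation steps above expressed as a small risk assessment matrix in Python: each asset/threat pair is scored by likelihood and impact, ranked, paired with a mitigation, and summarized for the report. The assets, scores and controls are constructed for illustration.

```python
# Added example (not from the original article): a small risk assessment
# matrix that scores each asset/threat pair by likelihood x impact, ranks
# the results, pairs each with a mitigation and summarizes them per band.
# Asset names, ratings and controls below are constructed for illustration.
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}   # 1-3 scale for both axes


def rate(score):
    """Map a likelihood x impact product (1..9) onto a three-band matrix."""
    if score >= 6:
        return "critical"
    if score >= 3:
        return "elevated"
    return "acceptable"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str       # low / medium / high
    impact: str           # low / medium / high
    mitigation: str
    score: int = field(init=False)
    band: str = field(init=False)

    def __post_init__(self):
        self.score = LEVELS[self.likelihood] * LEVELS[self.impact]
        self.band = rate(self.score)


def prioritize(risks):
    """Highest score first; ties broken by impact so severe risks surface first."""
    return sorted(risks, key=lambda r: (r.score, LEVELS[r.impact]), reverse=True)


def report(risks):
    """Documentation step: one line per risk (ranked) plus a count per band."""
    lines = [f"{r.band:10} {r.score} {r.asset}: {r.threat} via {r.vulnerability}"
             f" -> {r.mitigation}" for r in prioritize(risks)]
    counts = {}
    for r in risks:
        counts[r.band] = counts.get(r.band, 0) + 1
    return lines, counts


# Constructed risk register for a small business
REGISTER = [
    Risk("Customer database", "ransomware", "unpatched OS", "high", "high", "patch cadence + offline backups"),
    Risk("Staff mailboxes", "phishing", "no awareness training", "high", "medium", "staff training + MFA"),
    Risk("Guest Wi-Fi", "network intrusion", "unsecured network", "medium", "medium", "segment from POS network"),
    Risk("Office printer", "firmware tampering", "default password", "low", "low", "change default credentials"),
]
```

Running `report(REGISTER)` lists the register with the critical items first and returns the per-band counts a summary report would include.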

Using PayPal’s tools and resources for security

PayPal Business security assessment tools include risk assessment resources powered by risk intelligence and machine learning technology. PayPal’s risk intelligence may help protect your small business from the most common types of payment fraud.
