Small charities: How to carry out your own cyber security risk assessment

Carrying out a cyber security risk assessment involves six steps:

1.) Understand your IT setup

The first step is to identify which IT systems are critical to service delivery, fundraising, financial operations, customer data security, and any other activities which are critical to the functioning of your charity.

Once you understand this you are in a position to assess the various cyber security risks that they face.

2.) Identify cyber security threats

Cyber security is all about risk management, and to manage cyber security risks successfully, you need to be able to identify and assess them first. The most common types include:

• Hacker attacks: network intrusions can lead to data loss and disrupted operations such as service delivery and fundraising
• Insider attacks: disgruntled staff with access to digital systems can steal money or delete data
• Phishing attacks, malware and ransomware infections: these can lead to financial loss and interruption to operations
• Data leakage: accidental digital data loss through the use of unencrypted USB sticks, emailing sensitive data to the wrong people or losing a laptop can lead to loss of data and regulatory problems

3.) Determine the impact if a threat actually transpired

Using some of the examples above, this step aims to assess how bad it would be for your charity if there was a successful ransomware attack, or if a staff member lost their laptop.

In most cases it is sufficient to assign one of three impact levels to an event:

• High: this would have a substantial impact on the ability of your charity to provide its services or continue to operate at all
• Medium: the impact would be damaging, or costly, or very inconvenient, but the charity would be able to continue to function
• Low: there would be very little impact on the charity aside from some inconvenience

You may find it more appropriate to take a more granular approach using four or five levels, e.g.

• Very high: could lead to charity ceasing to exist
• High: very substantial impact on operations
• Medium: impact would be significant, but measures (such as data backups) are in place to ensure that operations would only be affected for a limited period
• Low: impact would be of minor concern and inconvenience
• Very low: impact would be so small as to be not worth worrying about

4.) Assess the likelihood of each threat happening

The next part of the puzzle is to work out a likelihood rating for each risk.

That means, for example, how likely are you to fall victim to ransomware and lose access to your data, despite the anti-ransomware software (if any) that you have, and the data backups (if any) that you have. Clearly, if you do not have any anti-ransomware software and any backups then your operations are much more likely to be disrupted by ransomware than if you have both of these in place.

Rather than an exact figure, you can use a likelihood rating system like:

• High: the threat source (such as a ransomware criminal) is credible and capable, and your existing security measures are inadequate or non-existent. For example, although ransomware is a clear and present threat, you do not have any security measures to mitigate it
• Medium: although the threat source is credible and capable, security measures in place are likely to impede them from being successful. For example, although ransomware is a clear and present threat, you have anti-ransomware software which should detect most ransomware attacks
• Low: the threat source lacks capability, or your security measures will prevent, or at least significantly prevent, any disruption from the threat. For example, you have anti-ransomware software, and in any case, you carry out regular data backups to the cloud so that if you fall victim to a ransomware attack you should be able to recover your data within a few hours, causing minimal disruption

As with your impact ratings, you may also choose to use a more granular likelihood rating system with four or five levels, rather than the three described above.

5.) Work out your risk rating score

Your risk rating score for a given risk = impact x likelihood

To calculate this you can assign (semi-arbitrary) values to impact, like 100 for high, 50 for medium, and 10 for low, and also to likelihood, such as 1 for high, 0.5 for medium, and 0.1 for low.

You will then end up with a table of risk ratings that could look like this:

6.) Draw up a risk mitigation action plan

The resulting table with risk rating scores is the key takeaway of a cyber risk assessment. That’s because it summarises all the risks you have identified, the impacts they could have, and the likelihood that they will come to pass in spite of any existing cyber security or other mitigation measures you have in place.

The risk rating scores allow you to identify the most critical threats that you need to address and focus your resources on mitigating them as a matter of urgency rather than wasting money and other resources on cyber security activities which are less important.