3 Keys to Security Risk Assessment: Devices, Data, and People

Defending your organization from cyber attacks can be daunting. For small and medium enterprises, the problem is exacerbated by limited resources and funding. Evaluating and assessing your risk of a breach often takes a back seat to reacting when a breach does happen.

There are three macro-categories you need to look at, and a handful of leading questions in each category. Even a simple risk evaluation is better than none at all!

Devices

Your endpoints, servers, and network hardware are always at risk of attack. Whether it is an unpatched system, an exploited application vulnerability, or a misconfigured firewall, devices are the main avenue attackers use to reach your customer data and intellectual property.

When you’re ready to evaluate your risk level in this category, ask the following questions:

  • Do you have an automated process to patch all of your endpoints, servers, and network hardware, and a way to verify that the patches actually applied?
  • Are you subscribed to critical security updates for all of your business-critical applications? Most vendors provide a notification system or security mailing list; take advantage of it.
  • Do you have a process to protect devices for telecommuting or high-travel employees? If you have even a modest number of these workers, it is important to have a policy, a process, or a technical control (for example full-disk encryption and a VPN) in place.
  • Do you have a system in place to plan your time and prioritize remediation work effectively?
  • Is any of your network equipment near end-of-life status, or in need of a refresh? Hardware past its support date stops receiving security fixes.
  • Does your organization use one or more cloud applications? If so, look into a cloud-based security solution (for example DNS or web filtering) that blocks known-bad websites and destinations on the internet.

Data

Data has developed more value over time, and it is the main asset that cybercriminals are after. Whether they try to hold your data for ransom, steal identity data on customers or employees, or exfiltrate company secrets, this is the commodity the bad guys want.

When it comes to protecting your data, ask yourself the following:

  • Do you use strict access-control tools and/or processes to limit access to your most sensitive data to as few people as possible, and do you review that access periodically?
  • Do you need an archiving solution to move rarely used but potentially confidential data into a secure, access-restricted location?
  • Is your CRM system locked down? Consider implementing SSO between your CRM and your Active Directory so that only current employees can log in, and so that disabling the directory account removes CRM access too. This system in particular holds vital data.
  • Do you have a strategy to recover customer and employee data if it is stolen or ransomed, or if you suffer a massive hardware failure? Tested, offline backups are the starting point.
  • Can you protect company-sensitive data for an employee on the road who is logging in from a guest network at a hotel, airport, or coffee shop?
  • Do you allow third-party services or providers access to critical data? What protections do you have in place for third-party access control?
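The first and last questions above (limiting access to sensitive data, and controlling third-party access) come down to one recurring check: compare who can reach the data against who should. Below is an added example of that access review, not code from the original article. It assumes an exported ACL, an HR roster of active employees, and a register of third-party agreements; every name, address, department and date is constructed for illustration.

```python
"""Access review for a sensitive data store: compare who CAN reach the data
(the ACL) against who SHOULD (current employees in the right department,
plus third parties with an unexpired agreement).

Added example, not code from the original article. Every name, address,
department and date below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

OWN_DOMAIN = "example.com"  # constructed: the organization's own mail domain

# Constructed HR roster of ACTIVE employees -> department. A departed
# employee is simply absent, so the review catches lingering access.
HR_ACTIVE = {
    "alice@example.com": "Finance",
    "bob@example.com": "Sales",
    "carol@example.com": "Engineering",
}

# Constructed register of third parties with a signed data-access agreement,
# mapped to the agreement's expiry date.
VENDOR_AGREEMENTS = {
    "auditor.example.net": date(2025, 12, 31),
    "oldvendor.example.org": date(2023, 6, 30),  # lapsed
}

# Departments allowed on this data set by policy (need-to-know).
ALLOWED_DEPTS = {"Finance"}


@dataclass(frozen=True)
class AclEntry:
    principal: str               # e-mail style identifier as exported from the system
    permission: str              # "read" or "write"
    last_access: Optional[date]  # None = never used


# Constructed ACL export for a payroll share.
PAYROLL_ACL = [
    AclEntry("alice@example.com", "write", date(2024, 5, 3)),
    AclEntry("Bob@Example.com", "read", date(2024, 4, 20)),             # wrong department
    AclEntry("dave@example.com", "read", date(2023, 1, 9)),              # no longer employed
    AclEntry("reviewer@auditor.example.net", "read", date(2024, 5, 1)),  # valid vendor
    AclEntry("support@oldvendor.example.org", "read", None),             # lapsed vendor
    AclEntry("svc-backup@example.com", "read", date(2024, 5, 4)),        # service account
]


def review_acl(acl, hr_active, vendor_agreements, allowed_depts, own_domain, today, stale_days=90):
    """Return a list of (principal, reason) findings. Empty means the ACL
    matches policy. Principals are normalized to lower case so that a
    differently-cased export does not slip past the roster lookup."""
    findings = []
    for entry in acl:
        principal = entry.principal.strip().lower()
        domain = principal.rpartition("@")[2]
        if principal in hr_active:
            dept = hr_active[principal]
            if dept not in allowed_depts:
                findings.append((principal, f"employee outside allowed departments ({dept})"))
        elif domain in vendor_agreements:
            if vendor_agreements[domain] < today:
                findings.append((principal, f"third-party agreement expired {vendor_agreements[domain]}"))
        elif domain == own_domain:
            findings.append((principal, "not an active employee (departed or service account): confirm or revoke"))
        else:
            findings.append((principal, "unknown external principal"))
        # Unused access is a standing liability regardless of who holds it.
        if entry.last_access is None or (today - entry.last_access).days > stale_days:
            findings.append((principal, f"no access in the last {stale_days} days: candidate for removal"))
    return findings


def run_review(today=date(2024, 5, 10)):
    """Run the review over the constructed data; `today` is fixed so the result is reproducible."""
    return review_acl(PAYROLL_ACL, HR_ACTIVE, VENDOR_AGREEMENTS, ALLOWED_DEPTS, OWN_DOMAIN, today)


if __name__ == "__main__":
    for principal, reason in run_review():
        print(f"{principal:35} {reason}")
```

Run against the constructed data, the review flags Bob (wrong department), Dave (no longer on the roster), the lapsed vendor account, and the backup service account, while Alice and the auditor under a current agreement pass. The same comparison works for any system that can export its user list: the CRM, a file share, or a database role table.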

People

We've saved the worst for last. People are the lifeblood of your business, but they are human. Humans can be tricked into clicking a bad link, falling for a phishing scam, or giving outsiders access to company data through poor personal security hygiene.

People are often the point of failure in a breach, and it is usually a lack of knowledge, or a weakness outside the technology itself, that causes it. People are also the number one attack vector cybercriminals use when trying to get at and exfiltrate data from your business.

Ask yourself the following:

  • Do you allow users to skip anti-virus updates, critical security patches, or operating system updates because they complain about rebooting too much?
  • Do you schedule training sessions and offer materials to help your users recognize social engineering, phishing, and other people-focused attacks?
  • Do you have systems in place to route mail from known-bad sender domains to users' junk folders and mark those messages as spam, and to treat mail that claims to come from your own domain but fails authentication the same way?
  • Do your non-technical employees have the same level of access to their systems (for example, local administrator rights) as your computer-savvy employees? Access should follow role and need, not technical skill.
  • Do you allow workers to access any website they want while at the office?
  • Are all of your business-critical applications tied to users' network logins? If not, do you have a process or policy to remove access to non-SSO systems when an employee departs the business?
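To make the junk-mail question above concrete, here is an added example of the routing logic, not code from the original article. It checks both the visible From: domain and the envelope Return-Path against a blocklist (including subdomains), and it also junks mail that claims to come from your own domain unless the DMARC verdict written by your own gateway says pass. The blocklist, the gateway name (`mx.example.com`) and every sample message are constructed for illustration; in production this logic lives in the mail gateway's transport rules rather than in a script.

```python
"""Inbound mail triage: send mail from known-bad sender domains to Junk, and
also junk mail that claims to come from our own domain but did not pass
DMARC at OUR mail gateway.

Added example, not code from the original article. The blocklist, the
gateway name and every message below are constructed for illustration.
"""
import email
from email.utils import parseaddr

BLOCKED_DOMAINS = {"bad-sender.example", "phish.example"}  # constructed blocklist
PROTECTED_DOMAINS = {"example.com"}   # our own domain(s), the usual spoofing target
OUR_AUTHSERV_ID = "mx.example.com"    # constructed: the gateway that writes Authentication-Results


def sender_domains(msg):
    """Return (domain in the visible From: header, domain in the Return-Path).
    Phishers often make the two differ, so both are checked."""
    _, header_from = parseaddr(msg.get("From", ""))
    _, envelope_from = parseaddr(msg.get("Return-Path", ""))
    return header_from.rpartition("@")[2].lower(), envelope_from.rpartition("@")[2].lower()


def domain_matches(domain, blocked):
    """True if `domain` is a blocked domain or a subdomain of one."""
    return any(domain == b or domain.endswith("." + b) for b in blocked)


def dmarc_result(msg, authserv_id=OUR_AUTHSERV_ID):
    """Read the dmarc= verdict from Authentication-Results, but only when the
    header was written by our own gateway. Anyone can add an
    Authentication-Results header, so one with another authserv-id is ignored."""
    header = msg.get("Authentication-Results", "")
    parts = [p.strip() for p in header.split(";")]
    if parts[0].split()[0:1] != [authserv_id]:
        return "none"
    for part in parts[1:]:
        if part.startswith("dmarc="):
            return part[len("dmarc="):].split()[0].lower()
    return "none"


def triage(raw_message):
    """Return ("junk", reason) or ("inbox", "ok") for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    header_dom, envelope_dom = sender_domains(msg)
    if domain_matches(header_dom, BLOCKED_DOMAINS) or domain_matches(envelope_dom, BLOCKED_DOMAINS):
        return "junk", "sender domain is on the blocklist"
    if header_dom in PROTECTED_DOMAINS and dmarc_result(msg) != "pass":
        return "junk", "claims to be from our domain but DMARC did not pass at our gateway"
    return "inbox", "ok"


# Constructed sample messages.
MSG_BLOCKED = (
    "Return-Path: <bounce@bad-sender.example>\n"
    "From: \"Payroll Team\" <payroll@bad-sender.example>\n"
    "Subject: Updated pay statement\n\n"
    "Open the attachment.\n"
)
MSG_SUBDOMAIN = (
    "Return-Path: <news@mail.phish.example>\n"
    "From: News <news@mail.phish.example>\n"
    "Subject: Account notice\n\n"
    "Click here.\n"
)
MSG_SPOOFED = (  # From: looks internal; envelope and DMARC say otherwise
    "Return-Path: <x7@randomhost.example.net>\n"
    "From: \"CEO\" <ceo@example.com>\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=randomhost.example.net; "
    "dmarc=fail header.from=example.com\n"
    "Subject: Urgent wire transfer\n\n"
    "Please handle this today.\n"
)
MSG_FORGED_AR = (  # attacker supplies a fake Authentication-Results under another authserv-id
    "Return-Path: <x7@randomhost.example.net>\n"
    "From: \"CEO\" <ceo@example.com>\n"
    "Authentication-Results: attacker.example.net; dmarc=pass header.from=example.com\n"
    "Subject: Urgent wire transfer\n\n"
    "Please handle this today.\n"
)
MSG_INTERNAL_OK = (
    "Return-Path: <alice@example.com>\n"
    "From: Alice <alice@example.com>\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; "
    "dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "Subject: Lunch\n\n"
    "Noon?\n"
)
MSG_EXTERNAL_OK = (
    "Return-Path: <partner@vendor.example.org>\n"
    "From: Partner <partner@vendor.example.org>\n"
    "Subject: Quarterly report\n\n"
    "Attached.\n"
)

if __name__ == "__main__":
    samples = [("blocked", MSG_BLOCKED), ("subdomain", MSG_SUBDOMAIN), ("spoofed", MSG_SPOOFED),
               ("forged AR", MSG_FORGED_AR), ("internal", MSG_INTERNAL_OK), ("external", MSG_EXTERNAL_OK)]
    for name, raw in samples:
        print(f"{name:10} -> {triage(raw)}")
```

The two details worth carrying into a real deployment are the subdomain match (a blocklist entry for `phish.example` must also catch `mail.phish.example`) and the authserv-id check: a DMARC verdict is only trustworthy when your own gateway wrote it. Publishing a DMARC policy of `p=reject` for your own domain is the durable fix for the spoofing case; this filter is the receiving-side backstop.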

Finally, if these questions raised doubts, evaluate further and seek help assessing your risk, cost, and performance, along with advice on how to bolster your cyber defense strategy.
