IT and legal teams play key role when assessing cybersecurity risks


While cybersecurity remains a burning issue for organizations in 2019, many businesses and nonprofits don’t plan on or budget for a cybersecurity risk assessment. However, once organizations understand the value of their data and reputation, assessments often become a regular component of their tech management strategies.

The basic steps of any cybersecurity risk assessment are to identify the risks and vulnerabilities in your network, rate how severe they are, and determine the effectiveness of your current security resources.

You should then triage the vulnerabilities and define your risk threshold, or what amount of risk you are willing to take, in order to create an efficient cybersecurity solution.

Your IT team will understand your network best, and can help assess the risk factors and recommend which solutions will protect against the top threats.

“Do not waste money protecting all of your information and systems equally from every threat,” the Extension School at Harvard recommends in its report on tips for assessing cybersecurity risks. “By taking the time to understand the realistic risks to your business, you can more effectively work with your IT team to design security into the systems that handle your most valuable data, defend you against probable events, and hopefully keep your business from being the next cybersecurity headline.”

Experts suggest that cybersecurity risk assessments become a continuous process, conducted at least every two years.

In most assessments for small businesses and nonprofits, the points of vulnerability are employees, web pages and physical devices that connect to the Internet, an article at notes.

And because people are the first and last line of defense with any cybersecurity protocols, buy-in by all employees is critical for the success of both the assessment and implementation of new security solutions.

While most organizations engage the IT team and employees in the assessment and implementation of cybersecurity, the role lawyers should play in this process is often overlooked.

In an article at, an online legal resource, the Association of Corporate Counsel encourages the use of legal personnel when conducting cybersecurity risk assessments for several reasons: “For many companies, legal obligations will determine whether a particular framework should be used, and counsel will need to understand the underlying legal obligations and implications. In other companies, counsel will need to work with internal IT and (if applicable) third-party assessors to find the right match.”

In some cases, the results of an assessment could expose a company to legal repercussions, so the Association of Corporate Counsel suggests organizations protect their assessments from disclosure. Involving legal counsel in the assessment process could also help protect an organization from allegations of inadequate security should a breach occur.

Cybersecurity risk assessments should be an important part of your overall tech strategy, whether handled in-house or through a service. They will help you discover some of the most obvious and immediate risks to your network, and help inform an effective plan to secure your data.

Want tips on how to create a culture of security in your organization?

Learn more about data security best practices and policies with our free download, “Oh, the humanity! The role people play in data security.”
