Understanding Risk Assessment in Cybersecurity
In a world where cloud apps, connected devices, and remote work are the default, every organisation – especially those handling sensitive health or personal data – needs to know exactly where it’s vulnerable and what to do about it. That’s the job of a cybersecurity risk assessment.
This guide is a modern, practical playbook. It’s written for leaders, IT managers, and compliance stakeholders in Western Australia (and beyond) who want a repeatable, defensible approach to identifying risks, prioritising fixes, and proving due diligence to clients, boards, and regulators.
Cyber risk: a quick, practical definition
Cyber risk is the potential for loss or disruption to your organisation’s operations, finances, legal standing, or reputation due to incidents involving information systems and data. In plain English: anything that could expose, alter, destroy, block, or ransom your data – or shut down critical systems.
Common categories:
- Human-driven threats: phishing, social engineering, credential stuffing, malicious insiders
- Malware & ransomware: encryption and extortion, data theft, double extortion leaks
- System & configuration issues: unpatched software, misconfigured cloud buckets, weak identity policies
- Third-party & supply chain: vendor data handling, integrations, managed service providers
- Operational & physical: device loss, inadequate backups, inadequate DR/BCP, physical access gaps
- Environmental: fire, flood, power failure impacting on-prem servers or clinics
Why risk assessments matter (beyond “best practice”)
1. Find and fix what matters most
Identify exploitable vulnerabilities, quantify business impact, and prioritise controls that reduce the biggest risks first.
2. Prove compliance and due diligence
In Australia, the Privacy Act 1988 (Australian Privacy Principles) and the Notifiable Data Breaches (NDB) scheme require strong privacy/security governance and incident notification. A risk assessment evidences that you took reasonable steps to protect data.
3. Track progress year over year
Annual or semi-annual assessments show maturity gains, budget ROI, and control effectiveness (e.g., Essential Eight maturity levels).
4. Strengthen decision-making
Translate technical gaps into board-ready language about impact (revenue, legal exposure, patient safety, reputation), enabling smart budget and policy decisions.
5. Reduce downtime and costs
Preventive controls (MFA, patching, EDR, immutable backups) are vastly cheaper than incident response, ransom negotiations, or regulatory penalties.
The 6-step cybersecurity risk assessment (how to run it)
Step 1: Identify and classify assets
Catalogue anything that stores, processes, or transmits important data – and who uses it.
Examples of critical assets (medical/SMB context):
- Practice Management System (PMS) and EHR/EMR
- ePrescription, My Health Record integrations
- Finance/ERP, CRM, HR systems
- Cloud storage (e.g., Microsoft 365/SharePoint), email, Teams
- On-prem servers (if any), network equipment, Wi-Fi
- Endpoints: laptops, desktops, mobile devices, imaging devices
- Data sets: patient records, billing data, Medicare & insurance, identity docs
- Third-party platforms: telehealth providers, pathology, billing gateways
- Backups and disaster recovery tooling
Classify by critical, major, or minor using questions like:
- If this asset is unavailable, what’s the business/clinical impact?
- Would its exposure trigger legal or contractual penalties?
- Could a competitor or criminal misuse the asset?
- How hard or costly is it to rebuild or restore?
Tip: keep this inventory living – tie it to joiners/movers/leavers, procurement, and change management so new assets are captured automatically.
Step 2: Identify threats
Think beyond “hackers.” Consider:
- External attackers: phishing, credential stuffing, ransomware-as-a-service, web app exploits
- Internal (malicious or accidental): mishandled data, misdirected emails, oversharing in M365
- Third-party/supply chain: vendors with access to systems/data; cloud misconfigurations
- Operational: mislaid devices, no offsite backups, shadow IT
- Environmental: fire, flood, power outages (relevant for any remaining on-prem kit)
For each asset, ask: who or what could compromise this, and how?
Step 3: Analyse vulnerabilities
A vulnerability is a weakness that could be exploited by a threat. Common examples:
- No MFA on email, VPN, or high-privilege accounts
- Stale, shared, or weak passwords; lack of password managers
- Missing or delayed patching; end-of-life systems (e.g., old Windows builds)
- Misconfigured Microsoft 365 (over-permissive sharing, legacy protocols enabled)
- Unprotected admin interfaces (firewalls, hypervisors, cloud consoles)
- Flat networks; no segmentation between admin, clinical, guest Wi-Fi
- Backups not tested, not immutable, or connected to the same domain
- EDR/AV absent or not centrally managed
- Inadequate logging/monitoring; no alert triage or response runbooks
- Third-party contracts lacking security clauses or right-to-audit
- Human error exposure due to insufficient security awareness training
Gather evidence with:
- Configuration reviews (M365 Secure Score, Azure AD, endpoint baselines)
- Vulnerability scanning (internal/external) and patch status reports
- Penetration testing (as appropriate for scope & risk)
- Interviews and walkthroughs with IT and business owners
- Policy/documentation checks (incident response, DR/BCP, access reviews)
Step 4: Evaluate likelihood and impact
Score each risk on two axes:
- Likelihood: How probable is occurrence in the next 12 months, given current controls and threat activity?
- Impact: If it happens, how bad is it - financially, operationally, legally, and reputationally?
Use a 1-5 or Low/Med/High scale. Then place items on a risk matrix to prioritise.
Sample 5×5 risk scale
| Impact \ Likelihood | 1 Very Low | 2 Low | 3 Medium | 4 High | 5 Very High |
|---|---|---|---|---|---|
| 5 Catastrophic | M | H | E | E | E |
| 4 Major | M | M | H | E | E |
| 3 Moderate | L | M | H | H | E |
| 2 Minor | L | L | M | M | H |
| 1 Negligible | L | L | L | M | M |
Legend: E = Extreme, H = High, M = Medium, L = Low
Document assumptions and evidence for your scoring (e.g., “no MFA on email + active phishing attempts observed in M365 logs”).
Step 5: Select and implement controls (risk treatment)
For each priority risk, decide whether to reduce, avoid, transfer (e.g., cyber insurance), or accept the risk. Most actions will be to reduce the risk via controls. Map your choices to recognised frameworks (e.g., ACSC Essential Eight, NIST CSF, ISO/IEC 27001/27002, ISO 27005 risk management).
Control categories
- Identity & access: MFA everywhere, conditional access, SSO, least privilege, role-based access, quarterly access reviews, password manager
- Device & endpoint: full disk encryption, MDM, EDR with central policy, app allow-listing (E8), local admin lockdown, OS hardening
- Email & collaboration: phishing protection, safe links/attachments, DLP rules, external email banners, disabling legacy auth
- Network & cloud: segmentation/VLANs, zero trust access, firewall hygiene, VPN hardening, secure M365/Azure baselines, disable unused protocols, private endpoints
- Data protection: classification & labelling, retention rules, encryption at rest/in transit, secure file sharing
- Backup & recovery: 3-2-1 backups, immutable copies, MFA/segregated admin, quarterly restore testing, RTO/RPO aligned to business needs
- Monitoring & response: centralised logging, alerting, MDR/SOC, incident response (IR) runbooks, tabletop exercises
- Governance & people: security awareness training (phishing, data handling), onboarding/offboarding, vendor risk management, policies and attestations
- Physical & environmental: server room access controls, CCTV, UPS, offsite replication, asset disposal
Quick wins with high impact (often Essential Eight aligned):
- Turn on MFA for email, remote access, and admin accounts
- Enforce automatic patching with SLAs (e.g., 14–30 days, critical faster)
- Deploy EDR to all endpoints; block macros from the internet
- Lock down backups (immutable, offline) and test restores quarterly
- Disable legacy authentication in Microsoft 365; enforce conditional access
- Implement privileged access workstations (PAWs) or just-in-time admin
- Segment guest Wi-Fi / IoT from corporate and clinical networks
Step 6: Report, roadmap, and re-assess
Produce two deliverables:
1. Risk Register – your source of truth for each risk item
2. Executive Report & Roadmap – business-friendly summary and action plan
Sample Risk Register (abbreviated)
| ID | Asset | Risk description | Likelihood | Impact | Rating | Controls / treatment | Owner | Due |
|---|---|---|---|---|---|---|---|---|
| R-07 | M365 tenant | No MFA for staff; active phishing attempts | High | Major | Extreme | Enforce MFA & conditional access; disable legacy auth; user training | IT Manager | 30 days |
| R-12 | Backups | Backups not immutable; restore untested | Medium | Catastrophic | High | Add immutable tier; quarterly restore tests; separate credentials | Head of IT | 45 days |
| R-18 | Vendor: Telehealth | No security addendum; API access unscoped | Medium | Major | High | Update contract; limit scopes; audit logs; breach notification clause | Compliance | 60 days |
Include budget, dependencies, and milestones. Track progress monthly in IT governance meetings.
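As an added example (not part of the original guide), the 5×5 matrix from Step 4 encoded as data and used to rate and order register rows like those in Step 6, including the residual rating once a treatment is applied. The register rows are constructed from the abbreviated table above; the residual likelihood/impact values are assumptions about what the listed treatments achieve, not figures from the guide.

```python
"""Added example: rate and prioritise risk-register rows with the guide's 5x5 matrix."""
from dataclasses import dataclass

LIKELIHOOD = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
RATING = {"L": "Low", "M": "Medium", "H": "High", "E": "Extreme"}
PRIORITY = {"Low": 1, "Medium": 2, "High": 3, "Extreme": 4}

# One string per impact row (5 = Catastrophic ... 1 = Negligible); the character
# at index (likelihood - 1) is the cell from the guide's matrix.
MATRIX = {5: "MHEEE", 4: "MMHEE", 3: "LMHHE", 2: "LLMMH", 1: "LLLMM"}


def rate(likelihood: str, impact: str) -> str:
    """Look up the matrix cell for a likelihood/impact pair and return its legend name."""
    cell = MATRIX[IMPACT[impact]][LIKELIHOOD[likelihood] - 1]
    return RATING[cell]


@dataclass
class Risk:
    id: str
    asset: str
    likelihood: str            # current likelihood, given today's controls
    impact: str
    residual_likelihood: str   # assumed likelihood once the treatment is in place
    residual_impact: str       # assumed impact once the treatment is in place

    def inherent(self) -> str:
        return rate(self.likelihood, self.impact)

    def residual(self) -> str:
        return rate(self.residual_likelihood, self.residual_impact)


def prioritise(register: list[Risk]) -> list[str]:
    """Return risk IDs ordered Extreme -> Low, i.e. the order to tackle them in."""
    return [r.id for r in sorted(register, key=lambda r: -PRIORITY[r.inherent()])]


# Constructed rows based on the guide's abbreviated register (residual values assumed).
REGISTER = [
    Risk("R-18", "Vendor: Telehealth", "Medium", "Major", "Low", "Moderate"),
    Risk("R-07", "M365 tenant", "High", "Major", "Low", "Major"),
]

if __name__ == "__main__":
    for rid in prioritise(REGISTER):
        r = next(x for x in REGISTER if x.id == rid)
        print(f"{r.id} ({r.asset}): {r.inherent()} -> {r.residual()} after treatment")
```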
When to reassess
- Annually at minimum (semi-annually for higher-risk environments)
- After major change: new system rollout, office move, cloud migration
- After incidents: phishing campaigns, outages, near-misses
- When laws or contracts change: privacy law updates, new client requirements
Australian context: compliance & frameworks at a glance
- Privacy Act 1988 & Australian Privacy Principles (APPs) - govern handling of personal information; requires reasonable steps to secure data.
- Notifiable Data Breaches (NDB) scheme - obligation to notify OAIC and affected individuals if a data breach is likely to cause serious harm.
- ACSC Essential Eight - practical baseline for mitigation strategies with maturity levels; widely referenced for SMBs and clinics.
- Industry specifics (health) - obligations related to My Health Record, secure messaging, and sector guidance from the Australian Digital Health Agency (ADHA).
- Contracts & cyber insurance - often require documented risk management, MFA, EDR, backups, and IR plans.
If you’re a medical practice, align your assessment outputs to Essential Eight controls and keep proof of implementation and testing – insurers increasingly request this.
Mini-case study: Perth medical practice (condensed)
Context: A 12-clinician practice using cloud PMS/EHR, Microsoft 365, and in-house imaging PCs.
Top findings:
- No MFA on staff email; legacy protocols enabled
- Imaging PCs on same VLAN as admin and clinical systems
- Backups contractor stores snapshots in same cloud tenant; no immutability
- Telehealth vendor contract lacks breach notification clause
Treatment plan (60 days):
- Enforce MFA + conditional access; disable legacy auth
- Segment networks: guest/IoT separate; VLANs for admin vs clinical
- Switch backups to immutable storage; quarterly restore drills
- Update vendor contract; restrict API scopes; add audit logging
- Run phishing simulation + targeted training for reception and billing teams
Outcome:
Risk ratings reduced from Extreme to Medium/Low for email compromise, ransomware impact, and vendor exposure. Insurer provided premium discount at renewal.
Practical tooling (SMB-friendly)
- Microsoft 365: Secure Score, Conditional Access, DLP, Defender for Office 365, Purview sensitivity labels
- Endpoint: Defender for Endpoint, CrowdStrike, SentinelOne (managed EDR options)
- Identity: Azure AD (Entra ID) P1/P2 features for conditional access & PIM; Okta as alternative
- Backups: Veeam with immutable repositories, object lock (S3-compatible), or vendor-managed immutable backup as a service
- Monitoring: Microsoft Sentinel/MDR service, or third-party SOC with clear SLAs
- Vuln management: Qualys, Tenable, Defender Vulnerability Management
Choose based on environment size, budget, and in-house capability. Managed services can be cost-effective for 24×7 monitoring and response.
Common pitfalls (and how to avoid them)
- Treating risk assessment as a checkbox → Make it continuous; tie actions to budget and KPIs.
- Focusing only on firewalls → Identity, email, backups, and endpoints are usually your biggest wins.
- No restore testing → Backups that don’t restore quickly are a false sense of security.
- Ignoring vendors → Add security clauses, right-to-audit, breach notification, and minimum control sets.
- Underestimating people risk → Invest in targeted, scenario-based training; measure click rates and improvement.
KPIs to track maturity
- MFA coverage (% of users/apps)
- Patch SLAs met (critical/important)
- Phishing simulation failure rate (↓ over time)
- EDR coverage and mean time to respond (MTTR)
- Successful restore tests (RTO/RPO met)
- Essential Eight target maturity achieved (e.g., Level 2 → Level 3)
Jargon buster (plain English)
- ARPANET: A pioneering network run by the US ARPA; a precursor to today’s internet.
- Encryption: Turning information into unreadable code that only authorised parties can decode.
- MFA (Multi-Factor Authentication): Requiring two or more proofs (password + phone prompt) to verify identity.
- EDR (Endpoint Detection & Response): Advanced antivirus that detects suspicious behaviour and helps contain attacks.
- RTO/RPO: Recovery Time/Point Objectives - how fast you must restore, and how much data loss is tolerable.
- Zero Trust: “Never trust, always verify.” Every request must be authenticated and authorised.
FAQ
How often should we run a risk assessment?
At least annually. Semi-annual for higher-risk environments or those with frequent change. Always reassess after significant incidents or system changes.
We’re a small clinic - do we really need all this?
Yes, but right-size it. Start with MFA, patching, EDR, immutable backups, and basic segmentation. Document decisions and revisit quarterly.
Do cyber insurers require specific controls?
Increasingly yes: MFA, EDR, secure backups, privileged access controls, and an incident response plan with testing evidence.
What’s the difference between a vulnerability scan and a penetration test?
A scan automates detection of known flaws; a pen test simulates an attacker to exploit weaknesses and assess real-world impact.
How do we prioritise?
Use the risk matrix. Tackle Extreme/High risks first – typically identity/email, backups, and patching – then address Medium/Low items.