The First Step to Cybersecurity: Building a Secure Foundation for Small Businesses and Schools
Cybersecurity isn't just about technology; it’s about ensuring that technology and human behavior work together to protect an organization's assets, so that it will achieve its goals securely.
Anything that prevents an organization from achieving its goals securely is considered a risk to that organization. To keep risks from slowing down progress, we must first identify them, then take steps to mitigate or weaken them. These steps also shape the habits that individuals and organizations must form to ensure risks do not interfere with their goals.
Risk assessment is the ongoing process of identifying the potential risks (which we will also call threats) to an organization that could prevent it from achieving its goals securely. It involves understanding the risks, deciding which ones matter most, and taking steps to reduce them or to be prepared if they happen anyway.
We will now look at the risk assessment process and how we can apply it to real scenarios for small businesses and schools, and at the end, you should have something that you can take and apply to your unique scenario and improve your cybersecurity posture.
Risk assessment can be broken down into four phases:
- The identify assets phase
- The threat evaluation phase
- The vulnerability assessment phase
- The risk prioritization phase, where we put risks in order of urgency.
Identifying Assets
MarySues Tropical Café
Mary, the owner of a small café called “MarySues Tropical Café”, wanted to attract more customers, so she decided to build a website listing her menu and the features available, like free Wi-Fi, a lounge area for customers to relax, and a merchandise section where people could buy mugs, t-shirts and other items. For convenience, everything could be ordered online.
So, she found the cheapest website hosting company she could find and a talented teenager to build the website for her at a good price.
A few weeks after the website went live and new customers were coming in and placing their orders online, Mary’s sister Leana, who had been helping with the point of sale (POS) system, noticed payment reversals and missing transaction logs in the POS system.
When Mary was told about the situation, she called a friend, Timothy, a cybersecurity consultant, who recommended listing all the important assets needed to keep the café operational:
- Customer Data: names, addresses, payment information
- Financial Records: bank statements, transaction data
- Brand Reputation: the café’s loyal customers
- Key Equipment: POS hardware and software and café’s laptop
After identifying the assets, Timothy updated the POS system and the laptop’s operating system to fix vulnerabilities. He also made some recommendations for the security of the website to prevent potential risks.
Once Mary had identified her assets, she was able to focus protection on the right things. If you do not know what your assets are, you cannot know what to protect.
1. Examples of Identified Assets
For small businesses this could be:
- Customer Data: Names, addresses, payment information (e.g. E-commerce or POS system).
- Financial Records: Bank statements, invoices, payroll details.
- Brand Reputation: Negative news about a cyber-attack can hurt customer trust and future sales.
- Key Equipment: Laptops, smartphones, POS terminals (used during work hours).
For Schools this could be:
- Student Records: Personal information, grades, and health records.
- Staff Records: Teachers’ personal and payroll data.
- IT Infrastructure: Computers, projectors, student portals (e.g., for homework submissions), and administrative systems.
- Reputation/Trust: A cyber-attack could hurt trust of parents, students, and the wider school community.
Threat Evaluation
Maersk
Maersk, a global shipping company, lost its operations to a cyber-attack by the malware known as NotPetya.
The attack came through an accounting software update whose update servers had been compromised by cybercriminals.
The malware encrypted each computer’s boot record, preventing the machines from starting, and encrypted files, making recovery impossible.
Whenever we do a threat evaluation in risk assessment, it helps us to understand who or what could take advantage of weaknesses in an organization's assets. The who or what could be hackers, staff, or natural disasters, so this is not limited to technology.
Using Maersk’s situation as an example, we can identify nine recommendations that could have mitigated or prevented this cyber-attack:
- Network Segmentation, e.g. separating shipping operations from logistics & supply chain, sales & business and other areas, would have prevented the malware from spreading to all computers.
- Sandbox Testing of Updates, to test updates before applying them to all computers, would prevent those computers from being affected by a failed or compromised update.
- Strict Access Controls & Least Privilege reduce the effect of an attack, because users have only the permissions they need.
- Robust Monitoring & Detection provides early detection of attacks for faster response.
- Multi-Factor Authentication (MFA) prevents unauthorized logins if a password is compromised.
- Vendor Vetting / Supply Chain Risk Assessments ensure that the software vendors you use also do their own risk assessments and take cybersecurity and privacy seriously.
- Regular Software Updates and Secure Settings could have prevented the malware from exploiting a known Windows vulnerability.
- Regular, Tested Backups allow faster recovery from a more recent backup.
- User Education & Incident Response educate staff about social engineering and how to respond in the event of an attack.
So always ask yourself who or what could break into your systems, check with your business partners about their security habits, watch for unusual network activity and stay alert to signs of an attack.
2. Examples of Evaluating Threats
For Small Businesses this could be:
- Phishing and Ransomware Attacks: Hackers send fake emails to employees, tricking them into giving away credentials or installing malicious software.
- Insider Threats: A disgruntled or careless employee who might improperly access or share sensitive data.
- Financial Fraud: Cybercriminals may attempt to change invoice details or trick the business into wiring money to fraudulent accounts.
For Schools this could be:
- Unauthorized Access to Student Data: Hackers or even curious students gaining entry to portals with sensitive records.
- Vandalism or Theft of Devices: School laptops or tablets may be stolen, especially if they’re used in multiple classrooms or lent out to students.
- Disruption of Online Systems: A denial-of-service attack could shut down the school’s website or learning platforms, halting virtual classes or online grade submissions.
Vulnerability Assessment
Student Hacking School's Portal
A school, let’s call it The Elem School, had always been one of the first schools in its area to be fully computerized, using technology to improve the learning experience of its students.
The e-learning platform was a major plus, enabling students to access homework resources from the comfort of their homes.
Although The Elem School was on the cutting edge in terms of technology, it had some shortcomings in terms of security, which created a problem the school’s administration was not aware of.
Although everyone had their own user account, because every login gave access to the e-learning platform, many teachers and students would share their logins or leave their accounts logged in for convenience. This made it impossible to track who accessed sensitive information.
Another problem was that the server room was never locked, and from time to time students and staff would, out of curiosity, enter to see what the servers and the network rack looked like. On top of that, the e-learning platform had not been updated in years.
One day, James, one of the eldest students, who was very familiar with computers, decided to test a hacking technique he had learnt about on YouTube. Because the e-learning platform was outdated, there was a vulnerability that made it very easy for him to access the sensitive sections, and he was able to read the teachers’ emails.
His actions were soon discovered by a teacher, who reported it to the Principal, who met with him and reprimanded him. Although he did not cause any major damage, the school’s administration understood the risk if someone with bad intentions took advantage of the vulnerabilities and, with the help of a cybersecurity professional, began a vulnerability assessment to solve the following problems:
- Shared Logins: Everyone was instructed to use only their personal accounts and never share accounts again. Multi-factor authentication was implemented, which helped to discourage the sharing of login credentials.
- Physical Security Gaps: A lock was placed on the server room’s door to keep it secure and allow only authorized persons to get in.
- Outdated E-learning Platform: A regular schedule was set up to update the e-learning platform, as well as the operating system of every computer at the school. This would help to address any known vulnerabilities.
The Elem School also started quarterly cybersecurity training for teachers and students, with regular tests to check whether people had started doing the right things. As a result of the vulnerability assessment, The Elem School improved its cybersecurity posture by using its security breach as a learning experience.
3. Examples of Vulnerability Assessment
For Small Businesses this could be:
- Outdated Software: Not installing the latest updates (patches) on point-of-sale systems or office computers.
- Weak Passwords: Reusing simple passwords or having them stuck on a sticky note near the register.
- Lack of Training: Employees unaware of phishing signs or the importance of secure Wi-Fi settings.
For Schools this could be:
- Shared Logins: Teachers and students sometimes share generic accounts to access certain resources, increasing the risk of unauthorized access.
- Physical Security Gaps: Server rooms or IT equipment not locked, allowing anyone to enter.
- Unpatched Education Platforms: E-learning software might have known vulnerabilities if not regularly updated.
Prioritizing Risks
Securing School's Website
So, we now have another story about a school and technology. Let’s call this school May Pen High School, where technology was an even bigger part of daily running than at The Elem School.
They did not stop at using technology for teaching; they also used the school’s online portal for student grades and for sitting exams. With their state-of-the-art camera integration, students who were sick or unable to be at the school could sit their exams online, and the cameras ensured they were not cheating in any way to answer the questions.
One day, during a monthly IT meeting at which an alumnus who specialized in cybersecurity was present, they pointed out the identified risks and, to better understand their seriousness, prioritized them:
- Critical and Likely: The administrative portal holding student data was not fully secured.
- Moderate Risk: The possibility of technical disruptions during the next online exam.
- Lower Priority: Staff receiving spam emails, which were annoying but posed no immediate danger.
Following the meeting’s conclusion, the school prioritized securing the administrative portal first. It then installed encryption protocols, ensured logins were secured, added multi-factor authentication to prevent unauthorized logins, and limited access to sensitive data based on the user’s role. A few weeks after this meeting, the server logs revealed a failed hacking attempt, which motivated the school to implement the new recommendations quickly.
While addressing the portal, the team also prepared for online exam disruptions by conducting system checks and creating backup and recovery procedures. Spam emails were less critical and were managed afterwards with simple email filters.
4. Examples of Prioritizing Risks
For Small Businesses this could be:
- Critical and Likely: Phishing leading to a customer data breach—can cost a business its reputation and fines from regulators.
- Moderate Risk: A new or untested software plugin on the website that could expose financial info—less likely but high impact if it happens.
- Lower Priority: Minor spam attempts that don’t affect daily operations—monitor these, but devote fewer resources compared to bigger risks.
For Schools this could be:
- Critical and Likely: Unsecured administrative portals containing student data—could cause major compliance and privacy issues if breached.
- Moderate Risk: Tech disruptions during online exams—may not always happen, but if it does, it impacts academic scheduling.
- Lower Priority: Generic spam emails received by staff—annoying, but typically less damaging than a full-blown hack.
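To show how the four phases (assets, threats, vulnerabilities, prioritization) come together in a risk register, here is an added worked example in Python. It is not code from the original article or from MasadaOffensive: it scores each risk as likelihood multiplied by impact on a 5x5 matrix and sorts the register into the three bands used above. The rating scales, the band thresholds, and the ratings given to the May Pen High and small-business risks are all assumptions made for this example; the entries themselves are constructed from the stories on this page.

```python
"""Risk register: score and rank risks so the most urgent are handled first.

Scoring uses a 5x5 likelihood-by-impact matrix (scores 1..25). The scales,
the band thresholds and all ratings below are assumptions of this example.
"""
from dataclasses import dataclass

# Ordinal scales for the two ingredients of a risk score (assumed 1..5 scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    """One register row: the asset (phase 1), the threat (phase 2), the
    vulnerability it exploits (phase 3) and the two ratings used in phase 4."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    mitigation: str = ""

    def __post_init__(self):
        # Reject ratings outside the scale instead of silently mis-scoring them.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def tier(self) -> str:
        return tier_for(self.score)


def tier_for(score: int) -> str:
    """Map a 1..25 score onto the three urgency bands used in the article.
    The thresholds are an assumption; tune them to the organization's risk appetite."""
    if score >= 15:
        return "Critical and Likely"
    if score >= 6:
        return "Moderate Risk"
    return "Lower Priority"


def prioritize(risks):
    """Highest score first; ties broken by impact so the costlier loss comes first."""
    return sorted(risks, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)


def school_register():
    """Constructed register for the May Pen High story (illustrative ratings)."""
    return [
        Risk("Student data (administrative portal)", "External attacker",
             "Portal not fully secured (weak login, no MFA)",
             "likely", "severe", "Encryption, MFA, role-based access"),
        Risk("Online exam platform", "Technical disruption during an exam",
             "No tested backup and recovery procedure",
             "possible", "major", "System checks, backup and recovery procedure"),
        Risk("Staff mailboxes", "Spam senders", "No email filtering",
             "almost certain", "negligible", "Simple email filters"),
    ]


def business_register():
    """Constructed register for the small-business examples (illustrative ratings)."""
    return [
        Risk("Customer data", "Phishing leading to a data breach",
             "Employees unaware of phishing signs",
             "likely", "major", "Staff training, MFA"),
        Risk("Financial information on the website", "Compromised website plugin",
             "New, untested plugin installed",
             "unlikely", "major", "Test plugins before deploying them"),
        Risk("Staff mailboxes", "Spam senders", "No email filtering",
             "almost certain", "negligible", "Simple email filters"),
    ]


def render(risks):
    """Return the ranked register as printable text lines."""
    lines = []
    for rank, r in enumerate(prioritize(risks), start=1):
        lines.append(f"{rank}. [{r.tier}] score={r.score:2d} {r.asset}: "
                     f"{r.threat} via {r.vulnerability} -> {r.mitigation}")
    return lines


if __name__ == "__main__":
    for name, register in (("School", school_register()),
                           ("Small business", business_register())):
        print(f"== {name} ==")
        print("\n".join(render(register)))
```

Running the script prints each register in order of urgency, which reproduces the three bands above: the unsecured portal and the phishing breach land in "Critical and Likely", exam disruption and the untested plugin in "Moderate Risk", and spam in "Lower Priority". Re-rate a risk after its mitigation is in place and re-run to see whether it has dropped a band; that re-rating is what makes the assessment an ongoing process rather than a one-off list.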
Ready to strengthen your cybersecurity defenses?
Subscribe to our FREE MasadaOffensive Guide and gain access to a comprehensive cybersecurity kit with actionable steps and advice on securing your small business or school. For more advanced strategies and step-by-step guides on implementing solutions with a low budget in mind, explore our paid MasadaOffensive Mastery subscriptions, available in monthly or annual plans.
We are continuously adding new guides to help you strengthen your defenses, such as howTo: Deploy DMARC on a $0 Budget. Start building a more secure foundation today!