June 08, 2017

How to Make a Security Risk Assessment Work for You

An information security risk assessment is an effective way to identify your workplace's biggest security gaps. 

A surprising 70% of organizations in a recent global Enterprise Risk Intelligence survey are unaware of their critical assets and vulnerabilities. A security risk assessment identifies information security risks as well as safeguards and processes to help mitigate those risks. They are often a requirement of specific privacy laws too.

Cyber security risk is one obvious area that needs to be evaluated in the workplace but a security risk assessment will also delve into other areas including document security, employee training, data storage and destruction practices, and remote protocols.

Last year, nearly 2,000 reported data breaches in the United States exposed more than 2.9 billion user records, according to Risk Based Security’s annual data breach report.  The U.K. had the second most reported breaches with 203.  

While data breaches can do irreparable damage to a company’s reputation and customer loyalty, every year the cost of fraud continues to grow, according to Shred-it's 2017 State of the Industry Report.  Last year, the average cost of each lost or stolen record in North America was between $200 and $300.

Here is how to implement an effective security risk assessment.   


A risk assessment should look at all systems that contain sensitive information and are critical to operations.

  • First, a company must do an extensive review of the type of confidential information it collects and handles (i.e., personally identifiable information, HR data, intellectual property).  
  • Then a risk assessment will evaluate how the information is handled by people, information processes, and systems applications. The assessment can be a simple checklist with ‘Yes’ and ‘No’ answers or a more comprehensive document.


Improve information security best practices based on security risks.   

  • To address cyber security risks, for example, implement authentication processes, intrusion detection, encryption and other IT controls. Update and patch security software.
  • To reduce employee error, educate employees about appropriate handling and protection of sensitive data in and out of the workplace.  
  • To mitigate office document risks, prioritize the protection of data in all forms. Partner with a document destruction expert for more secure disposal of confidential information. Introduce a Shred-it All Policy so all documents are securely destroyed.  
  • To address legacy hard drive risks, introduce more secure protocols for the storage and destruction of hard drives.


Use the risk assessment to make better-informed decisions around information security.

  • Appoint a Chief Information Security Officer (CISO) to be responsible for information security.
  • Create a culture of security in the company.
  • Implement policies that standardize security such as a Clean Desk Policy.
  • Create a comprehensive breach response plan.
  • Avoid collecting information that isn’t needed. Purge data regularly.
  • Schedule regular security risk assessments – to stay on top of new areas or levels of risk.  

Start Protecting Your Business 

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.