
Why You Can't Always Trust Cyber Risk Assessments

By Ashlyn Eperjesi

Mar 8, 2021

Let’s begin with a reality check – your company will be the target of a cyber-attack. It’s no longer a question of if, but a matter of when.

One way to measure your risk of experiencing an expensive attack is through a cyber risk assessment.

These assessments can be intensive and thorough, covering every aspect of your business and security. Unfortunately, not all of these assessments are created equal. Some “free reports” are simply scans built on outdated information that are then packaged to sell a product or service. Beware of any promises of complete protection, dark web scans, or assessments that can be done in minutes. If it sounds too good to be true, it normally is.

However, let’s make it clear that not all cyber risk assessments are worthless. Depending on the provider, an assessment can offer trustworthy, valuable insight that could help mitigate your cyber-attack risk. Your company can gain heaps of information from quality in-house assessments as well. We want to help you get the most value out of your next cyber risk assessment, so read below for more information on what to look for.

Where Cyber Risk Assessments Can Go Wrong:

You should know exactly which aspects a risk assessment is measuring, and which are being excluded. Exposed passwords or “dark web scans” are not enough to accurately portray your company’s risk levels, since attackers have other areas of opportunity. Your systems and physical equipment offer entry points for hackers. Even vendors and your employees pose a risk to your cybersecurity. Each of these areas should be analyzed and assessed to ensure accurate data is reported. If not, you could experience more than a waste of money, time, and resources.

An incomplete risk assessment can also spell disaster for your cyber insurance. Poor risk mitigation on your end could mean little to no coverage in the event of a security breach. Much like home insurance, your coverage is dependent on you keeping your systems protected. If you lock your front door when you leave your home, why wouldn’t you do the same for your sensitive digital data?


Insurance providers may offer their own risk assessments for your business, but these often only look at the tip of the iceberg. Underneath, there are countless other risk factors lurking.

Sometimes, no matter how secure your system is, login information will find its way out. Illusive “dark web scans” will say that your account information is exposed all across this hidden side of the internet. While this could be true, the information could also be outdated. Your exposed password could be completely different from your current password, but the report won’t show that. If you are following proper password etiquette and changing them frequently, dark web reports offer little value to your overall risk report. Don’t be tricked into believing these are reliable measures for a cyber risk assessment.

How Cyber Risk Assessments Can Help:

In a proper, detailed cyber risk assessment, every aspect of your company is assessed. This involves much more than your IT department or outsourced team. High-level executives are a prime target for many cyber-attacks, so their security practices are analyzed. Company-wide cybersecurity policies, or the lack thereof, are examined. Everything down to how frequently an employee changes their password is reported. If properly performed, the results can offer valuable insight into various aspects of your risk mitigation and your business as a whole.

For instance, a quality cyber risk assessment can pinpoint potential weaknesses in your system. And your business is only as secure as your weakest access point. This could be a vendor that has access to more than they should. Or perhaps your equipment is outdated and finally needs that upgrade.

Thorough assessment results can also highlight foundational concerns, such as a lack of a company culture focused on risk mitigation. Something so core to your business, like the culture, can make or break future attempts to minimize risk. Employees should be aligned on the purpose of all security protocols, from enabling MFA to updating devices frequently. If it’s discovered that your team doesn’t regularly follow safe password policies, there are countless growth opportunities. It could mean your employees aren’t familiar with your policies. This would be a perfect time to schedule employee cybersecurity training.

Cyber risk assessments can be a beneficial tool for your company if you choose a quality, trustworthy source. For many small to medium businesses, this often means utilizing an outsourced assessor. Seek out highly recommended vendors that are transparent about their procedures. If you decide to seek internal help for your assessment, thoroughness and honesty are key to a reliable report.

You can’t trust every cyber risk assessment, but you can learn to decipher the valuable from the useless. Still have questions? Reach out to our team at [email protected]

© 2021 Fixed Fee IT