A Quick Guide To Performing A Data Risk Assessment

Josh Amishav · Last updated Mar 13, 2026 · 8 Minute Reading Time

Learn how to perform a data risk assessment that finds real risks.

• A data risk assessment identifies what data you have, where it lives, and what threatens it. Most companies skip the classification step and end up protecting everything equally, which means protecting nothing well.
• The five steps: scope your data, classify by sensitivity, identify threats, evaluate your current controls, and prioritize by risk level. Most teams get stuck between steps 3 and 5.
• Credential exposure is the risk most assessments miss. Your employees’ passwords may already be on the dark web. Credential monitoring finds these exposures before attackers exploit them.
• Annual assessments aren’t enough. Reassess whenever you add vendors, change infrastructure, or discover a breach. Your risk profile changes faster than your assessment cycle.

IBM’s 2025 report found that breaches cost $4.44 million on average. Most of that cost traces back to risks that were known but not prioritized.

The problem with most data risk assessments is that they produce a spreadsheet nobody acts on. They catalog risks without ranking them by what actually matters to your environment.

A useful assessment tells you where your biggest exposures are and what to fix first.

This guide walks through how to perform a data risk assessment in five steps.

What Is a Data Risk Assessment?

You can’t protect data you don’t know about. A risk assessment tells you what you have, what threatens it, and what to do about it.

A data risk assessment is the process of identifying what sensitive data your company holds, evaluating what threatens it, and prioritizing which risks to address first. It covers data classification and risk scoring. The output is a ranked list of what to fix first.

Most companies do some version of this, but the results rarely change anything. A useful assessment ranks risks by actual business impact so your team knows where to focus. The assessment feeds directly into your data security strategy and is the starting point for a broader data risk management program.

The Verizon 2025 DBIR found that stolen credentials were the #1 initial access vector, involved in 22% of breaches. If your risk assessment doesn’t evaluate whether your employees’ passwords are already on the dark web, you’re missing the most likely attack vector.

How Do You Perform a Data Risk Assessment?

Five steps. Each one builds on the previous.

Step 1: Scope Your Data

Start by mapping what sensitive data you hold and where it lives. This sounds basic, but most companies can’t answer it completely. Data spreads across cloud services and employee devices. Vendor systems add another layer.

Focus on the data that matters most: customer PII, employee credentials, and financial records. Don’t try to catalog everything at once. Start with the data that would cause the most damage if exposed.

Step 2: Classify by Sensitivity

Not all data needs the same protection. A customer’s Social Security number is more sensitive than your company blog drafts. Classification determines how much you invest in protecting each data type.

Data classification is the process of categorizing data by sensitivity level – typically public, internal, and restricted. Classification determines which security controls apply to each data type and what notification obligations you have if that data is exposed.

Map each data type to a classification level. Then map each classification level to specific controls: who can access it, how it’s encrypted, and how long you retain it.

Step 3: Identify Threats

What’s most likely to compromise each data type? The answer varies by industry and infrastructure.

For most companies, the top threats are:

Credential theft. Stolen passwords from third-party breaches and infostealer malware give attackers direct access. IBM found that credential-based breaches cost $4.67 million on average and take 246 days to detect.

Phishing. The second most common breach vector at 16% of all incidents. Attackers trick employees into handing over credentials or installing malware.

Cloud misconfiguration. Public databases and open S3 buckets. These aren’t attacks – they’re mistakes that expose data to anyone who looks. See our guide on data leaks for examples.

Third-party vendors. Your vendors have access to your data. When they get breached, your data is exposed. Supply chain breaches cost $4.91 million on average and take 267 days to resolve.

Insider threats. Both accidental (sending data to the wrong person) and malicious (stealing data deliberately). Insider breaches cost $4.92 million – the most expensive attack vector.

Step 4: Evaluate Your Controls

For each threat, assess what controls you have in place and how effective they are.

Ask these questions:

  • Do you have MFA on all externally accessible systems?
  • Are you monitoring for leaked employee credentials on the dark web?
  • When was your last penetration test?
  • Do your cloud configurations get audited automatically or manually?
  • Do you review third-party vendor security practices?
  • Is your incident response plan tested or just documented?

Be honest. A control that exists on paper but isn’t enforced doesn’t reduce risk. An MFA policy that has exceptions for executives is weaker than it looks.

Step 5: Prioritize by Risk Level

This is where most assessments fall apart. You’ve identified 50 risks. Now what?

Score each risk by likelihood (how probable is this?) and impact (how bad is it if it happens?). Multiply them to get a risk score. Then rank by score and address the highest ones first.

High likelihood + high impact = fix immediately. Employee credentials on the dark web with no MFA on VPN access? That’s a breach waiting to happen.

Low likelihood + high impact = plan and prepare. A nation-state targeting your company is unlikely for most businesses, but if it happened the damage would be severe. Have a plan but don’t over-invest.

High likelihood + low impact = automate. Phishing emails hitting your team daily? Automate email filtering and run regular simulations.

The goal is a prioritized action list, not a color-coded spreadsheet. Every item should have an owner and a deadline.
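The scoring and triage rules above are simple enough to keep in a small script rather than a spreadsheet. The following is an added example (not Breachsense’s own tooling, and not code from the original post) that scores a risk register with the likelihood × impact formula, ranks it, applies the three treatment rules from this step, and flags items that still lack an owner or deadline. It assumes a 1–5 scale on both axes and treats 4 or above as “high”; the article does not fix a scale, so both are assumptions, as is the “accept and monitor” label for the low/low case the article does not name. The sample register is constructed from the scenarios in the text.

```python
"""Risk scoring and prioritization for a data risk assessment (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

HIGH = 4  # assumption: a 1-5 score of 4 or 5 counts as "high" on either axis


@dataclass
class Risk:
    name: str
    data_type: str            # the data type from the classification step
    likelihood: int           # 1 (rare) .. 5 (expected); assumed scale
    impact: int               # 1 (negligible) .. 5 (severe); assumed scale
    owner: str = ""
    deadline: Optional[date] = None

    @property
    def score(self) -> int:
        # The article's formula: likelihood multiplied by impact
        return self.likelihood * self.impact

    @property
    def action(self) -> str:
        # The three treatment rules from "Step 5: Prioritize by Risk Level"
        high_l = self.likelihood >= HIGH
        high_i = self.impact >= HIGH
        if high_l and high_i:
            return "fix immediately"
        if high_i:
            return "plan and prepare"
        if high_l:
            return "automate"
        return "accept and monitor"  # assumed label for the low/low case


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank by score, highest first; ties go to the higher-impact item."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def missing_owner_or_deadline(risks: List[Risk]) -> List[str]:
    """Items that would ship as a spreadsheet row rather than an action item."""
    return [r.name for r in risks if not r.owner or r.deadline is None]


# Constructed sample register built from the scenarios the article uses.
SAMPLE_REGISTER = [
    Risk("Employee credentials on dark web, no MFA on VPN", "employee credentials",
         likelihood=5, impact=5, owner="IAM lead", deadline=date(2026, 3, 20)),
    Risk("Nation-state targeting the company", "customer PII",
         likelihood=1, impact=5, owner="CISO", deadline=date(2026, 6, 30)),
    Risk("Daily phishing against staff", "employee credentials",
         likelihood=5, impact=2, owner="Security ops", deadline=date(2026, 4, 15)),
    Risk("Public S3 bucket holding published marketing assets", "public",
         likelihood=3, impact=1),  # no owner yet: the report should call this out
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:>2}  {r.action:<18}  {r.name}  owner={r.owner or '-'}")
    print("needs owner/deadline:", missing_owner_or_deadline(SAMPLE_REGISTER))
```

Running it prints the register ranked 25, 10, 5, 3: the credential exposure with no VPN MFA lands on top as “fix immediately”, daily phishing scores higher than the nation-state scenario but is routed to “automate”, and the nation-state item goes to “plan and prepare” despite its low score, which is exactly the distinction a single score column hides. The last line reports the unowned item so it cannot silently stay on the list.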

What Are the Biggest Risks Most Assessments Miss?

Traditional risk assessments focus on internal controls. They check your firewall rules and encryption settings. But some of the biggest risks are external and invisible to standard assessments.

Credentials already on the dark web. Your employees’ passwords may have been exposed through third-party breaches or infostealer malware months ago. Your internal controls look fine, but attackers already have valid login credentials. Dark web monitoring catches these exposures. Without it, your risk assessment is incomplete.

Shadow IT. Employees sign up for SaaS tools using corporate email without IT approval. Those accounts don’t appear in your data inventory. When those services get breached, your credentials leak through a system you didn’t know existed.

Password reuse across personal and work accounts. An employee uses the same password for their corporate VPN and their personal Netflix account. Netflix gets breached. Now attackers have your VPN password. Your internal controls can’t prevent this because the exposure happened on a system you don’t manage.

Cyber insurance gaps. Your insurer scans for your credential exposure during underwriting. If they find hundreds of exposed passwords, your premiums go up or your coverage gets denied. Most risk assessments don’t account for how external exposure affects insurance.

How Often Should You Reassess?

Annual assessments are the minimum. But your risk profile changes faster than once a year.

Reassess when:

  • You onboard a new vendor with access to sensitive data
  • You migrate to new cloud infrastructure
  • You experience a breach or discover leaked credentials
  • Regulations change in your industry or geography
  • You acquire another company and inherit their data
  • A new attack technique emerges that affects your tech stack

Between formal assessments, keep your data inventory updated and run continuous monitoring. The point of a risk assessment isn’t to produce a document. It’s to maintain an accurate picture of your risk so you can act on it.

Which Compliance Frameworks Require Data Risk Assessments?

If you’re in a regulated industry, risk assessments aren’t optional. Multiple frameworks mandate them.

GDPR requires a Data Protection Impact Assessment (DPIA) when processing is “likely to result in a high risk” to individuals. This applies to large-scale processing of sensitive data, automated decision-making, and systematic monitoring. A data privacy risk assessment under GDPR must evaluate the necessity of the processing, the risks to data subjects, and the measures you’re taking to address those risks.

HIPAA requires covered entities to conduct a risk analysis of potential threats to protected health information (PHI). The Security Rule specifically mandates that you “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” This isn’t a suggestion – it’s an enforceable requirement.

PCI DSS requires a formal risk assessment at least annually and after any significant change to your cardholder data environment. The assessment must identify threats to cardholder data and evaluate the effectiveness of your current controls.

SOC 2 Trust Services Criteria require risk assessment as part of the Common Criteria. Your auditor will look for evidence that you’ve identified risks and implemented controls to address them.

The common thread: every framework wants to see that you’ve identified your risks and can prove you’re managing them. A well-documented risk assessment satisfies multiple compliance requirements at once.

Quick Data Risk Assessment Checklist

Use this as a starting point. Adapt it to your environment.

Scope and inventory:

  • List all systems that store sensitive data
  • Identify all cloud services where corporate data lives
  • Map which third-party vendors have access to your data
  • Document who has access to each data type

Classification:

  • Categorize data by sensitivity level (public, internal, restricted)
  • Identify data subject to specific regulations (HIPAA, GDPR, PCI)
  • Flag any data you’re storing that you don’t need

Threat identification:

  • Check for exposed employee credentials on the dark web
  • Review recent phishing attempts against your company
  • Audit cloud configurations for public exposure
  • Assess vendor security practices

Controls evaluation:

  • Verify MFA is enforced on all externally accessible systems
  • Confirm encryption is active for data at rest and in transit
  • Check that your incident response plan has been tested this quarter
  • Verify access reviews have been completed this quarter

Prioritization:

  • Score each risk by likelihood and impact
  • Assign owners to the top 10 risks
  • Set deadlines for remediation
  • Schedule the next assessment

What Tools Help With Data Risk Assessment?

You don’t need a dedicated GRC platform to do a useful risk assessment. But some tools make specific parts easier.

For data discovery and classification: Tools like Varonis or Spirion help map where sensitive data lives across your systems. This automates the inventory step.

For vulnerability scanning: Nessus, Qualys, or your cloud provider’s built-in tools identify technical weaknesses.

For credential exposure: Credential monitoring checks whether your employees’ passwords are already circulating on dark web markets. This covers the external exposure that internal tools miss.

For cloud configuration: AWS Security Hub and Azure Security Center flag misconfigurations automatically.

For vendor risk: SecurityScorecard and BitSight provide external risk ratings for your vendors. These complement (but don’t replace) your own vendor assessments.

The best risk assessment combines automated tooling with human judgment. Tools find the risks. Your team decides which ones matter most.

Book a demo to see how Breachsense fits into your data risk assessment by monitoring the dark web for your organization’s exposed credentials.

Data Risk Assessment FAQ

It’s the process of identifying what sensitive data you hold, what threatens it, and how well your current controls protect it. The output is a ranked list of risks with specific actions for each one.

At minimum annually. But also reassess whenever you onboard new vendors or change cloud infrastructure. A breach or expansion into markets with different notification requirements should also trigger a reassessment.

A data security risk assessment focuses specifically on the technical controls protecting your data – encryption and access controls. It’s one component of a broader data risk assessment, which also covers compliance and vendor risk.

At minimum: a data inventory with classification levels, a threat catalog relevant to your industry, and a risk scoring matrix (likelihood × impact). Add a prioritized action plan with owners and deadlines. The format matters less than making it specific to your environment.

A vulnerability assessment identifies technical weaknesses in your systems (unpatched software, open ports). A risk assessment is broader – it evaluates the likelihood and business impact of those vulnerabilities being exploited. A critical vulnerability on an isolated test server is lower risk than a medium vulnerability on your production database.

Most risk assessments evaluate internal controls but miss external exposure. Credential monitoring checks whether your employees’ passwords are already circulating on criminal marketplaces. If they are, your access controls are already compromised regardless of how strong they look on paper.
