Don’t leave your front door unlocked, and don’t spend time and money on cybersecurity before assessing and addressing your small business’s actual risk, a risk whose cost is climbing steeply. In 2018, the average ransom demanded after a ransomware attack was $5,000. Last year, the average was around $200,000[i]. What is your risk?
Vision, passion, and discipline are essential to running a successful small business. Our goal is to help you be passionate about cybersecurity while implementing disciplined, straightforward risk mitigation steps. One of the first disciplined, prudent steps to take is to conduct an assessment of the real cybersecurity risks facing your business. Most of us have to work hard to implement good habits, and we hope you will make a periodic—even quarterly—risk assessment habitual to your organization.
Running a Baseline Assessment
Understanding your risks is essential to preparing for them. Most small businesses avoid cyber risk assessments because the process feels too complex and too resource-intensive. It doesn’t need to be. We have completed holistic cyber risk assessments for firms, including reasonable (i.e., defensible) mitigation steps that are low cost and high impact, in a matter of hours. While there are several free and well-designed assessment frameworks to choose from (e.g., the CIS Controls), here is the condensed process we use:*
Gather a few leaders/managers with a broad understanding of key business operations/functions (e.g., Ops, Marketing, Sales, Distribution).
Catalog your information assets: Know what is in your technological care (e.g., data sets, computers, servers, telecommunications).
Assess risk: while normative “scoring” frameworks exist, start by asking, “What would the impact to my business be if this asset (e.g., POS, client data, supply chain) were compromised or deleted?”
Analyze risk: How likely is this to happen? Treat it just as you would other business risks (e.g., weather, traffic, legal, supply base).
Have a conversation with a cybersecurity specialist to define the most efficient and effective “controls” to address the viable risks (e.g., a threat that can exploit a vulnerability) to your IT and data.
Set Security Controls to reduce your risks to acceptable levels: Don’t overthink “acceptable”; start the conversation, and let it mature over time. These controls include everything: from password managers (sound familiar?), secure backups, employee training, extra care for credentials, to locked doors. Most of these are free or nearly free measures.
Monitor and review effectiveness: Malicious actors are innovative, so keep the conversation going with your IT provider and a cyber specialist you trust. Unless you are subject to specific cyber standards (e.g., CMMC, ISO 27001, NIST SP 800-171), this does not need to be an unduly expensive endeavor, either.
Create your Plan of Action and Milestones
With the information you have uncovered in your risk assessment (internal or external) or in an external audit, create a plan. Without one, you will likely spend time and money in areas that are not the best “bang for your buck” for cyber defense and resilience (how well you can recover from an attack). Just as you would for any business endeavor, mobilize and align your team with goals, deliverables, responsibilities, and a timeline.
Risk assessment is necessary but does not have to be unduly expensive or opaque. Just as you seek advice on insurance policies to address risks (e.g., “don’t insure what you can afford to lose”), we strongly recommend you set aside a few hours a year to give this the attention it is due. A ransomware attack against a small business occurs every 11 seconds. Through manageable habits and easily implemented steps, you can take strides to protect your small business from cybercrime like ransomware.
[i] National Security Institute (n.d.). The Growing Ransomware Wave. Security Sense. Retrieved 17 November 2021 from Employee Cyber Security Awareness, National Security Institute (nsi.org).