Risk Assessment

The security of your information systems is essential to the continued success of your small business. With so many security threats and vulnerabilities, where do you start? Can you identify the threats faced by your company? Have you identified your company’s specific network vulnerabilities? What is the probability that your company will fall victim to an attack exploiting those vulnerabilities? What are the financial implications?

Most large organizations with dedicated IT departments and risk management functions find these questions difficult to answer. As a small business owner, what is the chance you can answer these questions all on your own? Like most areas of cyber security, a little effort can go a long way.

Threats come in many forms, and it does not make sense to try to protect against all of them. Instead of becoming overwhelmed and giving up, why not start out simple? First, focus on implementing the essential controls that most organizations should have. These are based on best practices and are designed to protect your business from the majority of threats by establishing a baseline level of security. The following is a list of essential actions a small business should take to protect its information systems and networks, as described in NIST IR 7621.

  1. Protect systems from damage from viruses, spyware and malicious code
  2. Provide security for your Internet connection(s)
  3. Install and activate software firewalls on all business systems
  4. Patch and update your operating systems and applications
  5. Back up your business data and information
  6. Control physical access to your systems and network equipment
  7. Secure your wireless networks
  8. Train your employees in basic security principles
  9. Require individual accounts for each employee on business computers and applications
  10. Limit employee access to data and information and limit authority to install software

Once the basics are covered, you can focus on addressing areas of unacceptable risk to your business by adding controls that go above and beyond your security baseline. A risk assessment should analyze the type of data your company collects and stores on its network, the size and reach of your network, and the threats that are unique to your business. A risk assessment will allow you to identify vulnerabilities and prioritize your response to them by determining the probability that they will be exploited and quantifying the damage if they are. This is a key point. “Quantify the damage”: when you lose data, do you lose customers? Do you lose an edge in attracting new customers? Do you lose your own proprietary data or intellectual property? Each of these has monetary value. You need to spend time estimating these values, because this will help determine what you might be willing to spend to protect them.

In the end, the result of your risk assessment should be a list of risks to your business, prioritized by loss potential.
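As an added illustration (not part of the original article), the prioritization described above can be carried out with the standard annualized loss expectancy framing: expected yearly loss is the cost of one incident (SLE) multiplied by the expected number of incidents per year (ARO), risks are ranked by that figure, and a control is worth buying only if the expected loss it removes exceeds its yearly cost. The risks, dollar figures and control effectiveness below are constructed estimates for a hypothetical small business, not data from the article.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    single_loss: float  # SLE: estimated cost of one incident, in dollars (constructed)
    annual_rate: float  # ARO: expected incidents per year, i.e. probability of exploitation

    def annual_loss(self) -> float:
        # ALE = SLE x ARO: the "loss potential" used to rank risks
        return round(self.single_loss * self.annual_rate, 2)


@dataclass
class Control:
    name: str
    annual_cost: float     # yearly cost of buying/operating the control
    rate_reduction: float  # fraction of incidents the control is expected to prevent (0..1)


def prioritize(risks: list[Risk]) -> list[str]:
    """Risk names ordered from highest to lowest expected yearly loss."""
    return [r.name for r in sorted(risks, key=lambda r: r.annual_loss(), reverse=True)]


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Expected yearly loss avoided minus the control's cost; positive means worth spending."""
    remaining = Risk(risk.name, risk.single_loss, risk.annual_rate * (1 - control.rate_reduction))
    return round(risk.annual_loss() - remaining.annual_loss() - control.annual_cost, 2)


# Constructed sample register for a hypothetical small business.
RISKS = {
    "ransomware": Risk("ransomware on file server", single_loss=40000, annual_rate=0.25),
    "laptop": Risk("stolen laptop holding the customer list", single_loss=15000, annual_rate=0.5),
    "defacement": Risk("web site defacement", single_loss=2000, annual_rate=1.0),
}
CONTROLS = {
    "backups": Control("offline backups", annual_cost=3000, rate_reduction=0.8),
    "fde": Control("laptop full-disk encryption", annual_cost=1200, rate_reduction=0.9),
    "waf": Control("managed web application firewall", annual_cost=5000, rate_reduction=0.9),
}

if __name__ == "__main__":
    print("priority order:", prioritize(list(RISKS.values())))
    for rk, ck in (("ransomware", "backups"), ("laptop", "fde"), ("defacement", "waf")):
        print(f"{CONTROLS[ck].name}: net benefit {control_net_benefit(RISKS[rk], CONTROLS[ck]):+.2f}")
```

With these figures the firewall costs more per year than the defacement risk it mitigates, which is the kind of conclusion the "what you might be willing to spend" step is meant to surface.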