Just opening the topic of cybersecurity for a small business can be a daunting task. A business leader, or owner can see cybersecurity as a VAT on their business. An erosion of profit without a clear way to quantify the benefit. I get it. And indeed this is the challenge for Chief Risk Officers, Boards, and C-level executives as well as IT and Cybersecurity leaders. How much protection is enough?
A very clever leader I had once said to me ‘Rigour is the skeleton of an organisation. Too much and you can’t move. Too little and you collapse’. If there is anything you take away from this article, I hope it’s that. The amount of cybersecurity risk you take should be guided by the size and complexity of your organisation. This is what we call Risk Quantification.
To gain a good understanding of your businesses risk, it’s really a small number of steps. Ask yourself these questions:
Identify Assets: Do I understand what assets my business needs to protect, including hardware, software, data, and intellectual property?
Threat Assessment: What are the potential threats to my assets? Such as malware, phishing attacks, insider threats, etc. Consider both external and internal threats.
Vulnerability Assessment: Can I assess the vulnerabilities that exist within our systems and processes that could be exploited by threats? This includes software vulnerabilities, misconfigurations, weak passwords, etc.
Likelihood Assessment: Am I able to evaluate the likelihood of each threat exploiting a vulnerability and causing harm to our assets? Consider factors such as historical data, industry trends, regulatory, and the effectiveness of current security controls.
Related: Integrity360 announces return of its annual Security First Conference to Belfast
Impact Assessment: What would be the potential impact on our business if a threat successfully exploits a vulnerability? This includes financial losses, reputational damage, operational disruptions, regulatory fines, etc.
Risk Calculation: Can I calculate the risk? This could be as simple as ‘probability score / impact score’. This will help prioritize which risks pose the greatest threat to our business. Take a business approach to this. Protect the things that mean the most to your business.
Risk Mitigation: Are there steps I can take? Some of these will be simple and easy. Can I limit the number of people who can access this critical system? Can I make it only accessible from inside my network? Develop and implement strategies to mitigate the highest priority risks identified in the risk assessment. This may include implementing security controls, training employees, updating software, etc.
Monitoring and Review: I wish I would tell you this is a ‘once and done’ effort, but vulnerabilities come out every day and attacks change as well. Monitor your systems and processes for new threats and vulnerabilities, and regularly review and update your risk assessment to ensure it remains relevant and effective.
Continuous Improvement: Continuously improve your cybersecurity posture based on lessons learned from incidents. Taking the time to make back up copies (stored off like) is a great personal insurance policy. And patch. Those software updates that come out from time to time are a key defence.
Like a car breaking down, all of us should have a plan for a cybersecurity incident. That plan should be equal to the complexity and scale of your business. Like a fire drill, practice helps. Get some advice from experts if you can. And remember those overarching principles.
Cyber controls are the skeleton of an organisation. Too much and you can’t move. Too little and you collapse.
About the author: Keith Lippert was most recently Deputy Information Security Officer for Allstate insurance e company globally. Located here in Belfast, Keith has expertise in financial crime prevention, anti-terrorism, sanctions, money laundering, and fraud prevention. Before joining Allstate, he served as the Legal Chief Operating Officer for Barclays Bank in London and as the Vice President of International Fraud Prevention for American Express. Keith has also held the position of Chairman at banks in Russia, India, Mexico, and Canada and served as an officer of two national banks in the United State
