Understand Your Company’s Cyber Security Risk Posture

Are you guessing about your cyber risk? Ignoring cybersecurity completely? Or making decisions for your business without data to back you up? While cyber risk assessments have been rising steadily over the past few years, only 59% of companies apply a formal process to identify and evaluate their risk, according to a recent Aon study. I suspect the number of small businesses with fewer than 50 employees conducting risk assessments is even lower, yet the risk of being attacked is higher.

All businesses need to manage risk, but small businesses have more to lose if risks turn into reality. A data ransom attack, for example, might slow an enterprise company down for a day or two as they shore up defenses and restore data from backups. The same kind of attack could shutter a small business immediately if they haven’t prepared for it. 

Let’s look at four steps you can take to better understand and control your company’s cybersecurity risk posture.

1. Inventory and prioritize your cyber risks

In every business, cyber risk is concentrated at potential entry points. These are the interactions between people, your IT systems, and other systems. Identifying all of those points and your IT assets is a good place to start. 

Inventory may be as simple as counting how many devices and applications you have. Don’t forget about employee cell phones (if used to access email or other apps for work), printers, and POS systems. 

For each device, note what kinds of data are accessed and any protection in place, such as passwords, multifactor authentication, and scheduled software updates.

Next, prioritize the assets that are critical for conducting business. What would you not be able to live without? It might be QuickBooks, your Google suite, or Slack that keeps things humming. Give each asset a priority number.

This exercise alone might be enlightening for some small business leaders. Often we forget how many convenience technologies we use in a day. If these tools were to go away, would your business be able to continue operating? Would your productivity drop? Would you lose the ability to serve customers?

2. Identify your cyber vulnerabilities 

For the next step, you’ll need to think like a hacker. You’ll want to consider the known attack vectors cybercriminals could use to compromise each of the assets you listed. Although attack strategies are changing all of the time, risks still fall into some broad categories:

Ransomware: Ransomware is a type of malware that prevents or limits businesses from accessing their data and/or systems, either by locking the system’s screen or by locking files until a ransom is paid.

Social Engineering: Social engineering occurs when businesses are contacted by email (phishing), telephone (vishing), or text message (smishing) by someone posing as a legitimate individual or institution to lure them into providing sensitive data, such as personally identifiable information, banking, and credit card details, and passwords. The information is then used to access those important accounts.

Malware: Malicious software is a blanket term for viruses, worms, trojans, and other harmful computer programs hackers use to harm your business and gain access to sensitive information.

Distributed denial of service (DDOS): DDOS attacks target websites and online services, overloading them with unmanageable traffic that renders the server or network inoperable. It may be combined with an extortion threat of a more devastating attack unless the company pays a ransom.

Data breach: A data breach may expose confidential, sensitive, or protected information to an unauthorized person.

Mobile device vulnerabilities: These are collective flaws built into the software or hardware of a device that can be exploited in order to expose your data, files, or system.

Internal threats: These risks are from employees who knowingly access data or systems for financial gain or vengeful damage. Although rare in companies with a healthy culture, it’s important to consider whom you’ve given access to.

Vendor and third-party threats: Any company or supplier that is connected to your business through a shared portal or login needs to be carefully considered. Small businesses often skip the step of screening their vendors for security risks. Read more about third-party threats here.

This exercise allows you to understand where you have vulnerabilities, leading you to ask, “How do I fix these?” 

3. Budget for cybersecurity 

Before you can tackle cyber protection, you need a budget. Small businesses with tight margins might not have anything earmarked for security, but it is fast becoming an operating expense that all businesses need to consider, like payroll and rent. 

To determine your budget, you need to determine your level of acceptable risk. No solution is 100 percent, but you must decide what you can live with. The best test is asking yourself if you would feel confident sharing your security plans with employees, customers, partners, and vendors.

Consider what other businesses spend on cybersecurity:

• A recent survey of 600 U.S. small businesses shows that they spent more on cybersecurity in 2022 than they did before the pandemic.
• The number spending over $500 monthly went from 24% to 26%, while those spending $1,500 – $1,999 monthly rose from 19% to 24%. 
• It’s estimated that, on average, SMBs spend 5% to 20% of their total IT budget on security – that includes computers, software, servers, AND security.

What kinds of solutions should you be budgeting for? Your vulnerabilities will determine where you need protection. Consider how these common cybersecurity solutions would help:

• Cyber Insurance
• Business Grade VPN
• Employee Security Awareness Training
• Phishing Simulation
• Password Management
• Identity Theft Protection
• Website Scans 
• Antivirus

4. Address cyber vulnerabilities one by one

Use your prioritized list to address vulnerabilities one by one, within your budget. You’ll be protecting your most critical operating resources and planning ahead in one step.

Cybersecurity is iterative. It’s nearly impossible for small businesses to be able to address all of their cybersecurity needs at once. And since businesses change, your risks and solutions will change over time too. But taking steps to start the process, and getting some protections in place, is certainly better than doing nothing. 

In order to protect your business, you will need a true understanding of the risk and potential magnitude of a cyber event, which is why I encourage you to repeat these steps regularly. Too often, small business leaders accept risk because they don’t have the time or resources to address it properly. Periculus gives business leaders the tools they need to learn, assess, mitigate, and manage a variety of digital risks. Visit us to consider our solutions at www.periculus.com.