It’s easy for a small-to-mid sized business (SMB) to get overwhelmed when it comes to figuring out what they need for adequate cyber security protection. Here's a simply risk assessment cheat sheet to get you started.
To be honest, SMBs are in a somewhat challenging position when it comes to cyber security.
With so many cyber incidents being splashed over the media, your clients and partners may well have the expectations that you have enterprise-grade security in place, which in the past has been difficult for most SMBs to afford.
Additionally, many businesses also have to take into consideration regulatory compliance, which will be an important part of our cyber security strategy.
You want the best cyber security protection possible, but it's often hard to figure out how to prioritize a limited budget - what should you focus on first?
In order to make an educated decision, you need to start with a risk assessment.
We're providing a a simple cheat sheet for you to do this on your own, keeping in mind that a formal risk assessment performed by a cyber security professional goes much deeper!
So lets get you started with a few tips and tricks.
First Step: Understand Your Data
The first step in any data risk mitigation strategy is “understanding your data,” which is fundamental to every cyber security program.
What do we mean by understanding your data?
Well for starters, people can’t steal what you don’t have, so eliminating any unnecessary data you have hanging around is super important.
To do this, you need to understand where your data is, how long you need to keep it, and who really needs to access it - often way too many people have access to data they simply don't need.
Documenting all this is not a fun task. but eliminating the storage of unnecessary data and restricting access to it, are two of the most basic things you can do in reducing risk.
Second Step: Understand Your Risks
But these NIST frameworks are really designed for large federal systems or organizations with big budgets, and are unsuitable for most SMBs.
What you CAN do is use these frameworks to create a simplified plan, while maintaining the intent of the guidelines as much as possible.
There are 3 terms you need to understand and think about before you begin this.
- Threats. This can be an attacker or a hurricane, but is something that could negatively impact your business.
- Vulnerabilities. This is a gap in your protection that potentially allows a threat to harm you, e.g. an unlocked door or lack of a firewall.
- Risks. This is the likelihood that a threat can exploit a vulnerability. For example, a risk would be having the chance of having a virus infect your computer due to a lack of anti virus software.
Now let's move on to assessing your risks and conducting the actual risk assessment.
Third Step: Basic Security Risk Assessment
Below is a cheat sheet which lists some of the most important items you need to think about when doing your own risk assessment.
The answers to these questions will help you define what you need to protect, and how much you need to spend to do it.
(Note: David delivered a webinar called "Gourmet Cyber Security on A Fast Food Budget" a few months ago, and this is an excerpt from that webinar. Feel free to watch the entire webinar as well.)
Watch the Video: Risk Assessment Cheat Sheet
Want more information behind the cheat sheet?
Watch the video below to learn the details behind each of the checklist items.
Finally: Do Some Basic Due Diligence!
Once you have determined your risk level, and determined where you think the most important areas are for you to invest in to reduce this risk, you need to do some basic due diligence.
These are the basic items that – god forbid – if you are ever on the witness stand somewhere, you will be able to say, “Well of course our company does that!”
What Are Managed Cyber Security Services?
You should also be aware that from a budget perspective, a lot has changed when it comes to cyber security solutions for SMBs.
As an example, Managed Security Services are one of the most cost-effective ways to get access to sophisticated security solutions, completely managed for you and billed on a monthly recurring basis.
Managed Security Services, also referred to as Security-as-a-Service, eliminate the need for large capital outlays, ongoing maintenance, and of course the need to recruit and maintain expensive cyber experts in-house.
Need more assistance? Reach out to us and we'll help you figure out the best cyber security strategy for your business and your budget.
Stay cyber safe!