Where To Start – The Cybersecurity Risk Assessment
Is your business safe? Our clients ask themselves this question every day. In the last year alone, we’ve seen a major increase in cybersecurity questions. Everyone wants a quick way to find out. Many put off worrying until there is a real problem. While October is Cybersecurity Awareness Month and we’re pushing as much security education as possible, business owners are still confused about whether or not cyber attacks are a real threat.
An estimated 71% of all cyber attacks are against small businesses, and after an attack, 60% of them will be out of business within six months. In addition, there was a 424% increase in attacks in 2021. Why is this important? Smaller businesses are easier targets for cyber criminals.
For businesses just starting out with cybersecurity, we recommend taking a risk assessment that takes into consideration: 1) the size and complexity of your business and 2) whether or not your business is subject to regulatory constraints. There is an art to right-sizing security assessments for SMBs and we understand that delicate balance.
Why Are Risk Assessments Important?
Cyber threats are a serious issue for businesses today, no matter their size. Many smaller companies do not have the appropriate safeguards or policies and procedures in place. Other businesses may feel they have implemented the proper standards when in reality they are still at risk. A Cybersecurity Risk Assessment will help identify the areas that your company needs to improve and recommend the proper security actions to implement. Simply stated, we find your security holes and plug them.
The Risk Assessment Process
To begin the process, our cybersecurity experts will schedule a 30-minute consultation to complete an initial cybersecurity questionnaire about your business. The answers to this questionnaire generate a matrix that sorts your security needs into four quadrants: Administrative Safeguards, Physical Safeguards, Technical Safeguards and Organizational Requirements.
If the business is in a non-regulated industry, the generated matrix will be reviewed in conjunction with running the Full Network Detective Security Diagnostic. If the business is in a regulated industry, the generated matrix will likewise be reviewed in conjunction with running the Full Network Detective Security Diagnostic, and in addition, HIPAA, PCI DSS, FINRA and NIST diagnostic modules will be added for the relevant industries.
Our matrix identifies the following four areas where your business may need to improve security:
ADMINISTRATIVE SAFEGUARDS | This identifies potential threats, risks, and vulnerabilities with your data. It also ensures that you protect the confidentiality, integrity, and availability of the data you create, receive, maintain, or transmit. In addition, it outlines how you manage user access to data and train workforce members to protect confidential data. Lastly, it clarifies what policies and procedures are used to monitor login attempts.
PHYSICAL SAFEGUARDS | This evaluates the disaster recovery procedures and emergency operations plans you currently have in place. It will also assist in identifying how you grant access to your office, your systems and your data, as well as how you inventory all systems with access to data. Assessing the maintenance and protection of passwords is also covered.
TECHNICAL SAFEGUARDS | This ensures correct technology policies and procedures are implemented. It will look at the current framework for how access is granted to hardware/software systems and data. It also reviews the company password policies, details how inactive sessions are closed, and assesses how data is protected from alteration or destruction.
ORGANIZATIONAL REQUIREMENTS | This evaluates how your business partners protect the privacy and security of confidential data and how data breaches are handled. Contractual provisions are reviewed to ensure business partners protect the privacy and security of data. It also ensures that records are kept to document adherence to contractual provisions.
Post Risk Assessment
Once you pull back the curtain on cybersecurity and understand how your small business is vulnerable, you can take the necessary steps to safeguard it. First and foremost, find and work with a dependable, competent Managed Service Provider (MSP). Ensure the provider delivers core security services, including patch and vulnerability management and identity management, and has a deep understanding of network security. Establish policies and processes for managing the compliance areas applicable to your business and, at a minimum, implement user onboarding and offboarding procedures. Last but not least, train or hire staff knowledgeable in security and compliance disciplines. These cybersecurity best practices will go a long way toward keeping your business protected. Don’t forget that we’re always here to help. Reach out to begin your cybersecurity assessment today.
Stay tuned each week in October as we’ll post a new blog for Cybersecurity Awareness Month.
Written by: Chris Zambuto | Chief Information Security Officer @CMITBostonCambridge