WHAT ARE THE CYBER RISKS TO MY BUSINESS?
Cyber risk can be defined as the risk of financial loss, disruption or damage to the reputation of an organization through a failure of its information technology systems. Information technology has fueled rapid growth to small businesses, which can help you -- reach more customers, tap into new markets, grow faster, and create more jobs. With that increased reliance on information technology and access to data, new risks to your businesses’ financial, customer data and reputation can occur.
The process of cyber risk assessment includes identifying your organization’s important data (financial data, customer data, and intellectual property), potential vulnerabilities for the systems that store or handle that data, and the potential impacts to your organization associated with a loss of confidence, integrity, or availability to that data.
FACT 1: ASSESSING CYBER RISK
Assessing and managing cyber risk is no different than managing other types of risk. If you were to manage the risk to your business from flood damage you would -- identify the most important assets that could be affected; consider how vulnerable those assets would be to a flood; consider the likelihood of flooding in the area; and determine what responses make the most sense based on the corresponding costs of responding to that risk. (Eg: invest in measures to protect those assets, move the assets, transfer the risk through insurance, or accept the risk.)
FACT 2: RESOURCES
There are many available resources to assess cyber risk. How extensive to analyze risk – is based on a range of factors --- business priorities, regulatory standards or cost considerations. The National Cybersecurity Society provides a free survey that helps small businesses assess cyber risk called NCSS CARES (Cybersecurity Assessment and Resiliency Evaluation for Small Business). The assessment methodology was adapted from two main sources: The NIST Cybersecurity Framework and Carnegie Mellon’s Software Engineering Institute, CERT, Resilience Management Model.
FACT 3: NCSS CARES
NCSS CARES measures small business risk based upon the level of maturity of the business’ organizational cybersecurity and resiliency processes as defined by CMMI. CMMI (Capability Maturity Model Integration) is a process level improvement training and appraisal program, developed by Carnegie Mellon University. NCSS CARES can be found at: https://nationalcybersecuritysociety.org
FACT 4: INSURANCE
Assessing your cyber risk is an important consideration for any organization’s overall evaluation of risks. Many insurance providers are using an assessment to set rates for policies; therefore, an understanding of your risks and how your organization manages risk are a critical steps in ensuring your business is resilient. Begin now by assessing your risk through the NCSS CARES.
FACT 5: VENDOR AGREEMENTS
The American Bar Association is recommending all vendor agreements include a section on assessing the risks of an organization’s partners. NIST 800-171, Protecting Critical Unclassified Information in Non-federal Systems, is requiring contactors who do work with the government assess their risk and provide an affirmation statement that they have complied with addressing and mitigating known risks.
FACT 6: NIST CYBERSECURITY FRAMEWORK
The NCSS has mapped NCSS questions in the survey, NCSS CARES, to the cybersecurity framework. The mapping can be found elsewhere on our site.
HERE ARE SOME RISKS TO CONSIDER:
- Internet of Things
- Lack of employee awareness/training
- Social Engineering
- Weak Passwords and the lack of 2 Factor Authentication
- Unsecure website
- Lack of data retention policy
- Limited to no backups of critical data/systems
Download a PDF of this fact sheet.
Still have questions, need help?
Contact us at our “Ask-an-Expert” service, firstname.lastname@example.org or visit us at the link below.
©2018 National Cybersecurity Society, All Rights Reserved
JOIN THE NCSS
Become a member of The National Cybersecurity Society today and learn more about how to protect your business from a
About The National Cybersecurity Society
The National Cybersecurity Society is a non-profit organization focused on providing cybersecurity education, awareness
and advocacy to small businesses. The NCSS provides cybersecurity education tailored to the needs of the small business
owner; helps small businesses assess their cybersecurity risk; distributes threat information to business owners so that they
will be more knowledgeable about the threats facing their business; and provides advice on the type of services needed to
stay safe online.