NCSS small.png

CYBER RISK

 

WHAT ARE THE CYBER RISKS TO MY BUSINESS?

 

Cyber risk can be defined as the risk of financial loss, disruption or damage to the reputation of an

organization through a failure of its information technology systems. Information technology has fueled

rapid growth to small businesses, which can help you -- reach more customers, tap into new markets,

grow faster, and create more jobs. With that increased reliance on information technology and access

to data, new risks to your businesses’ financial, customer data and reputation can occur.

 

The process of cyber risk assessment includes identifying your organization’s important data (financial

data, customer data, and intellectual property), potential vulnerabilities for the systems that store or handle

that data, and the potential impacts to your organization associated with a loss of confidence, integrity,

or availability to that data..

 

FACT 1: ASSESSING CYBER RISK

Assessing and managing cyber risk is no different than managing other types of risk. If you were to manage

the risk to your business from flood damage you would -- identify the most important assets that could be

affected; consider how vulnerable those assets would be to a flood; consider the likelihood of flooding in the

area; and determine what responses make the most sense based on the corresponding costs of responding

to that risk. (Eg: invest in measures to protect those assets, move the assets, transfer the risk through insurance,

or accept the risk.)

 

FACT 2: RESOURCES

There are many available resources to assess cyber risk. How extensive to analyze risk – is based on a

range of factors --- business priorities, regulatory standards or cost considerations. The National

Cybersecurity Society provides a free survey that helps small businesses assess cyber risk called NCSS

CARES (Cybersecurity Assessment and Resiliency Evaluation for Small Business). The assessment

methodology was adapted from two main sources: The NIST Cybersecurity Framework and Carnegie

Mellon’s Software Engineering Institute, CERT, Resilience Management Model.

 

FACT 3: NCSS CARES

NCSS CARES measures small business risk based upon the level of maturity of the business’ organizational

cybersecurity and resiliency processes as defined by CMMI. CMMI (Capability Maturity Model Integration) is

a process level improvement training and appraisal program, developed by Carnegie Mellon University.

NCSS CARES can be found at: https://nationalcybersecuritysociety.org  

 

FACT 4: INSURANCE

Assessing your cyber risk is an important consideration for any organization’s overall evaluation of risks. Many

insurance providers are using an assessment to set rates for policies; therefore, an understanding of your risks

and how your organization manages risk are a critical steps in ensuring your business is resilient. Begin now

by assessing your risk through the NCSS CARES.

 

FACT 5: VENDOR AGREEMENTS

The American Bar Association is recommending all vendor agreements include a section on assessing the risks

of an organization’s partners. NIST 800-171, Protecting Critical Unclassified Information in Non-federal Systems,

is requiring contactors who do work with the government assess their risk and provide an affirmation statement

that they have complied with addressing and mitigating known risks.

 

FACT 6: NIST CYBERSECURITY FRAMEWORK

The NCSS has mapped NCSS questions in the survey, NCSS CARES, to the cybersecurity framework. The

mapping can be found elsewhere on our site.

 

 

DID YOU KNOW…

HERE ARE SOME RISKS TO CONSIDER:

 

  • Reputational

  • BYOD

  • Internet of Things

  • Lack of employee awareness/training

  • Social Engineering

  • Weak Passwords and the lack of 2 Factor Authentication

  • Unsecure website

  • Lack of data retention policy

  • Limited to no backups of critical data/systems

 

Download a PDF of this fact sheet.

 

Still have questions, need help?

Contact us at our “Ask-an-Expert” service, web@thencss.org or visit us at the link below.

 

©2018 National Cybersecurity Society, All Rights Reserved

www.nationalcybersecuritysociety.org

 

JOIN THE NCSS

Become a member of The National Cybersecurity Society today and learn more about how to

protect your business from a cyber attack.

 

 

About The National Cybersecurity Society

 

The National Cybersecurity Society is a non-profit organization focused on providing cybersecurity education,

awareness and advocacy to small businesses. The NCSS provides cybersecurity education tailored to the needs

of the small business owner; helps small businesses assess their cybersecurity risk; distributes threat

information to business owners so that they will be more knowledgeable about the threats facing their business;

and provides advice on the type of services needed to stay safe online.

Similar Content