WHAT ARE THE CYBER RISKS TO MY BUSINESS?
Cyber risk can be defined as the risk of financial loss, disruption, or damage to the reputation of an
organization through a failure of its information technology systems. Information technology has fueled
rapid growth for small businesses: it can help you reach more customers, tap into new markets,
grow faster, and create more jobs. With that increased reliance on information technology and access
to data come new risks to your business's finances, customer data, and reputation.
The process of cyber risk assessment includes identifying your organization's important data (financial
data, customer data, and intellectual property), the potential vulnerabilities of the systems that store or handle
that data, and the potential impacts to your organization from a loss of confidentiality, integrity,
or availability of that data.
FACT 1: ASSESSING CYBER RISK
Assessing and managing cyber risk is no different from managing other types of risk. If you were to manage
the risk to your business from flood damage, you would identify the most important assets that could be
affected; consider how vulnerable those assets would be to a flood; consider the likelihood of flooding in the
area; and determine which responses make the most sense given the cost of each response
to that risk (e.g., invest in measures to protect those assets, move the assets, transfer the risk through insurance,
or accept the risk).
FACT 2: RESOURCES
There are many resources available for assessing cyber risk. How extensively you analyze risk depends on a
range of factors, such as business priorities, regulatory standards, and cost considerations. The National
Cybersecurity Society provides a free survey that helps small businesses assess cyber risk, called NCSS
CARES (Cybersecurity Assessment and Resiliency Evaluation for Small Business). The assessment
methodology was adapted from two main sources: the NIST Cybersecurity Framework and the Carnegie
Mellon Software Engineering Institute (CERT) Resilience Management Model.
FACT 3: NCSS CARES
NCSS CARES measures small business risk based upon the maturity level of the business's organizational
cybersecurity and resiliency processes as defined by CMMI. CMMI (Capability Maturity Model Integration) is
a process-level improvement training and appraisal program developed by Carnegie Mellon University.
NCSS CARES can be found at: https://nationalcybersecuritysociety.org
FACT 4: INSURANCE
Assessing your cyber risk is an important part of any organization's overall evaluation of risks. Many
insurance providers use an assessment to set rates for policies; therefore, understanding your risks
and how your organization manages risk are critical steps in ensuring your business is resilient. Begin now
by assessing your risk through NCSS CARES.
FACT 5: VENDOR AGREEMENTS
The American Bar Association recommends that all vendor agreements include a section on assessing the risks
of an organization's partners. NIST 800-171, Protecting Critical Unclassified Information in Non-federal Systems,
requires contractors who do work with the government to assess their risk and provide an affirmation statement
that they have addressed and mitigated known risks.
FACT 6: NIST CYBERSECURITY FRAMEWORK
The NCSS has mapped the questions in the NCSS CARES survey to the NIST Cybersecurity Framework. The
mapping can be found elsewhere on our site.
DID YOU KNOW…
HERE ARE SOME RISKS TO CONSIDER:
Internet of Things
Lack of employee awareness/training
Weak Passwords and the lack of 2 Factor Authentication
Lack of data retention policy
Limited to no backups of critical data/systems
Still have questions, need help?
Contact us at our “Ask-an-Expert” service, firstname.lastname@example.org or visit us at the link below.
©2018 National Cybersecurity Society, All Rights Reserved
JOIN THE NCSS
Become a member of The National Cybersecurity Society today and learn more about how to
protect your business from a cyber attack.
About The National Cybersecurity Society
The National Cybersecurity Society is a non-profit organization focused on providing cybersecurity education,
awareness and advocacy to small businesses. The NCSS provides cybersecurity education tailored to the needs
of the small business owner; helps small businesses assess their cybersecurity risk; distributes threat
information to business owners so that they will be more knowledgeable about the threats facing their business;
and provides advice on the type of services needed to stay safe online.