Menu
Business.com aims to help business owners make informed decisions to support and grow their companies. We research and recommend products and services suitable for various business types, investing thousands of hours each year in this process.
As a business, we need to generate revenue to sustain our content. We have financial relationships with some companies we cover, earning commissions when readers purchase from our partners or share information about their needs. These relationships do not dictate our advice and recommendations. Our editorial team independently evaluates and recommends products and services based on their research and expertise. Learn more about our process and partners here.
Finding vulnerabilities now could protect your small business from costly intrusions later.
Your sensitive customer data and intellectual property are under constant threat from cyber attackers. If they successfully manage to download their malware onto your IT network, they could shut it down and stop you from doing business. If your sensitive data were to get into the wrong hands, the financial and reputational damage to your firm could be disastrous. There’s never been a more important time to invest in cybersecurity for business.
Below, find out how to do a cybersecurity risk assessment to discover your firm’s vulnerabilities and why it makes business sense to tighten up your defenses.
A cyber risk assessment is an evaluation that an organization carries out to discover how well it can defend its data and IT network against data theft and unauthorized access.
The results reveal how prepared a business is to defend itself from an internal or external attack. Companies then use these results to bolster their digital security, with the goal of minimizing their vulnerability to a breach.
Cybersecurity threats constantly evolve as hackers find new ways to break into companies’ IT networks. Experts recommend that businesses carry out at least one risk assessment yearly as part of their overall cybersecurity plan.
Take the following steps to carry out a cybersecurity risk assessment.
To understand the technical weaknesses in your IT network, you need in-depth knowledge of how your systems and devices connect with each other and the outside world. Follow these steps as part of your preparation:
Map your digital ecosystem.
Start by listing all the hardware, software and online apps — like accounting software and customer relationship management (CRM) systems — that you use in your business. Keep handy key documentation on each item of equipment or app you’re using, together with details such as vendor information, update and version histories, and who within the business is responsible for maintaining or managing it.
Gather information about your devices.
Compile the same information on each device or program that connects to your network and to the internet. These devices include your Wi-Fi routers, printers and security cameras. Also list the apps that talk to other apps via plug-ins or application programming interfaces, because they can send, modify and receive company data. [Read related article: How to Set up Wi-Fi for Your Business]
List all users.
Determine who has access to your network, data, software and apps. Be sure to include freelancers, software providers, partners, vendors and other third parties, if applicable. List the people who are responsible for granting and denying access to employees and outsiders, as well as those in charge of configuring your network. If your business has an e-commerce presence, find out how well they protect your online store from attack, particularly if it connects to your internal software.
Assess your current recovery plan.
Examine your current plans for recovering data and access to your systems in the event of a cyber breach.
After following these steps, you’ll have a clear understanding of what and who are on your network and how they interact with each other. If you don’t feel confident about doing this and you have no in-house IT people, you can call in a cybersecurity expert to conduct this part of your assessment.
The next step is to find out what needs to be protected and the types of attack you need to prevent. Here’s how to do it:
Identify your valuable assets.
As a business, you’ll create and accumulate more data every day. Some data is particularly important, like your customer information, financial records and any unique intellectual property your company owns. [Read related article: 17 Security Tips to Protect Your Business’s Information]
Most valuable is the data that, if lost or unaccessible, would cause a substantial operational hit to your business, either to your finances or your reputation. Your customers may switch to a competitor if they believe you can’t protect their sensitive data.
Your technology — including hardware, software and apps — is valuable, too. For example, getting locked out of your central server or allowing hackers to download key data from your CRM system could be catastrophic. This is a common tactic used in ransomware and cyber extortion attacks.
Remember that the data you hold in the cloud is just as important as the data you hold on-site. [Read related article: SMB Guide to the Different Cloud Services]
Make a comprehensive list of the minimum assets you need to operate as a business. This will help you decide where to focus the bulk of your cybersecurity efforts and resources.
Identify threats.
The nature of the threats presented by cybercriminals changes constantly. The following resources are very useful for staying informed of the latest risks and how to prepare and respond to them:
Identify vulnerabilities.
Now that you know the most likely threats to your core business assets, you must identify your systems’ vulnerabilities. For example, potential attack vectors may result from outdated software, weak passwords, poorly configured systems and weak authentication mechanisms.
To test how vulnerable they are, you could run a configuration audit, a manual penetration test, an automated scan, or a code review on any custom software you’re using. This will flag any existing weaknesses right away.
In addition, it’s important to invest in cybersecurity training for your staff. A report from Verizon Business found that human error was a factor in 74 percent of all cyber breaches.
During the first stage of this process, you made a list of each piece of hardware, software or app and who was responsible for maintaining and managing them. You also listed who was responsible for granting and denying access to your systems. See what rules they’re operating by and whether they’re fulfilling their duties as required. Include your website in your assessment, too, if it connects to your CRM system or other internal apps.
In addition, consider what rules your general staff members are using. You may discover additional gaps in your security processes and procedures. If you already have a security policy in place, make sure people are adhering to it and their managers are enforcing it, because even the best security measures can be undermined by human error or negligence.
You should not overlook threats from internal actors, like disgruntled employees. The Association of Certified Fraud Examiners reported that organizations lose 5 percent of their revenue because of employee fraud. While it may be next to impossible for them to access your company’s checking account, someone may have eyes on your customer database and want to take it for themselves. [Read related article: How to Prevent Employee Accounting Fraud]
Review your access privilege management. Ensure that employees have access only to the systems and data necessary for their roles and that privileges are regularly reviewed and updated. As soon as an employee leaves the company, deny them access to your network.
Start and maintain a vulnerability inventory that you retain as part of your company’s internal cybersecurity documentation.
Identify regulatory requirements.
A key element in any cybersecurity risk assessment should be verifying that you comply with all relevant regulatory requirements.
For example, if you’re in the health care sector in the U.S., you’ll need to comply with HIPAA. If you handle European Union citizens’ data, regardless of where your business is located, you’ll need to adhere to the General Data Protection Regulation. If you take debit or credit cards, you’ll need Payment Card Industry Data Security Standard clearance to comply with payment processing rules and laws.
These frameworks share three features:
If you’re not sure of the regulations governing your business, you could hire an attorney with expertise in this area. Ask them to create a comprehensive list of the requirements you need to adhere to, paying special attention to any gaps in your existing security measures.
Because regulations change often, you may wish to pay a retainer to your lawyer to keep you advised of any new legislation or changes to existing legislation. They can then advise you on how to prepare your systems for any changes to the current regulatory landscape.
The next step is to evaluate how likely your company is to fall victim to different types of attack and the impact this would have on your business.
Ask your IT lead or consultant to devise risk scenarios to determine the potential damage of an attack. Then, find out how to prevent these scenarios from happening and how you’d recover from one if it were to occur.
Consider the likelihood of each type of scenario. Many cybersecurity frameworks recommend using a rating system to do this. Think about how discoverable a vulnerability in your system is and how easy it could be exploited once found. Then, score each vulnerability on a scale from 1 (rare) to 5 (highly likely).
You can round these scores up or down depending on these factors:
Now that you know which types of risk you’re most vulnerable to, the next step is to prioritize them so you can defend against the threats that are most likely to cause significant harm.
Many cybersecurity frameworks recommend prioritizing threats based on a five-factor matrix. You assign a score to each of five factors, sum them up and focus on the highest-scoring threats. These are the five factors to assess:
For each high-priority risk you identify, you have three possible courses of action:
While it’s impossible to eliminate all cyber risks, these steps should help your company successfully defend itself against the types of attack that could damage it the most.
At this stage, you have a clear overview of how secure your data and IT network are, who can access both, how you handle sensitive data and the cyber threats you need to defend your company against.
Working with your senior team and outside consultants if needed, you should use this information to establish a plan that improves security across your business and prioritizes protection against the vulnerabilities that pose the greatest threat.
To implement your plan, build a team, assign clear responsibilities to each member and set deadlines for their tasks. Ask for regular progress reports, and if possible, allocate extra resources and personnel.
Remember to involve your general staff in the process as well, and begin training your employees on what they need to know as you implement the changes across your business. Pay attention to co-workers who don’t have strong technical knowledge, and make sure they understand what they’re being taught.
From initial planning to implementation and beyond, keep meticulous records of your cybersecurity strategy and why you made each decision. That way, if something goes wrong, you can show any external stakeholders and regulators the proactive actions you took to protect your network and data. In the event of a breach, no matter how minor, keep records of every action you took to manage it.
You should also review your policies regularly. Many experts recommend that you thoroughly review performance every 12 months to look for further ways to adapt your policy in response to new and emerging threats and regulatory changes. Consider holding additional reviews in the aftermath of an attack or if there are major changes in your business, like adopting new technology or purchasing another business.
The risk of becoming the victim of a cyberattack is real. If you don’t carry out a security assessment or you fail to act on the findings of an assessment, there can be severe consequences.
Keri Lindenmuth, marketing director and team lead for business services provider KDG, told us that businesses “can experience increased costs in the future when a hack or data breach that could have otherwise been prevented occurs. Many small businesses don’t recover from a data breach because of the financial implications and end up closing their doors forever.”
Indeed, according to MSP Connectwise, 78 percent of SMB owners believe a serious cyberattack could put them out of business.
Here are some of the benefits of running regular cybersecurity risk assessments for your business:
Andrew Martins contributed to this article. Some source interviews were conducted for a previous version of this article.