Running a risk assessment on your business's cybersecurity should be a routine process, no matter how big you are or what industry you're in. Security incidents can happen to any business, especially small businesses, either because hackers believe they're an easy target or because they're trying to breach a larger company by going through its small partners. While self-assessment and monitoring should be a continuous process, a comprehensive security risk assessment should be conducted at least once every two years, according to the Information Systems Audit and Control Association.
There are different levels of risk assessment, and, fortunately, it's possible to perform a comprehensive analysis of your security on your own. There's no short supply of cybersecurity companies that specialize in vulnerability and risk assessment testing for clients. These services can be pricey and may not be cost-effective if you're a small business running a small network.
Running your own risk assessment is much more affordable. The only trade-off is that you'll need to use your own time and resources to perform it.
Doing your own risk assessment is a way to understand your own exposure and improve your security, but if you're in an industry that requires professional assessments and audits from a certified entity, you'll have no choice but to use a third-party provider to earn an official certification. Those groups seldom accept self-assessments.
It's important that you know what you're doing and what you're looking for when performing a risk assessment. A passing knowledge of cybersecurity won't be enough when trying to find vulnerabilities that attackers can exploit. If you have an IT staff, it's best to work with them when coming up with a plan to perform a risk assessment. In some cases, doing your own risk assessment has real advantages, because you know how your network operates and may have built it yourself.
"If businesses don't have the experience, the tools, or the team to conduct a thorough and accurate risk assessment, and are just trying to save costs by doing it themselves, they can experience increased costs in the future when a hack or data breach that could have otherwise been prevented occurs," said Keri Lindenmuth, marketing manager for Kyle David Group. "Many small businesses don't recover from a data breach because of the financial implications and end up closing their doors forever."
If you're confident that you and your staff have the collective expertise to conduct a risk assessment, the next thing you need to keep in mind is that you must be objective when looking at your system. Companies often overlook certain aspects of security because changing those things would cause too much disruption or would cost too much to fix. You need to be willing to make big changes if your results point to major holes in your network.
How to run your risk assessment
When performing a risk assessment, your goals are to identify risks and vulnerabilities in your network, rate how severe they are, determine the effectiveness of your current security resources, and combine these factors into an overall risk rating.
According to Ryan Zlockie, global vice president of authentication at Entrust Datacard, the three main areas small businesses should focus on when doing a risk assessment are their employees, web pages and physical devices that connect to the internet.
One of the biggest causes of data breaches is employees who unintentionally click on suspicious links or download attachments from phishing emails. Testing how employees respond to such messages, and reviewing their online practices, can be useful before initiating specialized cybersecurity training.
Online phishing simulators allow you to set up emails disguised as coming from colleagues, with the goal of convincing employees to download an attachment or submit credentials. Negative results shouldn't lead to punitive action; instead, they should help you determine how much additional training your staff needs in cybersecurity practices. They can also help you decide whether to implement two-factor authentication for network access.
Securing your network from web attacks is an important front for protecting your business. If you have a web page where you sell merchandise and accept payments from customers, determining whether it's secure is paramount to protecting not only yourself but also your customers. Lots of tools exist online to help you determine whether attackers can easily strongarm their way into your network through your website. For instance, Pentest Tools is a paid service that scans your websites, web applications and network to determine whether vulnerabilities exist. Common problems with websites are a lack of SSL/TLS certificates and of HTTPS, both of which are factors in securing a domain.
In the office, it's important to make sure your physical devices are secured as well. Attackers often gain access through internet-enabled devices and reach your network through unpatched vulnerabilities. Devices such as wireless printers, Wi-Fi routers and mobile devices can be exploited to give hackers access to the rest of your network.
An easy way to avoid problems is to make sure your devices' firmware is all up to date. Microsoft has a free tool to help you check whether the Microsoft products on your network are all up to date.
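As an added worked example (not part of the original article), here is the scoring step described above expressed as a small risk register in Python covering the three focus areas (employees, web pages, internet-connected devices). The 1-5 likelihood and impact scales, the control-effectiveness factor and the rating thresholds are assumed for illustration, and the register entries are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One line of the risk register (assumed scales, not from the article)."""
    area: str
    threat: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    control_eff: float   # 0.0 (no control in place) .. 1.0 (fully effective)

    def __post_init__(self):
        # Reject out-of-range scores so a typo cannot silently distort the ranking.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be between 1 and 5")
        if not 0.0 <= self.control_eff <= 1.0:
            raise ValueError("control_eff must be between 0.0 and 1.0")

    def inherent(self) -> int:
        """Risk before existing controls are taken into account."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk remaining after crediting the current controls."""
        return round(self.inherent() * (1 - self.control_eff), 1)


def rate(score: float) -> str:
    """Map a numeric score onto the usual high/medium/low bands (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(risks):
    """Return (area, threat, residual, rating) tuples, highest residual risk first."""
    ranked = sorted(risks, key=lambda r: r.residual(), reverse=True)
    return [(r.area, r.threat, r.residual(), rate(r.residual())) for r in ranked]


def overall_rating(risks) -> str:
    """Overall exposure is driven by the worst residual item, not by the average."""
    return rate(max(r.residual() for r in risks))


# Constructed sample register: no 2FA or training, a checkout page without TLS,
# and a router whose firmware is only partly kept up to date.
SAMPLE_REGISTER = [
    Risk("employees", "phishing email steals credentials", 4, 4, 0.25),
    Risk("web", "checkout page served without TLS", 3, 5, 0.0),
    Risk("devices", "Wi-Fi router running unpatched firmware", 3, 3, 0.5),
]
```

Running `assess(SAMPLE_REGISTER)` ranks the untrusted checkout page first, which is the kind of result that should drive which fix you make first even if it is the most disruptive one.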
Having a professional cybersecurity consultant perform a risk assessment for you is an extra expense, but they will likely find several weaknesses and risks that you may have overlooked. An occasional comprehensive risk assessment by a service can help you avoid massive data breaches caused by some of the newest and most subtle exploits, but doing your own cybersecurity assessment can at least help you discover the most glaring and immediate risks to your network. Another advantage is that doing your own risk assessment helps you become more acquainted with your network and how it works.