What can a small or medium business do to address cybersecurity issues without wiping out their budget? Without a serious analysis process, the answer to this question is not immediately clear. However, exactly how to conduct this kind of analysis also isn’t immediately clear. This conundrum causes many small and medium businesses to become “stuck” before even getting started.
Therefore, many businesses move forward without conducting threat or vulnerability analysis. These businesses either do nothing and “hope for the best”, implement a salesman-supplied “solution du jour”, or apply ad hoc controls that may be effective, partially effective, totally ineffective, or even counterproductive. These approaches are often high-cost and low-benefit. This is a big problem and very common.
Business stakeholders should consider very seriously which threats the business might be vulnerable to, and which assets those threats put at risk. As we have seen, data breaches are a daily occurrence. Stakeholders should take time to document this process and its results, and then re-examine and update the results regularly as the business grows and changes over time.
There are three generic steps to help any business start thinking about where, when and how to apply cybersecurity resources (time, people, money):
- Identify critical business assets, including digital, physical and intellectual property.
- Identify threats to those assets and include “black swan” type events that cannot be predicted but have extremely high negative impact.
- Score the threats on two scales: a) a scale of likelihood to occur, and b) a second scale of estimated impact (cost) to the business if they occur.
There are many methods of conducting these assessments. No one method is always correct, and invariably there will be a need to update the results, as new assets are added and threats are identified over time. Having this initial understanding of your business establishes a baseline. It allows business stakeholders to develop the actual plans and resource allocations in subsequent steps.
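One simple way to record the three steps above is a small risk register, shown here as an added example that is not part of the original article. The 1-5 scales, the likelihood × impact ranking, the black-swan rule and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1-5 scale for both likelihood and impact

@dataclass(frozen=True)
class Threat:
    asset: str
    threat: str
    likelihood: int  # 1 = rare, 5 = expected
    impact: int      # 1 = negligible cost, 5 = business-ending

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"scores must be 1-5: {self.threat}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # assumed combination rule

    @property
    def black_swan(self) -> bool:
        # Unlikely but maximum-impact: a product score alone would bury it.
        return self.impact == max(SCALE) and self.likelihood <= 2


def prioritize(register):
    """Return (ranked, black_swans): threats by descending score, plus the
    low-likelihood, maximum-impact entries that need separate review."""
    ranked = sorted(register, key=lambda t: (-t.score, -t.impact, t.threat))
    swans = [t for t in ranked if t.black_swan]
    return ranked, swans

# Constructed sample register for a hypothetical small business.
REGISTER = [
    Threat("Customer database", "Phishing leads to credential theft", 4, 4),
    Threat("Office laptops", "Loss or theft of unencrypted device", 3, 3),
    Threat("Accounting system", "Ransomware encrypts records", 3, 5),
    Threat("Product designs (IP)", "Insider copies files before leaving", 2, 4),
    Threat("All on-site systems", "Fire or flood destroys the office", 1, 5),
]

if __name__ == "__main__":
    ranked, swans = prioritize(REGISTER)
    for t in ranked:
        flag = "  [black swan]" if t.black_swan else ""
        print(f"{t.score:>2}  L{t.likelihood} I{t.impact}  {t.asset}: {t.threat}{flag}")
```

The fire-or-flood entry ranks last by score yet is still surfaced in the black-swan list, which is why the two scales are kept separate rather than collapsed into one number.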
Once the business has this “map” of assets to protect and an idea of which might be worth protecting first, the next step is to identify vulnerabilities. Determining which actual controls to apply depends not only on the assets and threats identified, but also on where the business is vulnerable to compromise. Again, there are many methods to do this. No one particular method is right for everyone. The results of this step will point to which controls should be considered first, which is the basic groundwork for developing plans.
If your business has assets worth protecting – and which businesses don’t? – then you might consider measuring how far along this threat and vulnerability analysis timeline you’ve progressed. Shore Cybersecurity LLC is able to help you at each step, whether starting at the beginning or getting through a particular phase. Contact us for more information.