4 Steps for Getting Started with Risk Management for SMBs

January 11, 2023

Risk.

It’s one of those things that we talk about but sometimes don’t really know how to describe.

The dictionary defines risk along these lines: risk is exposure to the probability of loss.

There is risk in almost everything we do: driving a car, building a house, flying off on vacation, purchasing a car, and connecting your business to the Internet.

Every small and mid-sized business should understand that cybersecurity risk can be significant. We all depend on technology and on our connection to the Internet. This means that we are exposed to threats such as ransomware, malicious software, social engineering, and active attacks. Attackers have a variety of motives, but the threats are real and the risk to our organizations can be great.

We need to understand that connecting our businesses to the Internet exposes us to a chance of loss.

But how can an SMB think about managing risk?

There are a few things you can do to manage your risk. These ideas are relevant whether your business is large, small, or just one person.

The first thing to consider when managing risk is the activities of the business. Think about this in terms of people, processes, and technology. Yes, this is where the dreaded POLICY comes in! What do people need to *NOT* do? What do you want people to do? How do you want them to do it? What is the approved technology they can use?

Policies should be written to detail how the organization will respond to cyber threats. Policies should cover both technical and non-technical controls. Policies should address passwords and MFA. Policy should also cover cybersecurity training.

Policy is important to reducing risk in your organization.

Another thing to consider when managing risk is the computing devices and software in use. Do you let unmanaged devices or personal devices connect to corporate networks? What about having a list of approved company software rather than letting people install the latest program they heard about on TikTok? Software and operating systems should be required to have current versions and patches installed. And you should figure out a way to know what devices are on your network.

This is such an important activity for reducing risk that it is covered by the first two Critical Security Controls from the Center for Internet Security!

Yes, this should be included in policy.

A key component of risk management is cyber-insurance. Just as we have homeowners, rental, and auto insurance to reduce the amount of loss if there is an accident or theft, we have cyber-insurance to reduce our losses in the event of a cyber-attack.

Cyber-insurance can provide some financial protection to your organization in the event you experience a cyber-attack or a data breach. A useful side benefit to purchasing cyber-insurance is that the insurers generally require you to have good cyber protections in place before they will cover you.

I can’t think of any type of business that wouldn’t need to consider cyber-insurance.

Finally, you should have a plan to regularly evaluate your risk management strategies. Do this whenever there are changes to your business. Review your policies and procedures annually. Keep yourself aware of changes to the cyber-threats you may face.

The idea here is to make sure you are prepared for current and changing cyber-threats.

Cybersecurity risk should be a significant concern for you. You need to understand the threats and resulting risk, and you should develop a strategy to address them.
