Why should a small business conduct a cybersecurity risk assessment? For a number of years, small businesses were governed by a myth that hackers and cyber criminals were simply not interested in them. Unfortunately, the opposite holds true. Small business typically lack on-staff security staff and technical IT controls to safeguard the information they hold. Given this limitation, hackers know that they can easily extract the data and digitally cover their tracks after hijacking the data from a small business. Ponemon Institute conducted a study with thousands of SMB respondents in November of 2018. The study suggests 67 percent experiencing a cyber attack. A data breach in the last 12 months was observed by 58 percent.
Almost all small businesses have credit card information. Bad actors can quickly monetize information underground. This occurs almost near real-time after a credit card breach occurs. In 2006, Visa and MasterCard established requirements for businesses that process credit cards. The standard is known as Payment Card Industry Data Security Standard (PCI-DSS). This body is empowered to levy huge fines against entities that breach credit card data.
Other small businesses may have personally identifiable information (PII) or personal health information (PHI). Hard copies and electronic formats are in-scope. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to provide data security standards for PHI and ePHI. The Office of Civil Rights is the governing body. They are currently moving swiftly to include PII to their privacy and oversight protection. Like PCI-DSS, HIPAA authorities can fine breached organizations up to $1.5M per violation. The fine is separate from lawsuit fees. And, it does not cover the cost to recover the business. let’s not forget about the cost of identity protection for impacted individuals.
Purpose of the Risk Assessment
The purpose of the risk assessment is to remove the guesswork and uncertainty. Businesses need to know where and how to deploy capital to protect technology assets from a cybersecurity attack. The risk assessment will align with a security framework. The two the work best for SMBs are the Center for Internet Security (CIS) or the National Institute of Science and Technology (NIST). SMBs tend to use CIS, and SMEs typically select the NIST framework. Both of these security frameworks will deploy a risk assessment process that will:
-Identify the network, computer, software vulnerabilities and risks
-Analyze the network, computer, software vulnerabilities and risks
-Evaluate the network, computer, software vulnerabilities and risks
-Prioritize the removal of network, computer, software vulnerabilities and risks
A detailed security plan will be delivered upon completion of the risk assessment. The security plan will enumerate the steps required to secure the business. To avoid wasting time, effort and resources, partner with Cyber Security Experts. Cyber Security Experts provide a free consultation. The pricing model is transparent and affordable. Our goal is to help small businesses keep their digital IDs and underlying technology safe and secure.
For more information about our risk assessment practice, click here.