Adjusting to current cyber security threats: assessing business risk
Since the COVID pandemic, small to mid-sized companies have significantly adjusted their business models to support remote employees with mobile capabilities. These changes have emphasized the need for improved cyber security protection and for increased employee awareness of the threats to business resilience and customer data protection. This brief report outlines three areas that businesses can use to remain cyber aware and take meaningful steps towards improving cyber security.
In the following three installments, we will cover these topics:
- Assessing the business risk appetite
- Business resilience
- Protecting the business from threats
Our goal is for businesses with limited cyber security budgets and staffing to be armed with the knowledge and framework to take action and increase their security protection.
Assessing business risk appetite: how much is too much?
Let’s start with analyzing the business risk appetite. This means understanding how much risk your organization can accept. Accepting risk can come in many forms, but in most small businesses, risk is accepted unintentionally, because leadership is avoiding or not implementing security controls. Here are a few examples:
- Not setting password standards or requiring multi-factor authentication.
- Never training employees to avoid clicking on links in phishing emails.
- Failing to use malware protection on company computers.
Some of these practices cost money, which impacts budgets that are already stretched thin at small companies. However, cyber attacks can happen to anyone, regardless of company size. Remember: it’s not if you are impacted by a cyber event, it’s when. And by that time, it’ll cost you more than the price of implementing security controls and best practices.
Using Google Workspace to secure your small business
In order to help frame this exercise, we will use the example of a small business that uses Google Workspace. This cloud-based solution provides most of the necessary business tools including email, spreadsheets, presentations, and document tools, as well as a secure place for file storage. We will also assume each employee has a laptop or tablet for work and takes those devices home in the evening or travels with them.
Identifying risks begins with establishing the systems and information you are protecting. This works best as a collaborative effort with various areas of the business.
For a more detailed standard, the National Institute of Standards and Technology has created the NIST Cybersecurity standard. It provides a much more in-depth set of guidelines; however, they can be complex. Here is a loose framework of questions and answers to organize the information the NIST Cybersecurity standard asks for.
| Example questions | Example answers to these questions |
|---|---|
| What is the information that the business needs to protect? | Customer records such as name, email, phone, address, sales data. |
| What are the systems that hold that information? | Google Workspace, emails, Google Drive storage, and local laptops of employees. |
| Who are the people that access the sensitive information? | Customer support, marketing, an external vendor for analytics, sales staff. |
| Specifically where is the information stored, transmitted, and processed? | Google Drive in “Folder X”. Laptops in the desktop folder. Information is received in email and stored. Information is uploaded to the marketing website. Information is processed for email campaigns. |
Organizations want to collect customer information and need a secure place to store it. But access to this “secure place” can create risk. Some companies allow ALL employees to access that information; while convenient, this greatly increases the risk of a data breach. There are security processes and specialized applications that protect customer information and other sensitive data, like company secrets. Knowing what you hold, where it lives, and who touches it is how your business can begin defining which cyber security controls it needs.
Establishing security policies that align with your business’s appetite for risk
The final step in assessing your appetite for risk is to define standards that protect the company. These standards state how much security the organization needs and become the policies that limit risks which could destroy the business.
| Systems and information requiring protection | Examples of standards to secure the business |
|---|---|
| Customer records such as name, email, phone, address, sales data. | The business will protect all customer data by securing information from unauthorized access. |
| Sensitive information is stored in Google Workspace, found in emails, Google Drive storage, and local laptops of employees. | Always assign the least amount of access that is required for your users. This is called the principle of least access. |
| Customer support, marketing, an external vendor for analytics, sales staff. | Each authorized user of company systems must be provided a unique user ID and password. No user should share credentials to access company information. Users must always protect company information in their care. Never leave systems unattended without locking access to the system. Users must protect their credentials from theft or loss and be aware of security risks associated with accessing company systems. |
| Google Drive in “Folder X”. Laptops in the desktop folder. Information is received in email and stored. Information is uploaded to the marketing website. Information is processed for email campaigns. | A centralized administrator should manage access to sensitive information. Companies should avoid allowing general users to manage access without strict guidelines and training. All access must be approved by the system and information owner prior to granting access. All vendors and contractors with access to company sensitive information must be contractually bound to follow industry security standards (protecting information and personally identifiable information). |
This is not an exhaustive list. Other policy statements should be made. However, this is how a business can begin to mature its cyber security program. Start documenting the security items that are important to you.
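To show what the access standards in the table above look like when checked in practice, here is an added Python example. It is not code from the original article and does not call the Google Workspace API; it reviews a constructed sharing inventory for “Folder X” against an owner-approved access list and a register of vendors with signed security clauses. The folder name, email addresses, domains and vendor register are all constructed. The permission vocabulary (grantee types user, group, domain and anyone; roles reader, commenter, writer and owner) follows the Google Drive permission model, but the data is embedded inline so the review runs offline.

```python
"""Least-access review of a constructed Drive sharing inventory.

Added example, not part of the original article. Every address, domain and
folder below is constructed; the type/role names mirror Google Drive's
permission model but nothing here talks to Google.
"""
from dataclasses import dataclass

COMPANY_DOMAIN = "example.com"                   # constructed company domain
CONTRACTED_VENDOR_DOMAINS = {"vendor.example"}   # vendors with a signed security clause (constructed)

# Roles ordered by power; a granted role above the approved one is excess access.
ROLE_RANK = {"reader": 1, "commenter": 2, "writer": 3, "owner": 4}


@dataclass(frozen=True)
class Permission:
    folder: str    # sensitive location from the information inventory
    grantee: str   # email address, group address, domain, or "anyone"
    ptype: str     # "user", "group", "domain" or "anyone"
    role: str      # "reader", "commenter", "writer" or "owner"


# Access the information owner approved, keyed by (folder, grantee) -> maximum role.
APPROVED = {
    ("Folder X", "owner@example.com"): "owner",
    ("Folder X", "support@example.com"): "reader",
    ("Folder X", "marketing@example.com"): "reader",
    ("Folder X", "analytics@vendor.example"): "reader",
    ("Folder X", "former-employee@example.com"): "reader",  # approval never revoked
}

# Constructed snapshot of how the folder is actually shared today.
CURRENT_SHARES = [
    Permission("Folder X", "owner@example.com", "user", "owner"),
    Permission("Folder X", "support@example.com", "group", "reader"),
    Permission("Folder X", "marketing@example.com", "group", "writer"),      # more than approved
    Permission("Folder X", "analytics@vendor.example", "user", "reader"),    # contracted vendor
    Permission("Folder X", "example.com", "domain", "reader"),               # every employee
    Permission("Folder X", "anyone", "anyone", "reader"),                    # link sharing
    Permission("Folder X", "intern@example.com", "user", "reader"),          # never approved
    Permission("Folder X", "freelancer@mail.example", "user", "writer"),     # unapproved, no contract
]


def grantee_domain(grantee: str) -> str:
    """Domain part of an address; a bare domain is returned unchanged."""
    return grantee.rsplit("@", 1)[-1]


def review(shares, approved, company_domain=COMPANY_DOMAIN,
           contracted=CONTRACTED_VENDOR_DOMAINS):
    """Return (grantee, reason) pairs for every share that breaks the standards."""
    findings = []
    for p in shares:
        if p.ptype == "anyone":
            findings.append((p.grantee, "anyone-with-the-link sharing on a sensitive folder"))
            continue
        if p.ptype == "domain":
            findings.append((p.grantee, "domain-wide sharing gives every employee access"))
            continue
        approved_role = approved.get((p.folder, p.grantee))
        if approved_role is None:
            findings.append((p.grantee, "no owner approval on record"))
        elif ROLE_RANK[p.role] > ROLE_RANK[approved_role]:
            findings.append((p.grantee, f"role '{p.role}' exceeds approved '{approved_role}'"))
        domain = grantee_domain(p.grantee)
        if domain != company_domain and domain not in contracted:
            findings.append((p.grantee, "external party without a security contract"))
    return findings


def stale_approvals(shares, approved):
    """Approved entries with no matching share: the approval list needs cleanup too."""
    present = {(p.folder, p.grantee) for p in shares}
    return sorted(key for key in approved if key not in present)


if __name__ == "__main__":
    for grantee, reason in review(CURRENT_SHARES, APPROVED):
        print(f"{grantee:30} {reason}")
    for folder, grantee in stale_approvals(CURRENT_SHARES, APPROVED):
        print(f"stale approval: {grantee} on {folder}")
```

Running the review against this snapshot flags the domain-wide and link shares, the marketing group's writer role, the intern with no approval, and the freelancer twice (no approval and no contract), while the contracted analytics vendor passes because the approval and contract are both on record. The stale-approval pass catches the other direction: an approval that outlived the share, which is where a centralized administrator would start the cleanup.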
With a little bit of planning, small steps can significantly reduce your business’s risk. For more information about how to continue this process with in-depth and highly effective cyber controls, let’s connect.
Next, we will focus on establishing business resiliency in the cloud for small businesses.