“Nothing ventured, nothing gained.” – Geoffrey Chaucer
These words should be engraved about the front door to every business around the world. Considering that half of all small to medium-sized (SMB) businesses shutter their doors within the first five years, the nothing ventured part of that saying seems to imply that running an SMB is a risky undertaking. This raises a very important question:
What are you doing to manage those risks?
Whether your business is a sole proprietorship or one of the companies vying for a top 10 spot on the Fortune 500 list, the principles of risk management remain the same. Every business owner should be able to answer the following three (3) questions:
- What are the risks that threaten the livelihood of my business?
- How can I mitigate those risks?
- Are the mitigation costs worth the investment?
Chances are that you’re already managing risk as part of your daily routine. Maybe you’re investing resources in marketing, sales, and account management in order to ensure that your business is gaining more customers than it is losing. Maybe you’re constantly adjusting your pricing model in order to ensure that your Accounts Receivable is greater than your Accounts Payable. For many business owners, this day-to-day risk management is second nature.
One area of risk management that is easy to overlook, however, is risk management for information systems.
SMB’s engage their customers via email and social media, marketing and selling products and services via ecommerce websites. These same businesses use computers for back office functions, and many of them permit employees to bring personal smartphones and laptops into the office to connect to the company wireless network. With this in mind, we should rephrase our earlier question:
What are you doing to manage those risks related to information systems?
The National Institute of Standards and Technology (NIST) maintains a 55-page guide on how to perform risk assessments on information systems. The NIST approach to risk assessments relies on calculating risk values using the following equation:
Risk = Threat * Vulnerability * Asset
This equation enables business owners to assign a monetary value to each risk by identifying the likelihood of threat impacting the business, the impact of the vulnerability that the threat would exploit, and the value of the asset impacted. Traditionally, likelihood and impact are scored on a scale of 1 (least) to 5 (greatest), although the asset value with vary from company to company.
For example, let’s suppose you permit employees to connect mobile devices (smartphones and tablets) to your company email server and to your internal wireless network. You could calculate the risk as follows:
- One threat is a lost or stolen device that ends up in the wrong hands. This scenario could result in an unauthorized outsider with access to both company email and possibly to the internal network.
- A few vulnerabilities that could increase this risk are the lack of a passcode, the inability to remotely wipe the device, and the lack of device encryption.
- The asset isn’t the device itself. The asset is really the data stored on the device and the access that the device has to the internal network.
By repeating this process for all of the information systems relevant to your business, you’ll be able to determine how much you should invest in controls to mitigate those risks. More importantly, you’ll be able to prioritize the risks to determine which controls you should implement first. We refer to this process as risk mitigation.
NIST recommends a number of options for risk mitigation. You can choose to assume the risk (accept it), avoid it (eliminate the risky process or system), limit it (implement compensating controls), or transfer it (buy cyber liability insurance). It is the responsibility of your Information Security Steering Committee to determine which action your business will take with regards to each risk. More importantly, you need to document who is responsible for addressing the risks, how the risks will be addressed, and when the work is to be done. This document will ultimately become your risk mitigation plan.
Other scenarios that you may want to consider during your risk assessment:
- A terminated employee has company data on her personal smartphone.
- A competitor hires an attacker to launch a distributed denial of service (DDoS) attack against your ecommerce website.
- A developer makes an unauthorized change to the website that breaks the order processing functionality.
- An attacker discovers a flaw in your web application and is able to download your customer credit card information.
To recap, you need to integrate risk management for information systems into your business plan. At a minimum, every business owner should do the following:
- Perform a risk assessment for your information systems (at least annually)
- Document your risk mitigation plan
- Consult with your lawyer about the value of cyber liability insurance
Need more information on information security basics for small and medium-sized businesses? Head on over to Infosec Simplified.