How Do You Write an Effective Cyber Risk Assessment for a Small Business?

It can be easy to think that cyber criminals have no reason to attack small businesses. But, in reality, small businesses are at a greater risk of attack as they tend to be less prepared for one. So, with that in mind, how do you write an effective cyber security risk assessment for a small business?

When creating a cyber security risk assessment for a small business, you should consider the following factors:

Identify the key cyber risks and threats to your business. Prioritise those risks in terms of how likely they are to happen to your businesses
Try to determine the potential impacts of those risks if they were to happen
Having determined risk likelihood and impact you can now decide if you wish to accept those risks as they stand (do nothing) or bring controls into play which reduce those risks, bringing them down to an acceptable level
Don’t fall into the trap of thinking that’s the job done! Risks change over time, so it makes sense to review them from time to time to ensure the control is still effective and the potential likelihood or impacts have not changed

Read on to learn more about what makes a good cyber security risk assessment and what to consider when creating one for a small business.

What Is a Good Cyber Security Plan?

A cyber security risk assessment is an organisation’s forward planning to secure its systems and data against the threat of cyber attack. It is a written document containing information detailing an organisation’s identification of cyber risks such as phishing, website defacement, unauthorised access etc., and the controls brought into play to reduce those risks. Those controls can include security policies, procedures, technical countermeasures and training.

A good cyber security risk assessment provides a clear identification of risks, and can act as a mini gap analysis of your controls, showing you where you have weaknesses/areas of improvement, focusing your resources on those areas..

What are the 5 Key Elements of a Cyber Security Plan?

To create an effective cyber security risk assessment, there are a number of factors to consider, including identifying your key risks, determining your risk appetite , and testing if your controls are effective.

Here are our top five tips on how to create a cyber security risk assessment for your small business.

Identify Key Assets, Risks and Threats

The first stage of creating a cyber security plan is to identify the assets that you want to protect, as well as the key risks and threats to your business. This information will help you to create an effective plan, perfectly tailored to your business.

Some examples of your assets might include:

Your business data, this includes things like your client data, but also your emails and calendars
Money
Intellectual property
Website
Cloud environment or on premise IT
Physical property

Prioritise These Assets

Start to think about how important your assets are to your business. Some will be more important than others, and some you could do without for longer. If, for whatever reason, you couldn’t access them, that reason could be a cyber-attack!

Think about the impact of attacks upon assets. A DDoS attack against your website (attacks which can render a website inaccessible) will have greater impact if you are an ecommerce business than if you simply have a website that is informational only.

Once you have identified the risks and threats, you then need to prioritise these risks, specifically in relation to your business. From here, you can go on to create countermeasures in order of importance.

Toi learn more about DDOS attacks, read our informative blog by clicking here.

Think About Controls

A control is a measure you bring into your business to reduce risk. Controls can be technical, such as encryption, MFA, anti-virus etc., or process based, such as a written policy telling your staff that USB sticks are not to be used. They can also be training based, such as training your users to spot phishing emails

Accepting Risks

Sometimes risks may be unlikely to happen and low impact, in such instances a business may choose to do nothing. This isn’t turning a blind eye or sticking your head into the sand, it’s an informed and considered decision.

There is always a chance that something deemed to be low risk will occur and have an impact. But not all businesses will have the resources to treat every risk. They therefore might choose to invest limited resources into controls which will mitigate the most likely risks.

Don’t Do this Once and Think That’s Job Done

Risks don’t stay static, they change overtime. Sometimes what was once an effective control might lose its efficacy. Or, there may be more effective countermeasures available to treat the risk which are new to the market.

Equally, threats change and, in the cyber-world, part of the issue is just keeping up with the ever changing threat landscape. Therefore, it’s important that risks are reviewed frequently.

That being said, “frequently” isn’t useful as a timeframe. Some best practice frameworks consider policies should be reviewed at least quarterly or, in the case of software, ensuring patches are applied within 14 days of release from a vendor.

The bottom line is things change and your risk assessment needs to keep pace with those changes to be effective.

Learn more about this process in our recent blog, How to Promote Cyber Security in the Workplace.

How Can the NEBRC Help?

The NEBRC has a policy review service, which can help you identify gaps in your policies and procedures, as well as offering training to help your staff spot those phishing emails.

It’s important to ensure that all employees are aligned with your cybersecurity plan and policies. Take the time to deliver any training required, provide resources as appropriate and regularly monitor company-wide adherence to these policies.

Furthermore we can conduct vulnerability assessments to help you identify weaknesses in your internal or external IT systems. We also have a network of partners who are experts in risk assessments and helping small businesses achieving best practice such as cyber essentials and ISO frameworks

Stay Up to Date With Cyber Security for Business With NEBRC

At NEBRC, we’re a police-led not-for-profit organisation that’s dedicated to your cyber security. We work closely with you to keep your data safe and reduce your risk of cyber attacks.

Visit our website to find out more about our Network Vulnerability Assessments, or to find out about our Web app Vulnerability Assessment to protect your website too. Or, why not sign up for our Free Core Membership, designed to provide you with relevant resources and ongoing support to improve your resilience to cyber security threats.

Cookie	Duration	Description
CookieConsent	1 year 1 month 4 days	This cookie stores the user's consent state for the current domain.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
_fbp	3 months	Facebook sets this cookie to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising after visiting the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.

Cookie	Duration	Description
lpv*	1 hour	This cookie is part of Pardot and prevents the tracking of multiple page views over a single session.
visitor_id*	1 year 1 month 4 days	Pardot sets this cookie to store a unique user ID.
visitor_id*-hash	1 year 1 month 4 days	Pardot sets this cookie to store a unique user ID.