Businesses today cannot be separated from their digital assets. Data drives every aspect of business, from strategic decisions to tactical operations, and all that data is stored in, accessed by, and transmitted across networked systems. Keeping cyber risks under control is a critical issue for any company.
Even small, non-tech-oriented businesses handle data, use technology, and are interconnected to other (often larger) businesses. Let’s say, for example, the business is a local cupcake bakery that runs a limited storefront in Ames, Iowa. To start, the business needs supplies. Most likely, ordering is done through an online supplier. Tracking and processing sales is probably done through a retail-specific SaaS database. Custom orders and deliveries are likely scheduled via an online calendar. Bank accounts need to be set up so that the business can pay and receive electronic payments for suppliers, partners, and employees. Chances are the bakery has a website and uses online channels for marketing, even if e-commerce is not configured.
The point is, networking, even at minimal levels, can’t be disconnected from modern-day business. The amount of connected technology and data only grows as the business does, and with every piece of tech and every megabyte of data added, cyber risk levels rise. Now, small-town bakers may not be thinking about the security and privacy risks of their customers’ data in the same way a national restaurant chain would, but they still have responsibility for protecting it and liability if they do not. Running any business is a risk; cybersecurity simply must be factored into the equation, no matter who you are and what you do.
Needless to say, cyber risk is not a static measure. New threats and vulnerabilities arise every day, changing what’s at risk and by how much. For instance, an executive who is traveling might connect their mobile phone—the same one used to access sensitive company files—to airport WiFi. The marketing team might make an unannounced purchase of automation technology into which they upload the entirety of the business’ customer records. A new vulnerability could be found in what seems to be perfectly fine software or hardware. In other words, the amount of risk a company faces can change on a dime. A one-time snapshot of risk is not sufficient to protect the business from compromise or breach. And while smaller businesses may have fewer cyber criminals targeting them, compared to larger ones, due to the volume and type of sensitive data they collect and manage, it’s also true that larger organizations with sought-after information are bound to have greater access to resources to help secure people and technology, thereby influencing risk measures.
How to Start your Cyber Risk Assessment
Before any business can determine its risk, it is necessary to understand what’s at risk. In other words, is your business a government contractor with direct or indirect access to government intelligence and state secrets, or is your business the little bakery in Ames, Iowa? The type and extent of data and technology in use are good indicators of the type of threats facing the business.
A starting point in assessing risk, therefore, is to identify key assets: What data do you have that criminals might be after? What systems are used to store, process, and access that data? Who has access to them? Larger and more sophisticated organizations will need to conduct larger and more sophisticated asset inventories of how systems, services, and applications are communicating on and across their networks, and what security controls are implemented on them.
The results of an asset inventory will help those responsible for security and risk understand what’s in scope and what needs to be prioritized. It’s important to note that prioritization is different for every business, based on its individual risk tolerance as well as the type of data and systems it manages and applicable privacy and cybersecurity regulations. What’s more, this entire process is not a one-time project; asset assessments must be continuous to reflect the current state of the organization, taking into account new data and technology added to the ecosystem that put the organization at greater or lesser risk.
Test Your Controls
For our small bakery in Iowa, testing security controls is probably outsourced to providers, though it’s important to remember that outsourcing management of security does not equal outsourcing responsibility for security. For enterprises with security and infrastructure teams, ongoing testing of controls to ensure they’re working as desired is necessary. “As desired,” though, is unique from organization to organization, based on risk tolerance. Often, stricter security controls impact performance and accessibility. Therefore, the organization might make a risk decision to place less stringent requirements for access and use onto less sensitive assets.
What’s more, both security control settings and risk tolerance are adaptive. What is appropriate or acceptable one day, month, or year may not be acceptable the next. This is because, as mentioned previously, things change all the time. New data is added to the company’s systems. Employees join and exit the organization. Technology and applications are deployed. Sometimes these ship with vulnerabilities and sometimes vulnerabilities arise while they’re in production. And the list of risks only grows from here.
These growing risks necessitates a constant OODA loop—observe, orient, decide, act. Importantly, while the company is in the first three stages of the loop, security and infrastructure teams can’t neglect action. Data and systems must be protected from threats at every stage. This is why the security of the modern enterprise is so tricky to manage—and why organizations must operate in shades of risk rather than a Draconian answer to, “Is the business secure?”
Invest in People, Processes, and Technology
There is no shortage of security technology available for purchase, but simply purchasing a supposed cutting-edge solution is not the answer to “how do I protect my assets and mitigate risk?” That said, no company—big or small—can exist in today’s cyber threat climate without tools that prevent, detect, and stop threats. This is why it is important for any company evaluating a security solution to understand how the provider-partner addresses adaptive risk. Static security controls don’t match the dynamism of today’s business needs. Tools that require tons of hands-on, manual management and oversight aren’t realistic given the amount of work security and network teams have in merely keeping systems operational and secure.
Instead, businesses should look for security provider-partners that:
- Temper cyber risk through adaptive security controls that work across environments (cloud, on-premises, container);
- Use automation and machine learning to ensure that controls are appropriate for the amount and type of security desired by each individual customer; and which
- Scale easily alongside the business, eliminating the historically arduous deployment and on-boarding schedules of many traditional security solutions.
When new security solutions to prevent and detect cyber compromise are implemented, it’s then necessary to invest in skills development and awareness. The people managing the technology must understand its capabilities and governance requirements; even best-of-breed products take a moment or two to learn. A little upfront training on proper use of the technology will go a long way in reducing risk down the road. People and processes are critical risk factors, so don’t overlook the importance of training.
Keeping Control
All businesses start out small, like our fictional cupcake bakery in Ames. Some businesses choose to stay small while others grow. Neither type of business is free from cyber threats, but both should be able to take advantage of modern technology to run their business without adding avoidable risk. In summary, you can keep your cyber risk under control with:
- Ongoing asset inventories that help determine what assets you have and how to prioritize protection;
- Security controls that reflect the needs of the business. Controls must be tested to ensure they’re functioning as desired;
- Adaptive security solutions and processes that can grow alongside your business; and
- Trained, skilled staff who have command over the environment and can make risk-based business decisions using best-of-breed cybersecurity technology.
As a business realizes success and grows, it should not have to assume preventable risk due to security controls that have to be manually configured, adapted to new environments, or that take too long to deploy, therefore introducing unnecessary vulnerabilities. So whether you’re a baker in Ames, Iowa, or an internal auditor at a big bank, cybersecurity should never be too far from your thoughts. 
Katherine Teitler is a cybersecurity speaker and writer based in Medford, Mass.