During my cybersecurity consultations with owners and leaders in small businesses, the initial discussions generally center around five topics. The order in which they’re introduced isn’t intended to imply any relative importance but instead represents a conversational flow as we walk through an abbreviated initial risk assessment and get into some of the common first steps in implementing a small business security program.
- Information. What types of information is the business generating, collecting or storing? These could be customer lists, inventories, recipes or other methods of production, banking records, emails, receipts or other data used to support the business.
- Importance. When understanding the information’s importance there are (at least) three scenarios to consider:
  - What harm would come if the data were to become public?
  - What would be the impact if the information were corrupted or somehow made incorrect?
  - What would be the consequences if this information became inaccessible?
- Systems. What technology (high-tech, low-tech or even no-tech) touches the business’ information? PCs, Macs, point-of-sale equipment, mobile devices, website platforms—even filing cabinets and manual systems should be included.
- Threats. When considering the various types of identified information, what dangers threaten it? Theft, disclosure, information alteration (whether intentional or accidental) and information destruction (whether intentional or accidental) are some of the threats to be considered. It’s also important to take into account known or potential vulnerabilities of the systems involved.
- Responses. Through these conversations, some priorities should emerge and these will likely drive next steps. They may include training personnel, developing procedures, changing information access, procuring anti-malware, addressing backups, implementing updates and using encryption.

I’ve found that most small business owners and leaders understand the importance of improving their security posture but don’t feel they have the resources, knowledge or time to tackle the project. One of my aims as a cybersecurity consultant to small businesses is to provide them with what they need to be confident in moving forward.