To begin building an SMB Cybersecurity Plan, businesses need to conduct an assessment to determine what should be protected. Security incidents and breaches among SMBs are on the rise. According to Thycotic’s 2017 State of Cybersecurity Metrics Annual Report, SMBs are the target in two-thirds of all cybersecurity attacks. And when attacks are successful and become incidents or breaches, SMBs are financially impacted and can also suffer irreparable reputation damage.

To protect your SMB, you need a cybersecurity plan: something that accounts for evolving risks and threats, and outlines how your organization will respond. But you can’t protect what you don’t know exists. Today’s SMBs rely heavily on computers, wireless networks, software and applications, and data, but many don’t even know what they’re protecting, or they assume the responsibility for protection falls to someone else. For example, an SMB may assume that the only thing they need to worry about is the five computers used by the owner and employees.

What you might not be taking into consideration in that scenario is the network that connects those computers together, maybe a server or old desktop used to store files and backups, the mobile devices—like personal mobile phones and tablets or computers—that are connected to your wireless network, and the data that is stored on all those devices. Each one of those devices represents a risk, and the SMB is responsible for ensuring those risks are addressed. This is why the first step in creating an SMB cybersecurity plan must be to conduct inventories and assessments.

Understanding Security Assessments

Aside from needing a physical inventory of the devices that are part of your IT infrastructure, security assessments dig deeper into all your business assets, including:

  • Hardware
  • Software and Applications
  • People
  • Company Data
  • Intellectual Assets
  • Customer Data

However, assessments go beyond an accounting of these assets to discover vulnerabilities and weaknesses in your existing environment. An assessment also helps you determine your tolerance for risk, prioritize which threats are most critical, and outline a framework for mitigating risks.

Insight Gained Through Assessment

We’ve put together a 15-question SMB Cybersecurity Self-Assessment to help you understand how at risk your SMB may be. The questions are all Yes or No and we’ve included a simple scoring system. The assessment isn’t comprehensive, but should get you thinking about the cybersecurity needs of your SMB. Once you’ve answered the questions in the self-assessment and seen your score, here are some additional questions to consider:

  • What are your critical systems; the systems that would be most damaging if they were unavailable for any length of time? How are those protected? Do you have a recovery plan to get those systems back online ASAP?
  • What data do you have that could be attractive to cybercriminals? Consider employee data, customer data, payment information, and corporate financial data or intellectual assets. What repercussions would your SMB suffer if that data was compromised?
  • Who has access to your company network and the data on that network? Do you control what those users have access to?
  • How quickly and appropriately could you respond to a cybersecurity incident like ransomware or other types of malware, or a security breach?

A full cybersecurity assessment digs deeper into these areas and many others to help you learn where and how your SMB is at risk and what needs to be done to protect against those risks. There are many resources online to help you self-assess your cybersecurity preparedness, including resources associated with the Cybersecurity Framework from NIST. However, if you’re not sure a self-assessment is the right option, Advanced Network Solutions is happy to assist you.