by Nathan White, VP of Client Services
According to the 2017 State of Cybersecurity Metrics Annual Report released in July by cybersecurity firm Thycotic, SMBs are targeted in two-thirds of all cybersecurity attacks. It’s a scary statistic. But it suggests an important question that not enough SMBs are thinking about: Does your SMB have an IT risk assessment?
According to the report, over one-third of all companies admit they don’t have enough information to make a strategic decision about protecting their company from cybersecurity risks. They are making those decisions blindly, and that points to a breakdown when it’s time to assess IT risks.
What is an IT Risk Assessment?
Many small businesses may assume that because they don’t have an IT department, they don’t need an IT risk assessment. Nothing could be further from the truth. It’s because many SMBs don’t have full-time IT departments that they become targets, and that makes it vitally important for you to conduct regular tech risk assessments.
So, what is a tech assessment? In a simple definition, it’s a detailed examination of all the technology you have associated with any aspect of operations for your business. It uncovers any weaknesses or vulnerabilities in your existing technology and then prioritizes those risks by impact. Finally, your IT risk assessment outlines a mitigation plan to guide you in implementing the proper security to address and prevent the threats uncovered by the assessment.
Tech assessments look closely at three general categories:
- Assets: This is an inventory of the equipment, software, and configurations that make up your IT infrastructure. It can include:
  - Telecommunications systems
- Threats: Every business has circumstances specific to its markets that make it an attractive target. The threats section of an IT assessment looks at those threats and how they can impact your business. For example, a bank will have different threats than a restaurant or a physician’s practice.
- Vulnerabilities: The vulnerability assessment looks at all the ways your company could be compromised or exploited. This includes weaknesses in your equipment, infrastructure, operating systems, firmware, patches and patching programs, configuration files, software, and policies.
IT risk assessments look not only at external cybersecurity risks but also at internal risks such as disgruntled employees or former employees, and at both man-made and natural disasters like fire, tornadoes, hurricanes, and floods.
Why SMBs Can’t Afford NOT to Assess IT Risks
If a risk assessment sounds like a lot of work, that’s because it is. However, it’s work performed now that will save your business from disaster in the long run. Consider these statistics:
- 4 out of 5 companies don’t know where their most sensitive information is stored or how securely it’s protected. (Thycotic)
- 4,000 small businesses a day fall victim to cyberattacks. (IBM)
- The direct costs for a cyberattack could be $38,000 or more, and that’s before indirect costs such as the damage to your relationships with customers. (Department of Homeland Security)
- Downtime alone can cost a small business $8,600 per hour or more. (Aberdeen)
- About half of all SMBs have experienced a data breach in the last 12 months, and more than half have experienced a cyberattack. (Ponemon)
SMB IT assessments are no longer an option. The cybersecurity climate of today’s world alone should be enough to scare you into conducting a tech assessment, but if cybersecurity isn’t enough, consider all the other things that could go wrong. Are you prepared? How long would it take you to be back up and running?
If you haven’t conducted an IT assessment, do it today. Schedule the time to review all the technologies you leverage to keep your business running. At least then you’ll know what your IT risks look like, and you can build a plan to mitigate those risks and gain peace of mind knowing your business (and your customers) are covered in the event that something goes wrong.