Insurance Business America reports that 41% of small businesses were victims of cyber attacks in 2023, which is an increase from 39% in 2022 (and close to double the number from 2021, which was 22%). The report further reveals that phishing is still the primary point of vulnerability and means of entering a company’s infrastructure, but other areas of weakness include unpatched servers/VPNs, and credential theft.
People are more aware of the dangers of cyber attacks, but on the “flip side” of that realization is the role that Artificial Intelligence (AI) can play in phishing and other attacks. It was easier to recognize scam hacking attempts in the past because of faulty punctuation, grammar, and sentence structure, but AI and ChatGPT have succeeded in making these bogus emails seem more believable.
The report further revealed that 59% of small businesses don’t use security awareness training and 43% of the surveyed companies don’t have network-based firewalls.
You could conclude that while businesses have become more aware of the risks of cyber attacks, we still have a long way to go. This should serve as a reminder to every business owner of the importance of performing risk assessments to determine your network’s vulnerability – and, more importantly, to take the necessary steps to protect your organization’s infrastructure.
What is a cybersecurity risk assessment?
IBM describes a cybersecurity risk assessment as “a systematic process for identifying, evaluating, and prioritizing potential threats and vulnerabilities within an organization’s information technology (IT) environment.”
An assessment should identify weaknesses and provide recommendations for correcting these vulnerabilities.
It begins with:
- Identifying what the critical assets are in your infrastructure: hardware, software, sensitive data, and the IT infrastructure
- Cataloging what the potential threats are to an organization (keeping in mind that these potential threats can expand almost daily). The cataloging of these threats would include (but not necessarily be limited to):
  - Malware and ransomware, the results of which can range from gathering of information up to disruption and/or destruction of the infrastructure
  - Phishing and other forms of social engineering
  - Outside hackers
  - Internal threats (such as a disgruntled former employee who may know access codes), and the threat of harm from a natural disaster or other act, such as a power surge or power loss
  - Weak passwords
  - Outdated software and unsecured networks
The assessment continues with:
- Evaluating what the potential risks are from each identified threat. As one example, statistics repeatedly stress that human error is a large factor in cyber intrusions, so one way of determining the level of risk might be to evaluate the ongoing security training that the company provides: is a phisher likely to succeed with minimally trained employees? Evaluate the risk to the organization for each asset.
- Mitigation and control of risks: The process includes developing strategies and plans to address any threats that are deemed significant. This could be part of a cybersecurity plan, and it could also be developing security controls that could mitigate or eliminate the threat.
- Constant monitoring and reviewing: An organization should never be lulled into a false sense of security by thinking that once a risk assessment has been completed, problem areas identified, and solutions proposed, its work is done. Remember that hackers basically don’t take vacations. Establish and follow through on a regular system of monitoring. Watch for software, patch, and system updates and implement them faithfully.
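The steps above (identify assets, catalog threats, evaluate risk, apply controls, review) are usually captured in a risk register. The following Python script is an added example, not part of the original article and not a tool from IBM or any assessment vendor: it rates each asset/threat pair on an assumed 1 to 5 likelihood and impact scale, scores inherent risk as likelihood times impact, subtracts the effect of controls already in place to get residual risk, and ranks the result so the highest residual risks are handled first. The scales, thresholds, control effects and the sample scenarios are all constructed for illustration.

```python
"""Toy cybersecurity risk register (constructed example, not a standard).

Each scenario pairs an asset with a threat, rates likelihood and impact on a
1-5 scale, scores inherent risk as likelihood x impact, applies the controls
already in place to get residual risk, and ranks the result so that the
highest residual risks are addressed first. Scales, thresholds and the
control effects below are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    reduces: str      # "likelihood" or "impact"
    points: int       # how many scale points the control removes (assumed)


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    controls: tuple   # Control instances already implemented


@dataclass(frozen=True)
class Result:
    asset: str
    threat: str
    inherent: int
    residual: int
    level: str


def clamp(value):
    """Keep a rating on the 1..5 scale: controls reduce risk, never erase it."""
    return max(1, min(5, value))


def classify(score):
    """Map a 1..25 score to a qualitative level (thresholds are assumptions)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(scenario):
    """Compute inherent and residual risk for one asset/threat pair."""
    inherent = scenario.likelihood * scenario.impact
    likelihood = scenario.likelihood
    impact = scenario.impact
    for control in scenario.controls:
        if control.reduces == "likelihood":
            likelihood -= control.points
        elif control.reduces == "impact":
            impact -= control.points
        else:
            raise ValueError(f"unknown control type: {control.reduces}")
    residual = clamp(likelihood) * clamp(impact)
    return Result(scenario.asset, scenario.threat, inherent, residual, classify(residual))


def build_register(scenarios):
    """Assess every scenario and return them ranked, highest residual risk first."""
    results = [assess(s) for s in scenarios]
    return sorted(results, key=lambda r: (-r.residual, -r.inherent, r.asset))


# Constructed sample register for a small business (all values are illustrative).
TRAINING = Control("security awareness training", "likelihood", 1)
MFA = Control("multi-factor authentication", "likelihood", 2)
FIREWALL = Control("network firewall", "likelihood", 2)
BACKUPS = Control("offline backups", "impact", 2)
PATCHING = Control("monthly patch cycle", "likelihood", 2)

SAMPLE_SCENARIOS = (
    Scenario("customer database", "phishing / credential theft", 5, 5, (TRAINING, MFA)),
    Scenario("file server", "ransomware", 4, 5, (BACKUPS,)),
    Scenario("VPN gateway", "exploitation of unpatched service", 4, 4, ()),
    Scenario("internal network", "unauthorized external access", 3, 4, (FIREWALL,)),
    Scenario("office workstations", "outdated software", 3, 2, (PATCHING,)),
)

if __name__ == "__main__":
    for r in build_register(SAMPLE_SCENARIOS):
        print(f"{r.level:6} residual={r.residual:2} inherent={r.inherent:2} "
              f"{r.asset}: {r.threat}")
```

Running the script ranks the unpatched VPN gateway first even though the customer database has the highest inherent score, because the database already has training and MFA in place while the gateway has no controls at all. That is the point of separating inherent from residual risk: the register tells you where the next control buys the most, and re-running it after each patch cycle or new control is the "constant monitoring and reviewing" step in practice.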
The cybersecurity risk assessment team—which may be an external cybersecurity partner—will use a number of tools to conduct and complete the risk assessment. These include penetration testing, along with external attack surface management tools, security monitoring and incident response tools, and compliance software.
When To Get An Assessment
Getting a risk assessment done for your company is too important a step to delay. Business.com says it this way: “Your sensitive customer data and intellectual property are under constant threat from cyber attackers. If they successfully manage to download their malware onto your IT network, they could shut it down and stop you from doing business.” Even if your company has internal IT resources, when it comes to security, it makes sense to have a conversation with a Managed Services Provider to be sure that you are doing everything you can to protect your network and company against outside intrusions. You’ve worked hard to get where you are; don’t you owe it to yourself to see that your company has the best protection possible? For a no-obligation conversation, please give us a call or visit our website.