In this article, I'll explain why managing the online risks to your key information assets is vital for your small business. I'll give you the hard facts, explain the options and give you a simple risk framework that you can apply to your business.
The cyber threat to small businesses has never been greater than now and the financial livelihoods of small business owners could be severely impacted by a cyber-attack.
Hey, it's John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber, where I help small business owners get to grips with cyber risk. This short article series about cyber risk and cyber insurance will help you prepare for an incident and keep your small business and your people safe.
Now, today, in article number four of the series, I ask "why is managing online risk vital for your small business". Make sure you read to the end because I'm also going to share some very interesting findings from a UK 2022 government report on cyber risk that you won't want to miss.
I'll begin by talking about some disturbing facts about cyber risk to set the context. Then, I'll explain what the options are for treating any risk in your business. I'll explain the idea of gross risk and net risk and then I'll show you how to apply that to your key information assets. And finally, I'll finish with an example using the fictional firm of accountants, ABC Accountants. As you read this content, please bear in mind the thoughts of Robert Mueller, the former FBI director who said: "There are only two types of companies, those that have been hacked, and those that will
Some Disturbing Facts
Let's begin with some disturbing facts from UK-published reports on cyber risk that we really need to consider.
- The first fact is that 48% of SMEs have suffered a cyber incident in the last 12 months. This comes from the Hiscox Cyber Readiness Report 2022. So that's almost half of businesses, of all sizes, suffering a cyber attack in the last 12 months.
- The second fact often shown in reports is that 60% of SMEs don't survive more than six months after a cyber incident. So, for these companies, a cyber incident is a catastrophe, and the majority of small companies don't recover from a serious cyber attack.
- And the final disturbing fact, again from the Hiscox Cyber Readiness Report 2022, is that 20% of companies that were attacked reported that the impact of the incident threatened their solvency. In other words, a cyber-attack threatened the very existence and continued solvency of the company.
Risk Treatment Options
Next, let's consider the options available for risk treatment in
- The first choice is to avoid the risk entirely. We always have the choice not to do things and therefore we would avoid risk to our key information assets. However, avoiding risk is a drastic approach, because with risk comes the prospect of return, and risk is a normal part of any business. So, the issue is - do we choose to avoid certain risks because they are not within our risk tolerance as a business?
- Our second option is to reduce or mitigate the risk. We would do that by implementing controls. Generally, small businesses begin with technology controls, however, not much is usually done to reduce or mitigate people risk or governance risk, at least in the beginning.
- The third option is to accept the risk. We can accept and manage the residual risk or the risk that remains after we have applied our controls.
- The fourth option is to transfer the risk. Now, small companies usually practice risk transfer using insurance and therefore the insurance company takes the risk involved. In the case of cyber risk, a cyber insurance policy would be the mechanism for risk transfer. Another type of risk transfer is a contract. However, small companies generally don't have the power to transfer risk using contractual provisions.
These are the options that exist for the treatment of risk to your key information assets.
Risk Treatment Process
The process that companies go through when considering how to treat risk begins with considering gross risk or inherent risk. So, "what is the gross risk to your asset arising from your business?" After applying controls, we consider the net risk or residual risk. And then the decision needs to be made about risk transfer. The decision time comes when we either retain the risk or transfer it to an insurance company. But how do we decide what the gross risk is to our key information assets? Well, the usual process is:
- First of all, we consider the threat – what are the threats to which the asset is exposed?
- Next, what are the vulnerabilities that we have in the asset?
- Next, what would be the impact or the severity if the vulnerability was to be exploited by a cybercriminal?
- Then we consider - what's the likelihood of that happening?
- And taking all of that together gives us some idea of the inherent or gross risk.
Then we consider the net risk by asking:
- What are the controls that we have around the information asset? There could be operational controls, or technical or technology controls.
- We then consider - what's the effectiveness of the controls that we have in place?
- And that gives us a measure of the residual risk.
As an example of how the process works in practice, we could use the key information asset of our website. First, the threat to our website would be a criminal hack, which is a very obvious threat. The vulnerability could be that we are not using an SSL certificate on our website traffic. The impact of our website being hacked could be severe, as we're accepting payments for our goods through the website. And the likelihood of this happening is high if we have not put the right controls in place. So, this would give us a measure of our inherent or gross risk. We might apply a grade such as “high” to the gross risk.
Then we move on to consider the controls that we have in place over the website; they could be operational controls, such as having a third party contracted to maintain the site, or they could be technology controls. We then consider how effective the control structure is. And finally, that gives us a measure of our residual or net risk. Again, we might apply a grade such as “medium” to the net risk.
And then we know what the risk to this key information asset really is. This is the methodology for coming up with a rating of our gross and net risk for our key information assets.
Now we get to the Case Study, ABC Accountants. In step one, ABC will have assessed its risk and in step two reduced this risk, and now it will get to make a risk transfer decision. However, first, it must establish the gross risk for each of its information assets.
This firm has decided that technology is rated "high", people risk is rated "high" and governance risk is rated "high" at a gross or inherent level. At the net risk or residual risk level after controls, technology is rated "medium", people risk is still "high" and governance risk is still "high". So overall, ABC is saying that its net risk or residual risk is "high".
The analysis shows a high cyber risk level and a material gap in the preparedness for a cyber attack because there is no plan in place. The decision then by the board is to investigate cyber insurance and arrange a meeting with the insurance broker to discuss its concerns. A proposal form is completed, additional information is provided, and quotations are received for cyber insurance from insurers. A decision is made on whether to transfer the risk or not. This is how risk transfer happens in most companies.
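As an added illustration of the gross-risk / net-risk method described under "Risk Treatment Process" and of the ABC Accountants ratings above, here is a small Python risk register that carries the method through in code. It is not the article's or Surviving Cyber's own tool: the 1-3 grading of likelihood and impact, the 1-9 score bands, and every control effectiveness figure are assumptions chosen so that the output reproduces the grades the article quotes (website: gross "high", net "medium"; ABC: technology "high" to "medium", people and governance still "high"). The threats, vulnerabilities and controls listed for ABC's three risk domains are constructed sample entries, not from the article.

```python
"""Worked risk-register example for the gross / net risk method.

Added illustration, not the article's or Surviving Cyber's own tool.
Scoring scheme (an assumption, not the article's): likelihood and impact are
graded 1-3 (low/medium/high), gross score = likelihood x impact, each control
reduces either the likelihood (preventive) or the impact (recovery) by its
estimated effectiveness (0.0-1.0), and a score is banded as low (<3),
medium (3 to <6) or high (>=6).
"""
from dataclasses import dataclass, field

GRADE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    name: str
    reduces: str          # "likelihood" (preventive) or "impact" (recovery)
    effectiveness: float  # 0.0 = no effect, 1.0 = removes that factor entirely


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    impact: str           # "low" / "medium" / "high"
    likelihood: str       # "low" / "medium" / "high"
    controls: list = field(default_factory=list)


def band(score: float) -> str:
    """Map a 1-9 score back onto the article's low/medium/high grades."""
    if score < 3:
        return "low"
    if score < 6:
        return "medium"
    return "high"


def _residual(level: int, controls, kind: str) -> float:
    """Apply every control of one kind; their effects combine multiplicatively."""
    factor = 1.0
    for c in controls:
        if c.reduces == kind:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must be between 0 and 1")
            factor *= 1.0 - c.effectiveness
    return level * factor


def assess(entry: RiskEntry) -> dict:
    """Gross risk from impact x likelihood, then net risk after the controls."""
    gross_l, gross_i = GRADE[entry.likelihood], GRADE[entry.impact]
    gross = gross_l * gross_i
    net_l = _residual(gross_l, entry.controls, "likelihood")
    net_i = _residual(gross_i, entry.controls, "impact")
    net = net_l * net_i
    return {"asset": entry.asset, "gross_score": gross, "gross": band(gross),
            "net_score": round(net, 2), "net": band(net)}


def overall(results) -> str:
    """The firm's overall rating is its worst net rating across all entries."""
    return max((r["net"] for r in results), key=GRADE.get)


# The article's website example: gross "high", one operational control, net "medium".
# The 0.6 effectiveness figure is an assumption.
WEBSITE = RiskEntry(
    asset="company website (takes card payments)",
    threat="criminal hack",
    vulnerability="no SSL certificate on website traffic",
    impact="high", likelihood="high",
    controls=[Control("third party contracted to maintain the site", "likelihood", 0.6)],
)

# ABC Accountants: constructed entries whose controls reproduce the article's
# ratings (technology high -> medium, people high -> high, governance high -> high).
ABC = [
    RiskEntry("technology", "malware / ransomware", "unpatched endpoints", "high", "high",
              [Control("managed patching and endpoint protection", "likelihood", 0.5),
               Control("offline backups, restore tested quarterly", "impact", 0.3)]),
    RiskEntry("people", "phishing", "no staff awareness training", "high", "high",
              [Control("email filtering", "likelihood", 0.2)]),
    RiskEntry("governance", "uncoordinated incident response", "no incident plan in place",
              "high", "high", []),
]

if __name__ == "__main__":
    print(assess(WEBSITE))
    results = [assess(e) for e in ABC]
    for r in results:
        print(f"{r['asset']:<12} gross={r['gross']:<7} net={r['net']}")
    print("ABC overall net risk:", overall(results))
```

Two design points are worth noting. Controls are attached to either likelihood or impact, because a patching regime and a tested backup do different jobs: one makes the incident less likely, the other makes it less severe, and a register that lumps them together overstates what either achieves. And the overall rating is the worst domain, not an average, which is why ABC's strong technology controls do not lift the firm out of "high" while its people and governance risks are untreated.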
UK Cyber Security Breaches Survey 2022
Earlier in the article, I said that I was also going to share some findings from a UK government report on cyber risk, the UK Cyber Security Breaches Survey 2022. So here are those findings.
- 54% of businesses have acted in the last 12 months to identify their cybersecurity risks. This is encouraging. Security monitoring tools were the most common responses used and that makes sense as people are looking for problems in their IT network. In the last 12 months, 32% of small and micro businesses have done some form of cyber risk assessment. However, only half that number, 16%, have carried out staff or awareness training. This is a pity because many cyber incidents begin with people and lack of training is a major problem for small and micro companies.
- 22% of small and micro businesses have a formal cybersecurity strategy, meaning that they have a document that brings together their policies and procedures, and 39% use an outsourced cybersecurity provider. This is to be expected when small companies have limited resources for cybersecurity.
- Finally, limited board understanding meant that the risk was often passed to an outsourced cyber provider, or an insurance company, or passed to an internal cyber colleague. This is also an understandable finding. Because boards of directors don't understand the topic, they are quick to pass it to somebody who does. However, the board is ultimately responsible for managing the risk as they are responsible for managing all risks of the business.
These are just a few of the very interesting findings of the UK Cyber Security Breaches Survey 2022.
Thanks so much for reading today's article. I hope you found it helpful and can now appreciate why managing online risk to your key information assets is important; in fact, it's vital for your small business.
Now, before you go, I want to give you access to a free cyber resilience video workshop, "How Small Business Owners can create their First Cyber Resilience Plan in less than 30 days". It's full of practical tips that you can implement. You should use the link pages.survivingcyber.com/workshop to get access now.
I hope to see you again soon for article five in the series when I provide an Introduction to Cyber Insurance.