How to Quantify Your Cybersecurity Risk: A guide for SMBs
According to Conference Board, cybersecurity is the top concern for American CEOs.
And really, who can blame them? Cybersecurity incidents are becoming more prevalent and now involve significant financial losses and result in the loss of consumer confidence.
According to Security Intelligence, you’re more likely to suffer from a data breach involving 10,000 records than you are to get the flu. The 13th annual Cost of Data Breach Study found that for every record that is compromised, companies paid an average of $148 in 2018. On average, data breaches cost companies $3.86 million last year.
Of course, bigger data breaches are more expensive. Companies that suffered data breaches involving fewer than 10,000 records paid an average of $2.2 million for the incident. That number more than triples, to $6.9 million, for incidents involving 50,000 or more records.
Mega breaches, or those that involve more than a million records, cost a company an average of $39.49 million. The report also says that a breach that compromises the information of 50 million people will slap you with a bill amounting to $350.44 million.
That’s just the monetary aspect. The loss of consumer confidence can add to that cost when you suffer a data breach. The report points out a company losing less than one percent of their existing customers will lose $2.8 million more because of the breach. At four percent, you can lose another $6 million, on average.
Do you really need to quantify your cybersecurity risks?
Yes.
The biggest reason why you should quantify your cybersecurity risk is to help you create a more efficient IT budget. With all the big data breaches with big penalties hitting the news right now, we understand why companies are overspending on tech. It is easy to assume that the spending is saving you money when, in fact, you’re not even covered for all risks.
Plus, with cybersecurity, the goal is the lack of negative results, such as having no data breaches or no hacking attacks. This situation makes it difficult to see the returns of your cybersecurity investments.
Justify your IT investments
On the other hand, quantifying cybersecurity risks can help you push for more IT investments where you are lacking. Knowing what types of risks you should be watching out for will help you justify the cost of new software, hardware, or additional IT personnel.
Get a better view of security
Quantifying your company’s cybersecurity risk can give you a full picture of several things. You will know what devices, software, and hardware are connected to your network.
You will know whether or not these resources are updated or left unpatched. You will know if there are resources that are no longer used.
You will know where everything is, what types of files are stored where, and what you need to deactivate or discontinue.
Take stock of the different types of attacks
What makes quantifying cybersecurity risk more difficult is that cybersecurity can be very complex. Not only are new technologies coming out, but there are also different types of threats.
For instance, you can have all the latest software, training, and technologies that help you fight e-mail phishing scams. But these precautions don’t mean you’re safe from DDoS attacks or a supply chain attack.
Quantifying your cybersecurity risk can help you know what IT resources you have and what types of attacks are possible with these resources. This knowledge will, in turn, help you get the tools, expertise, and technologies that can help you fight all potential attacks.
When you do this, you will be able to maximize the efficiency of your cybersecurity tools, policies, and resources. You will be able to direct the most effective strategies to the most important systems and most sensitive information.
In the case of small businesses, you will be able to allocate resources where they’re really needed, while still being aware of possible attack vectors in other parts of your company.
Other reasons why you should quantify your cybersecurity risks
The biggest reasons for quantifying cybersecurity risks are to make sure that you are able to use your IT budgets more efficiently while getting a bird’s eye view of your business and the online risks it faces.
However, there are other reasons why you should do it, as well:
- Lower costs over the long term. “When you identify potential threats, you can proactively mitigate the risks that you face and prevent security incidents,” explains Sidd Gavirneni, Co-Founder and CEO at Zeguro. “And that means you’ll avoid facing a regulatory fine (on top of the other costs of a data breach) that can easily be in the hundreds of thousands, or millions, of dollars.”
- You can have a template for assessments in the future. Quantifying your cybersecurity risks is not a one-off deal. You will need to assess regularly to make sure that you are still adequately protected from the latest threats. The good news is that doing it the first time will give you a template for future assessments.
- Self-awareness. There is nothing wrong with being self-aware. In fact, all successful businesses exhibit this trait. Quantifying cybersecurity risks can help you know where your strengths and weaknesses lie. As such, you know where you need to invest more so that you can plug the holes.
- Improves communication. Quantifying your organization’s cybersecurity risk is not a one-man job. You will need input from different employees and departments, no matter how small your business is. As such, the exercise will help initiate and facilitate communication between employees and departments.
- Complying with regulations. Depending on what industry you’re in, you might be legally required to quantify cybersecurity risks or to conduct a cyber risk assessment. For instance, the Health Insurance Portability and Accountability Act (HIPAA) requires hospitals and other covered entities to do this. Other companies must comply with PCI-DSS requirements, as well as local, state, and federal laws.
- Getting cyber insurance. Did you know that two out of three businesses think that they will either close shop or go out of business if they were hit by a hacker or suffered a data breach? Getting insurance can help. “Just like health and other forms of insurance, having cyber insurance will ensure that you do not face financial difficulties in the event that your cybersecurity systems fail and you are hit by a data breach,” explains Gavirneni.
How do you quantify cybersecurity risk?
It’s not enough to just say, “We didn’t have any data breaches in the past year, therefore our cybersecurity investments are working.”
The good news is that there are many ways for you to quantify cybersecurity risks, such as conducting internal assessments or third-party audits, penetration tests, and more.
How to do internal assessments
Quantifying cybersecurity risks is not easy, but it’s not impossible to do. All you need is to choose a credible security framework that you can base your own risk assessments on.
The National Institute of Standards and Technology’s guidelines are a good start.
- Start with a data audit. You will always want to start with a data audit, which will give you a clear view of what information your company gathers and stores. You will also know how you are documenting and protecting the data you’re gathering. Lastly, you should know how long you keep the data and what you do when it’s no longer useful for you.
- Define the parameters. You should always know what you’re trying to accomplish before you start quantifying your cybersecurity risk. For instance, the purpose and scope of the assessment should be clear. You should also know if you have priorities or limitations that might affect the evaluation. You should also pinpoint the key people who should be involved in the process.
- Identify the sources of threat. You should know where the potential cybersecurity lapses would come from. It could be employees, insiders, hackers, and other individuals. It could be a foreign entity or other outsiders. Or it might be your competitor spying on you. You also have non-adversarial threats, such as regular users of your systems or website.
- Know the threat events. Different frameworks, such as NIST’s, will give you a more thorough explanation of what the threat events are, how they are carried out, and how to stop them. NIST, for example, lists some of the most common threats, such as unauthorized access, insider threats, data leaks, data loss, and disruption to your operations. You should also know what vulnerabilities exist in your system and how they are exploited.
- Determine how likely these events are to happen. After you’ve identified the threats and gathered other information, you should be able to gauge how likely a given attack is to happen.
- Recognize the potential impact. Another thing you have to know is the potential impact of an attack.
All of these will help you quantify your cybersecurity risk. As such, your cybersecurity risk is a mix of how likely an event will happen and the potential losses you might incur should it come to pass.
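As an added illustration of that last point (example code, not part of the original article), here is a small Python risk register that scores each threat event as likelihood multiplied by potential loss, using the $148 per-record figure the article quotes; every threat event, probability and record count is a constructed sample value, and the helper that checks whether a proposed control is worth its yearly cost goes slightly beyond the article's own text.

```python
from dataclasses import dataclass

COST_PER_RECORD = 148.0  # 2018 average cost per compromised record, quoted in the article


@dataclass
class ThreatEvent:
    """One row of the risk register; every sample row below is constructed."""
    name: str
    source: str                # adversarial or non-adversarial (the threat-source step)
    annual_probability: float  # likelihood the event occurs within one year, 0.0 to 1.0
    records_exposed: int       # records at risk, part of the impact estimate
    extra_loss: float = 0.0    # downtime, fines, churn and recovery costs in dollars

    def __post_init__(self):
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")

    def impact(self) -> float:
        """Potential loss if the event happens (the article's 'impact' step)."""
        return self.records_exposed * COST_PER_RECORD + self.extra_loss

    def expected_annual_loss(self) -> float:
        """Risk = likelihood x impact, expressed as expected loss per year."""
        return round(self.annual_probability * self.impact(), 2)


def rank_risks(register):
    """Order events so the budget goes to the largest expected losses first."""
    return sorted(register, key=lambda e: e.expected_annual_loss(), reverse=True)


def total_expected_loss(register) -> float:
    """Sum of expected annual losses across the whole register."""
    return round(sum(e.expected_annual_loss() for e in register), 2)


def control_is_justified(event, annual_control_cost, risk_reduction) -> bool:
    """A control pays for itself when the expected loss it removes exceeds its
    yearly cost; risk_reduction is the fraction (0.0 to 1.0) of risk it removes."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    return event.expected_annual_loss() * risk_reduction > annual_control_cost


# Constructed sample register for a hypothetical small business (not real data).
SAMPLE_REGISTER = [
    ThreatEvent("Phishing leads to mailbox compromise", "external attacker", 0.30, 2_000, 5_000),
    ThreatEvent("Lost unencrypted laptop", "employee (non-adversarial)", 0.10, 8_000),
    ThreatEvent("Ransomware via unpatched VPN appliance", "external attacker", 0.05, 20_000, 60_000),
    ThreatEvent("Insider copies customer database", "insider", 0.02, 50_000, 100_000),
]
```

Calling `rank_risks(SAMPLE_REGISTER)` lists the events by expected annual loss, and `control_is_justified` compares that figure against what a mitigation would cost each year.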
Who should be quantifying cybersecurity risk?
While everybody should be on board when it comes to this exercise, ultimately, it will fall on a team or an individual who will actually carry out the job. The responsible team or individual should have a thorough understanding of how the network and digital infrastructure works.
They should also have a keen grasp of how the information flows from one department to another, and even other information from the business side of things that might be useful for the assessments.
However, if you do not have the personnel for it, you can always outsource. There are firms and individuals that can provide cyber risk assessments for you. That said, you should ask for recommendations. You might check out peers and other companies who have hired a consultant or a company for the same purpose.
Once you have identified a few leads, you should always scrutinize a potential firm or consultant. Check out reviews online or get feedback from previous clients. You can get an idea of how thoroughly they work, their professionalism, and their work ethics and competence. In short, you’d know which ones are really doing a great job and which ones are just trying to complete the report and then milk you out of your hard-earned revenue.
Finally, request a quote. This will help you get the pricing and cost matters out of the way. It will also help you know the scope of work they are going to do.
Problems and limitations
These options do have their own limitations and disadvantages. For one, they are resource-intensive. You might not be able to devote your IT team or hire a company to audit your cybersecurity with your available cash flow.
What’s more, these options are good only for a particular point in time. Your antivirus software may have been able to fend off an infected e-mail when you were doing the tests, but that is no guarantee that it will be able to intercept everything in the future.
Penetration tests and internal and third-party audits are also very subjective. They often produce technical metrics that a business owner might not be able to understand.
All in all, the scenario that most small businesses see is this: they need to make a decision today, but they cannot rely on the tests done during the last quarter. They need to do another audit, but the last one took more than a month and to be honest, it was very expensive. As such, for most small businesses that opt to do these processes to quantify their cybersecurity risks, it’s a challenge, to say the least.
Quantifying Your Cybersecurity Risk: Not easy but necessary
Everything worth doing is going to take a lot of work. The good news is that the process of quantifying your cybersecurity risk is one of those things. It gets easier in time, but the first time you do it, it will entail a lot of effort.
The benefits make it worth it. It helps you get a full view of your IT risks and defenses, and it also helps save money in the long run. You don’t even have to wait, as you can use the insights you get from quantifying your cybersecurity risk to help you allocate your IT security budget more efficiently.
This article has been published in accordance with Socialnomics’s disclosure policy.