How Small Businesses Can Evaluate Their Security Risks in the New Year

Evaluating risk vs. reward is a process most people go through on a daily basis. For example, you are about to make a left-hand turn but a car is coming. You think you can make it but he’s kind of coming fast. The risk, of course, is misjudging his speed and getting into an accident.

At Ready.gov a risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs. A business impact analysis (BIA) is the process for determining the potential impacts resulting from the interruption of time sensitive or critical business processes.

A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or delayed deliveries. There are many possible scenarios which should be considered.

Risk is a fundamental part of a small business operation. The question is how much attention you pay to each risk and what the reward is for reducing the risk. The cost/benefit key is to effectively recognize risk and reduce it with as little investment as needed.

Define Risk

Be able to define, articulate and be alert to what risks the organization may face in a given year. If any of these risks could cause loss in any way, they need to be addressed far in advance.

Identify Risk

Risk comes in many forms. Create a list of potential threats from your experiences, others’ experiences or from proper risk assessment plans. Threats come from criminal hackers, employees, customers, competitors and more. What’s at risk may include reputations, digitized information, paper documents, physical hardware, and life and limb.

Create a Risk Assessment Chart.

Compile a list of assets (people, facilities, machinery, equipment, raw materials, finished goods, information technology, etc.) in the left column.

For each asset, list hazards that could cause an impact. Since multiple hazards could impact each asset, you will probably need more than one row for each asset. You can group assets together as necessary to reduce the total number of rows, but use a separate row to assess those assets that are highly valued or critical.

For each hazard consider both high probability/low impact scenarios and low probability/high impact scenarios.

As you assess potential impacts, identify any vulnerabilities or weaknesses in the asset that would make it susceptible to loss. These vulnerabilities are opportunities for hazard prevention or risk mitigation. Estimate the probability that the scenarios will occur on a scale of “L” for low, “M” for medium and “H” for high.

Analyze the potential impact of the hazard scenario. Rate impacts “L” for low, “M” for medium and “H” for high.

Information from the business impact analysis should be used to rate the impact on “Operations.”

The “entity” column is used to estimate potential financial, regulatory, contractual, and brand/image/reputation impacts.

The “Overall Hazard Rating” is a two-letter combination of the rating for “probability of occurrence” and the highest rating that impacts people, property, operations,  environment, and entity.

When evaluating risk and determining where funds, energy and attention are allocated to such risks, a risk scoring system can help determine what is a high or low probability vs. what would cost the company irrevocable harm.

The worst thing any organization can do is…nothing. Taking responsibility and using past experience and prediction methods can properly prepare an organization for the inevitable. As they say, if you fail to plan, you plan to fail.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures