The Importance of a Risk Assessment – Day 19 of Cybersecurity Awareness Month
Mike Miller 00:06
MSPs and SMBs are under increased cyber attack. And I’m told that a risk assessment may be a place to start in building your cyber defenses. So with us to discuss risk assessments today is Craig Taylor, CEO and co-founder of CyberHoot. So tell us, Craig: why should companies worry about their cyber defenses? And why should they start with a risk assessment?
Craig Taylor 00:30
Well, that’s a great question, Mike, and one that’s very important to SMBs and MSPs. Companies of all shapes and sizes have a finite budget of time and money to spend on their cyber defenses. And the most effective way to accomplish this is to engage an outside party to perform a risk assessment. Why is that? Because the outcome of a risk assessment is all of your risks put together, either in a spreadsheet or in a database. And then you can prioritize them based on their probability, their impact and their materiality to your business. So it really helps you tease out the most important things to be working on. Otherwise, you might be spending your time and money on low-priority risks that might never happen, ignoring some much bigger risks over here that need your attention desperately. So for that reason, CyberHoot always recommends starting with a risk assessment.
Mike Miller 01:27
Okay, that’s good advice. I heard recently there’s an important difference between the threats that a business faces and the vulnerabilities that they contain, right? Isn’t it true that these things combine to represent a business risk? And can you explain the difference and why that matters?
Craig Taylor 01:45
Absolutely. And this is kind of one of the special nuances of cybersecurity that I think is readily understandable, and important to really come to terms with in your business. A threat is an external risk to the business, such as a hacker, a natural disaster, or, with COVID, a supply chain disruption, right, car chips being a good example, or even political instability. Each of these could impact your business, but from the outside, and they represent a threat. Now, on the other hand, a vulnerability remains an internal characteristic of your business that could put you at risk, such as technical debt from a lack of upgrading your infrastructure for years, or missing patches that haven’t been applied, or a lack of awareness in your employees, or a lack of processes for them to follow to keep everything running properly.
So on the outside are threats, on the inside are vulnerabilities. Both can be sources of risk, but they typically combine, interact and fall into that risk assessment at some level of priority. A good way to think about it, and I’ve used this as a way to explain it, is: let’s imagine we just came out of a movie, it’s after midnight, and we’re walking in a dark alleyway to your car. And out of the bushes pops a hacker, or, I’m sorry, an attacker, and they’re brandishing a knife at you. Now that knife and that attacker represent a threat to your safety, to you and whoever you’re with, your loved one. Whether you’re vulnerable, though, to that attacker depends on a couple of things.
Are you or are you not a martial arts expert? If you have your fourth-degree black belt, that knife might not seem like that big of a threat, because you could quickly disarm that person and, you know, disable them, call the cops, and you’re safe. The threat doesn’t really materialize because you’re not vulnerable to it. If, on the other hand, you’re either not a fourth-degree black belt, or the attacker hasn’t got a knife but rather a gun, well, that’s a different threat and vulnerability matrix, and the outcome is very different. So in your business, our risk assessments help you identify the threats that you face, and you might not be aware of all the threats of the current cybersecurity landscape, against your vulnerabilities. And when you combine those in a risk assessment, it bubbles everything up so that you make intelligent decisions on how to spend your hard-earned money and time remediating things.
Mike Miller 04:11
Okay, yeah, that’s great information, Craig. So MSPs and SMBs should be performing a risk assessment and using it not only to prioritize the risks and plan their remediation, right, but also to determine if they’re spending enough on cybersecurity program development. Right, right. Okay, so that’s a great budgetary tool. Craig, does CyberHoot perform risk assessments for its clients? Yes. And
Craig Taylor 04:38
Just a word on that budgetary tool. A lot of times, we’ll do a risk assessment and companies will say, “Oh, we allocated, you know, $10,000 to our cyber program development.” They do the risk assessment, they realize they have this great big laundry list of risks, and they say, “Well, we can’t let those sit there for a year and a half or two years to fix. We’ve got to change our budget and increase it to fix these things, because these are clear and present dangers to our business.” So sometimes you have to come out of a risk assessment and decide we’re going to spend more money to fix more risk faster. But yes, CyberHoot definitely does risk assessments. In fact, we have a service offering called vCISO, where we become your virtual chief information security officer. And we do a risk assessment as our number one priority every time we do that engagement, because we don’t want to spend your money any more than you do. We treat it like our own money.
And if you’re going to spend on a risk, we want to know that it’s the biggest risk you face based on the outside threats and your inside vulnerabilities, and be sure that we’re in agreement that we’re going to spend money on the most egregious risk first. So we help companies do NIST-based assessments, that’s best practices in cybersecurity, or HIPAA, PCI, or a new standard in the defense industry called CMMC. We can help you prepare for all of these, to either be certified or just to follow the best practices that are in those assessment models. At the end of the day, we want you to become more aware and to become more secure, and we’re trying to help you get there.