Before you can assess what your risks are, you need to understand the business processes you have, and how your systems and data fit into them. Decide which ones are the most important to secure.
Your systems could be either external or internal to your business. You might have:
- external systems that you access through a web browser. These could be systems managed by a third party, like Xero for instance
- internal systems that you host and manage yourself. For example, if you have a business that prints t-shirts, the software that runs the printing machine would be an internal system.
It’s hard to assess everything at once. Start by considering which systems are most important to you. Focus on the systems that are critical to your business running, and the systems that store data. These could include systems that store customer details, or systems that process payments.
Identify the threats and vulnerabilities
When you’ve identified what your most important systems are, you can work out what kind of threats they face.
For most businesses, the threat of an untargeted attack against a system that’s accessible over the internet is quite likely. For example, attackers could:
- scan your business’s web server, using automated tools made to find known vulnerabilities
- attempt to access your web mail account using a database of compromised passwords.
It’s worth noting that not all threats and vulnerabilities are malicious. For example, one of your employees could accidentally delete or modify some of your data. This might be human error rather than anything sinister, but it’s still important to consider.
You may want to hire a security professional to help you document threats, to make sure you don’t miss anything. Otherwise, you could research them yourself online.
Identify the risks
When you’ve identified the threats your systems face, you’ll need to work out the risk each one presents. A risk is something that could damage your data or systems — caused by a threat or vulnerability. You can break your security risks down into three categories:
- confidentiality — meaning that your system or data is no longer secret. Privacy of personal data (like customer details) is a type of confidentiality risk.
- integrity — when your system or data is no longer accurate
- availability — when systems or data are unavailable.
Common security risks for businesses include unauthorized access, leaked information, and production stopping. For example:
- if an attacker was scanning for vulnerable web servers and noticed that yours was missing a patch, they could exploit it. They could access your server and use it to host malicious content like malware or phishing pages. That would be an integrity risk, as the attackers could make changes to your web server without your permission
- if an attacker was able to access your web mail, they could use it to collect sensitive business information. This is a confidentiality risk. They could also direct your clients to make payments into their bank account instead of yours. That would be an integrity risk.
Remember that risk is always going to be a trade-off. There will be some risks you have to accept, and some you can manage so the risk is not as high. You need to find the balance that’s right for you.