360 Degree Cyber Security, LLC

Helping small business understand what is risk

Helping small business understand what is risk

Non-credit card pumps

Gas station in Plainwell, MI that still does not accept credit cards at the pumps.

To help businesses understand what is at stake in their business when it comes to information technology, it helps to show them the value of what they have as assets and then apply a level of risk to that asset

Rarely do you find a business any more that does not use a computer of any sort.  Gone are the days of credit card carbon slips, paper ledgers, and hand drawn engineering diagrams.  We are striving to do more with less to increase profit.  In this effort, we reduce what is at stake in one way and see increases in others.  For example, in my recent travels to Michigan, I stopped for gas at a gas station that did not have any card readers on their pumps.  While I do not know why, it provides a good example of what is at stake by not adopting technology.  For example, the reduced threat of credit card theft, but at the expense of having people drive off as it provides a different experience than at other gas stations.

To that end, to remain competitive, businesses of all sizes that are adapting to new technology, may not understand what is at stake by not addressing the risk of implementing it.  Does your small business understand what is at risk by providing free and open Internet access to your customers?  How about the risk of placing card readers on the gas pumps?  Do the benefits out weight the risks?  What information does your business have or use?  What happens if that information could be used to embarrass your business?  What can be done to reduce the effect on your business?

The effect can be reduced by identifying risk and that starts with identifying what you have at stake.  Don’t think of what is at stake just physically, because what you have is more than the physical devices that you may have purchased.  For example, the laptop that you bought may have only cost $300.  The value of the laptop itself may decrease (likely), but what about what you have been doing on that laptop for your business. How much information do you have stored on it (think contracts, projections, plans, contacts, etc?)  What is the value of that information?  Do you now see that the laptop is worth a lot more than just the value of the physical device.  Identifying what you have is designating what you have as assets.

Weaknesses in the laptop represent vulnerabilities.  These weaknesses can come in the form of how susceptible it is to damage (physical or logical).  For example the laptop is a portable device that contains various pieces of software installed on the computer and the information that is important to your business.  Each of these items are vulnerabilities that has different weaknesses.   But these weaknesses don’t necessarily mean your information will be lost.

Look at the weaknesses.  What or who might take advantage of or exploit those weaknesses?  The threat could come in the form of the user having an accident.  For example, accidentally spilling Starbucks into the keyboard, loosing it at the airport or mall, and dropping it on the ground?  Or the threat could be external:  Your house or place of business catches on fire; a meteor smashes a hole through the computer; or someone steals it.  How about cyber criminals infecting the laptop with malware when you visit innocently visit of interest?  Threat can come in many different forms and it is necessary to identify threats, even the hypothetical and far-fetched ones.

Given the look at the weaknesses and threats, the question that begs to be answered is “What is the likelihood?”   The chance that a meteor might smash a hole through the laptop is pretty slim.  That someone would steal your laptop is higher.  By identifying what risks exist, a small business can address the threats in a way that would reduce the risk.

For example with the laptop, what can be done to keep from loosing the information on it if it is stolen?  For example, maybe you could encrypt the hard drive.  Use cable locks to secure the laptop.  Keep it with you and don’t leave it in a car.  What about that meteor leaving a hole in it?  Back up the information off of the device.  These actions are called mitigating actions, in that the mitigate the risk by reducing the likelihood that the weaknesses we identified would be exploited.

Identifying what is at stake and determining what the risk is based on the weaknesses and the identified threats will help small businesses make informed decisions on the actions necessary to protect their information and ultimately their business, brand, and good name.  If you need help identifying what is at risk for you, do not hesitate to reach out to us info@360cybersec.com.


About the Author

Chris Wolski author

Chris Wolski is the founder and principle consultant of the small business and municipality focused cyber security firm 360 Degree Cyber Security, LLC. He is currently certified by International Information System Security Certification Consortium as a Certified Information Systems Security Professional and by the SANS Institute as a Global Industrial Cyber Security Professional. Active in the information security community, Chris volunteers his time at BSides Delaware and to various individuals seeking to be mentored in cybersecurity. He is frequently researching industrial devices to discover weaknesses that would present a problem for users of those devices. Chris obtained his start in cyber security in the U.S. Navy where he served in various information security and signals intelligence roles over his 20 year career. He left government service after serving in a position to develop cyber threat intelligence against industrial controls and later on the Joint Chiefs of Staff as a cyber incident handler. Chris has a Bachelor of Science Degree in Cybersecurity from University of Maryland University College and is currently pursuing a Master in Business Administration, also at the University of Maryland University College.

Leave a Reply