In my last article (Calculating the dollar cost of risk with MAX Risk Intelligence), I outlined how organizations – big and small – can both identify and quantify risk by placing a dollar cost on that risk. This process, as defined by LOGICnow’s Risk Intelligence solution, calculates risk as a function of the amount of unprotected sensitive data, the average cost per record during a data breach and a score determining how vulnerable a given endpoint is.
For organizations with a dedicated security team, all this makes perfect sense. For the security professional, looking at the dollar cost of risk helps outline where their focus needs to be in order to reduce that risk.
But, what does this mean for the SMB?
According to Cisco’s 2016 Annual Security Report, SMBs are still less secure than their enterprise counterparts. They have no dedicated security team, they often use outdated hardware and security solutions, and they lack the security protocols around intrusion and vulnerability protection – all of which leaves them prone to attack.
While the dollar cost of risk for an SMB may actually be lower than that of an enterprise, this cost needs to be put into perspective. Think about it – if there are fewer endpoints and fewer records than at, say, a company with 25,000 employees, the calculated dollar cost of risk will have fewer zeros at the end. The 25,000-employee company may have a risk dollar cost in the millions where the SMB’s risk is only measured in the thousands. However, it’s important to look at the dollar cost relative to both the size and revenue of the organization in question.
Regardless of the specific value, if there is a dollar cost of risk for any given business, it reflects vulnerability, mismanagement of sensitive data and the dangerous potential mixture of the two should an external attack take place.
So, what steps should SMBs take to reduce the risk (and the associated dollar cost)?
To answer this, let’s start by looking at how the dollar cost of risk is calculated:
# of unprotected records x cost per record x CVSS Score
And remember this is calculated on a per-endpoint basis, as each endpoint, in essence, gets its own CVSS score. So, if you want to reduce your risk (as indicated by the risk dollar cost), you can simply work to reduce each of the three areas of risk outlined in the calculation:
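The calculation above worked through for a small fleet, as an added example that is not part of the original article or of the Risk Intelligence product: the per-endpoint figure, the organization-wide total, the endpoints ranked by contribution (so remediation starts where it pays most), and the dollar reduction each of the three levers yields on its own. The endpoint names, record counts, CVSS values and the $150 cost per record are constructed, and multiplying by the raw 0-10 CVSS score is an assumption, since the article does not say how the product scales that factor.

```python
from dataclasses import dataclass, replace
from typing import Dict, List

@dataclass(frozen=True)
class Endpoint:
    name: str
    unprotected_records: int   # sensitive records found unprotected on this host
    cvss: float                # 0.0-10.0 score for the host's worst finding (assumption)

def endpoint_risk_usd(ep: Endpoint, cost_per_record: float) -> float:
    """Dollar cost of risk for one endpoint: records x cost per record x CVSS score."""
    if not 0.0 <= ep.cvss <= 10.0:
        raise ValueError(f"{ep.name}: CVSS score must lie in 0-10")
    return ep.unprotected_records * cost_per_record * ep.cvss

def total_risk_usd(fleet: List[Endpoint], cost_per_record: float) -> float:
    """Organization-wide figure: the per-endpoint values summed."""
    return sum(endpoint_risk_usd(ep, cost_per_record) for ep in fleet)

def rank_endpoints(fleet: List[Endpoint], cost_per_record: float) -> List[str]:
    """Endpoint names ordered by contribution, largest first."""
    ordered = sorted(fleet, key=lambda ep: endpoint_risk_usd(ep, cost_per_record), reverse=True)
    return [ep.name for ep in ordered]

def lever_savings(ep: Endpoint, cost_per_record: float,
                  records_after: int, cvss_after: float, cost_after: float) -> Dict[str, float]:
    """Dollar reduction from each of the three levers applied on its own."""
    base = endpoint_risk_usd(ep, cost_per_record)
    fewer_records = replace(ep, unprotected_records=records_after)  # records removed or protected
    patched = replace(ep, cvss=cvss_after)                           # vulnerabilities fixed
    return {
        "remove_or_protect_records": base - endpoint_risk_usd(fewer_records, cost_per_record),
        "patch_vulnerabilities": base - endpoint_risk_usd(patched, cost_per_record),
        "lower_cost_per_record": base - endpoint_risk_usd(ep, cost_after),
    }

# Constructed sample fleet and breach cost; not real data.
COST_PER_RECORD = 150.0
FLEET = [
    Endpoint("hr-laptop", 1200, 7.5),
    Endpoint("sales-desktop", 300, 9.5),
    Endpoint("reception-pc", 50, 4.5),
]

if __name__ == "__main__":
    by_name = {ep.name: ep for ep in FLEET}
    for name in rank_endpoints(FLEET, COST_PER_RECORD):
        print(f"{name:15} ${endpoint_risk_usd(by_name[name], COST_PER_RECORD):>12,.0f}")
    print(f"{'total':15} ${total_risk_usd(FLEET, COST_PER_RECORD):>12,.0f}")
    # What-if for the top endpoint: protect all but 200 records, patch to CVSS 2.5,
    # or bring the cost per record down to $100.
    for lever, saved in lever_savings(FLEET[0], COST_PER_RECORD, 200, 2.5, 100.0).items():
        print(f"  {lever:28} saves ${saved:,.0f}")
```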
SMBs have a lot more to worry about than larger organizations. Some of the most basic tenets of IT security are rarely adhered to, making SMB networks prime targets for external attacks. The dollar cost of risk isn’t necessarily meant to be a wakeup call by way of some massive number (although using a tool like MAX Risk Intelligence and getting a report with a whopper of a risk cost sure better get you out of your seat!). Instead, use the dollar cost the way enterprises use it: as the outline that defines where they need to place their energies in order to reduce risk. By following the steps outlined in this article, you can effectively reduce each facet of risk that is used to calculate your organization’s dollar cost of risk.
Just because you’re an SMB doesn’t make you immune; it makes you a target. Do the math, and get cracking on clamping down on your dollar cost of risk.