Calculating the real dollar cost of risk for small business owners

Nick Cavalancia

In my last article (Calculating the dollar cost of risk with MAX Risk Intelligence), I outlined how organizations – big and small – can both identify and quantify risk by placing a dollar cost on that risk. This process, as defined by LOGICnow’s Risk Intelligence solution, calculates risk as a function of the amount of unprotected sensitive data, the average cost per record during a data breach and a score determining how vulnerable a given endpoint is. 

For organizations with a dedicated security team, all this makes perfect sense. For the security professional, looking at the dollar cost of risk it helps outlines where their focus needs to be to reduce this risk. 

But, what does this mean for the SMB?

According to Cisco’s 2016 Annual Security Report, SMBs are still less secure than their Enterprise counterparts. They have no dedicated security team, they often use outdated hardware and security solutions and they lack the security protocols around intrusion and vulnerability protection – all of which leaves them prone to attack. 

While the dollar cost of risk for an SMB may actually be lower than that of an enterprise, this cost needs to be put into perspective. Think about it – if there are less endpoints and less records than say a company with 25,000 employees, the calculated dollar cost of risk will have less zeros at the end. The 25,000-employee company may have a risk dollar cost in the millions where the SMB’s risk is only measured in the thousands. However, it’s important to look at the dollar cost relative to both the size and revenue of the organization in question.

Regardless of the specific value, if there is a dollar cost of risk for any given business, it reflects vulnerability, mismanagement of sensitive data and the dangerous potential mixture of the two should an external attack take place. 

So, what steps should SMBs take to reduce the risk (and the associated dollar cost)?

To answer this, let’s start by looking at how the dollar cost of risk is calculated: 

# of unprotected records  x  cost per record  x  CVSS Score

And remember this is calculated on a per-endpoint basis, as each endpoint, in essence, gets its own CVSS score. So, if you want to reduce your risk (as indicated by the risk dollar cost), you can simply work to reduce each of the three areas of risk outlined in the calculation:

  • Reduce the # of unprotected records
    Start by asking: “what constitutes an unprotected record?” Generally, the calculation dictates that it’s a record found on an endpoint rather than securely stored on a server. So, there are two things right there: 
    • have an inventory of all endpoints (so you’re aware of all the devices unprotected records can potentially exist on); 
    • and, consider implementing company policies that encourage users to not copy sensitive data to their endpoints. 
       
  • Reduce the cost/record
    OK, this one sounds strange. That’s industry data we’re talking about – how are you supposed to reduce that? Call up Ponemon and ask them to lower the number? While no one from Ponemon will return your calls, you can reduce the cost/record by reducing the access to costly data types. Now, the HR folks will always need to access social security numbers here in the US, but ensuring that data isn’t accessible by anyone else becomes important. Putting privileges in place to minimize access by accounts is a great first step. Remember, just because a record is sitting on an endpoint, doesn’t mean every user logging onto that endpoint can access it… provided you put some security in place to prevent it.
     
  • Reduce the CVSS score
    According to the Cisco report, Flash vulnerabilities continue to be a popular attack vector. Why? Because nobody updates their Flash to patch all the security vulnerabilities that exist. This is such an easy one for you all – it really just comes down to scanning and patching all your devices. I’m oversimplifying things a bit, but at the end of the day, the CVSS really just looks at a device and tells you just how vulnerable it is based on known vulnerabilities. Patched endpoint? Low CVSS score. Simple.
     
  • Reduce the number of unprotected endpoints
    While this one isn’t exactly part of the calculation, because the CVSS is endpoint-specific, it just makes sense that you begin to look beyond whether an endpoint is patched or not. Instead, looking to protect it from the dangers of an external attacker gaining entry to it via malware-laden emails or websites so that this never becomes a discussion around how many records are actually on a given machine. If an attacker can’t access it, it doesn’t matter anyway. Looking at email protection and even endpoint threat protection solutions is a great start to locking down an endpoint from ever being a victim.

Keeping the SMB Risk Dollar Cost Down

SMBs have a lot more to worry about than larger organizations. Some of the most basic tenets of IT security are rarely adhered to, making SMB networks prime targets for external attacks. The use of the dollar cost of risk isn’t necessarily meant to be a wakeup call by using some massive number (although using a tool like MAX Risk Intelligence and getting a report with a whopper of a risk cost sure better get you out of your seat!). Instead, use the dollar cost to represent the outline used by enterprises to define where they need to place their energies in order to reduce risk. By following the steps outlined in this article, you can effectively reduce each facet of risk that is used to calculate your organization’s dollar cost of risk. 

Just because you’re an SMB doesn’t make you immune; it makes you a target. Do the math, and get cracking on clamping down on your dollar cost of risk.