What Cybersecurity Risk Management Plan Does Your Business Need?

You may know someone who’s been a victim of a cybersecurity attack.  Or, maybe you’ve experienced it first-hand.  The clean-up is time-consuming and expensive.  A cybersecurity risk management plan will help keep your business safer.

What is cybersecurity risk management? 

Here’s a definition:

“Cybersecurity Risk Management” means technologies, practices, and policies that address threats or vulnerabilities in networks, computers, programs and data, flowing from or enabled by connection to digital infrastructure, information systems, or industrial control systems, including but not limited to, information security, supply chain assurance, information assurance, and hardware and software assurance.

Here’s a simpler approach:

Threats + Vulnerabilities + Likelihood + Impact = Risk

Let’s look at each one of these elements in the context of cybersecurity: 

  • Threats are outside influences beyond your control. They could be environmental (fire, tornado, etc.), business resources (equipment failure, etc.), or hostile actors (hackers, etc.).
  • Vulnerabilities are weaknesses in your internal cybersecurity.  These can include outdated technology and untrained personnel.
  • Likelihood is the chance that the threats and vulnerabilities will adversely affect the business.
  • Impact is the potential harm to the business. This can include theft or disclosure of sensitive business information, monetary loss, or damage to your reputation.

Combined, these elements define your cybersecurity risks.

Create a Cybersecurity Risk Management Plan 

A cybersecurity risk management plan includes several steps.  You’ll need to identify the information you have, determine the level of protection it requires, and then implement and monitor that protection.  Seek expertise to help you make informed decisions.  Generally, you’ll include legal, insurance, and IT professionals and internal staff. 

  • Identify what information your business stores and uses. Define “information type” in any way that makes sense to you.  This can be challenging and time-consuming, but it’s the most important part of risk management.
  • Determine the value of the information. For example:
    • If this information was made public, what would happen to your business?
    • What if this information was incorrect or altered?
    • What would happen if this information was lost?
  • Develop an inventory. Where are these different types of information stored?  Ask your IT provider for an asset inventory along with the software loaded onto each device to help. 
  • Define and understand your threats and vulnerabilities. Start by recognizing that every business faces them. They could include technical weaknesses in your network or “click-happy” staff. 
  • Evaluate likelihood and impact. For each threat and vulnerability you identified, estimate how likely it is to occur and how significant the impact would be.  Develop a ratings matrix of high, medium and low for each.
  • Take steps to help mitigate the risks and safeguard your information. Work with your team to develop a plan.  Create a budget and implementation timetable. 
  • Monitor progress on a regular basis. Cybersecurity isn’t “set it and forget it.” 
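The steps above, carried through as an added worked example (this code is not from the original article or from CRU Solutions): a small risk register that records each information type and where it is stored, derives impact from the three valuation questions, scores likelihood against impact on the high/medium/low matrix, and sorts the result into a mitigation order. The numeric mapping of the levels, the rating thresholds and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Three-level scale from the ratings matrix; the numeric mapping is an assumption.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class InfoAsset:
    name: str
    location: str            # inventory step: where the information is stored
    disclosure: str          # impact if this information were made public
    alteration: str          # impact if it were incorrect or altered
    loss: str                # impact if it were lost
    threats: tuple           # outside influences (fire, equipment failure, hostile actors)
    vulnerabilities: tuple   # internal weaknesses (outdated technology, untrained staff)
    likelihood: str          # chance the threats and vulnerabilities adversely affect the business

def impact_level(asset: InfoAsset) -> str:
    """Overall impact is the worst answer to the three valuation questions."""
    return max((asset.disclosure, asset.alteration, asset.loss), key=LEVELS.__getitem__)

def risk_score(likelihood: str, impact: str) -> int:
    """One cell of the 3x3 matrix: likelihood x impact, from 1 (low/low) to 9 (high/high)."""
    return LEVELS[likelihood] * LEVELS[impact]

def risk_rating(score: int) -> str:
    """Map a matrix cell back to high/medium/low; the thresholds are an assumption."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def build_register(assets):
    """Risk register sorted highest risk first, which is the order to budget mitigations in."""
    rows = []
    for a in assets:
        impact = impact_level(a)
        score = risk_score(a.likelihood, impact)
        rows.append({"asset": a.name, "location": a.location, "impact": impact,
                     "likelihood": a.likelihood, "score": score,
                     "rating": risk_rating(score), "drivers": a.threats + a.vulnerabilities})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory for a small business (not real data).
SAMPLE_ASSETS = [
    InfoAsset("Customer payment records", "cloud accounting service", "high", "medium", "medium",
              ("credential theft",), ("no MFA on accounting login",), "high"),
    InfoAsset("Employee HR files", "office file server", "high", "low", "medium",
              ("ransomware", "fire"), ("unpatched file server", "untrained staff"), "medium"),
    InfoAsset("Marketing brochure drafts", "shared drive", "low", "low", "low",
              ("equipment failure",), ("no backups",), "medium"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS):
        print(f'{row["rating"]:6} {row["score"]}  {row["asset"]} ({row["location"]}) <- {", ".join(row["drivers"])}')
```

Re-running the register after each review cycle is the "monitor progress" step: a closed vulnerability or a new threat changes the score and the ordering.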

To learn more and see sample worksheets to help get you started, check out Small Business Information Security: The Fundamentals, a free resource published by NIST.

If you’d like to learn how CRU Solutions can help keep your business safer, contact us.