You may know someone who’s been a victim of a cybersecurity attack.  Or, maybe you’ve experienced it first-hand.  The clean-up is time-consuming and expensive.  A cybersecurity risk management plan will help keep your business safer.

What is cybersecurity risk management? 

Here’s a definition:

“Cybersecurity Risk Management” means technologies, practices, and policies that address threats or vulnerabilities in networks, computers, programs and data, flowing from or enabled by connection to digital infrastructure, information systems, or industrial control systems, including but not limited to, information security, supply chain assurance, information assurance, and hardware and software assurance.


Here’s a more simple approach:

Threats + Vulnerabilities + Likelihood + Impact = Risk

Let’s look at each one of these elements in the context of cybersecurity: 

  • Threats are influences beyond your control. They could be environmental (fire, tornado, etc.), business resources (equipment failure, etc.), or hostile actors (hackers, etc.).
  • Vulnerabilities are weaknesses in your internal cybersecurity procedures that could be used to harm the business. These can include outdated technology and untrained personnel.
  • Likelihood is the chance that the threats and vulnerabilities will adversely affect the business.
  • Impact is the potential harm to the business. These can include theft or disclosure of sensitive business information, loss of money, or damage to your reputation.

Combined, these elements define your cybersecurity risks.

Create a Cybersecurity Risk Management Plan 

To create a cybersecurity risk management plan, you’ll need to identify the information you have, determine the level of protection it requires, and then implement and monitor that protection.  Include people in this process who can help you make informed decisions, including legal, insurance and IT professionals and internal staff. 

  • Identify what information your business stores and uses. Define “information type” in any useful way that makes sense to you.  This can be challenging and time-consuming, but it’s the most important part of risk management.
  • Determine the value of your information. For example:
    • What would happen to my business if this information was made public?
    • What would happen if this information was incorrect or altered?
    • What would happen to my business if this information was lost?
  • Develop an inventory. Where are these different types of information stored?  Ask your IT provider for an asset inventory along with the software loaded onto each device to help. 
  • Define and understand your threats and vulnerabilities. Start by recognizing that every business faces them. They could include technical weaknesses in your network or “click-happy” staff. 
  • Evaluate likelihood and impact. Evaluate the likelihood that each event will occur and the significance of the impact if it does.  Develop a ratings matrix of high, medium and low for each.  
  • Take steps to help mitigate the risks and safeguard your information. Work with your team to develop a plan.  Create a budget and implementation timetable. 
  • Monitor progress on a regular basis. Cybersecurity isn’t “set it and forget it.” 

To learn more and see sample worksheets to help get you started, check out Small Business Information Security: The Fundamentals, a free resource published by NIST.

If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.