Performing a Risk Assessment:
What Are You Trying to Protect?

[Image: Uncle Sam's pointing finger, reminding the reader to answer the question themselves: "What are You Trying to Protect?"]

The first thing we need to start thinking about is what exactly we’re trying to protect.

This includes systems (computers, laptops, cell phones, tablets, servers) and data (personal, financial, legal).

The systems that you own and the data they hold are all valuable to a cybercriminal. Some are more valuable than others, and we need to take this into account.

We want small business owners to start thinking about this at the outset of their journey into cybersecurity: what are YOU trying to protect?

Since every business is different, it’s impossible to define the highest value targets for every network out there. But here are some things to think about:

  • Physical devices: A good starting point is to perform an inventory of your physical devices. What computer systems, workstations, laptops, cell phones, tablets, servers, printers, VoIP phones, and other devices are in use? What are they used for? Are some more important to protect than others? Why?
  • Personal data: Think about what kinds of personal data might be on the devices you own or stored in an application you use. Personal data is commonly referred to as Personally Identifiable Information, or PII. This may include data about employees, customers, suppliers, contacts, etc. The more sensitive the data, the more valuable it is – but all data has some value to an attacker.
  • Financial data: Are there systems that store payment or financial information? What about financial information pertaining to your own employees? This type of data is of extremely high value to an attacker and can easily be sold on the dark web. Accounting and bookkeeping firms need to pay careful attention to this.
  • Business-specific data: Many businesses use information about their clients to help them provide better service. Medical offices store patient records; law offices store case files; accounting firms store client files containing an abundance of financial and personal data; etc.
  • Databases and servers: These are of high value to any attacker. Additionally, the permissions and configurations used are often weak, and because these services are often reachable by anyone on the network, they are ideal targets.
  • Business-critical systems: Any system that is essential to the working of the business. We want to consider systems other than computers as well, like hospital equipment (MRI, X-ray machines) and industrial systems (controls, cameras, sensors, etc.). Many businesses use specific equipment that is critical and connected to the internet.
  • Intellectual property: Consider where the business stores proprietary information.
  • Mission-critical IT infrastructure: Another perspective to incorporate is that of the IT infrastructure (services, drives, file shares). We want to consider both software and hardware.

Once we have identified what systems we have and what data lives on them, we can then evaluate how critical the system and data are.

When it comes to data, we should look at what kind of information is actually stored.

Is it: Names? Email addresses? Physical addresses? Phone numbers? Username/password information? Financial or other personal data?

We want to be thinking about things like: How is the data stored? How is it accessed? Who can access it and how?

Sometimes identifying where the data actually lives can be difficult. It may be stored or backed up in an online database, in the cloud, or within an application.

Once we’ve conducted a thorough investigation and identified the critical systems and data that we need to protect, we can start to determine how to protect them.

This article is part of the Cybersecurity for Small Businesses course from the Guardian Angel IT Academy.