Which Cybersecurity Risks Could Affect Your Business?
All business leaders want to lower their cyber risk. But do you know the factors that might be putting your business at risk?
I can help. As manager, engineering services, at a managed IT support service provider, I work with companies to assess their cyber risk every day. (Don’t worry though, I’m not writing this article to convince you to work with us. My goal is just to provide information you can use.)
In this article, I’ll explain 10 factors that could contribute to your cyber risk. Some of these factors can be controlled and some of them may be inherent to your industry.
This article includes insight I’ve gained in more than 10 years of IT experience.
I’ll walk you through an easy-to-understand explanation of each of the important factors that could affect the likelihood of your business becoming a victim of a cyberattack, so you can take action to minimize your organization’s risk.
What Is A Cybersecurity Risk Factor?
Most people have the general understanding that a cybersecurity risk factor is something that contributes to the possibility that a technology infrastructure (and the data it contains) will be targeted by cyber criminals.
What people often don’t realize is that those risks can come from any device within your digital infrastructure from computers to internet of things (IoT) devices, or from everyday activities including searching the internet, emailing, and web browsing.
Anything that connects from your internal infrastructure to the internet could pose a cyber risk.
What Could Happen If Your Organization’s Risks Aren’t Addressed?
When organizations don’t identify and address security gaps in their infrastructure, those gaps can be exploited, resulting in unauthorized access to, or unintentional leakage of, customer or business data.
Two Types Of Cybersecurity Risk Factors
Cyber risk factors can be broadly categorized two ways.
Some risk factors exist solely due to the type of work your organization performs, the industry you serve, and the data you collect.
For example, medical groups process personally identifiable information (PII), protected health information, and credit card data. Processing this information is part of the business.
The risk associated with processing this sensitive data is inherent to the industry, meaning it can’t be eliminated, but it can be controlled.
Other risk factors are acquired or brought on by someone’s actions. These risks can be minimized or often eliminated.
For example, cumbersome IT processes and delays can result in people buying and installing a device on the network without the knowledge of the authorized IT support organization. While this is done innocently, the device isn’t known to or supported by the IT organization, resulting in potential security risks to the entire network.
Educating employees about the risks their actions can pose and streamlining IT processes to accommodate the real-time needs of users can mitigate risks like these.
Related article: What is Employee Security Awareness Training? Do I Need It?
10 Cybersecurity Risk Factors That Could Affect Your Business
Let’s walk through some specific factors that could affect your organization’s risk:
1. Organization Size
Cybersecurity risks used to be greater for large, multinational organizations, but that is no longer the case. Over time, these organizations invested heavily in security tooling and staff, making it harder for outsiders to gain unauthorized access.
As a result, criminals now target smaller organizations, which often hold the same kinds of protected information but lack the resources and staff required to identify and close the holes in their infrastructure.
2. Software
Some organizations install and manage updates and patches centrally. They have an IT organization that handles these maintenance activities for the entire organization.
Again, smaller organizations may not have a centralized IT staff. This can result in slow or nonexistent processes for updating and patching software, so known vulnerabilities with publicly available fixes stay open for months.
The age and type of the software also matter. Software that has reached end of support no longer receives security fixes at all, so any gap found in it stays open until the software is replaced.
3. Infrastructure
Whether your servers are located on-prem or in the cloud is another factor that could affect your organization’s cyber risk.
Many people believe that on-prem servers are safer because they are physically located on site and access is restricted. That is a fine solution for organizations that have the dedicated staff they need to patch and maintain the server hardware, firmware, and operating system.
The complication comes when the hardware warranty and the vendor’s support window expire and an organization needs to invest in a new server. Because of the cost, many smaller businesses are tempted to run servers beyond their supported life. Once the operating system or firmware stops receiving security updates, every newly discovered vulnerability in it stays unpatched.
When organizations move their servers to the cloud, the cloud service provider takes over patching and securing the underlying physical infrastructure and hypervisors, and, for managed services, the platform software. That is a real advantage, but it is a shared responsibility: you remain responsible for the guest operating system on your virtual machines, your application software, your user accounts and access control, and the configuration of the storage and services that hold your data. A server moved to the cloud with an unpatched OS and an exposed management port is no safer than it was in the closet.
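The two factors above (patching and end-of-support software or servers) both come down to one question: which of your hosts has stopped receiving security fixes, either because nobody applied them or because the vendor no longer ships them? The script below is an added example, not code from the original article. It audits a constructed host inventory against an assumed 30-day patch window and a small table of vendor end-of-support dates (verify those against the vendor’s lifecycle page before relying on them); any host with no lifecycle data is treated as unsupported until someone confirms otherwise.

```python
"""Flag hosts whose patching is stale or whose OS is past end of support.

Added example, not from the original article. The inventory below is
constructed, the 30-day patch window is an assumed policy, and the
end-of-support dates are vendor-published dates that you should verify
against the vendor's lifecycle page before relying on them.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy: security updates older than this are a finding.
MAX_PATCH_AGE_DAYS = 30

# Vendor end-of-support dates (verify against the vendor lifecycle page).
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "CentOS 7": date(2024, 6, 30),
    "Windows 10": date(2025, 10, 14),
}

# Fixed "today" so the sample run is reproducible.
AUDIT_DATE = date(2024, 3, 15)


@dataclass
class Host:
    name: str
    os: str
    last_security_update: date


def audit_host(host: Host, today: date, max_age_days: int = MAX_PATCH_AGE_DAYS) -> list[str]:
    """Return the findings for one host (an empty list means OK)."""
    findings = []
    eos = END_OF_SUPPORT.get(host.os)
    if eos is None:
        # No lifecycle data: treat as unsupported until someone verifies it.
        findings.append(f"no lifecycle data for '{host.os}'; treat as unsupported until verified")
    elif today > eos:
        findings.append(f"'{host.os}' reached end of support on {eos:%Y-%m-%d}; it no longer receives security fixes")
    age = (today - host.last_security_update).days
    if age > max_age_days:
        findings.append(f"last security update was {age} days ago (policy limit {max_age_days})")
    return findings


def audit_inventory(hosts: list[Host], today: date) -> dict[str, list[str]]:
    """Audit every host; returns {hostname: findings}."""
    return {h.name: audit_host(h, today) for h in hosts}


# Constructed inventory for the example.
SAMPLE_INVENTORY = [
    Host("file-srv-01", "Windows Server 2012 R2", date(2024, 2, 1)),
    Host("ws-accounting", "Windows 10", date(2024, 3, 5)),
    Host("web-01", "CentOS 7", date(2024, 3, 10)),
    Host("nas-legacy", "VendorNAS OS 3.1", date(2022, 11, 20)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{name}: {'OK' if not findings else 'ACTION NEEDED'}")
        for finding in findings:
            print(f"  - {finding}")
```

In the sample run, the file server is flagged twice (unsupported OS and a 43-day-old patch level), the legacy NAS is flagged because nobody knows its support status, and the two recently patched, still-supported hosts pass. Feeding this a real inventory export is the quickest way to find the "server beyond its life expectancy" problem described above before an attacker does.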
4. Industry
The industry in which an organization operates can also affect cyber risk, both in terms of the data collected and the compliance regulations that may govern how it is handled.
For example, medical providers must comply with the Health Insurance Portability and Accountability Act (HIPAA), which regulates how protected health information is used, stored, and secured.
Companies that store, process, or transmit credit card payment data must comply with the Payment Card Industry Data Security Standard (PCI DSS).
Organizations that handle controlled unclassified information for the Federal Government, such as government contractors, must also follow stringent requirements regarding data protection, such as NIST SP 800-171.
Related article: Does NIST 800-171 Apply To My Business?
5. Information Handled
The type of information your business handles every day may put your organization at an increased risk for cyberattack.
For example, if your team members access personal information (name, address, bank account number, Social Security number), you have a greater risk than someone who only has access to names and addresses.
It’s important that you honestly assess the value of the information you access, and the ease with which an attacker could reach it, to determine your cyber risk.
Then, you can set up layers of security that provide different levels of protection based on the sensitivity and accessibility of the information.
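Assessing what you actually handle is harder than it sounds, because sensitive values tend to accumulate in spreadsheets, ticket notes, and shared folders nobody classified. The script below is an added example, not code from the original article. It scans a constructed sample document for Social Security numbers, payment card numbers (validated with the Luhn checksum so ordinary digit runs such as order numbers are not reported), labelled bank account numbers, and email addresses, then assigns an assumed three-tier classification (restricted, confidential, internal). The patterns are heuristics that will miss some formats and flag some look-alikes, so treat the output as a starting point for the honest assessment the text calls for, not as a verdict.

```python
"""Find high-sensitivity data (SSNs, payment card numbers, bank account
numbers) in text so you know which tier of protection it needs.

Added example, not from the original article. The sample document is
constructed, the patterns are heuristics (they will miss some formats and
flag some look-alikes), and the three tiers are an assumed classification
scheme, not a standard.
"""
import re

# US SSN: AAA-GG-SSSS, excluding areas 000, 666, 9xx and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; candidates are Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Heuristic: an "account number: 12345678" style label followed by 8-17 digits.
ACCOUNT_RE = re.compile(r"(?i)\b(?:bank\s+)?(?:account|routing)\s*(?:no\.?|number|#)?\s*[:=]?\s*(\d{8,17})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict[str, list[str]]:
    """Return the sensitive values found, grouped by type."""
    findings = {"ssn": [], "card": [], "bank_account": [], "email": []}
    findings["ssn"] = [m.group() for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drop order numbers and other look-alikes
            findings["card"].append(digits)
    findings["bank_account"] = [m.group(1) for m in ACCOUNT_RE.finditer(text)]
    findings["email"] = [m.group() for m in EMAIL_RE.finditer(text)]
    return findings


def classify(findings: dict[str, list[str]]) -> str:
    """Assumed tiers: restricted (financial or government identifiers),
    confidential (contact data), internal (nothing sensitive found)."""
    if findings["ssn"] or findings["card"] or findings["bank_account"]:
        return "restricted"
    if findings["email"]:
        return "confidential"
    return "internal"


# Constructed sample document.
SAMPLE_DOCUMENT = """\
Customer: Jane Doe, 12 Main St, Springfield
Contact: jane.doe@example.com
Card on file: 4111 1111 1111 1111 (exp 12/27)
Order number: 1234-5678-9012-3456
SSN: 123-45-6789
Bank account number: 000123456789
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_DOCUMENT)
    for kind, values in found.items():
        print(f"{kind}: {values}")
    print("tier:", classify(found))
```

Run against the sample, the card number and SSN are reported, the order number is discarded by the Luhn check, and the document lands in the restricted tier; a file containing only a name and street address classifies as internal. Running the same scan across a file share tells you which folders need the strongest layer of protection.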
6. Security Tools
Your level of risk depends on whether you have the protective tools you need in place, and whether someone is keeping them configured and monitored. If there are gaps that can be exploited, assume they eventually will be.
Don’t assume that because nothing has happened to date, you are in the clear. It’s not a question of if, but when, your infrastructure will be probed and any gaps exploited.
Related article: Why Businesses Must Budget For IT Security (& How Much)
7. Remote Work
Remote work is a convenience for today’s workforce and became a lifeline for many businesses in recent years.
But when people are working remotely (and possibly using their own devices), chances are that the IT organization is no longer patching, protecting, and monitoring that equipment. An unmanaged personal laptop on a home network sits outside your patch process, your endpoint protection, and your logging, so gaps can open there unseen.
Related article: Keeping Remote Work Safe: Cybersecurity Policies, VPNs, And More
8. Public Wi-Fi
Employees should avoid public Wi-Fi for business tasks where they can, and treat it as a hostile network when they can’t. Anyone else on the network, or whoever runs the access point, may be able to observe or tamper with traffic that isn’t encrypted end to end, and a look-alike hotspot with the same name is easy to set up. If public Wi-Fi is unavoidable, connect through the company VPN, use only services that run over TLS (HTTPS), and never accept a certificate warning; a phone hotspot is usually the safer choice.
9. Lack Of Understanding
As we mentioned earlier, some organizations don’t have the financial or staff resources to keep up with cybersecurity. They might not realize where gaps exist and might not fully understand the risk that security gaps pose to their infrastructure and business.
10. Rogue IT
Rogue (or shadow) IT refers to IT solutions that are implemented without the knowledge and support of an organization’s official IT provider. It can be anything from an app to hardware or software.
For example, I’ve seen cases in which people want more network jacks at their desk, so they’ll go buy a switch. I’ve also seen people buy a router instead of a switch and when they connect it, it shuts off the rest of the network.
Or maybe a user needs a new printer, so they go and buy one at the store and install it on the network without realizing they are compromising the security of the entire infrastructure.
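Rogue devices are hard to stop by policy alone, but they are easy to see if you compare what is asking your DHCP server for an address against what IT actually manages. The script below is an added example, not code from the original article. It parses a constructed excerpt in the lease format written by ISC dhcpd (typically /var/lib/dhcp/dhcpd.leases), keeps the latest lease per MAC address, and reports any device that is not in an assumed asset inventory keyed by MAC. The MAC addresses use the locally administered 02:xx range so they match no real vendor.

```python
"""Compare DHCP leases against an asset inventory to surface rogue devices.

Added example, not from the original article. The lease data and the
inventory below are constructed; the lease format is the one written by
ISC dhcpd (typically /var/lib/dhcp/dhcpd.leases), and the MAC addresses
use the locally administered 02:xx range so they match no real vendor.
"""
import re

LEASE_RE = re.compile(r"lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{(?P<body>[^}]*)\}")
MAC_RE = re.compile(r"hardware ethernet\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2});")
HOST_RE = re.compile(r'client-hostname\s+"(?P<host>[^"]*)";')


def parse_leases(text: str) -> dict[str, dict[str, str]]:
    """Map each MAC (lower-case) to its most recent lease; later blocks win."""
    devices = {}
    for block in LEASE_RE.finditer(text):
        body = block.group("body")
        mac = MAC_RE.search(body)
        if not mac:
            continue  # static or malformed entry without a hardware line
        host = HOST_RE.search(body)
        devices[mac.group("mac").lower()] = {
            "ip": block.group("ip"),
            "hostname": host.group("host") if host else "",
        }
    return devices


def find_unknown_devices(leases_text: str, inventory: dict[str, str]) -> dict[str, dict[str, str]]:
    """Return the leases whose MAC is not in the managed-asset inventory."""
    known = {mac.lower() for mac in inventory}
    return {mac: info for mac, info in parse_leases(leases_text).items() if mac not in known}


# Constructed inventory of managed devices: MAC -> description.
KNOWN_DEVICES = {
    "02:00:00:aa:bb:01": "LAPTOP-JDOE (managed laptop)",
    "02:00:00:aa:bb:02": "PRINTER-2F (managed printer)",
}

# Constructed dhcpd.leases excerpt. The last block is a renewal of the
# first laptop's lease, written with an upper-case MAC to show normalisation.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 3 2024/03/13 08:12:01;
  ends 3 2024/03/13 20:12:01;
  hardware ethernet 02:00:00:aa:bb:01;
  client-hostname "LAPTOP-JDOE";
}
lease 192.168.1.51 {
  starts 3 2024/03/13 08:15:44;
  ends 3 2024/03/13 20:15:44;
  hardware ethernet 02:00:00:aa:bb:02;
  client-hostname "PRINTER-2F";
}
lease 192.168.1.77 {
  starts 3 2024/03/13 09:02:10;
  ends 3 2024/03/13 21:02:10;
  hardware ethernet 02:00:00:cc:dd:03;
  client-hostname "OFFICE-PRINTER-NEW";
}
lease 192.168.1.78 {
  starts 3 2024/03/13 09:40:55;
  ends 3 2024/03/13 21:40:55;
  hardware ethernet 02:00:00:cc:dd:04;
  client-hostname "HOME-ROUTER";
}
lease 192.168.1.60 {
  starts 3 2024/03/13 14:12:01;
  ends 4 2024/03/14 02:12:01;
  hardware ethernet 02:00:00:AA:BB:01;
  client-hostname "LAPTOP-JDOE";
}
"""

if __name__ == "__main__":
    for mac, info in find_unknown_devices(SAMPLE_LEASES, KNOWN_DEVICES).items():
        print(f"UNKNOWN DEVICE {mac}  ip={info['ip']}  hostname={info['hostname'] or '?'}")
```

On the sample data the two managed devices are silent and the store-bought printer and the home router are reported, hostnames included, which is usually enough to walk over to the right desk. A device that never asks for a DHCP lease (a router configured with a static address on the LAN side, for example) will not appear here, so pair this with a periodic ARP or switch-table review rather than relying on it alone.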
What’s The Bottom Line?
In this article, we’ve defined what a cyber risk is and the two general types (inherent and acquired).
We’ve also discussed 10 examples of factors that increase cyber risk for organizations like yours (size, software, infrastructure, industry, information handled, tools, remote work, public wi-fi, lack of understanding, and rogue IT).
At this point, you might be wondering where to go from here. You aren’t alone. I work with lots of business leaders who understand what needs to happen but aren’t sure how to proceed.
If you have an internal IT support organization, they may have the skills and experience to identify potential security gaps in your infrastructure and develop a plan to secure them. If not, you might want to consider working with an external IT support services provider.
Either way is fine, just don’t leave the gaps unprotected and assume that since they haven’t been exploited so far that your data is safe.
There are a range of tools you can use to bolster the security of your data and infrastructure ranging from firewalls to employee security awareness training to penetration tests and vulnerability scans and more. Some are costly, some are not. Some should be done weekly, some monthly, and some annually or not as often.
The bottom line is that every dollar you invest in enhancing the security of your data and network will pay off when a cyber criminal tries to gain access.
While there is no one foolproof tool that offers 100 percent protection, the more barriers and safeguards you have in place, the stronger the deterrent for people wishing to wreak havoc on your infrastructure.
This approach is similar to the layers of protection you’d put in place for anything of value.
Would you park your vehicle in a dark corner or under an overhead light? You could park your vehicle locked or unlocked, but most will lock it. Given the option, most people would park their vehicle in a garage rather than in the street.
Do these steps mean you are 100 percent guaranteed that your vehicle won’t be broken into? No, of course not, but the more precautions you take, and the more difficult it is for a criminal to gain access, the less the likelihood that they will target your vehicle. The same is true of your IT infrastructure.
Again, the bottom line is that any investment in security will come back to you. I’ve seen it happen.
Need help assessing your organization’s cyber risks? Click the button below for a free checklist you can use to:
✔️Understand where your organization's cybersecurity policy needs improving
✔️Learn actions you can take to keep your organization's data secure
✔️Help ensure your organization follows the latest cybersecurity best practices
If you don’t have the IT resources you need internally and are considering partnering with an external IT support services provider to fill the gaps, I have one piece of advice: compare several options.
I’ve seen too many cases where an organization signs a long-term contract with an IT provider and realizes in a short time that they aren’t the right fit to work together. Avoid a lot of heartache and financial pain, by thoroughly exploring your options. How many should you compare? I typically say 5-6.
And be aware that different providers lump different things together and operate in different ways.
Related article: Block Hours Vs. Managed IT Support: The Pros & Cons
Ask the questions you need to ask to understand the differences. Maybe one offers unlimited service calls, while another offers the opportunity for project work in addition to a managed IT support services offering. The details matter.
If you aren’t sure where to start, take a look at this blog post in which we compare the offerings of Charles IT with those of Kelser. We looked at the offerings highlighted on the website of each organization and prepared a head-to-head comparison. You could do the same with the providers you are considering.
The truth is that all providers offer advantages and disadvantages. The best one for you offers the things that are important for your organization. We offer several comparison articles in our Learning Center because we are committed to helping you find the right fit, rather than convincing you to work with us.
If you prefer to talk to an actual human being (which is our communication of choice) click the link below and one of our IT solutions experts will reach out to schedule a 15-minute exploratory conversation via telephone at your convenience to learn about your technology experience.