(Video) Cyber Risk Management

Today I’d like to talk to you about risk management in small- and medium-sized business and not-for-profit organizations.

I’m not talking about normal risk. Most people have already done a SWOT analysis of their business to find out where their strengths, weaknesses, and opportunities are. I’m talking about what information is important to your business and how you are going to protect it.

Most of us in small business nowadays have got a large digital component. This is what makes the business work. And it needs to be protected.

The protection of that information is critical to that business. If someone hacks your system or if you get a virus and they steal information off your laptop, for instance, and people find out that happened, there’s a number of impacts that can have on your business. One, you can lose the trust of your clients and your customers.

You can lose money and financial gain. You can lose your intellectual property. All those components are really important to your business. And every small- and medium-sized business and not-for-profit organization does things differently. They keep different information. So you need to do a risk management and analysis of what you’re collecting, why you’re collecting it and where it is being stored.

Once you’ve done that, you can work out, for instance, you have a website that collects email addresses and first names. Great. Do you need anything else? What other information do you need to collect to make sure that you can do your business and you can use that information to target your customers?

By having that analysis in place, you can then go, we need their real address so we can ship stuff to them. Good. Not a problem. So we’re going to keep that information. But you don’t need that driver’s license, their birthday, their tax file number unless it’s a business, or their social security number unless there is a specific reason why you need it.

Most people in the digital world are getting to the stage now where they won’t give away information that is critical and personal. You’ve got to remember that. Don’t make it so that you have to put your tax file number in to buy something.

Because if you do that, not only are you impeding your chances of a sale, because people will look at that and go, if I have to do that I’m not going to buy that. I’ll go somewhere else where I don’t have to put that information in.

That information now becomes really critical to how your business is going to protect it. So an email address and a first name, not a big deal. If that information gets out on the internet, apology to the clients, and we won’t let it happen again.

But if you let all of that information get out there, so all of that information – the credit card details, their tax file number, their social security number, if that gets out on the internet, all that personal information is a time bomb for you. And you don’t want to be in a situation where that information is found in a spreadsheet on some dark, nefarious website.

So as a small business, you need to do a risk management look at your business. Not just for how you’re going to make money in the business. But if you’re collecting information, how are you going to protect it. And that is really important to how you go about doing your business.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.