WCS 494 Final Paper
TKR Solutions
A Cybersecurity Risk Assessment Firm
Royster, Kyan A., 12-2-2022
Our company, “TKR Solutions”, is a cybersecurity risk assessment firm whose goal is to educate small businesses in our neighborhood and prevent them from falling victim to a cyberattack. The internet has expanded to play a large role in our lives, with many individuals using it for daily tasks. People can instantly connect with the entire world and perform a wide range of tasks with only a few keystrokes on a computer or even a mobile phone. Although there are numerous advantages to that, it also creates a lot of problems. Many of the issues businesses have stem from a problem that can be shocking because of how close to home it is: businesses are unaware that their employees are in fact a huge risk, and in most cases the biggest risk, to a company’s cybersecurity. One of the main reasons is the lack of awareness employees have when performing tasks, such as not knowing a device is connected to an unsecured Wi-Fi network or storing customer information on a USB drive. Another reason is the Internet of Things (IoT). Many companies use multiple devices which are all connected to the same network and carry out business-critical processes. An employee could connect their mobile phone to the same network and download an app that is contaminated with a virus, which could lead to a DDoS attack on every device connected to that network, costing the company time and money. Reasons like these are why training on topics such as which Wi-Fi networks are suitable for downloading apps, and having a private network for the company’s IoT devices, is highly recommended (openaccess.gov).
Small firms may not consider themselves targets for cyber assaults because of their small size or the notion that they don’t have anything worth stealing, according to the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Members of the U.S. House of Representatives said during a hearing in 2017 that the average cyberattack caused damages of around $30,000. Additionally, they said that “60% of small enterprises that suffer a cyberattack close their doors within 6 months.” This is obviously a problem that is becoming worse every day. We understand that many small business owners are just starting out and have limited resources and understanding when it comes to cybersecurity issues. They typically devote their limited time and resources to other problems, like supply chain challenges, and it is frequently because of all these other problems that cybersecurity gets neglected and does not receive the attention it requires.
According to CISA (cisa.gov), small businesses are at higher risk of cyberattacks than larger businesses because they often have fewer resources dedicated to cybersecurity. Smaller businesses tend to hold valuable information that cybercriminals seek, such as employee and customer records, bank account information, access to the business’s finances, and access to larger networks. CISA confirms both the importance of protecting smaller businesses from cyberattacks, because of the important assets and information they hold, and the necessity of educating those working in small businesses about cyberattacks and how to mitigate them, for a safer and more aware business. CISA empowers the American public to be safer and more secure online by encouraging Americans to view internet safety as a shared responsibility at home, in the workplace, and in our communities. Our firm shares CISA’s aims, and it is our goal to protect and educate those small businesses in need.
We intend to address these concerns by providing a service that informs these small firms and lays the groundwork for what they should do with regard to their operations and mitigating technology-related risks. To help businesses understand, control, and mitigate risks involving their assets and technology, the company offers a consultation service that performs a cybersecurity risk assessment of other businesses in accordance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The emphasis of this Framework is on using business drivers to direct cybersecurity efforts and taking cybersecurity risks into account as part of the organization’s risk management procedures.
Understanding our customer’s business and gaining a deeper understanding of their daily operations and procedures is the first step in providing our service. With this information, we can accurately assess the numerous assets they use to run their daily operations. Then, after ranking their most valuable assets, we would examine the various safeguards the company is employing for those assets. From those assets, we would develop a risk management matrix in which we discuss the many hazards connected to each asset, including their level of severity and likelihood of occurring, and assign a score to each risk. The total score can be used as a reference to determine which assets need extra care to prevent exploitation. For each risk, there are also mitigation actions that detail how to properly protect the asset. Some assets might be given a monetary worth so they can be understood, along with the amount of a single loss expectancy and the frequency of occurrence on an annual basis. With these numbers, businesses can better grasp the total cost of ownership and the yearly loss expectancy in order to reduce those risks.
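The arithmetic behind the matrix described above, as an added example rather than code from the paper: each hazard gets a severity × likelihood score and a priority band, each asset a single loss expectancy (asset value × exposure factor) and an annual loss expectancy (SLE × annualized rate of occurrence), and a proposed safeguard is judged by whether its yearly cost is below the loss it removes. All asset names, ratings, dollar figures and the `nist_function` label are constructed assumptions.

```python
"""Risk register arithmetic for a small-business assessment.

Added example, not code from the original paper. Every asset, rating,
dollar value and control cost below is constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    hazard: str
    severity: int           # 1 (negligible) .. 5 (catastrophic)
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    asset_value: float      # AV: dollar worth of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)
    mitigation: str
    nist_function: str      # CSF core function the mitigation belongs to

    def __post_init__(self) -> None:
        # Reject ratings outside the 5x5 matrix so scores stay comparable
        if not (1 <= self.severity <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("severity and likelihood must be 1..5")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction 0..1")

    @property
    def score(self) -> int:
        """Qualitative matrix cell: severity x likelihood (1..25)."""
        return self.severity * self.likelihood

    @property
    def rating(self) -> str:
        """Band the 5x5 matrix into three priority levels."""
        if self.score >= 15:
            return "High"
        if self.score >= 8:
            return "Medium"
        return "Low"

    @property
    def sle(self) -> float:
        """Single loss expectancy: cost of one incident = AV * EF."""
        return round(self.asset_value * self.exposure_factor, 2)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly cost = SLE * ARO."""
        return round(self.sle * self.aro, 2)


def prioritize(register: list[Risk]) -> list[Risk]:
    """Most urgent first: highest matrix score, then highest yearly loss."""
    return sorted(register, key=lambda r: (r.score, r.ale), reverse=True)


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net yearly value of a control: ALE reduction minus the control's cost.

    Negative means the control costs more per year than the loss it avoids,
    which is why the matrix should inform, not drive, the decision."""
    return round((before.ale - after.ale) - annual_cost, 2)


# Constructed register for a hypothetical small retail business
REGISTER = [
    Risk("Customer records", "Copied to an unencrypted personal USB drive",
         4, 4, 50_000, 0.75, 0.5,
         "Company-issued encrypted drives; block removable media", "Protect"),
    Risk("Point-of-sale terminals", "Share Wi-Fi with staff phones and IoT gear",
         5, 3, 80_000, 0.25, 0.25,
         "Segment POS/IoT onto a private network", "Protect"),
    Risk("Business email account", "Phishing leading to account takeover",
         3, 5, 40_000, 0.25, 1.0,
         "MFA plus recurring awareness training", "Protect"),
    Risk("Public website", "Outdated software exposed to the internet",
         2, 3, 10_000, 0.5, 1.0,
         "Monthly patch schedule and tested backups", "Recover"),
]

# Same POS risk after network segmentation: less likely and far rarer
SEGMENTED_POS = replace(REGISTER[1], likelihood=1, aro=0.05)
SEGMENTATION_ANNUAL_COST = 1_200.0  # constructed: hardware plus admin time

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.asset:<26} score={r.score:>2} {r.rating:<6} "
              f"SLE=${r.sle:>9,.2f} ALE=${r.ale:>9,.2f} [{r.nist_function}]")
    print("Segmentation net value per year:",
          safeguard_value(REGISTER[1], SEGMENTED_POS, SEGMENTATION_ANNUAL_COST))
```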
In the article “Can Public Health Risk Assessment Using Risk Matrices Be Misleading?”, the authors describe the risk assessment matrix as a widely accepted, semi-quantitative tool for assessing risks and setting priorities in risk management (Vatanpour, Hrudey, Dinu, et al., 2015). They say that users should address the source of the problem, apply the risk matrix with a full understanding of the problem, and use matrix predictions to inform, but not drive, decision-making. Because the risk assessment matrix is widely accepted, it can be used in various disciplines and company types. For our business, it is good that the risk assessment matrix is widely accepted because we will be dealing with many different types of companies, and since it is very interdisciplinary, we will be able to do our job by assessing and discussing all the different hazards connected to the assets of the company we are dealing with.
One of the goals of our business is to educate the businesses we work with and their employees. TKR Solutions suggests that companies go over security policies with their employees regularly so that the policies stay fresh in their minds. Explaining how certain decisions they make while working can negatively affect the businesses they work for is a priority to us. We could assist organizations in developing effective workforce education training for their staff, informing them of better habits when performing tasks so they are more aware of what they are doing and less likely to put the company at risk through mistakes that could leave its security vulnerable to attacks.
Another part will include the company’s key performance indicators (KPIs) for their assets and link them to a function of the NIST Cybersecurity Framework Core (Identify, Protect, Detect, Respond, Recover) so that we can clearly explain its significance and offer a policy recommendation or procedure. In the Identify function of the NIST Cybersecurity Framework Core, the activities are foundational for effective use of the Framework (nist.gov). In this function, you want to develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event. It develops and implements appropriate safeguards to ensure delivery of critical services. The Detect function enables timely discovery of cybersecurity events. It develops and implements appropriate activities to identify the occurrence of a cybersecurity event. The Respond function supports the ability to contain the impact of a potential cybersecurity incident. It develops and implements appropriate activities to take action regarding a detected cybersecurity incident. The Recover function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. It develops and implements appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident (nist.gov). Linking the assets of the companies we work with to one of the NIST Cybersecurity Framework Core Functions will help us figure out the policy recommendations and procedures that can best secure that business and its assets.
An important obstacle that TKR Solutions can anticipate facing right away is certifications. For our staff to be competent and qualified to conduct risk assessments, they will need to hold specific certifications. These qualifications will help build a good reputation with our customers even though they are not necessarily required for any particular field. Our customers knowing that our staff hold certifications in cybersecurity would build trust in their relationship with us, showing that we know what we’re talking about and are qualified for the job at hand. According to the article “A Survey of Cybersecurity Certification for Internet of Things,” a cybersecurity certification is one of the most powerful instruments to address cybersecurity concerns before market deployment. Having certifications like CompTIA Security+, CompTIA PenTest+, Chartered Enterprise Risk Analyst (CERA), Certified in Risk and Information Systems Control (CRISC), etc., will go a long way in building comfort for our customers. The collaboration of our customers would be another huge barrier. Our service is based on the information that is provided to us by our customers, and in order to accurately assess them, we need to be aware of their current situation.
Another major problem we can face is money. Given the law of scarcity, and knowing that these businesses have only a limited amount of resources to devote to these risks, funding can cause problems with the service we offer our clients. Although the majority of the work we do is consultation rather than implementation, if we can successfully reduce a risk with the resources our customer has available, we shouldn’t run into many problems.
The effectiveness of our service with our clients can be evaluated in a number of ways. One is reassessing these companies and comparing the results with the performance found in the first assessment. Another could be a client who is struggling financially: the evaluation we do may reveal a resource that is being underutilized, which can leave our clients better prepared to adopt new procedures. Technical measurements like tracking how quickly threats are identified, when solutions are implemented, how long it takes on average to update software, how frequently cybersecurity training is offered, and how much access users should have to perform their duties are also ways our services could be evaluated.
A class that I have taken here at ODU relates pretty well to what our business is. In the second semester of my freshman year, I took a science class, oceanography. In oceanography, many different types of technologies are used for things like remote sensing, satellite communication, data collection, sampling devices, and live video feeds that allow experts from different places around the globe to connect and share information in real time (nationalgeographic.org). When oceanographers are working on different projects, they use different tools and collect a ton of data on whatever they are working on. They use a geographic information system (GIS) for organizing and analyzing data related to positions on the earth’s surface. They collect samples of mucus, feces, and tissue particles as environmental DNA (eDNA) to make new discoveries about marine life. They even use environmental satellites that detect and observe different characteristics and features in oceans.
With all the different types of technologies that oceanographers use for collecting data and other assets, a business like TKR Solutions could definitely be useful for their type of work. NBC News reported that Woods Hole Oceanographic Institution, a private, nonprofit facility that does scientific research on the world’s oceans, was the target of an “aggressive” cyberattack. Hackers gained access to the institution’s data and emails. With so much data in the oceanographers’ possession, they and their work would certainly be a target of a cyberattack. If a service request is sent to us, here is how our process will go with a company, or in this case the scientists/oceanographers:
First, the company would send a service request to us. Next, they would give us as many details as they can or are willing to give. From there, we would look over all the information given to us and list their assets based on importance and on their industry’s key performance indicators. Next, we would observe how they monitor, protect, respond to, and recover all of those assets. We would then draft reports on the information observed and offer solutions based on the NIST Framework. After that, we would present all the findings. Last, our team would reassess in 6 months to see if any improvements have been made based on the applied recommendations. Each of these steps is important and necessary in order to see what is going on and to find a solution to any problems a company might have by going through our process. Of course, it is a top priority of ours to learn how the employees of the company we are working with use certain technologies and how they operate on a day-to-day basis while on their company’s network. Their behavior on their company’s network could be a reason why a cyberattack is occurring, and we as a company would like to inform them on what to do and why some of the things they are doing are putting their company’s data at risk. The more their employees are aware and educated on the topic, the higher the chances are that they will avoid attacks in the future.
Another class that I had to take here at ODU with material that relates to our business, TKR Solutions, is public speaking. I took the class in the spring semester of 2018, which was the second semester of my freshman year. Public speaking is an important tool to have in a work environment no matter the type of work a person does. The way you communicate and deliver information can really benefit a business’s success. A team that knows its information and can break it down for others while delivering its message with passion can grasp the attention and trust of others. Being an effective presenter means you are engaging and exciting while building a deep connection with listeners. That is what we are trying to do here at TKR Solutions. In my public speaking class, we learned about the 5 P’s of presentation, which are Planning, Preparation, Practice, Performance, and Passion. Our business fits the 5 P’s well because that is what we are trying to accomplish when talking with our clients and explaining information to them. Planning objectives, topics, materials needed, etc., is important for our delivery when speaking with other businesses. Preparation includes knowing your audience and the best ways to interact with them. Finding the right strategy that will help our clients understand the material will be very beneficial for our interaction with them. Practice is for practicing things like facial expressions, hand gestures, body movement, eye contact, and your voice. It might sound funny, but perfecting those things can really have an impact on an audience. Performance is about establishing and maintaining a connection with the people you are talking to and how you respond to issues and ideas. Here is where you focus on the delivery of your voice. We want to use the right tone, pace, and pitch in our voice when in meetings and speaking to our clients, so learning how to perform with our voice will be key. Passion is the last P on the list.
Speaking to our clients with the right passion and energy can help build our clients’ trust and help our business build a positive reputation for current and future business opportunities. Public speaking is an important tool for our business and is something we want to make sure we are good at for the sake of our clients and our business as a whole.
I think one way we can determine whether our innovation is effective is our reassessment 6 months after working with a company. When 6 months pass, our business comes back to reassess and check whether any improvements have been made based on the recommendations that were applied to help mitigate the problems our client was facing. If we come back and see that fewer attacks have happened and the company hasn’t had many problems since we last saw them, then that means the procedure we put in place has been working and that the employees listened and changed their ways when operating on their company’s network. If the company is still having problems, then that means we didn’t do our job to the best of our ability, and we need to assess the problem further and come up with a better plan to fix it. That wouldn’t be a good look for our business, and we look to avoid that happening at all costs.
Another way we could determine whether our innovation is effective is by creating some kind of survey for our clients to fill out that answers questions about our business and service. We could ask our clients questions like “On a scale of 1-10, how was our customer service?”, “Do you think our service was beneficial for you?”, and “Did our service teach you about cyberattacks and give you options on how to mitigate them as much as possible?” Asking questions about the things we want to accomplish in providing our service would give us valuable feedback and help us learn our strengths and weaknesses when it comes to our business. From there, we could figure out what changes we need to make, if any, or how we can improve on something we do for future clients and business opportunities. We want our clients to feel comfortable and feel that we were beneficial to them, and with a survey of some sort, we can really figure out whether we helped our clients. It is also an opportunity to better our company, because we want to always improve for the sake of our customers.
In order to turn our business into a reality, we would need to complete a few things so that we can start the business properly. That means we need to do all the legal things needed to start a business, like obtaining the proper business licenses, forming an LLC (Limited Liability Company), and obtaining insurance. After obtaining the proper legal documents like licenses and insurance, we would then need to form a team to help operate the business. Recruiting the right members, with a background in cybersecurity and IT, would of course be best since we are a cybersecurity risk assessment firm. Having members that hold cybersecurity certifications and/or a clearance would be ideal as well. Our customers knowing we have a smart and capable cyber team will help our business in a big way in building trust and comfort for our clients.
The process for forming an LLC in Virginia includes steps like choosing a name for the LLC, appointing a registered agent, determining whether you need a Virginia business license, filing the LLC articles of organization, drafting an LLC operating agreement, complying with state employer obligations, paying taxes and fees for the LLC, and complying with federal requirements. Our goal as a company is to be as legitimate as possible and do everything by the book legally so we do not run into any problems or get into any trouble in the future.
The next step we should take to turn our business firm into a reality is to establish a firm risk management program. Risk management is critical for all firms, including small and medium-sized practices (Foerster & Arnold, 2019). It is critical for protecting the assets, finances, and operations of the firm and for contributing to satisfactory legal compliance, corporate governance, and due diligence. Foerster and Arnold say that effective risk management will protect the reputation, credibility, and status of the firm. To establish a risk management program, we would need to implement a Risk Management Framework based on a risk policy which focuses on services offered, marketing and communication, staff and human resources issues, information and resource management, regulatory obligations, IT issues, succession planning, acceptance and continuance of clients, and cash flow management. Next, we would need to establish the context of the firm, such as its goals, objectives, and the environment in which it operates, and identify internal and external stakeholders as well. Then, we would need to identify existing and potential risks and existing controls. Analyzing and evaluating risks on a continuing basis is important because it weighs exposure levels against a predetermined tolerance level, the degree of control, potential or actual losses, and the benefits and opportunities presented by the risk. We should consider both internal and external risks when assessing the kinds of risk our firm will be exposed to. We would need to treat and manage risks by developing strategies to manage any identified risks. Plans of action can be formed based on the current levels of risk exposure, the benefits from actions/controls, the time it takes to implement the actions, and the available budget. As a firm, we must communicate and consult with all parts of the firm and any outside parties to make sure that everyone involved is kept informed of the necessary information.
We should also monitor and review the risk management strategies on a regular basis. Because risks change and new risks form, especially in the cyber world, older treatment strategies that were once put in place may not be effective against the new risks and should therefore be revisited to come up with a better strategy to handle the situation. Lastly, our firm will need to keep written records of all policies and procedures. Things like documentation of the assessment process, the major risks identified, and the measures designed to reduce the impact of any major risks should be documented to avoid breaches in performance due to misunderstanding or misinterpretation among our team members (Foerster & Arnold, 2019). By creating a firm risk management program, getting the proper legal licenses and insurance, and assembling a qualified team, we would be on the right path to turning our business firm into a reality.
After getting our legal licenses and insurance, putting a qualified team together, and creating a firm risk management program, the next step we need to take for our business is to come up with a way to promote it and get our name out there. There are multiple ways to promote a business and get its name out to the public eye. When a brand new business is just getting started, it needs some type of promotion to attract clientele and get a jump start on finding work. If our business doesn’t put in an effort to promote itself, nobody will find us and our business won’t take off as we plan. The more we promote and get our name out there, the better our chances are of attracting business and growing our firm.
For us to get TKR Solutions out to the public eye, we should try some, if not all, of these strategies at least once. One idea is taking advantage of local listings. Registering our business with Google, which is like today’s version of the yellow pages, allows customers to easily find our company’s location and hours of operation. Customers can post reviews about our business as well. Setting up a “Google My Business” account can make our company more visible in online searches, which will reach more people. The next strategy is probably the most common one, which is to use social media. Social media platforms allow us to inform, attract, and engage with people on a daily basis. It is one of the more affordable ways to advertise a business because it is completely free to set up an account on most social media sites. We could create social media ads that appear on multiple platforms to reach audiences everywhere. Another way is by creating engaging and informative content through blogs, video tutorials, or infographics that grab people’s attention and build trust with our audience. We could create a website and optimize its SEO (search engine optimization), which will help our website show up higher in Google search rankings. Creating a press release if we do something notable could work as well. News outlets love interesting stories, and if they did a story on us, it would be free publicity. Getting involved in an online community is considered one of the best ways to promote a business as well. Commenting under relevant blogs could help get our name out there and expand our network. Creating visuals for our website and/or social media pages gets people’s attention. Adding pictures and videos that relate to our business will get people to want to learn and see what we have to offer.
Paying for advertising like television and radio ads, promoted social media posts, and pay-per-click ads could work and get a lot of people to see our business, but it could be expensive and might not be the best option when first starting out. Attending local and community events could be very effective because we get the opportunity to speak to people face to face, which can have a much stronger impact than if they had seen our business on the internet. We could host a webinar and give a presentation online or in person about our business and its purpose. It is also a good way to network and make contacts in our field, which is cybersecurity. One more strategy we could use is to offer a discounted rate for first-time clients. People love incentives, and a promotion like that could draw people in and encourage them to want to learn more about our business and maybe even give our services a try.
Promotion for any new business or product is important if you want it to reach the right audience. There are so many ways in today’s world to promote a business, with multiple options to choose from. Since our business is a cybersecurity risk assessment firm, options like social media and webinars seem like strong choices because they can reach a lot of eyes and can help us connect with others in our field for networking purposes.
Dear Director,
This letter is about a business idea that my group and I have come up with in regard to cybersecurity. Our group decided to create a cybersecurity risk assessment firm to help different businesses and companies with security issues regarding their network systems. Our goal is to educate small businesses in our neighborhood and prevent them from falling victim to cyberattacks. We want to inform and lay the groundwork for what small firms should do with regard to their operations and assist in mitigating risks related to any technology they use while working. Any important documents, assets, data, etc., that small businesses have are extremely valuable, and it is our endeavor to protect it all with the consultation service that we provide. In the process of working to protect these companies and businesses, it is another goal of ours to take time to educate their employees about how their actions can negatively affect their company’s network security and company assets as well. The more the employees know and are aware of their actions, the less likely they are to make mistakes that can damage the companies they work for. Providing a consultation service and educating companies is what our business is all about.
From doing this project, I have learned about the risk assessment matrix and how interdisciplinary it is. I learned a little about LLCs and the steps a business must take to form one. I also learned about risk management programs and how critical they are to firm practices. They are important for protecting the assets, finances, and operations of a firm, and I learned how strong risk management will protect the reputation, credibility, and status of the firm. Before doing this project, I didn’t realize the importance of all the tools that make a business firm successful, and I am glad that I am now somewhat more educated on the topic.
In my opinion, students would be able to find value in my project because of how informal it is. I’m sure there are a lot of people who would like to become entrepreneurs, and I believe that my paper can be something of a blueprint for things to think about when trying to start a business. Tips like obtaining an LLC and getting all the proper legal licenses and insurance, and even explaining all the different types of ways to promote your business once it’s up and running, are, I feel, useful tools for future entrepreneurs to think about.
If you were looking to seek us out as a future consultant, we would be open and willing to listen to any ideas you might think could help make our business firm stronger or more effective. We are always looking to improve our service, and if that means changing things up or doing a certain thing differently, we are willing to adjust and make the necessary changes for the wellbeing of our firm. Thank you for reading, Director!
From,
TKR Solutions
Works Cited
- Vatanpour, S., Hrudey, S. E., & Dinu, I. (2015). Can Public Health Risk Assessment Using Risk Matrices Be Misleading? International Journal of Environmental Research and Public Health, 12(8), 9575-9588. http://proxy.lib.odu.edu/login?url=https://www-proquest-com.proxy.lib.odu.edu/scholarly-journals/can-public-health-risk-assessment-using-matrices/docview/1711615448/se-2
- Hazlegreaves, S. (2019, January 16). Why employees are your biggest cyber security risk. Open Access Government. Retrieved from https://www.openaccessgovernment.org/employees-cyber-security-risk/57043/
- About the Cisa Cybersecurity Awareness Program. Cybersecurity and Infrastructure Security Agency CISA. (n.d.). Retrieved from https://www.cisa.gov/about-cisa-cybersecurity-awareness-program
- A Survey of Cybersecurity Certification of the Internet of Things. Old Dominion University Libraries. (2020, December). Retrieved from https://web-p-ebscohost-com.proxy.lib.odu.edu/ehost/pdfviewer/pdfviewer?vid=0&sid=decd061b-0f3a-48e9-9637-59ce67e5694a%40redis
- Mcgillivary, P. (2018, September). Why maritime cybersecurity is an ocean policy priority. ResearchGate. Retrieved from https://www.researchgate.net/publication/330387525_Why_Maritime_Cybersecurity_Is_an_Ocean_Policy_Priority_and_How_It_Can_Be_Addressed
- Ocean exploration: Technology. National Geographic Society. (n.d.). Retrieved from https://education.nationalgeographic.org/resource/ocean-exploration
- Foerster, M., & Arnold, C. (2019, July 21). Eight steps to establish a firm Risk Management Program. IFAC. Retrieved from https://www.ifac.org/knowledge-gateway/preparing-future-ready-professionals/discussion/eight-steps-establish-firm-risk-management-program
- Exploration tools. Science & Technology: Exploration Tools: NOAA Office of Ocean Exploration and Research. (n.d.). Retrieved from https://oceanexplorer.noaa.gov/technology/technology.html
- Prakash, P. (2020, October 28). How to start an LLC in Virginia in 8 steps. NerdWallet. Retrieved from https://www.nerdwallet.com/article/small-business/llc-virginia