Topic: Creating a private cybersecurity business focused on providing cybersecurity risk assessments that help organizations understand, control, and mitigate cyber risks

Structure: 

-The problems we see in regards to cyber attacks, with examples of both small-scale and large-scale attacks.

-Transition to talking about how it’s a known issue and a lot of people/companies still look at important things like changing passwords and making them complex as a chore…

-How a firm can provide a service to first-time business owners/local business owners (our target area): looking at all of the different assets of their establishment, assessing the likelihood that threats will exploit them, and including suggestions for improvement.

-Barriers can range from the cooperation of the customers to limited funding to implement the crucial processes that protect certain areas.

-We can measure success by comparing the rate of attacks on our customers to the rate in the areas we don’t service, or through inquiries of our customers.

TKR Solutions:

Our company’s endeavor is to educate small businesses in our neighborhood and prevent them from falling victim to a cyberattack. The internet has expanded to play a large role in our lives, with many individuals using it to do daily tasks. People may instantly connect with the entire world and perform a wide range of tasks with only a few keystrokes from a computer or even a mobile phone. Although there are numerous advantages to that, it also creates a lot of problems. Many of the issues businesses have stem from a source that can be shocking because of how close to home it is: businesses are unaware that their employees are a huge risk, and in most cases the biggest risk, to the company’s cybersecurity. One of the main reasons is the lack of awareness employees have when performing tasks, such as not knowing that a device is connected to an unsecured WiFi network or storing customers’ information on a USB drive. It is important that organizations develop effective workforce education training for their staff to teach them better habits when performing tasks, so they are more aware of what they are doing and less likely to put the company at risk through mistakes that could leave its security vulnerable to attacks. Regularly going over security policies to ensure employees know what to do and what not to do should also be encouraged, to mitigate as many mistakes as possible for everyone’s wellbeing.

   Small firms may not consider themselves targets for cyber assaults due to their small size or the notion that they don’t have anything worth stealing, according to the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Members of the U.S. House of Representatives said during a hearing in 2017 that the average cyberattack caused damages of around $30,000. Additionally, they said that “60% of small enterprises that suffer a cyber attack close their doors within 6 months.” This is obviously a problem that is becoming worse every day. We understand that many small business owners are just starting out, and they have limited resources and understanding when it comes to cybersecurity issues. They typically devote their limited time and resources to other problems, like supply chain challenges, and it is frequently because of all these other problems that cybersecurity gets neglected and does not receive the attention it requires.

   By providing a service that will inform and lay the groundwork for what these small firms should do with regard to their operations and mitigating risks related to technology, we intend to address these concerns. In order to help businesses understand, control, and mitigate risks involving their assets and technology, the company offers a consultation service that performs a cybersecurity risk assessment of other businesses in accordance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The emphasis of this Framework is on using business drivers to direct cybersecurity efforts and taking cybersecurity risks into account as part of the organization’s risk management procedures.

   Understanding our customer’s business and gaining a deeper understanding of their daily operations and procedures is the first step in providing our service. With this information we can accurately assess the numerous assets they use to run their daily operations. Then, after ranking their most valuable assets, we would examine the various safeguards the company is employing for those assets. From those assets, we would develop a risk management matrix in which we discuss the many hazards connected to each asset, including their level of severity and likelihood of occurring, and assign a score to each risk. The total score can be used as a reference to determine which assets need extra care to prevent exploitation. For each risk, there are also mitigation actions that detail how to properly protect it. Some assets may be given a monetary worth so they can be understood in those terms, together with the amount of a single loss expectancy and the annual frequency of occurrence. With these numbers, businesses can better grasp the total cost of ownership and the yearly loss expectancy in order to reduce those risks.

   Another section includes the company’s key performance indicators (KPIs) for those assets and links them to one of the NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover) in order to clearly explain their significance and to offer a policy recommendation and procedure. Trade secrets and intellectual property, for instance, can be assigned to the Protect function, as they represent very sensitive and vital data that needs to be protected at all times. The creation of non-disclosure agreements, with a mechanism for how to implement the policy in that particular organization and how frequently it should be reviewed and/or updated, may be suggested as a policy.
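The risk matrix, the loss-expectancy figures and the mapping of each mitigation to a NIST Cybersecurity Framework function described in the two preceding paragraphs can be kept in one small risk register. The following is an added example and not part of the original plan or any TKR Solutions tooling. It assumes a 1-5 scale for likelihood and severity (a common convention, not one the text specifies) and uses the standard quantitative formulas single loss expectancy = asset value × exposure factor, annualized loss expectancy (ALE) = SLE × annualized rate of occurrence, and net safeguard value = ALE before − ALE after − annual safeguard cost; the assets, values and threats are constructed sample data for a small shop.

```python
"""Risk register for a small-business assessment (added example; constructed data)."""
from dataclasses import dataclass, field

# The five Framework Core functions named in the text; every recommendation maps to one.
NIST_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass
class Risk:
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); assumed scale
    severity: int            # 1 (negligible) .. 5 (critical); assumed scale
    exposure_factor: float   # fraction of the asset's value lost in one incident (0..1)
    aro: float               # annualized rate of occurrence (incidents per year)
    nist_function: str       # which CSF function the mitigation supports
    mitigation: str

    def __post_init__(self):
        # Reject out-of-range inputs early so a typo cannot silently skew the ranking.
        if not (1 <= self.likelihood <= 5 and 1 <= self.severity <= 5):
            raise ValueError("likelihood and severity must be on the 1-5 scale")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor is a fraction between 0 and 1")
        if self.nist_function not in NIST_FUNCTIONS:
            raise ValueError(f"unknown NIST CSF function: {self.nist_function}")

    @property
    def score(self) -> int:
        """Risk-matrix score: likelihood times severity."""
        return self.likelihood * self.severity


@dataclass
class Asset:
    name: str
    value: float             # business/replacement value in dollars
    risks: list = field(default_factory=list)

    def total_score(self) -> int:
        return sum(r.score for r in self.risks)


def sle(asset: Asset, risk: Risk) -> float:
    """Single loss expectancy: value lost in one occurrence of the threat."""
    return asset.value * risk.exposure_factor


def ale(asset: Asset, risk: Risk) -> float:
    """Annualized loss expectancy: SLE scaled by how often the threat occurs per year."""
    return sle(asset, risk) * risk.aro


def asset_ale(asset: Asset) -> float:
    return sum(ale(asset, r) for r in asset.risks)


def rank_assets(assets) -> list:
    """Assets needing the most attention first: by total matrix score, then by ALE."""
    return sorted(assets, key=lambda a: (a.total_score(), asset_ale(a)), reverse=True)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard; positive means the spend pays for itself."""
    return ale_before - ale_after - annual_cost


def build_register(assets) -> list:
    """Flatten assets and their risks into rows a client report can be built from."""
    rows = []
    for asset in assets:
        for r in asset.risks:
            rows.append({"asset": asset.name, "threat": r.threat, "score": r.score,
                         "SLE": sle(asset, r), "ALE": ale(asset, r),
                         "function": r.nist_function, "mitigation": r.mitigation})
    return rows


# Constructed sample data for a small retail shop; all figures are illustrative.
SAMPLE_ASSETS = [
    Asset("Customer PII database", 50_000, [
        Risk("Phishing leads to credential theft", 4, 5, 0.6, 0.5, "Protect",
             "Security awareness training; MFA on all accounts"),
        Risk("Unencrypted backup on USB drive lost", 3, 4, 1.0, 0.2, "Protect",
             "Encrypt removable media; restrict USB use by policy"),
    ]),
    Asset("Point-of-sale terminal", 8_000, [
        Risk("Malware via unsecured Wi-Fi", 3, 3, 0.5, 1.0, "Detect",
             "Segment the POS network; monitor for unexpected connections"),
    ]),
    Asset("Public website", 5_000, [
        Risk("Outdated CMS plugin defaced", 2, 2, 0.4, 0.5, "Recover",
             "Patch schedule; tested restore procedure"),
    ]),
]

if __name__ == "__main__":
    for a in rank_assets(SAMPLE_ASSETS):
        print(f"{a.name}: score {a.total_score()}, ALE ${asset_ale(a):,.0f}")
    for row in build_register(SAMPLE_ASSETS):
        print(f"  [{row['function']}] {row['threat']} -> {row['mitigation']}")
    # Is $2,000/year of training plus MFA justified if it cuts the phishing ALE from $15,000 to $3,000?
    print("net safeguard value:", safeguard_value(15_000, 3_000, 2_000))
```

Running the script ranks the customer database first (total score 32, ALE $25,000), then the point-of-sale terminal and the website, and shows a $2,000-a-year phishing safeguard netting $10,000 against the constructed figures; in a real engagement the values come from the client interview described above, and the register is where the client's own KPIs would be recorded against each row.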

   An important obstacle we can anticipate facing right away is certifications. In order for our staff to be competent and qualified to conduct risk assessments, they will need to hold specific certifications. These qualifications will help build a good reputation with our customers even though they are not necessarily required for any particular field. They include CompTIA Security+, CompTIA PenTest+, Chartered Enterprise Risk Analyst (CERA), Certified in Risk and Information Systems Control (CRISC), Certified in the Governance of Enterprise IT (CGEIT), and Control Objectives for Information and Related Technologies (COBIT) qualifications. These credentials are continually expanding and changing, so this list is not all-inclusive. The cooperation of our customers would be another huge barrier. Our service is based on the information that is provided to us by our customers, and in order to assess them accurately, we need to be aware of their current situation. Another major problem we can face is money. The law of scarcity tells us that these businesses have only a limited amount of resources to devote to these risks, which can cause problems for the service we offer our clients. Although the majority of the work we do is consultation rather than implementation, if we can successfully reduce a risk with the resources our customer has available, we shouldn’t run into problems.

   The effectiveness of our services with our clients can be evaluated in a number of ways. Reevaluating these companies and contrasting the results with the first assessment’s findings could be one approach. Another applies to a client who is struggling financially: our evaluation may reveal a resource that is being underutilized, and as a result our client is better prepared to adopt the new procedures. Other measurements can be of a technical nature, such as tracking how quickly threats are identified, when solutions are implemented, how long it takes on average to update software, how frequently cybersecurity training is offered, and how much access users have relative to what they need to perform their duties.

   In conclusion, we want our customers to understand the risks involving technology at their place of business and provide them with affordable solutions and processes they can implement to continue the growth and development of their organization. Whether that means providing food and shelter for the community or protecting personally identifiable information and health information, it is our goal to educate and help those in need.

References

Dahbur, K., Bashabsheh, Z., & Bashabsheh, D. (2017). Assessment of security awareness: A qualitative and quantitative study. International Management Review, 13(1), 37-58, 101-102.

Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). CISA Cybersecurity Awareness Program small business resources. https://www.cisa.gov/publication/cisa-cybersecurity-awareness-program-small-business-resources

Protecting small businesses from cyber attacks: The Cybersecurity … (n.d.). https://www.govinfo.gov/content/pkg/CHRG-115hhrg26297/pdf/CHRG-115hhrg26297.pdf

Barrett, M. P. (2020, January 27). Framework for improving critical infrastructure cybersecurity version 1.1. NIST. https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11

Hazlegreaves, S. (2019, January 16). Why employees are your biggest cyber security risk. Open Access Government. https://www.openaccessgovernment.org/employees-cyber-security-risk/57043/