By Patrick E Weithers, MSCSE, CSPM, CISSP

In today’s digital world, data is the lifeblood of every business. Consequently, cyber security has earned the highest priority among business risk reduction initiatives. Many small businesses purchase insurance (liability, disability, health, property, etc.) as a requirement to remain in business. These policies transfer the residual risk to people and other physical assets as part of a business risk mitigation strategy. Similarly, cyber insurance is a means to transfer residual cyber risk.

Establishing residual cyber risk requires performing regular risk assessments to identify the threat agents facing the business. Part of the risk assessment is a vulnerability analysis. Identifying vulnerabilities and implementing controls to mitigate them should be a business policy that starts at the governance level. Cyber security is becoming a significant global problem, and insurance companies are continually developing new types of policies for those businesses that request one. However, a cyber insurance policy is not a “free pass.” In the event of a breach, insurance companies will use their forensic investigators to determine whether the business owners performed due diligence and practiced due care. The importance of a risk assessment cannot be overstated, and the perfect time to begin is now. Businesses of every size are victims of cybercrime every day.

It is imperative that business owners of every size be concerned about, and understand, the security risk profile of their business. As a small business owner who is in the security business, I am continuously concerned about the probability of harm to the continuity of my business and the welfare of my team. My risk mitigation plan starts with the risks themselves, ranking the various risks to my business into three levels: high, medium and low. The level of risk determines the type of control I put in place and the budget established to implement that control. For example, it is not good business practice to spend a thousand dollars to protect a one-hundred-dollar asset.

My concern for the risk to my business is driven by the fact that it is the responsible thing to do, not because I’m intimately familiar with the threat landscape. If you are a business owner, it is important that you do at least the following:

  1. Conduct a complete risk assessment to determine the risks facing your business.

  2. Assess these risks by severity and prioritize the highest risks.

  3. Determine the level of risk you are willing to accept.

  4. Put in place controls that address the vulnerabilities which exist, so that your business risk is reduced to a level you consider acceptable. Controls come in many shapes and sizes: they can be directive, detective, preventative, deterrent, corrective, recovery or compensating. Controls are typically implemented in one of three ways: administrative, physical, or technical. For example, a physical control in the detective category could be implemented using CCTV cameras or an alarm system, and a compensating control in the administrative category would be job rotation.
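The four steps above can be captured in a small risk register. The following is an added example, not the author's own tooling: it scores each risk on a constructed three-point likelihood and impact scale, ranks the results into high, medium and low (the scoring thresholds are assumptions), applies a stated risk appetite, and then decides per risk whether to accept it, mitigate it with the listed control, or transfer it (for example to cyber insurance) when the control would cost more than the asset it protects, which is the one-hundred-dollar-asset rule from the text. The sample register is constructed for illustration.

```python
from dataclasses import dataclass

# Qualitative scale assumed for this example: 1 = low, 2 = medium, 3 = high.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    asset_value: float      # dollar value of the asset at risk
    likelihood: str         # "low" / "medium" / "high"
    impact: str             # "low" / "medium" / "high"
    control: str            # candidate control from step 4
    control_cost: float     # dollar cost to implement the control
    control_type: str       # administrative / physical / technical
    control_category: str   # directive, detective, preventative, ...


def risk_level(likelihood: str, impact: str) -> str:
    """Step 2: combine likelihood and impact into a high/medium/low rank.

    Thresholds on the 1..9 product are an assumption of this example:
    6 or 9 -> high, 3 or 4 -> medium, 1 or 2 -> low.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def treatment(risk: Risk, appetite: str) -> str:
    """Steps 3 and 4: decide how to treat one risk.

    appetite is the highest level the owner is willing to accept as-is.
    A control that costs more than the asset is not worth buying, so the
    residual risk is a candidate for transfer (e.g. cyber insurance).
    """
    level = risk_level(risk.likelihood, risk.impact)
    if LEVELS[level] <= LEVELS[appetite]:
        return "accept"
    if risk.control_cost > risk.asset_value:
        return "transfer"
    return "mitigate"


def build_plan(risks: list, appetite: str) -> list:
    """Step 1 input -> prioritized plan: highest-ranked risks first."""
    ranked = sorted(
        risks,
        key=lambda r: LEVELS[risk_level(r.likelihood, r.impact)],
        reverse=True,
    )
    return [
        {
            "risk": r.name,
            "level": risk_level(r.likelihood, r.impact),
            "decision": treatment(r, appetite),
            "control": f"{r.control} ({r.control_type}, {r.control_category})",
        }
        for r in ranked
    ]


# Constructed sample register (values are illustrative, not real figures).
SAMPLE_RISKS = [
    Risk("Ransomware on file server", 50_000, "high", "high",
         "Offline backups and endpoint protection", 4_000, "technical", "recovery"),
    Risk("Lost company phone", 800, "medium", "low",
         "Remote wipe policy", 200, "technical", "corrective"),
    Risk("Theft from storage closet", 100, "high", "medium",
         "CCTV camera", 1_000, "physical", "detective"),
    Risk("Insider fraud in payables", 20_000, "medium", "high",
         "Job rotation", 500, "administrative", "compensating"),
]


if __name__ == "__main__":
    for row in build_plan(SAMPLE_RISKS, appetite="low"):
        print(f"{row['level']:6} {row['decision']:8} {row['risk']} -> {row['control']}")
```

With a "low" appetite, the ransomware and insider-fraud risks are mitigated with their controls, the lost-phone risk falls within appetite and is accepted, and the storage-closet risk, where the $1,000 camera would protect a $100 asset, is flagged for transfer rather than for an over-priced control.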


Additionally, compliance and legal requirements are becoming more prescriptive for cyber security, so it is critical that organizations begin to demonstrate diligence by starting with the four steps indicated above. Implementing the correct controls, and the appropriate training for the people who work in your organization, is a perfect start and will be a critical factor in the success of your risk mitigation strategy. Moreover, regular security awareness training for all employees, specialized standards-based best-practice training for IT and IT security staff, and ongoing monitoring are essential.


Controls should be part of frameworks that are standardized (NIST, ISO, CIS, etc.), modular, consistent, measurable, and comprehensive. Finally, critical to the success of a risk assessment is having personnel with the appropriate knowledge, skills and abilities to implement these remediation activities, as well as to maintain and support them.
