Risk management tips from the SBA and NIST every small-business owner should read

Shifting cybersecurity from a defensive posture to one of managing risk is becoming more important for small-business owners. Here's must-read risk-management guidance.


Risk management, rather than cybersecurity alone, is now the primary emphasis, and some people may view this as giving up. Others prefer to think of it as smart business, since several decades of trying to keep cybercriminals at bay have been only marginally successful.


What is a good risk-management strategy?

Barbara Weltman, in her US Small Business Administration (SBA) article 5 Best Risk Management Strategies, suggests that risks can come from any number of sources, such as economic conditions, competitors, and cybercriminals. "It's essential that you adopt a variety of risk-management strategies," writes Weltman. "These are designed to avert catastrophe and provide you with protection to the extent possible."

What is considered a good risk-management strategy? Large corporations have trained personnel dedicated to managing risk. That is not the case for small-business owners, who rely on their own experience or on third-party vendors for help; and contracting with third-party vendors may not be possible because of cost.

SBA's Risk Management for Small Businesses Participant Guide

When it comes to risk management, the SBA has many free-for-the-asking resources. A good first choice would be the SBA's Risk Management for Small Businesses Participant Guide (PDF), as it helps identify:

  • Risks associated with a small business;
  • External and internal factors that affect risk for a small business;
  • Situations that may cause risk for a small business; and
  • Warning signs of risk for a small business.

Once risks are identified, the authors of the guide suggest evaluating the impact each risk would have on business operations and continuity. The best place to find that information is the operations manager, who will have to deal with the fallout if a risk comes to fruition. Taking it a step further, the guide mentions, "In fact, consult with all your key people to enlist their input and communicate to them the risks that you see."


NIST's SP 800-37 revision 2

In addition to receiving help from the SBA, small-business owners should familiarize themselves with the National Institute of Standards and Technology (NIST). In December 2018, NIST released the finalized version of its Special Publication 800-37 Revision 2, which provides risk-management guidance in a framework format.

Whereas the SBA's guide helps identify all types of risk, SP 800-37 Revision 2 is a structured process that focuses on risks related to cybersecurity and privacy, covering information-system categorization; control selection, implementation, and assessment; system and common-control authorization; and continuous monitoring.

"The Risk-Management Framework (RMF) includes activities to prepare organizations to execute the framework at appropriate risk-management levels," writes Dan Chandler, cybersecurity and privacy advisor at Criterion Systems, Inc., in a blog post. Activities that the RMF promotes are:

  • Near-real-time risk management and ongoing information-system and common-control authorization through the implementation of continuous monitoring processes;
  • Reception by upper management of information needed to make efficient, cost-effective, risk-management decisions; and
  • Incorporation of security and privacy into the system-development life cycle.

"Executing the RMF tasks links essential risk-management processes at the system level to risk-management processes at the organization level," continues Chandler. "In addition, it establishes responsibility and accountability for the controls implemented within an organization's information systems and inherited by those systems."


Additional resources for risk management tips

NIST's RMF suggests using the following resources (which are typically free) to deepen insight into potential risks:

  • Banks are well aware of risk management and can offer suggestions, particularly if they have a fiduciary interest in the company;
  • Consult a risk insurance provider; and
  • Check the internet to find similar businesses or professional organizations that may share information on industry-specific risks.

The idea so far has been to help small-business owners avoid spending money, but there is one expense that might be worth it when looking at the big picture: hiring an auditing firm or a cybersecurity-oriented CPA to review the company initially and provide a how-to for future internal risk evaluations.

Final thoughts

Matt Burrough, a security engineer at Microsoft, made several good points while answering a question on Quora. "To me, when I think of the term IT risk management, I think of the planning, decisions, and trade-offs that are made to mitigate risks an IT department might face," writes Burrough.

To clarify the difference between risk management and cybersecurity, Burrough considers cybersecurity to be the process of assessing, securing, and testing one's computing environment against attackers and malicious users.

Interestingly, Burrough does not consider cybersecurity and risk management disparate entities. "I'd consider the decision making part of cyber-security part of IT Risk Management, but not the implementation of those decisions," he explains. "Conversely, not all IT Risk Management is cyber-security related, since there are plenty of risk factors in the IT world that have nothing to do with attackers."
