Enterprise Risk Approach for Small Medium Sized Business

May 17, 2018

We have spent our careers focused on large enterprise clients in Financial Services, Retail, Healthcare, Manufacturing and Government. The advent of technology and its pervasiveness has made it easier to be a small business owner. At the same time, it has forced other small businesses to adopt technology in all its forms.

The reality of cyber breaches and attacks for small business today is that 55% of small and medium sized businesses have experienced a data breach or a cyber attack. Today, 43% of spear phishing attacks are targeted at small and medium sized businesses. The data shows that 60% of businesses that fall victim to a cyber attack are severely affected, both financially and in their ability to keep operating. Small businesses tend to be victims because hackers and other cyber attackers look for the weakest link. As regulations and networks have all of us so connected and sharing information seamlessly, this creates multiple vulnerabilities. As a small business, you are now left to understand not only which technology to use but how secure it is and which compliance regulations you are subject to. In healthcare, for example, all entities that have access to the specific 18 elements listed in HIPAA need to sign a Business Associate Agreement (BAA). By signing this agreement a small business now shares in the risk and liability in the event of a breach. For a small business, the legal costs and fines from state and federal governments can be a death sentence. It will not be able to function after an attack that results in the loss of ePHI or other sensitive data. Unlike a large business, a small or medium sized business has to protect its reputation above all. That reputation is the difference between success and failure.

This does paint a rather tough and dire picture for small business today. So what are we really trying to get across here? We think security and privacy should not be, and are not, that complicated. Does that mean they do not require investment and/or budget? No, that is not the case. The budget is better spent when you understand risk. So the question is how do we determine risk for a small business. The simple steps to doing so are:


  • Understand data flows and business use cases
  • Document business use cases that you think can create a risk
  • Inventory and document technology (hardware, software, devices)
  • Inventory and document locations of sensitive data
  • Review and centralize all contracts with vendors and support organizations
  • Focus on a data centric approach to security
  • Understand compliance requirements and risk
  • Develop a plan that is documented
  • Provide employees with your policy towards data security and risk
  • Document and develop controls that are defensible based on standards like NIST, ISO, COBIT, HITRUST, etc.


The key to developing a good cyber security practice is to focus on risk. Grade your risk based on criticality to your business and on overall standards. Focus not only on prevention but also on detection and business continuity. Document all your plans and share them with the relevant stakeholders in the business. Security and risk management are a community effort and a culture change. Develop good training and awareness for your employees. To be secure and aware, you need everyone to participate.

Get your free risk assessment report today from SecureFLO

Post by Jyotin Gambhir
