Starting or improving a cyber security program
If you want to get better at cyber security, the guidance and reference material on this site are one option to consider.
Take control of your cyber security one step at a time. Start a practical cyber security program that helps you reduce risk, earn trust, and keep your business on track, even if you don’t have a lot of time or budget.
Why you should have a cyber security program
Cyber security is a risk management problem. Risk management means considering what could happen, how badly it would hurt, how likely it is, and what you can do about it, and then planning how to treat or mitigate each risk you identify.
Some small businesses (28% in some surveys) do nothing about cyber security because the risks feel abstract or because they believe they are too small to be a target.
However:
- Cyber threats are often automated and indiscriminate
- Downtime, data loss, and loss of trust are costly – sometimes very costly
- Many customers, insurers, and partners are beginning to expect and appreciate basic cyber security
A little structure goes a long way. Thinking about your business information, the impact of interruptions, and how to recover quickly gives you control and helps you focus on running your business.
Your business needs a cyber security program. It may be relatively small, but it should be comprehensive. You can build one now.
If you do not have a cyber security program, one way to start is just thinking about and writing down your important information assets and the devices used to access them. Then consider the threats to these assets, the impact of losing them, and the steps to respond and recover if they are compromised.
If you already have a cyber security program, consider making it more effective by organizing it and applying good practice: understand its strengths and weaknesses, identify gaps, and prioritize risk-based, cost-effective improvements that support your business objectives.
The four steps on this page illustrate a pragmatic, easy-to-follow way to achieve the benefits of a cyber security program:
- Create, consolidate, and maintain a Program Description Document
- Create or update a cyber security policy
- Select your initial cyber security controls
- Sustain and improve the program
Step 1. The cyber security program description document
You will need a Program Description Document. As the cyber security program (or just program) matures, the Program Description Document may grow into a document set, but one large document is also a fine implementation.
Governance, documentation, and a cyber security policy are the important parts. None of it needs to be complex, but it does need to be written down.
Building from the Information Security Model Canvas can organize the development or improvement of a program. The Information Security Model Canvas Template (or just Model Template) can be used for this. The Model Template has the headings and sections from the Information Security Model Canvas diagram along with guidance to help you update the Program Description Document.
As you update the Program Description Document, mark sections you do not use as Not Applicable (for now) rather than deleting them. It is better to tell readers explicitly that a section currently has no governance defined than to leave them wondering whether it was overlooked.
No Program
If you have no formal cyber security program, or nothing is documented, read the Model Template guidance as someone creating the content for the first time: the material you add to the Program Description Document does not exist yet, so you are writing it rather than plugging it in.
Have Started a Program
If you already have a program and want to adopt the standards-based cyber security program foundations this site supports, read the Model Template guidance as someone consolidating existing material: much of what you add to the Program Description Document may already exist. Where it does, you are plugging it in rather than creating it.
Secure Storage
Treat this document carefully. Later in the program you will start to classify documents and information, which helps to control costs: once you know the classification of a piece of data, the effort spent protecting it can be kept commensurate with its value.
If you do not already have a secured digital document repository, consider getting one. For now, keep in mind that the Program Description Document will evolve into a description of your defenses and their gaps, which is exactly what you do not want an adversary to have.
Step 2. Consider a cyber security policy
Every business handles sensitive data: customer records, emails, payments, calendars. A cyber security policy helps protect information by setting clear expectations for how you and your team handle information, devices, and risks.
Policy can be a tool, not just paperwork, that gives you:
- Clarity – Know what to protect and who is responsible
- Consistency – Everyone works from the same set of easily known guardrails
- Credibility – Shows clients, insurers, and partners that you take protection seriously
- A starting point – From here, you can build policy over time as your needs grow
Add a cyber security policy as an appendix to the Program Description Document or create a separate document. Use your own policy document format or use our Policy Template.
Step 3. Add controls: from a risk assessment or the low-hanging fruit
At this point, make a choice about your priorities. Many things in cyber security and risk management start with a risk assessment, and there is sound logic in that approach.
A risk assessment is a set of steps used to identify, evaluate, and prioritize potential threats or vulnerabilities, helping guide decisions about controls, investments, and risk treatment. Many elements of a program, including the program itself, start with or utilize a risk assessment. A risk assessment process is outlined here.
However, some controls you already know will be part of the program. These are sometimes called low-hanging fruit, and it may be appropriate simply to implement them now to reduce the associated risks. Examples include making sure anti-malware controls are in place and running on every endpoint device, implementing backups (and checking that you can actually restore from them), and enabling multifactor authentication.
You can also do both in parallel: start the Program Description Document, and begin implementing the low-hanging fruit controls without waiting for a risk assessment or for the document to be completed and approved.
Risk assessments can be completed later: as part of the program review, if the understanding of a risk changes, or for new risks that are identified.
Pragmentum’s free self-assessment can also help you jump start your program. See Pragmentum Services for details on our cyber security services and the free stuff on this site.
Step 4. Sustain and improve the cyber security program
Save the Program Description Document and make your team aware of the program. You now have a program! If you completed a risk assessment, it provides the prioritized list of risks to address.
Now you need to keep the program current or conduct efforts to close any gaps:
- Set up a process for continuous improvement of the program and the controls
- If a risk assessment has not been completed, conduct one
- Set up a project to prioritize and implement the mitigations from the risk assessment or improve the controls that are in place
- Set a frequency to review the program, at least annually
- React as you become aware of new risks or changes to existing risks
To recap:
Use the Model and Templates to document your program, and add controls from the risk assessment, the low-hanging fruit, or both:
- Download the Model Template
- The headings in the Model Template correspond to the sections of the model diagram
- Follow the guidance in the Model Template and fill out as much of the content as you need. You can come back to edit this document, your program, as often as you need.
