Carr, Riggs & Ingram, LLC



Page 1

ARE YOU GAMBLING ON YOUR SMALL BUSINESS?
Answer these 8 questions to gauge your cybersecurity risk level.

Think your company is too small to attract attention from hackers? It’s probably time to think again. As larger businesses become more secure, cyber thieves turn their attention to smaller businesses, nonprofits, and even local governments. But don’t fold and walk away from the table. Instead, shift the odds in your favor. Start by answering these questions to assess your organization’s cybersecurity risk.

Q1 Do your management team’s words and actions clearly set the tone throughout the organization that security of sensitive data is a priority? (yes / no)

Q2 Do you have a company IT security policy that you support and to which you adhere? (yes / no)

Q3 Do your company’s policies and training reinforce that long-term data security should trump short-term convenience? (yes / no)

Q4 Do all of your employees understand what digital assets (such as client or donor lists, proprietary processes, and product launch plans) are held by your organization, as well as the value of those assets? (yes / no)

Q5 Do you have a clear picture of how data flows through your organization, including the people, systems, and applications that touch that data along the way? (yes / no)

Q6 Do all employees and business partners understand the risks associated with the security of your high-value digital assets? (yes / no)

Q7 Does your organization conduct a cybersecurity risk assessment at least annually? (yes / no)

Q8 Do you obtain annual independent, third-party verification (such as through a SOC 1 or SOC 2 report) regarding the information security controls of your service providers that could access your data? (yes / no)

If you answered “NO” to at least one of these questions, then turn the page to learn how to shift the odds in your favor.

Page 2

Q1: Do your management team’s words and actions clearly set the tone throughout the organization that security of sensitive data is a priority?

Why your cards in your current hand matter: Your employees and business partners take their cue from you. Do your words and actions convey that data security is of paramount importance – or do they imply that sacrificing security for the sake of convenience is acceptable? Leaders of secure businesses tend to avoid mixed messages by having frequent discussions with the management team and making sure they are all on the same page about the importance of data security.

Q2: Do you have a company IT security policy that you support and to which you adhere?

Why your cards in your current hand matter: Codes of conduct are among many essential ways that organizations communicate expected behavior. In today’s ultra-connected environment, every organization needs a cybersecurity policy that explains its confidentiality and security standards and practices.

Q3: Do your company’s policies and training reinforce that long-term data security should trump short-term convenience?

Why your cards in your current hand matter: Regular scenario-based training is a critical component of a strong cybersecurity program. Cybersecurity training should address what to do if a breach is suspected or discovered, as well as include competency-based testing to verify that participants learned the key lessons.

Q4: Do all your employees understand what digital assets (such as client or donor lists, proprietary processes, and product launch plans) your organization holds, as well as the value of those assets?

Why your cards in your current hand matter: Organizations of all sizes possess digital information they need to protect – from client or donor lists to protected health information. If your employees and business partners do not understand what those valuable digital assets are – or the value of those assets to your organization – then they are less likely to take the important steps necessary to prevent unauthorized access, use, or disclosure.

Q5: Do you have a clear picture of how data flows through your organization including the people, systems, and applications that touch that data along the way?

Why your cards in your current hand matter: Knowing where data is stored, how it is accessed, and who is using it can highlight potential areas of vulnerability and help to prevent a costly breach. Keep in mind that some of these touch points are within your control (such as local workstations and network servers) and some are not (such as cloud servers). Either way, you need to be aware of all those touch points.

Q6: Do all employees and business partners understand the risks associated with the security of your high-value digital assets?

Why your cards in your current hand matter: Given that your employees and business partners make daily decisions about how to conduct their duties, establishing well-designed policies and training will likely improve the odds that they will understand why long-term security should sometimes be prioritized over short-term convenience.

Q7: Does your organization conduct a cybersecurity risk assessment at least annually?

Why your cards in your current hand matter: A risk is the potential for loss, damage, or destruction of an asset. Only after determining the risk level for a digital asset can you make informed decisions about investments in training, technical controls, and cybersecurity awareness programs. Given the speed at which technology changes, it is best to assess your risk at least annually.

Q8: Have you obtained independent, third-party verification (such as through a SOC 1 or SOC 2 report) regarding the information security controls of your service providers that could access your data?

Why your cards in your current hand matter: Business partnerships thrive on trust. When it comes to the protection of valuable data, that trust should be based on independent verification of the vendor’s controls.

HOW PREPARED IS YOUR BUSINESS FOR A CYBER ATTACK?

When it comes to cybersecurity preparedness, your organization has room for improvement. Each of these questions represents an essential card in your cybersecurity hand, and even one “no” equals an opportunity to tighten your game strategy and strengthen your cyber defenses.

CRInsight: CRI can help you develop a cybersecurity training program. Learn more about what this program should include.

Next steps

Learn more about how to execute a winning game strategy by downloading our CRInsight, Do You Know Your Odds? 6 Key Ways to Strengthening Your Cybersecurity Posture. Additionally, contact CRI’s cybersecurity specialists to discuss how your organization can uncover its true risks through a cybersecurity risk assessment.

CRIcpa.com