Get the basics right: risk management principles for cyber security


Start with a cyber security baseline

If you can afford to do nothing else, SMBs should adopt a recognized baseline of security controls. This approach doesn’t require any risk analysis at all; it’s just about applying some basic security controls and demonstrating that your organization takes cyber security seriously. Make sure the security baseline you choose takes into account any laws and regulations your organization must comply with.

All organizations face risks, no matter the size

Many cyber attacks use indiscriminate scatter-gun approaches to targeting victims. If you’re a small business or sole proprietor, you’re just as likely to be a victim of these scatter-gun attacks as a large organization. Attackers may not know (or care) who you are until they get a foothold in your organization.

Understand what you care about, and why

Cyber security is as much about knowing how your organization functions as it is about technology. Think about what people, information, technologies and business processes are critical to your organization. What would happen if you no longer had access to them (or if you no longer had control over them)? For example, your organization might be able to function reasonably well for a few days without email, but loss of a Customer Relationship Management service might prevent essential day-to-day tasks being completed. Equally, some information (such as personal data) must remain private, but other types of information could be released without any disruption. This basic understanding of what you care about, and why it’s important, should help you to prioritize where to protect your organization most.

Think about situations in which you could be compromised

The ability to visualize the future consequences of your decisions - some of which cannot be easily predicted - is essential to risk management. You can’t explore every scenario in which you could be compromised, but you shouldn’t let that put you off. It might seem natural to start with a decision you’ve taken, such as adopting a particular password policy in your organization, and to work forwards from there to explore the consequences. However, it can be more useful to start with an outcome that you want to avoid, and then work backwards.

For example, you could imagine the following outcome:

  • Our customers’ personal data has been leaked

and work backwards from there. So in this case you might ask yourself:

  • What decisions did we take immediately before the leak, which might have exacerbated the situation?

  • Why did we make these decisions?

As you work backwards, it should become clear that there are many ways in which any negative outcome can occur. All this can give you valuable insights about how best to deploy your limited cyber security resources. This is not the only way to think about situations in which you could be compromised; it’s just one example of how this kind of technique could be used.

Accept some risk

When you’ve made a business decision (such as deploying some new technology in your organization) you will have to accept some possibility that it could be attacked, subverted, destroyed or otherwise messed with. We all experience risk because the future is uncertain, and cyber risk is no different.

We’re not saying that you should just shrug your shoulders and ignore cyber risks; rather, you need to focus on those risks which you can practically do something about. Getting this right depends on:

  • understanding what you expect to gain by taking a given risk

  • how much it would hurt you if that risk was realized

  • how much you can afford to spend on protecting yourself

This all comes down to judgement. So if anyone tells you that a particular framework or piece of security technology can manage ‘all of your cyber risks’, take everything they say with a pinch of salt. You’d be amazed how often the BCSF hear this claim.

Balance cyber risks against other types of risk

Some security measures can reduce one type of risk, while increasing risk somewhere else.

For example, let’s imagine you want your customers’ online accounts to be secure, so you introduce strong password requirements on your website. This might reduce some risks, but it is likely to introduce the new risk of customers leaving your website and going to a competitor’s (where the overall user experience is better).

While this isn’t really a cyber security risk, it still affects your organization, and treating both risks as being separate and unconnected is unrealistic. So, when you decide to adopt a security measure, try to imagine any unintended consequences.

Learn from security solutions used by other organizations

It’s rarely worth re-inventing the wheel. We don’t advocate blindly copying security solutions without reflecting on how they fit your own context, but you can learn a lot from studying how other organizations have solved cyber security problems similar to yours.

Keep an eye out for cyber security myths

Cyber security, like most professions, has a lot of myths to bust. For example, there is a myth that cloud-based infrastructures are more risky than using your own equipment. This is rarely true - large and reputable cloud service providers generally have far more robust security arrangements than most organizations would be able to afford themselves. At the same time, the cloud isn’t a silver bullet; you still need to ensure that the devices your organization uses to access cloud services are properly protected. Our point is that cyber security is constantly changing, so beware of lazy assumptions and uncritical thinking.

Be aware of the strengths and weaknesses of risk management techniques

Risk management standards and frameworks often present themselves as if they exist in isolation. This can lead to an impression that you only ever need to understand and use one type of approach. In fact, there are fundamentally different ways of approaching risk. Of course, many organizations might adopt a single approach to risk management for practical reasons, such as resource constraints, or to ensure compliance with a piece of legislation. In such situations, make sure you are aware of the strengths and weaknesses of the technique being applied.