Microsoft Industry Blogs - Canada

Graphic with text about common user security errors that reads: 30% open phishing emails and 10% open links & attachments

Welcome to Day 2 of Business Self-Defense from Microsoft Canada! In this post, we explore how small businesses can better assess the risks they face from criminal behaviour, including phishing and other cyber attacks. We discuss the scope of activities you need to consider and then provide a checklist you can follow.

What to protect

Let’s start at the beginning. Your business includes your people, your assets, your sales and profit, your data, and your brand. But here’s a big one that often gets overlooked: your compliance with regulations and laws. Once you have identified every aspect of the business you need to protect, do a risk assessment. Consider the threats to each of them that might warrant a deeper look at the level of protection you need.

Common risks

When analyzing failed companies, we hear terms like theft, fraud, unsafe work conditions, harassment, toxic work environment, mismanagement, exceptions to standard operating practice—you name it. All these risks make small businesses vulnerable to disruption and failure, not to mention a rough place to work. So, the question is, how much do you want to invest to handle these risks?

Three options

If you consider that there are three options when it comes to how you treat risk, it can give you a better understanding of what you might want to do. You can 1) transfer risk (like buying insurance); 2) accept risk (like a skydiver who knows what happens if the chute doesn’t open); or 3) mitigate risk (putting in security and protection systems).

Assessing risk

Mitigation is the most common choice for small businesses, but at times the cost of mitigation alone can feel like enough to put you out of business. Here’s the secret: the spend should be proportional to the value of what you are protecting and to the risk it faces. Don’t underestimate, and don’t go overboard.

Get the ebook

Graphic of the Anatomy of a breach ebook cover

Download “Anatomy of a breach: How hackers break in and how you can fight back” to understand the four stages of a breach and to get more helpful definitions and potential solutions to help you formulate an “assume breach” defense strategy.

Mom and Pop example

Mom and Pop store has $10,000 worth of inventory, a POS system, two employees (the owner’s sisters), and leases the store from a mall. They sell one-of-a-kind crafts and process about 50 transactions daily. They generate $500 in cash sales and leave the money in the register during the day. The community knows the business and goes there for unique items, plus it’s a great place to hang out for an hour or so because the owners put out ham and mayo sandwiches and coffee at a self-service area.

Test your instincts

Now, what do you think might represent the biggest risk to Mom and Pop? The money in the register? Shoplifting? The ham and mayo sitting at ambient temperature all day? Or the POS system? The answer is—it depends. You need to assess the risk of each. For example, the owners may want to reconsider those sandwiches. Mayo left unconsumed for over four hours at ambient temperature can create a foodborne illness!

The real prize

What about that POS? Let’s say cybercriminals compromise Mom and Pop’s system and manage to clone 50 credit cards, each with a $5,000 limit. Just like that, the business has failed to prevent $250,000 worth of potential fraud. The prize is not the inventory on the shelves but the card data flowing through the terminal: even in a store with only $10,000 in inventory, criminals can walk away with $250,000. That’s the way they think!
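The comparison the post is driving at, register cash versus inventory versus the POS, can be put in numbers. The following is an added example, not code from the original post or from Microsoft: it uses the post’s dollar figures ($500 in the register, $10,000 of inventory, 50 cards × $5,000 = $250,000 of card-fraud exposure) and works out an annualized loss expectancy (single loss × expected incidents per year) for each, then maps each one onto the post’s three treatments. The incident rates, the safeguards, their costs and effectiveness, and the owner’s loss tolerance are all constructed assumptions; replace them with your own assessment.

```python
"""Quantitative risk comparison for the Mom and Pop store.

Added illustration, not from the original post. Single-loss figures come
from the post ($500 cash, $10,000 inventory, 50 cards x $5,000 = $250,000
of card-fraud exposure); incident rates, control costs, control
effectiveness and the loss tolerance are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    single_loss: float   # SLE: dollars lost in one incident
    annual_rate: float   # ARO: expected incidents per year (assumed)

    @property
    def annual_loss(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return annual_loss_expectancy(self.single_loss, self.annual_rate)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # what the safeguard costs per year (assumed)
    rate_reduction: float   # fraction of incidents it prevents, 0..1 (assumed)


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    return single_loss * annual_rate


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss the control avoids per year minus what it costs per year.
    Positive means the safeguard pays for itself."""
    avoided = risk.annual_loss * control.rate_reduction
    return avoided - control.annual_cost


def treatment(risk: Risk, control: Control, tolerance: float) -> str:
    """Map the numbers onto the post's three options.

    accept   - expected loss is within what the owner will absorb
    mitigate - the safeguard removes more loss than it costs
    transfer - too big to absorb and the safeguard is not worth its
               price, so insure it instead
    """
    if risk.annual_loss <= tolerance:
        return "accept"
    if net_benefit(risk, control) > 0:
        return "mitigate"
    return "transfer"


def rank_by_exposure(risks):
    """Highest expected annual loss first: what a criminal values most."""
    return sorted(risks, key=lambda r: r.annual_loss, reverse=True)


# Constructed risk register: the post's dollar figures, assumed rates.
RISKS = {
    "cash": Risk("Cash in register", single_loss=500, annual_rate=0.5),
    "inventory": Risk("Inventory", single_loss=10_000, annual_rate=0.1),
    "pos": Risk("POS system", single_loss=50 * 5_000, annual_rate=0.05),
}
# Assumed safeguards; costs and effectiveness are illustrative only.
CONTROLS = {
    "cash": Control("Drop safe and hourly cash pulls",
                    annual_cost=150, rate_reduction=0.8),
    "inventory": Control("Monitored alarm and cameras",
                         annual_cost=1_200, rate_reduction=0.7),
    "pos": Control("Patched, network-isolated POS with encrypting terminal",
                   annual_cost=3_000, rate_reduction=0.9),
}
TOLERANCE = 500  # assumed: annual loss the owner is willing to absorb


def plan(tolerance: float = TOLERANCE) -> dict:
    """Treatment decision for every asset in the register."""
    return {key: treatment(RISKS[key], CONTROLS[key], tolerance)
            for key in RISKS}


if __name__ == "__main__":
    for r in rank_by_exposure(RISKS.values()):
        print(f"{r.asset:<18} ALE ${r.annual_loss:>9,.0f}")
    for key, decision in plan().items():
        print(f"{RISKS[key].asset:<18} -> {decision}")
```

With these assumptions the POS tops the ranking by a wide margin even though it is rarely hit, which is the post’s point: a low-probability, high-impact exposure dominates the day-to-day losses. The register cash falls within the tolerance and is simply accepted; the inventory safeguard costs more per year than the loss it avoids, so insurance (transfer) is the better answer; the POS safeguard pays for itself many times over, so it is mitigated. Change the rates or the tolerance and watch the decisions move; that sensitivity is exactly what a risk assessment session should argue about.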

Assess your risks

Work with your IT team or solution provider to conduct a risk assessment of your business. When you do your assessment, make sure you consider the full scope of your operations. Develop a layered approach to your security, one that accounts for every layer, from physical security to your end users. You can build on our checklist by adding the potential vulnerabilities specific to your own business.

Risk checklist

  • Physical Security (locks, security gates, guards, etc.)
  • IT Security (data protection, application protection, privacy laws, compliance regulations, device protection, network protection, etc.)
  • People (background checks, access control, etc.)
  • Policies and Procedures (guidelines on how to protect the business while on the job)
  • Business risk management session

Tip: Try holding a business risk management brainstorming session to call out the top risks and start designing your own new security strategy.


This article was made possible through the generous contribution of Stephen O’Keefe, founder of Bottom Line Matters. This project focuses on providing small and mid-sized retail chains with the knowledge, expertise, and best practices enjoyed by the large Canadian retailers, primarily in the areas of loss prevention and risk management.