Effective Cyber-Risk Management For Small and Mid-Sized Companies



The risk of a cyber-attack is not just a “big business” problem. Media coverage has left many organizations with the impression that large companies, such as Target and Experian, are the only victims of hacks and breaches. That impression is inconsistent with industry data, which show that small and mid-sized companies are, in fact, exposed to the same risk.

Companies of all sizes, large and small, must ask themselves whether competitors are trying to steal their trade secrets, whether competitors or other actors are interested in their intellectual property, and whether their business contracts, and the customer or partner data and systems those contracts give them access to, make them a target for a security breach. The regulatory and litigation costs associated with a data breach are substantial and, in some cases, especially those involving small or mid-sized companies, can be catastrophic. Every company, regardless of size, should therefore create an effective strategy for managing and minimizing the risk of a cyber event.

There is no cookie-cutter approach to managing this risk; a cyber risk management strategy must be tailored to the company’s specific needs. As discussed below, best practice calls for a company to assess and address its cyber risk, and to engage in additional activities, in order to manage this risk effectively.

Cyber Risk Management: Risk Assessment

The first step in creating a comprehensive cybersecurity strategy is to conduct a risk assessment. Many companies assume that because they have evaluated their compliance with a particular regulatory standard, such as HIPAA, they have sufficiently assessed their cyber risk. Compliance audits against a generalized standard are helpful, and are required for regulatory purposes, but they are divorced from the additional, specific risks faced by an individual company: a checklist written for every covered entity cannot know which systems, data, and business relationships matter most to a particular business. A proper and thorough risk assessment requires an organization to identify the specific risks it faces and then to prioritize the management of each risk.

To prepare for a risk assessment, the company’s IT staff, business representatives, and attorneys must collaborate to define the scope and purpose of the assessment. Involving stakeholders from the legal, business, and technical sides of the organization maximizes the effectiveness of the cyber risk management program.

The second step is to retain an independent third-party security firm to conduct the assessment. Best practice dictates that an organization use a third party, and not its own IT department, so that the process and its results are unbiased; the internal IT team still supplies the asset inventory and system knowledge the assessor needs to do the job. The third party should identify threat sources and threat events, assess current vulnerabilities and predisposing conditions (including the lack of staff with forensic skills), and determine the likelihood of an occurrence along with its potential impact on the business and its operations. This is the sequence laid out in NIST SP 800-30, the standard guide for conducting risk assessments.

The third step is to communicate the identified risks to the appropriate company personnel. Communication is vital because it is itself a method of mitigating risk. To take an obvious example, almost any company will formally recognize phishing e-mail as a risk, and that company must then communicate the risk to every employee who uses e-mail.

Finally, it is critical to bear in mind that these risks are always evolving. A business must therefore maintain its risk management protocol as a “living” document that evolves with them. It is also prudent to schedule routine, formal reviews that evaluate the effectiveness of the program and determine whether additional action is necessary.

Cyber Risk Management: Additional Key Areas

Best practice indicates that small and mid-sized companies must also engage in additional cyber risk management activities to afford reasonable protection to business operations and to protect customers. To develop a culture of “cyber awareness,” companies must ensure that employees are effectively trained. It is also critical that businesses properly manage vendors and partners who have access to company data, develop and practice an incident response plan, and evaluate the need for cyber risk insurance. An organization can implement most of these strategies at a cost that is modest relative to the cost of a breach.


The risk of a cyber-attack is pervasive, is here to stay, and is faced by companies of all shapes and sizes. Fortunately, with the right efforts and team in place, any organization, large or small, can effectively manage this risk.

Segal McCambridge Singer & Mahoney would like to thank Sal D. Phillips for his efforts and contributions towards preparing this article.