In this post, I will perform a risk assessment in a small and medium-sized business environment. To accomplish this task, I will use the previous article’s situation. The aim of this article is to determine the level of risk associated with the attack involved in the previous article so that the TechStart Solutions board determines what actions to take to improve the organization’s cybersecurity posture.
Company Profile Summary:
- Name: TechStart Solutions
- Industry: Consumer electronics and tech accessories.
- Size and Presence: Approximately 100 employees and growing rapidly. Primarily in the United States, with plans to expand to Canada and Europe.
Challenge: A member of the board has been targeted by a sophisticated whaling phishing attack. While the incident response is taking place, the board would like to quickly evaluate the impact this attack could have had on the organization and prioritize their next actions.
Unpacking the Whaling Attack on TechStart Solutions
A sophisticated cybercriminal attack targets Mr. John H. Adler, a board member of TechStart Solutions, with a whaling phishing attack. By deceiving him with an email mimicking the company’s legal advisor regarding a non-existent legal issue, the attackers install malware on his computer, gaining access to sensitive information.
This situation exposed the organization to various risks and issues, including:
- Data Breach: Loss of confidential and proprietary information.
- Financial Fraud: Unauthorized transactions or financial manipulations.
- Reputational Damage: Loss of trust from customers, investors, and partners.
- Legal and Compliance Violations: Potential legal repercussions and fines.
- Operational Disruptions: Malware spreads, causing system outages or data loss.
Before diving into the main tasks, let’s define some keywords:
- Whaling attack: A category of spear phishing attempts that are aimed at high-ranking executives in an organization [“Google Cybersecurity Certificate Glossary”]
- Spear phishing: A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source [“Google Cybersecurity Certificate Glossary”]
- Phishing: The use of digital communications to trick people into revealing sensitive data or deploying malicious software [“Google Cybersecurity Certificate Glossary”]
According to a StationX article, phishing is the most common type of cybercrime, with around 3.4 billion fake emails sent every day by criminals trying to trick people. About 36% of data breaches are caused by phishing. Even though spear phishing, a highly targeted form of phishing, makes up just a tiny fraction (0.1%) of phishing emails, it is behind two-thirds of all breaches. Also, after many of us started working from home in 2020, cases of whaling, where senior executives are tricked, rose sharply, by 131% from the start of 2020 to the start of 2021.
Implementing an ISO 27005-Driven Risk Assessment
The board of directors requires that we perform a risk assessment to prioritize the implementation of security measures.
As there is no risk management process adopted inside TechStart Solutions, the risk assessment will be conducted using a guide provided by ISC2 and the risk management process recommended by the ISO 27005 standard.
I will start by setting the context, and then I will do a risk assessment based on ISO 27005 recommendations. Once the risk has been evaluated, it will be communicated to the decision-maker with some recommendations.
Implementation
Understanding the Organization and its Context
TechStart Solutions operates in the fast-paced consumer electronics and tech accessories market. Given the industry’s dynamic nature, the company must navigate a complex external landscape, including stringent regulatory requirements, evolving cybersecurity threats, and changing consumer expectations. Internally, TechStart is characterized by its rapid growth, innovation-driven culture, and strategic focus on expanding its market presence into Canada and Europe. The organization’s objectives revolve around maintaining a competitive edge through technological innovation while ensuring customer data protection and privacy.
Understanding the Needs and Expectations of Interested Parties
TechStart acknowledges a diverse array of interested parties, including customers, regulatory bodies, business partners, and employees. Customers expect robust protection of their personal information, consistent with privacy laws such as GDPR and CCPA. Regulatory bodies require compliance with industry standards for data security and cyber risk management. Business partners seek assurance that TechStart maintains a secure and reliable IT infrastructure, whereas employees need clear guidelines and training on their roles in safeguarding information assets.
Defining the Scope and Boundaries of the Assessment
This assessment only covers the primary affected assets and stakeholders.
Primary Assets
- Sensitive Information: Confidential data, including proprietary technology details, customer information, and internal communications, were compromised.
- Financial Assets: Unauthorized transactions or manipulations could lead to direct financial losses.
- IT Infrastructure: The malware installed during the attack could have impacted critical systems, leading to operational disruptions.
Stakeholders
- Customers: Trust and privacy concerns could arise, altering customer loyalty.
- Employees and Board Members: Potential personal information breaches and implications on professional reputations.
- Business Partners: Concerns over security practices might impact current and future partnerships.
- Regulatory Bodies: Compliance violations could lead to fines and increased scrutiny.
Evaluation of Consequences
- Financial Impact: The direct costs associated with the attack, including incident response efforts, potential fines for compliance violations, and any unauthorized transactions, can strain the company’s financial resources.
- Reputational Damage: As a growing tech company, TechStart’s reputation for innovation and reliability is crucial. The breach could erode customer trust, impacting the company’s brand value and future market opportunities.
- Operational Disruptions: The malware could cause system outages or loss of data, affecting TechStart’s ability to operate effectively. Recovery and mitigation efforts may redirect resources from strategic initiatives.
Information Security Risk Assessment Process
To evaluate the likelihood and the impact of the threat, I will use the likelihood and impact matrices from an ISC2 guide for risk assessment in an SMB environment, presented below.
Likelihood matrix
The likelihood will be determined based on the following scale:
- Extremely Low Likelihood (1): Very unlikely to occur. Data breaches are rare in your industry.
- Low-Medium Likelihood (2): Data breaches are conceivable, but not highly likely to occur, and your company has strong prevention measures in place. There may be one occurrence every five years.
- Medium Likelihood (3): There is the potential for isolated incidents to occur, and your company has some weak points in its data security measures. There may be one occurrence every three years.
- Medium-High Likelihood (4): Data breaches are likely to occur, and your company has only minimal prevention measures in place.
- High Likelihood (5): Data breaches often happen in your industry. You may suffer a breach annually or more.
Impact matrix
I will use the following matrix to assess the financial, operational, and reputational impact:
Financial Risk Matrix
- Extremely Low Impact (1): The organization has already budgeted the average cost of a breach (or more!) for your incident response budget, or your company can stand to lose the average cost of a breach in one fiscal year.
- Low-Medium Impact (2): The organization will not have issues paying to cover the cost of a breach in one fiscal year.
- Medium Impact (3): The organization can cover the cost of an average breach in one fiscal year, but you haven’t formally budgeted for it, or it will be difficult to explain/move money around.
- Medium-High Impact (4): The organization can cover the average cost of a breach in one fiscal year, but boy, is it going to hurt.
- High Impact (5): The organization cannot cover the average cost of a breach in one fiscal year; you’re just hoping the actual cost will be lower.
Reputational Risk Matrix
- Extremely Low Impact (1): The company is a monopoly in its space and/or does not have a direct competitor.
- Low-Medium Impact (2): The company is unlikely to suffer a breach due to negligence, and/or you do not have many direct competitors in your space (or your company offers something they don’t).
- Medium Impact (3): The company may lose some business, but it is likely to recover quickly.
- Medium-High Impact (4): The company is likely to lose both customers and contracts due to a data breach.
- High Impact (5): The company brings in most or all of its revenue via word-of-mouth, has a limited or litigious customer base, or those customers are very likely to go elsewhere.
Operational Risk Matrix
- Extremely Low Impact (1): The company is well-staffed with strong IT support and redundancy for all operational tasks. If a breach occurs, you will be able to rectify it without sacrificing resources, staffing, or a great deal of time.
- Low-Medium Impact (2): The company is well-staffed but lacks some redundancy. A security incident would do some harm to the business operations in the short term, but it could be contained without long-lasting impact.
- Medium Impact (3): A security incident would result in large-scale exposure of sensitive data and would take significant time and money to recover from. Critical business operations would be significantly disrupted.
- Medium-High Impact (4): The company has little redundancy, and an incident would do widespread harm to critical business operations for an extended period. The company’s yearly budget and strategy would need to be re-evaluated.
- High Impact (5): The company has no redundancy, and an incident would result in complete loss of control over highly sensitive data. Large losses in funding, staff, and resources would cause critical business operations to halt.
Risk acceptance criteria
As we consider multiple impact facets, I will calculate the total risk and then compare the calculated risk level to the five-level scale presented below:
- 0-20: Your company’s risk level is likely acceptable. Most people can accept this risk and move on.
- 21-35: Your company’s level of risk is low to moderate. It is important to establish controls and conduct audits every few years.
- 36-50: The level of risk in your company is average. Remediate any weak points during the next opportunity. Annual audits should be conducted to ensure that controls are put in place.
- 51-65: The risk level of your company is between medium and high. Stop activities until the risk has been remediated if it does not affect revenue. It’s essential to establish controls and audit them quarterly.
- 66-100: Your company’s risk level is high. Stop activities until the risk has been remediated. Controls need to be put in place and audited monthly until the likelihood or impact decreases.
Risk Identification
The risk associated with this attack is characterized by the following information:
- Primary Assets: Sensitive information, Financial Assets
- Threats: Phishing targeting high-level executives (whaling)
- Existing Controls: Almost nothing
- Vulnerabilities:
  - Inadequate awareness and training
  - Lack of advanced email security
  - Insufficient multi-factor authentication (MFA)
Risk Analysis
Determining the likelihood of the event
Considering the increasing sophistication of phishing attacks and the targeting of high-level executives, the likelihood of such an incident occurring, especially without strong prevention measures against sophisticated social engineering, can be classified as relatively high. But as the event actually happened, we will consider a Likelihood score of 5.
Determining the financial impact
According to an IBM report, “the global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years”. Given the size and the nature of TechStart Solutions, covering the average cost of a breach may not have been formally budgeted, and reallocating funds without any significant impact would be a challenge. Based on the financial impact scale, we consider a Financial Impact of 3 (Medium Impact).
Determining the reputational impact
For a growing tech company like TechStart Solutions, the reputational damage could be significant, leading to loss of customer trust and potentially impacting investor relations. We consider a Reputational Impact of 4 (Medium-High Impact).
Determining the operational impact
TechStart Solutions, being a small, growing company, likely lacks extensive redundancy in its operations. A significant breach could disrupt critical business operations, influencing the company’s growth trajectory and necessitating a strategic reassessment. We consider an Operational Impact of 4 (Medium-High Impact).
Determining the total impact
To determine the total risk, we first need to determine the total impact, which is the sum of all the impacts we’ve assessed.
- Financial Impact = 3
- Reputational Impact = 4
- Operational Impact = 4
Therefore, the total impact is 11.
Calculate the total risk
Total Risk = Likelihood (5) x Total Impact (11) = 55
Risk evaluation
To compare the total risk level to our five-level scale, we need to translate it to a 100-point scale using the following formula, where 75 is the maximum possible total risk (a likelihood of 5 multiplied by a maximum total impact of 15):
Total scaled risk = (total risk / 75) x 100, which gives us a total scaled risk of 73.3, rounded to 73/100.
Based on the evaluation criteria, the resulting score is :
- 66-100: Your company’s risk level is high. Stop activities until the risk has been remediated. Controls need to be put in place and audited monthly until the likelihood or impact decreases.
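The scoring procedure above, implemented as an added example (not code from the original post or from ISC2), using the post’s scale and the TechStart figures. The helper `likelihood_needed_for` goes beyond the post by asking how far controls would have to lower the likelihood score, with the impacts unchanged, for the risk to land in a given lower band.

```python
# Added example: ISC2-style SMB risk scoring as described in the post.
# Likelihood x (financial + reputational + operational), scaled to 100,
# then mapped to the post's five acceptance bands.

IMPACT_FACETS = ("financial", "reputational", "operational")
MAX_LIKELIHOOD = 5
MAX_TOTAL_IMPACT = 5 * len(IMPACT_FACETS)            # 15
MAX_TOTAL_RISK = MAX_LIKELIHOOD * MAX_TOTAL_IMPACT   # 75, the divisor used in the post

# Acceptance scale from the post: (inclusive upper bound, label).
RISK_BANDS = (
    (20, "Acceptable"),
    (35, "Low to moderate"),
    (50, "Average"),
    (65, "Medium to high"),
    (100, "High"),
)


def check_score(name, value):
    """Every input is an integer score from 1 to 5; reject anything else."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def total_risk(likelihood, financial, reputational, operational):
    """Raw risk = likelihood x sum of the three impact scores (55 for TechStart)."""
    impacts = (financial, reputational, operational)
    for name, v in zip(("likelihood",) + IMPACT_FACETS, (likelihood,) + impacts):
        check_score(name, v)
    return likelihood * sum(impacts)


def scaled_risk(likelihood, financial, reputational, operational):
    """Translate raw risk to the 100-point scale: (raw / 75) x 100, rounded."""
    raw = total_risk(likelihood, financial, reputational, operational)
    return round(raw / MAX_TOTAL_RISK * 100)


def risk_band(scaled):
    """Map a 0-100 score to the first band whose upper bound it does not exceed."""
    for upper, label in RISK_BANDS:
        if scaled <= upper:
            return label
    raise ValueError(f"score {scaled} is outside the 0-100 scale")


def assess(likelihood, financial, reputational, operational):
    """Return (scaled score, band label); TechStart's case gives (73, 'High')."""
    s = scaled_risk(likelihood, financial, reputational, operational)
    return s, risk_band(s)


def likelihood_needed_for(target_band, financial, reputational, operational):
    """Highest likelihood score at which, impacts unchanged, the risk sits in target_band."""
    for lk in range(MAX_LIKELIHOOD, 0, -1):
        if assess(lk, financial, reputational, operational)[1] == target_band:
            return lk
    return None  # the band is unreachable by lowering likelihood alone
```

With TechStart’s impacts (3, 4, 4), the score only drops to the “Average” band once the likelihood is brought down to 3, which shows why the recommendations focus on reducing likelihood through awareness, email security and MFA.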
Recommendations
With a total scaled risk score of approximately 73/100, TechStart Solutions falls into the “66-100: High” category. It is necessary for the company to halt their activities until the risks related to sophisticated phishing attacks are effectively mitigated. It is recommended to implement and audit controls quarterly until there is a significant reduction in the likelihood or impact of such incidents.
Expected Outcomes and Benefits:
- With this assessment, the board can prioritize its next actions and make risk-based decisions.
- By including a cybersecurity program, the company’s strategy can be reviewed to support its goals and objectives.
Key Takeaways
The significance of vigilant cybersecurity practices at all levels of an organization, particularly among high-value targets such as board members, is emphasized by this particular scenario. Understanding and addressing the specific risks associated with sophisticated attacks, like whaling, can help companies safeguard their valuable assets and maintain trust.