Defending your business from cyber-threats should start with an audit of business operations that will serve as the basis for a customized threat assessment. “This risk assessment is critical to determine the most important threats,” says Robert F. Brammer, chief strategy officer, Americas at Brainloop, Inc., a provider of secure file-sharing services to mid-sized businesses.

The areas of focus for your threat-assessment audit will be determined to some extent by the nature of your business. For example, retailers need to focus on protecting their point-of-sale terminals from threats to steal payment card information, and technology and manufacturing businesses need to protect their intellectual property, Brammer says. “Online businesses need to have an approach to mitigate the risks from denial-of-service attacks, and healthcare companies need to protect the privacy of people using their services,” he adds.

One area that deserves a close look at just about any type of business is accounts payable, says BC [folo] Krishna, CEO of MineralTree, Inc., a provider of AP automation solutions. “This is a huge area of vulnerability for most businesses,” he says. Having the right control framework in place--invoice approval, segregation of duties, dual signatures, daily limits on user and company payments--is the first line of defense. “Additionally, businesses should ensure that basic security procedures are followed, including two-factor authentication log-in and two-factor payment verification,” he says.

Conducting a security audit can be a complex affair. “At a minimum, any organization needs to understand its business processes--in particular, the processes that generate revenue--and how important different types of data are to each of those processes,” says John Linkous, senior research analyst at eIQnetworks, Inc., a provider of information security and compliance solutions and services. Once business processes have been identified and important data mapped to them, the next step is to look at potential threats, both intentional and accidental. These may include outside attackers, internal personnel weaknesses, and both man-made and natural disasters.

“The organization needs to very carefully assess these threats to determine how likely they are to occur and the potential impact if they happen,” Linkhous says. Once the threats are identified, the next step is to put into place additional controls that will minimize either the likelihood or the impact if the threat is realized. From a technology perspective, this most often means implementing common-sense security controls--making sure systems are patched regularly, ensuring that anti-virus and other security software is installed as needed, “and perhaps most importantly, making sure employees understand their responsibilities for information security,” he says.

Scott Kinka, chief technology officer at cloud services company Evolve IP, suggests the following as a general guideline that works for all types of businesses in approaching the cyber-security threat audit process:

• Assume you’re a target. Run regularly scheduled security scans from a reputable provider and a diligent process of updating and patching all software programs.
• Create a checklist. Set up a clear and detailed outline of key risks and how employees should handle them if they materialize. (Link to disaster recovery checklist below.
• Back everything up. Disaster-Recovery-as-a-Service (DRaaS) is a good cloud-based option; be sure your provider has data centers with geographic redundancy and adheres to best practices.

Brammer adds that SMBs must also remain alert to the growing threat the use of personal mobile devices to access business information represents. “You should have a policy for BYOD (bring your own device) if you decide to allow this,” he recommends.