Cybersecurity Risk Assessment for SMEs: Practical Approach
A complete guide to cybersecurity risk assessment for SMEs, covering threats like phishing and ransomware, mitigation strategies, and implementation timelines.
Practical Approach to Cyber Security (PACS)
Modular Assignment No. 1 | Need for Cyber Security & Security Mindset
Aryan Kumar Singh
Amity University Online | Project by: TCS iON
Introduction & Objectives
Objective of This Project
• Understand why cybersecurity is critical for SMEs.
• Identify real-world threats and vulnerabilities.
• Apply a 'Security Mindset' to analyze risks.
• Design practical, cost-effective solutions.

Why This Matters
• SMEs are frequent targets due to lower defenses.
• Proactive security prevents financial loss.
• Limited budgets require smart, targeted planning.
Business Case for Investment
Business Continuity: Operations depend entirely on digital systems uptime.
Financial Protection: Breaches cause direct loss and expensive downtime.
Reputation: Cyber incidents severely damage customer trust.
KEY POINT: Cybersecurity is a business necessity, not just an IT requirement. Prevention costs less than recovery.
SME Company Profile
Organization Overview
• Industry: E-commerce
• Employees: ~120 (Hybrid Workforce)
• Infrastructure: Cloud-based systems

Critical Assets
• Customer personal & payment data
• Website & backend inventory systems
• Employee accounts & cloud storage
• Third-party integrations
Threat Landscape Analysis
Observation:
While technical exploits exist, the primary vectors are 'Phishing' and 'Ransomware', targeting human error over system complexity.

Major Threats Identified:
• Credential Theft
• Unpatched vulnerabilities
• Cloud Misconfiguration
The Security Mindset
What is a Security Mindset?
It involves thinking like an attacker to identify weak points before they are exploited. It is the shift from 'will we be attacked?' to 'when will we be attacked?'

Key Principles
• Assume Breach: Operate as if adversaries are already inside.
• Least Privilege: Minimum access necessary for work.
• Layered Defense: Multiple hurdles improve security.
• Continuous Monitoring: Security is a process, not a product.
Risk Assessment Methodology
Evaluation Criteria: We assessed threats based on Likelihood (probability) and Impact (damage).
Scope: Focused on realistic scenarios for an SME in E-commerce.
Dimensions: Considered technical flaws, human error, and operational gaps.
RISK = LIKELIHOOD × IMPACT
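As an added illustration of the Likelihood × Impact method above (example code written for this page, not part of the assignment), the Python below scores each threat the deck names on 1–5 scales, bands the product into Critical/High/Moderate/Low, and orders the register for treatment. The individual scores and the band thresholds are constructed assumptions chosen to reproduce the deck's summary ratings.

```python
from dataclasses import dataclass

# Qualitative 1-5 scales for the deck's RISK = LIKELIHOOD x IMPACT model.
SCALE = range(1, 6)

# Rating bands for the product (1..25). The thresholds are an assumption,
# chosen so the constructed register reproduces the deck's summary.
BANDS = [(20, "Critical"), (10, "High"), (5, "Moderate"), (0, "Low")]


@dataclass(frozen=True)
class Risk:
    threat: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe

    def __post_init__(self):
        # Reject scores outside the agreed scale so the register stays comparable.
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # First band whose floor the score reaches; BANDS is ordered high to low.
        return next(label for floor, label in BANDS if self.score >= floor)


def build_register(risks):
    """Order risks for treatment: highest score first, ties broken by likelihood."""
    return sorted(risks, key=lambda r: (r.score, r.likelihood), reverse=True)


# Constructed scores for the threats the deck names; not the deck's own figures.
REGISTER = build_register([
    Risk("Phishing", 5, 5),
    Risk("Ransomware", 4, 5),
    Risk("Cloud misconfiguration", 3, 4),
    Risk("Web application attack", 3, 4),
    Risk("Insider error", 3, 2),
])

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.threat:<24} L={r.likelihood} I={r.impact} score={r.score:>2} {r.rating}")
```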
Risk Assessment Summary
Critical Risks:
Phishing and Ransomware require immediate action due to high likelihood and high impact.

High Risks:
Cloud misconfigurations and web application attacks pose significant threats to the backend.

Moderate Risks:
Insider error remains a constant but manageable variable.
Mitigation Strategies
Technical Controls
• Multi-factor Authentication (MFA)
• Automated Patch Management
• Secure Cloud Configurations
Administrative Controls
• Security Policy Creation
• Incident Response Plans
• Vendor Risk Assessments
Human Controls
• Phishing Simulations
• Awareness Training
• Access Reviews
Implementation Timeline (6 Months)
Phase 1: Months 1-2
• Risk Review & Policy Creation
• Enable MFA across all accounts
• Initial Security Awareness Training

Phase 2: Months 3-4
• Patch Management Automation
• Cloud Security Hardening
• Centralized Log Monitoring

Phase 3: Months 5-6
• Incident Response Testing
• Advanced Phishing Simulation
• Full Security Performance Review
Resource Requirements & Success Metrics
Resources Required
• Utilization of existing IT staff.
• Open-source security tools (cost-effective).
• Dedicated time for employee training.

Success Metrics (KPIs)
• Phishing: Lower click rate in simulations.
• Response: Reduced time to detect incidents.
• Compliance: 100% Patch Management status.
• Behavior: Increased employee reporting.
Key Findings & Recommendations
Findings: Human error is the most significant risk factor; tools alone cannot solve security.
Effectiveness: Basic hygiene (MFA, Patching) reduces the majority of threats.
Strategy: SMEs require structured, phased approaches rather than expensive enterprise suites.
Recommendation: Prioritize Training and Access Control immediately.
Reflection Document (1 Page – Content)
Personal Reflection
This project helped me understand that cybersecurity is not only about tools, but about thinking carefully about risks and behavior. Developing a security mindset allowed me to analyze threats from both a business and attacker perspective.
The main challenge was balancing security with cost, as SMEs cannot afford complex security solutions. I learned that even simple steps like awareness training, access control, and proper planning can significantly reduce cyber risk.
This assignment improved my analytical thinking and gave me practical insight into real-world cybersecurity challenges. In the future, this mindset will help me make better security decisions and assessments.