Business Security

Targeting SMBs’ threat tolerance concerns

Business IT Research, 23 February 2017

Success in the cybersecurity service business can be enhanced by addressing your SMB prospects’ threat tolerance issues and concerns.

While small and medium businesses don’t appear to be as concerned about their cybersecurity vulnerabilities as they should be (SMBs are the principal targets of cybercrime, and as many as 60 percent of hacked SMBs go out of business after six months), the reality is that the growing and rapidly changing threatscape, combined with their limited resources, is driving them to seek outside help to protect their businesses. That protection can include assessments, remote monitoring and management, and backup and disaster recovery, but one way to stand out from the competition is to focus on their risk tolerances and customize your offerings to their individual risk appetites.

Risk tolerance - the capacity to accept or absorb risk - will vary from business to business, but with a 40 percent survival rate following a cyberattack, and the rate of cyberattacks soaring, SMBs’ threat tolerance levels are under mounting pressure. The fundamental things that organizations undertake in order to drive performance and execute on their business strategies - mergers and acquisitions, extension of third-party networks and relationships, outsourcing, adoption of new technologies, movement to the cloud, or mobility - are the very things that create cyber risk.

Categories of business cyber risks

So cyber risks - exposure to harm or loss resulting from breaches of, or attacks on, an SMB’s IT assets - are the new reality. They can be broken down into four categories:

  • Internal malicious - deliberate acts of sabotage, theft or other malfeasance committed by employees and other insiders
  • Internal unintentional - acts leading to damage or loss stemming from human error committed by employees and other insiders
  • External malicious - premeditated attacks from outside parties, including criminal syndicates, hacktivists and nation states
  • External unintentional - events that cause loss or damage to the business but are not deliberate, e.g. natural disasters

Implications of a cyberattack

Identifying a prospect’s risk tolerance starts with understanding the implications of a cyberattack or breach: which information and resources are critical, and how long the business can survive their loss or disruption. This requires:

  • Identifying and prioritizing their information
  • Evaluating the cost of potential loss against the cost of protecting that information
  • Determining the appropriate protections for information
  • Implementing policies, procedures, risk management, and best practices

You can’t eliminate cyber risk, but you can manage it so that a customer’s critical IT assets are better protected and more resilient. Managing cyber risk is a balancing act between too little and too much protection: too little and they’re more vulnerable; too much and they’re less flexible to deal with business opportunities and challenges.

Effective cybersecurity is an ongoing process that involves a constantly changing, interdependent mix of people, processes and products, but it starts with determining which information and processes are vital to the customer’s business and ensuring that they are the primary focus of the customer’s protection and response strategies and resources. Basing your approach on, and customizing your offerings to, your prospects’ and customers’ risk tolerances can be a winning strategy for MSP success.