How SMBs Can Build an Effective Cybersecurity Risk Management Plan


As the Chief Information Security Officer (CISO) at Arctic Wolf, I have a deep bench of security experts I can leverage to provide the organization with robust risk management, threat detection, security awareness training, and incident response.   

That’s an advantage that small businesses often don’t have. And that’s too bad, because small businesses face the same cybersecurity challenges as large, established enterprises — including constant threats from cybercriminals and a struggle to find, recruit, and retain top-tier security talent. In addition to these challenges, leaders at SMBs also have to place their total focus on running and growing their business, leaving little time to worry about cybersecurity.   

Threat actors know this, which is why 34% of small businesses surveyed by Arctic Wolf state that they experienced a malware attack in the last 12 months. The good news? That same survey reveals that 62% of organizations plan to increase their cybersecurity budget or spending in the next 12 months. 

The question is, how can SMBs best allocate those funds? The days of set-it-and-forget-it tools being enough to secure your organization are long gone. Today, SMBs need to realize that cyber risk is business risk, and without a plan to manage their unique risk, they are in danger of falling victim to a crippling cyber attack that they may not be able to recover from. According to the IBM Cost of a Data Breach Report 2023, “Organizations with fewer than 500 employees reported that the average impact of a data breach increased from USD 2.92 million to USD 3.31 million or 13.4%.” That’s millions a small organization may not have. 

Developing a risk management plan is something that all organizations — from small, emerging businesses to large, mature enterprises — need to undertake. The good news for SMBs is it’s easier and less time-consuming than you might think. 

What Is Risk Management? 

The growing attack surface compounds cyber risks for organizations of all sizes. The implementation of new digital initiatives, the adoption of the Internet of Things (IoT), and the continued move to the cloud help drive innovation — but at the cost of increased exposure to threats. Risk management is the best way to combat this issue. 

Risk management is the continuous cycle of discovering, assessing, and remediating risk in your cybersecurity environment. Risk management should be the lens through which every organization, no matter their size, handles cybersecurity. This means that decisions on what tools to add to the tech stack, what positions to hire for, and where to allocate staff time should all be informed by your risk management plan. 

Our recent survey of SMBs reveals that 67% of organizations list “risk-based” as their primary method for cybersecurity budgeting. This is encouraging news, but there is no universal acceptance around the proper way to manage risk — it varies by region, industry and organization. The good news is there are standard steps that any organization could, and should, take to create a risk management plan. 

However, it’s important to note that, while a risk management plan can help to reduce your risk, it won’t eliminate it entirely. The truth is, unless you’re willing to unplug everything, lock the doors, and call it a day, there will always be some level of risk in running a business. The task is to create a plan to manage risk so that the remaining level of cyber risk aligns with your organization’s risk appetite — the amount of risk you’re willing to shoulder to operate your business. For SMBs, the task is also to ensure that the way you allocate your budget provides the most return on investment (ROI) in terms of mitigating risk. 

Also, this isn’t a one-time process. True risk management is a constant cycle through these steps, ensuring the plan you’ve built and the decisions and investments you’ve made still serve your organization’s needs. 

How to Build a Cybersecurity Risk Management Plan

Step One: Select a Framework 

The critical first step for any SMB creating a risk management plan is the adoption of a cybersecurity framework — one that helps you evaluate your organization’s current security posture and properly evaluate your risk.  

Widely utilized frameworks like those offered by the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) serve as excellent ways to evaluate your organization’s security posture, identify and evaluate weak spots, and develop a plan to improve.  

Step Two: Take Inventory 

There’s an adage in cybersecurity: You can’t protect what you can’t see. For any organization looking to effectively manage risk, a thorough inventory of assets is a critical step. The good news for SMBs is that this is an easier lift, as they have fewer employees, fewer user accounts, fewer devices, and a smaller physical footprint to secure. 

CIS provides a free Hardware and Software Asset Tracker, which makes the inventory process even easier. This simple tool allows you to track your hardware, software and sensitive data in a single, shareable spreadsheet. 
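One practical check that falls out of keeping such a spreadsheet is reconciling it against what is actually on the network. The following is an added example, not code from the article, from Arctic Wolf, or from CIS: it treats a CSV export with hypothetical columns (hostname, mac, owner, os, approved_software) as a stand-in for the asset tracker, compares it against a constructed DHCP lease snapshot, and reports devices that are seen but not inventoried (the blind spot the adage warns about), devices that are inventoried but no longer seen, and software on a tracked host that the inventory does not approve. All hostnames, MAC addresses and software names are constructed.

```python
"""Reconcile an asset inventory against hosts actually observed on the network.

Added example (not from the article or from CIS). The CSV columns, the DHCP
lease snapshot and the endpoint software list are all constructed.
"""
import csv
import io

# Constructed inventory export: one row per tracked device (hypothetical columns).
INVENTORY_CSV = """hostname,mac,owner,os,approved_software
fin-laptop-01,aa:bb:cc:00:00:01,finance,Windows 11,"Office;Chrome"
eng-laptop-02,aa:bb:cc:00:00:02,engineering,macOS 14,"Xcode;Chrome"
print-srv-01,aa:bb:cc:00:00:03,it,Windows Server 2022,"PrintMgmt"
"""

# Constructed DHCP lease snapshot: MAC address -> hostname the device announced.
OBSERVED_LEASES = {
    "aa:bb:cc:00:00:01": "fin-laptop-01",
    "aa:bb:cc:00:00:02": "eng-laptop-02",
    "de:ad:be:ef:00:09": "android-7f3a",   # present on the network, absent from the inventory
}


def load_inventory(csv_text):
    """Parse the inventory CSV into a dict keyed by normalized MAC address."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = row["mac"].strip().lower()
        # approved_software is a ';'-separated list inside one quoted cell
        row["approved_software"] = set(filter(None, row["approved_software"].split(";")))
        inventory[mac] = row
    return inventory


def reconcile(inventory, observed):
    """Split devices into tracked (in both), untracked (seen but never
    inventoried) and stale (inventoried but not seen in this snapshot)."""
    inv_macs = set(inventory)
    seen_macs = set(observed)
    return {
        "tracked": sorted(inv_macs & seen_macs),
        "untracked": sorted(seen_macs - inv_macs),
        "stale": sorted(inv_macs - seen_macs),
    }


def unapproved_software(inventory, mac, installed):
    """Software reported on a tracked host that the inventory does not approve."""
    return sorted(set(installed) - inventory[mac]["approved_software"])


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    report = reconcile(inv, OBSERVED_LEASES)
    for category, macs in report.items():
        names = [OBSERVED_LEASES.get(m, inv.get(m, {}).get("hostname")) for m in macs]
        print(f"{category}: {names}")
    # Constructed software list as an endpoint agent might report it for the finance laptop.
    print("unapproved on fin-laptop-01:",
          unapproved_software(inv, "aa:bb:cc:00:00:01", ["Office", "Chrome", "TeamViewer"]))
```

Keying on MAC address rather than hostname matters because an unmanaged device can announce any hostname it likes; the "untracked" list is the set to investigate first, and the "stale" list is where the inventory itself needs updating.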

Step Three: Cover the Basics 

There are lower-cost, lower-lift things SMBs can do right now that can drastically reduce their cyber risk. Verizon’s 2023 Data Breach Investigations Report found that 74% of breaches involve some type of human element. So, a great first step is undertaking efforts to better protect employee credentials and inboxes. How? Implement multi-factor authentication (MFA) and a robust security awareness training program. 
Multi-Factor Authentication (MFA) 

MFA is a form of access control that adds a further check to a user login. It requires two or more verification factors before a user is granted access to an application or network, drawn from the categories of something you know, something you have, and something you are. For example, you would have to enter a password and then approve a verification prompt on your mobile phone; or you must do both of those steps and then enter a unique code. It helps ensure that a user who presents valid initial credentials is actually who they claim to be.  

Security Awareness Training  

Your employees — whether you have one, 10, or 10,000 — are both your first line of defense and a threat actor’s favorite target. Investing in a managed security awareness program can help empower your employees to recognize and neutralize social engineering, helping end cyber attacks before they can start.  

Step Four: Gain Proactive Protection

For a more robust, holistic plan to manage risk, small-business leaders should consider working with a managed provider of security operations solutions that can deliver comprehensive threat detection and vulnerability management via a cloud-native security operations platform. These providers offer human-led 24×7 monitoring, detection, and response — essentially helping SMBs spin up an off-site security operations center (SOC) — at a fraction of the cost of an in-house version. 

A SOC identifies threats in real time by analyzing log data from myriad sources within the organization. This up-to-the-second analysis of log data is essential to maintaining a strong security posture. By investing in managed security operations, you get all the benefits of an in-house SOC plus a team of security experts watching your environment around the clock: you can discover, assess, and harden your environment against the unique digital risks you face, and quickly detect, respond to, and recover from modern cyber attacks. 
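To make "log data analysis" concrete, here is one small detection of the kind a SOC runs continuously: flag an account where a burst of failed logins from one source is followed by a success, the signature of a password-guessing attack that eventually worked. This is an added example and is not code from the article or from Arctic Wolf's platform; the log line format (timestamp, FAIL/OK, user, source address) and every event in it are constructed.

```python
"""Brute-force-then-success detection over authentication log lines.

Added example, not from the article. The log format and all events are
constructed; real sources (VPN, SSO, Windows event logs) need their own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: "timestamp status user=... src=..."
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03Z FAIL user=alice src=203.0.113.7
2024-03-01T09:00:05Z FAIL user=alice src=203.0.113.7
2024-03-01T09:00:06Z FAIL user=alice src=203.0.113.7
2024-03-01T09:00:08Z FAIL user=alice src=203.0.113.7
2024-03-01T09:00:11Z OK   user=alice src=203.0.113.7
2024-03-01T09:05:00Z FAIL user=bob   src=198.51.100.2
2024-03-01T09:06:30Z OK   user=bob   src=198.51.100.2
2024-03-01T10:00:00Z OK   user=carol src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse(log_text):
    """Turn raw lines into (timestamp, status, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line is dropped, not guessed at
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a (user, src) pair accumulates at least `threshold` failures
    inside `window` and then logs in successfully."""
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, status, user, src in sorted(events):
        key = (user, src)
        recent = [t for t in failures[key] if ts - t <= window]
        if status == "FAIL":
            recent.append(ts)
            failures[key] = recent
        else:
            if len(recent) >= threshold:
                alerts.append({"user": user, "src": src,
                               "failures": len(recent), "at": ts.isoformat()})
            failures[key] = []   # a success resets the counter for this pair
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse(SAMPLE_LOG)):
        print("ALERT password guessing succeeded:", alert)
```

The threshold and window are the knobs an analyst tunes against the organization's own baseline; the same loop structure extends to other log-driven detections (new source address for a user, logins outside business hours) by changing only the condition inside it.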

Step Five: Transfer What Risk You Can 

Because of the widespread nature of breaches and attacks, the drastic rate at which they’re increasing, and the national and international headlines they make, the painful consequences of cyber attacks have been made clear to organizations of every size. It makes sense, then, that leaders are looking for ways to transfer some of the cyber risk they face away from the business.   

While you will never be able to transfer the reputational damage a breach can cause, you can transfer the financial damage by obtaining a cyber insurance policy. Cyber insurance enables companies to transfer the cost of recovering from cyber incidents. In the event of a data breach, your cyber insurance policy can cover the costs of damages to others, profits lost if your network goes down, and the cost of negotiating with ransomware attackers.   

Obtaining a policy, however, is easier said than done in the current market. Driven by the rise of both remote work and ransomware attacks, the premiums of the past are simply not enough to handle the number of cyber claims that are currently coming through. And unfortunately, insurance companies have had no choice but to raise their rates.  

They’ve also increased the number of requirements organizations must meet to obtain a policy. Insurance carriers and brokers often require, or at least strongly suggest, security controls that policyholders are expected to have in place in order to maintain their policies. Globally, the top five most common security controls requested by carriers are: 

  1. Antivirus Software 
  2. Virtual Private Networks (VPN) 
  3. Cloud Monitoring Software 
  4. Firewalls 
  5. MFA 

Additionally, while not on the list of controls insurers require to maintain coverage, email filtering is a top security control for reducing risk and thus for becoming a better insurance candidate. 

Taken together, this makes for a handy to-do list for any SMB looking to transfer their financial risk. Install these six controls before seeking a policy, and you have a greater chance of obtaining one. 

Step Six: Have an Incident Response Plan 

So far, we’ve been concerned with what SMBs can do “left of boom” — prior to a cyber attack. But if the “boom” happens, it’s also vital that SMBs have a plan for what to do “right of boom” — post breach. That’s where incident response comes in.  

Partnering with an incident response provider enables you to conduct rapid and meticulous investigations, find the root point of compromise, document what happened, and restore business operations to pre-incident conditions. 

Step Seven, The Most Important Step: Make Security Everyone’s Job 

Every organization, no matter the size or maturity, should have someone conducting and managing security. If you don’t have an internal IT team, consider working with an MSP who can provide these capabilities at a lower cost than full-time, in-house staff. Many MSPs partner with managed security operations solutions providers, meaning you can drastically improve your security posture and reduce your cyber risk at a manageable cost.  

However, that doesn’t mean the people tasked with your organization’s cybersecurity are the only ones responsible for it. Cybersecurity is the job of every single employee at your organization. By following the steps outlined above, you can create a culture where everyone knows the risks, knows their role in preventing attacks, and knows exactly what to do should an attack occur. 

Explore the Updated CIS Controls with an Arctic Wolf Lens. 

Read our Comprehensive Guide to Security Operations. 

Discover the Importance of Asset Discovery and Classification 

And learn How SMBs Can Manage Risk While Improving Their Security Posture 


Adam Marrè

Adam Marrè is the Chief Information Security Officer at Arctic Wolf. Prior to joining Arctic Wolf, Adam was the Global Head of Information Security Operations and Physical Security at Qualtrics. With deep roots in the cybersecurity space, Adam spent almost 12 years with the FBI, holding positions like SWAT Senior Team Leader and Special Agent.