How to Conduct a Cybersecurity Risk Assessment for Your Small Business

A Risk Assessment Is the Foundation of a Security Program

Most small businesses approach cybersecurity reactively — buying a tool after a problem occurs, adding a control after a near-miss, or implementing a policy after a compliance requirement surfaces. A cybersecurity risk assessment flips this approach: it systematically identifies your most significant exposures before they materialize, allowing you to prioritize limited security resources where they reduce the most risk per dollar spent.

For regulated businesses — healthcare under HIPAA, contractors under CMMC, retailers under PCI DSS, financial businesses under GLBA — a documented risk assessment is not optional. But even for businesses without regulatory requirements, a risk assessment is the single most useful planning tool available for building a security program that addresses actual risk rather than theoretical best practices.

What a Risk Assessment Actually Is

A cybersecurity risk assessment identifies three things for each area of your business:

  1. Assets: What information and systems does your business depend on and protect?
  2. Threats: What events or actors could damage, destroy, or expose those assets?
  3. Vulnerabilities: What weaknesses in your current controls make those threats more likely to succeed?

Risk combines the likelihood that a threat exploits a vulnerability with the impact if it does. A high-likelihood, high-impact risk (ransomware encrypting your customer database) deserves more investment to mitigate than a low-likelihood, low-impact risk (an employee accidentally emailing the wrong person a non-sensitive internal document).

Step 1: Build Your Asset Inventory

Start by cataloguing what you are protecting. For most small businesses, the asset inventory includes:

  • Data assets: Customer records (names, contact info, payment data, health info), employee records (SSNs, payroll, HR files), financial records (bank accounts, tax filings, invoices), intellectual property (proprietary processes, pricing, trade secrets)
  • System assets: Workstations and laptops, servers (on-premise or cloud), network devices (routers, switches, access points), mobile devices used for business
  • Application assets: Email platform, CRM, accounting software, industry-specific applications, cloud storage, payment processing systems
  • Third-party access: Vendors and service providers with access to your systems or data

For each asset, note: what data it contains or accesses, who has access, and what business function it supports. This inventory becomes the foundation for all subsequent risk analysis.

Step 2: Identify Threats

For each asset category, identify the realistic threats. Common small business threat categories:

  • External attacks: Phishing, ransomware, business email compromise, credential theft, website attacks, supply chain compromise through vendors
  • Insider threats: Accidental data exposure by employees, intentional theft by disgruntled staff, improper disposal of equipment containing data
  • Physical threats: Theft of equipment, unauthorized physical access to server rooms or workstations, natural disaster damage
  • System failures: Hardware failure, software bugs, cloud service outages, backup failure

Focus on threats that are realistic for your business size, industry, and geography. A small accounting firm faces different primary threats than a small manufacturer — tailor the threat list to your actual environment.

Step 3: Assess Current Controls and Identify Gaps

For each identified threat, evaluate what controls you currently have in place and whether they adequately reduce the risk. Document each control and its effectiveness:

  • Phishing threat → current control: email security gateway. Adequacy: moderate — reduces but does not eliminate phishing delivery. Gap: no employee phishing simulation training.
  • Ransomware threat → current control: antivirus. Adequacy: low — signature-based antivirus routinely misses new ransomware variants and offers no recovery path once data is encrypted. Gap: no EDR, no tested offline backups.
  • Credential theft → current control: passwords only. Adequacy: very low. Gap: no MFA on email or cloud accounts.

This gap analysis directly prioritizes your security investment — the gaps associated with high-likelihood, high-impact threats deserve immediate attention.

Step 4: Score and Prioritize Risks

Assign a simple risk score to each identified gap using a 1-3 scale for likelihood and impact:

  • Likelihood: 1 (unlikely), 2 (possible), 3 (likely)
  • Impact: 1 (minor), 2 (significant), 3 (severe)
  • Risk score: Likelihood x Impact (range 1 to 9)

A ransomware attack with no EDR and no tested backups might score: likelihood 3 (ransomware targeting small businesses is common) x impact 3 (could destroy all business data) = risk score 9. Prioritize remediating the highest-scoring risks first.

Step 5: Document and Create a Remediation Plan

The output of the risk assessment is a documented report containing:

  • Asset inventory summary
  • Identified threats by asset category
  • Current controls and gap analysis
  • Risk scores for each identified gap
  • Remediation plan: specific actions, responsible parties, and target dates for the highest-priority risks

This document serves as the foundation of your security program — revisit and update annually and after any significant security incident or major business change.
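The five steps above can be kept as a small risk register rather than a spreadsheet. The following script is an added example, not code from the original article: it implements the article's 1-3 likelihood times 1-3 impact scoring (range 1-9), sorts gaps by score, and emits the Step 5 remediation plan and a CSV summary for the written report. The priority buckets (high at 6 or above, medium at 3 to 5, low below 3), the minimum score that makes it onto the remediation plan, and the sample register entries are assumptions of this example; the entries are constructed from the gap illustrations in Steps 3 and 4 and are not a real assessment.

```python
"""Risk register for the five-step small business assessment.

Added example, not code from the original article. Scoring follows the
article's 1-3 likelihood x 1-3 impact scale (range 1-9). Priority
thresholds and the sample entries are this example's assumptions.
"""
import csv
import io
from dataclasses import dataclass
from typing import List

LIKELIHOOD = {1: "unlikely", 2: "possible", 3: "likely"}
IMPACT = {1: "minor", 2: "significant", 3: "severe"}


@dataclass
class Risk:
    asset: str            # Step 1: inventory entry
    threat: str           # Step 2: realistic threat to that asset
    current_control: str  # Step 3: what is in place today
    gap: str              # Step 3: what is missing
    likelihood: int       # Step 4: 1-3
    impact: int           # Step 4: 1-3
    owner: str = "unassigned"  # Step 5: responsible party
    target_date: str = "TBD"   # Step 5: remediation deadline

    def __post_init__(self) -> None:
        # Reject anything outside the 1-3 scale so a typo such as 5 for
        # "very likely" cannot silently inflate a score past 9.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"likelihood and impact must be 1-3 ({self.threat})")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def priority(score: int) -> str:
    """Bucket a 1-9 score. Thresholds are an assumption of this example."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; equal scores ordered by impact so severe-impact
    items surface ahead of likely-but-minor ones. sorted() is stable, so
    entries with identical keys keep their register order."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def remediation_plan(register: List[Risk], min_score: int = 6) -> List[dict]:
    """Step 5 output: one action row per gap scoring at or above min_score."""
    return [
        {
            "priority": priority(r.score),
            "score": r.score,
            "asset": r.asset,
            "threat": r.threat,
            "action": f"Close gap: {r.gap}",
            "owner": r.owner,
            "target_date": r.target_date,
        }
        for r in prioritize(register)
        if r.score >= min_score
    ]


def to_csv(register: List[Risk]) -> str:
    """Serialize the scored, prioritized register for the written report."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["asset", "threat", "current_control", "gap",
                     "likelihood", "impact", "score", "priority"])
    for r in prioritize(register):
        writer.writerow([r.asset, r.threat, r.current_control, r.gap,
                         LIKELIHOOD[r.likelihood], IMPACT[r.impact],
                         r.score, priority(r.score)])
    return out.getvalue()


def sample_register() -> List[Risk]:
    """Constructed entries mirroring the Step 3 and Step 4 illustrations."""
    return [
        Risk("Customer database", "Ransomware", "Signature antivirus",
             "No EDR; no tested offline backups", 3, 3, "IT lead", "30 days"),
        Risk("Email and cloud accounts", "Credential theft", "Passwords only",
             "No MFA on email or cloud accounts", 3, 3, "IT lead", "30 days"),
        Risk("Email platform", "Phishing", "Email security gateway",
             "No phishing simulation training", 3, 2, "Office manager", "90 days"),
        Risk("Staff laptops", "Theft of equipment", "Cable locks",
             "No full-disk encryption", 2, 2),
        Risk("Internal documents", "Misaddressed email", "None",
             "No warning when sending to external addresses", 2, 1),
    ]


if __name__ == "__main__":
    for row in remediation_plan(sample_register()):
        print(f"[{row['priority']}] score {row['score']}: {row['asset']} / "
              f"{row['threat']} -> {row['action']} ({row['owner']}, {row['target_date']})")
```

Running the script prints only the three high-priority rows; lowering `min_score` pulls the medium items onto the plan, and `to_csv()` gives the full scored register to attach to the assessment report. Because the scale is capped at 9, two gaps tie at the top; the sort's impact tiebreak and stable ordering keep that tie deterministic, but the business owner still has to decide which of the two to fund first.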

Free Tools for Small Business Risk Assessments

  • NIST Small Business Cybersecurity Corner: nist.gov/system/files/documents/2019/08/smb-cybersecurity-corner.pdf — free guidance and assessment tools specifically for small businesses
  • CISA Cyber Essentials: cisa.gov/cyber-essentials — a concise framework covering the most critical small business security controls
  • HHS Security Risk Assessment Tool: For healthcare businesses under HIPAA — healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
  • SBA Cybersecurity resources: sba.gov/business-guide/manage-your-business/strengthen-your-cybersecurity

Bottom Line

A cybersecurity risk assessment does not require an outside consultant or specialized software. A small business can complete a meaningful assessment in a few hours using the framework above — building an asset inventory, identifying realistic threats, evaluating current controls and gaps, scoring risks, and creating a prioritized remediation plan. The output is a security program that addresses your actual risk profile rather than a generic checklist — and for regulated businesses, the documentation demonstrates due diligence that generic control lists cannot.
