Jeremy Tucci
Financial Services
August 2020
3 Min Read

Cybersecurity 101: Classify The Risks – Part Two

Now that you have identified the risks to your business, there may be a sense of where to begin.  In the very early stages, this laundry list may seem overwhelming.  It can be tempting to search for a single solution, but that is rarely effective.  There is also the other side of over-engineering which can cause analysis paralysis or wasted efforts.  This next step serves to establish the starting point and areas that deserve the most attention.  This is considered classifying the risks.

There are many different approaches.  Highly structured and regulated businesses typically fall under either commercial or government classification types.  Some places may choose to give numerical weightings for scoring relevance.  Small businesses with limited resources and more flexibility might find these to be overkill.  Depending on your needs, it does not have to be overly complicated.  Most of these determinations can be made with key team members and some direction from legal requirements.  Presented below are the traditional models along with an alternative approach.

Common Classification Levels

·       Confidential

·       Private

·       Sensitive

·       Public


·       Top Secret

·       Secret

·       Confidential

·       Sensitive but Unclassified

·       Unclassified


The above might be difficult or just not that applicable to small businesses. There is a simpler model and this version can be adapted to almost any company.  The idea is to determine where the risk would fall should it be exposed or compromised.  Note, we do not have a public classification here as it is inherently placed there if it does not fall under one of the following three.  This is an attempt to narrow the focus to only on the things that matter.  Below are also some examples though not hard lines to follow.

  • High –the business itself may close as a result of catastrophic client/financial losses
  • Medium – business may be impacted and suffer but can continue
  • Low – potential non-material inconveniences
Alternative Approach

·       SSNs

·       Banking

·       Medical


·       Personnel Info

·       Proprietary Info

·       Low-level PII


·       Internal communications

·       Procedural Info


While this may not be an exact science, it does help small businesses understand where to begin when it comes to protecting their most valuable information.  It is important to keep in mind the goal is to reduce confusion and distraction.  Once risk identification and classification has been completed, it allows you to begin the process of finding and implementing solutions.