How to Conduct a Cybersecurity Risk Assessment for Your NC Business

Step-by-step cybersecurity risk assessment guide for NC businesses - asset inventory, threat analysis, vulnerability scoring, and remediation. Call (336) 886-3282.


A cybersecurity risk assessment is a systematic process of identifying your business assets, cataloging threats and vulnerabilities, scoring risks by likelihood and impact, and prioritizing remediation actions based on your organization's risk tolerance. For North Carolina businesses, this process is the foundation for informed security investments, insurance qualification, and regulatory compliance.

Key takeaway: According to NIST's Cybersecurity Framework 2.0 Small Business Quick Start Guide, a structured risk assessment helps organizations of any size prioritize cybersecurity activities based on actual risk rather than fear or vendor marketing. IBM's 2024 data shows companies with tested incident response plans save an average of $1.49 million in breach costs compared to those without.

Need a professional risk assessment? Preferred Data Corporation provides comprehensive cybersecurity assessments for North Carolina businesses. BBB A+ rated with 37+ years of experience. Call (336) 886-3282 or schedule your assessment.

Understanding the NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework (CSF) 2.0, finalized in 2024, provides the most widely recognized structure for organizing cybersecurity activities. It is explicitly designed for organizations of all sizes, including small businesses in the Piedmont Triad and across North Carolina.

The Six CSF 2.0 Functions

  1. Govern: Establish cybersecurity strategy, policies, and oversight
  2. Identify: Understand your assets, risks, and business context
  3. Protect: Implement safeguards for critical services
  4. Detect: Develop capabilities to identify cybersecurity events
  5. Respond: Plan and execute responses to detected incidents
  6. Recover: Restore capabilities after cybersecurity incidents

The "Govern" function is new in CSF 2.0, emphasizing that cybersecurity is a business leadership responsibility, not just a technical one.

Step 1: Asset Inventory

You cannot protect what you do not know you have. Start by documenting every technology asset in your environment.

Hardware Assets

  • [ ] Servers (physical and virtual)
  • [ ] Workstations and laptops
  • [ ] Mobile devices (phones, tablets)
  • [ ] Networking equipment (firewalls, switches, access points)
  • [ ] Printers and multifunction devices
  • [ ] IoT devices and sensors
  • [ ] Manufacturing equipment with network connectivity (PLCs, HMIs)
  • [ ] Building management systems

Software Assets

  • [ ] Operating systems and versions
  • [ ] Business applications (ERP, CRM, accounting)
  • [ ] Cloud services and SaaS subscriptions
  • [ ] Custom-developed applications
  • [ ] Security tools (antivirus, firewall, backup)
  • [ ] Remote access tools (VPN, RDP, and third-party remote support or screen-sharing tools)

Data Assets

  • [ ] Customer personal information (names, addresses, SSNs)
  • [ ] Employee records (HR data, payroll, benefits)
  • [ ] Financial data (banking, credit cards, accounting)
  • [ ] Intellectual property (designs, formulas, trade secrets)
  • [ ] Regulated data (CUI, PHI, payment cardholder data)
  • [ ] Vendor and partner data

People and Access

  • [ ] User accounts and privilege levels
  • [ ] Administrative accounts and their owners
  • [ ] Third-party access (vendors, contractors, partners)
  • [ ] Former employee accounts (should be disabled)

For North Carolina manufacturers, pay special attention to OT assets that may be connected to IT networks. A Greensboro furniture manufacturer's CNC machines or a High Point textile company's production controllers each represent potential attack surfaces.
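The "People and Access" items above are the part of the inventory most often left to memory. As an added example (not Preferred Data Corporation's tooling), the script below runs those four checks over a constructed directory export: former-employee accounts still enabled, privileged accounts with no named owner, third-party access with no expiry date, and enabled accounts that have not logged on in 90 days. The column names and the sample rows are assumptions of this example; a real run would use a CSV exported from Active Directory or Entra ID with the same columns.

```python
"""Access review over a directory export: the "People and Access" checks.

Added example, not Preferred Data Corporation's tooling. SAMPLE_EXPORT is a
constructed sample; the column names are this example's assumption and a real
run would feed a CSV exported from Active Directory or Entra ID with the same
columns. Dates are ISO (YYYY-MM-DD); an empty last_logon means never logged on.
"""
import csv
import io
from datetime import date, datetime

STALE_DAYS = 90                   # no logon in this long -> review the account
REVIEW_DATE = date(2025, 6, 12)   # constructed "today" so the example is deterministic

# Constructed sample export. Columns: username, enabled, privileged, owner,
# last_logon, status, account_type, expires.
SAMPLE_EXPORT = """\
username,enabled,privileged,owner,last_logon,status,account_type,expires
jsmith,true,false,,2025-06-10,active,employee,
tbrown,true,true,tbrown,2025-06-11,active,employee,
svc-backup,true,true,,2025-06-11,active,service,
kwilson,true,false,,2025-01-15,terminated,employee,
acme-vendor,true,false,,2024-11-02,active,third-party,
mlee,false,false,,2024-03-01,terminated,employee,
admin,true,true,,2025-02-01,active,employee,
"""


def parse_export(text: str) -> list[dict]:
    """Read the CSV export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))


def _flag(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes"}


def review_access(rows: list[dict], today: date) -> list[tuple[str, str]]:
    """Return (username, finding) pairs for the checklist items: former-employee
    accounts still enabled, privileged accounts with no named owner, third-party
    access with no expiry, and stale (or never used) enabled accounts.
    Disabled accounts generate no findings: disabling is the expected end state."""
    findings = []
    for r in rows:
        user = r["username"]
        enabled = _flag(r["enabled"])
        privileged = _flag(r["privileged"])
        if r["last_logon"]:
            last = datetime.strptime(r["last_logon"], "%Y-%m-%d").date()
            idle_days = (today - last).days
        else:
            idle_days = None

        if r["status"] == "terminated" and enabled:
            findings.append((user, "former employee account still enabled"))
        if privileged and not r["owner"].strip():
            findings.append((user, "privileged account with no named owner"))
        if r["account_type"] == "third-party" and enabled and not r["expires"].strip():
            findings.append((user, "third-party access with no expiry date"))
        if enabled and (idle_days is None or idle_days > STALE_DAYS):
            what = "never logged on" if idle_days is None else f"no logon in {idle_days} days"
            findings.append((user, what))
    return findings


def run_review() -> list[tuple[str, str]]:
    """Review the constructed sample as of REVIEW_DATE."""
    return review_access(parse_export(SAMPLE_EXPORT), REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:<12} {finding}")
```

On the sample data the script flags seven items across four accounts: the shared "admin" and the backup service account have no named owner and have not been used in months, the terminated user kwilson is still enabled, and the vendor account has neither an expiry date nor any recent use. The disabled terminated account (mlee) is correctly silent.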

Step 2: Threat Identification

After documenting your assets, identify the threats most relevant to your business type, industry, and geography.

Common Threats for NC Businesses

External Threats:

  • Ransomware attacks (manufacturing is the top targeted industry four years running)
  • Business email compromise (BEC) targeting executives and accounting
  • Phishing campaigns harvesting credentials
  • Supply chain attacks through vendor software
  • Nation-state targeting of defense contractors in the Research Triangle
  • DDoS attacks disrupting customer-facing services

Internal Threats:

  • Employee errors (misconfiguration, accidental data exposure)
  • Insider threats (disgruntled employees, departing staff)
  • Shadow IT (unauthorized cloud services, AI tools)
  • Physical security lapses (unlocked server rooms, lost devices)

Environmental Threats:

  • Hurricane damage (relevant statewide, not only on the coast; Hurricane Helene in 2024 showed that western and piedmont NC businesses are exposed too)
  • Power grid failures
  • Internet service disruptions
  • Fire or water damage to server rooms

According to Total Assure's 2025 small business cybersecurity report, small businesses experienced a 46% cyberattack rate in 2025, with incidents occurring every 11 seconds. Average losses reach $120,000 per breach, and 60% of companies attacked close within 6 months.

Step 3: Vulnerability Analysis

Vulnerabilities are weaknesses in your environment that threats can exploit. Assess vulnerabilities across technical, procedural, and human dimensions.

Technical Vulnerability Assessment

  • [ ] Run vulnerability scans against all network-connected systems
  • [ ] Review patch levels for all operating systems and applications
  • [ ] Assess firewall rule configurations for excessive permissiveness
  • [ ] Test backup restoration processes
  • [ ] Evaluate encryption status for data at rest and in transit
  • [ ] Check for default credentials on devices and applications
  • [ ] Review remote access security (MFA, access controls)
  • [ ] Assess network segmentation between critical zones

Procedural Vulnerability Assessment

  • [ ] Review password policies (minimum length, screening against known-breached passwords, reuse; note that NIST SP 800-63B no longer recommends forced periodic rotation unless there is evidence of compromise)
  • [ ] Evaluate access provisioning and deprovisioning processes
  • [ ] Assess change management procedures
  • [ ] Review incident response plan currency and testing
  • [ ] Evaluate backup testing frequency and documentation
  • [ ] Check vendor access management procedures
  • [ ] Review security awareness training frequency and content

Human Vulnerability Assessment

  • [ ] Conduct phishing simulation tests
  • [ ] Assess security awareness training completion rates
  • [ ] Review privileged access justification for all admin accounts
  • [ ] Evaluate clean desk and physical security practices
  • [ ] Check BYOD policy compliance

Step 4: Risk Scoring

Risk scoring combines the likelihood of a threat exploiting a vulnerability with the potential business impact if it occurs.

Risk Calculation Formula

Risk = Likelihood x Impact (with the 1-5 scales below, scores range from 1 to 25)

Likelihood Scale (1-5):

  1. Rare: Less than once per decade
  2. Unlikely: Once in 5-10 years
  3. Possible: Once in 1-5 years
  4. Likely: Once per year
  5. Almost certain: Multiple times per year

Impact Scale (1-5):

  1. Negligible: Less than $5,000 loss, minimal disruption
  2. Minor: $5,000-$25,000, hours of downtime
  3. Moderate: $25,000-$100,000, days of disruption
  4. Major: $100,000-$500,000, weeks of disruption
  5. Catastrophic: Over $500,000, potential business closure

Sample Risk Scoring for a Piedmont Triad Manufacturer

Threat                        Likelihood  Impact  Risk Score  Priority
Ransomware on flat network    4           5       20          Critical
Phishing credential theft     5           3       15          High
Unpatched server exploit      3           4       12          High
Physical server room access   2           4       8           Medium
USB malware introduction      2           3       6           Medium
Insider data theft            1           4       4           Low

Step 5: Remediation Prioritization

With risks scored, order remediation by priority band first, then within a band by risk reduction per dollar invested, so that a cheap control that removes a lot of risk is not left waiting behind an expensive one.

Priority Framework

Critical (Risk Score 20-25): Immediate Action

  • Implement within 30 days
  • Budget allocation required immediately
  • Examples: Network segmentation, MFA deployment, endpoint protection

High (Risk Score 12-19): Short-Term Action

  • Implement within 90 days
  • Include in current quarter budget
  • Examples: Vulnerability patching program, security awareness training, backup testing

Medium (Risk Score 6-11): Planned Action

  • Implement within 6 months
  • Include in next budget cycle
  • Examples: Password policy updates, physical security improvements, documentation

Low (Risk Score 1-5): Accepted or Deferred

  • Address as resources allow
  • Monitor for changes in likelihood or impact
  • Document acceptance rationale
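To make the scoring and prioritization concrete, here is an added example (not Preferred Data Corporation's tooling) that applies the Risk = Likelihood x Impact formula and the four priority bands above to the sample manufacturer's register, then goes one step further than the text: it re-scores two risks after a control is applied and ranks the controls by score points removed per dollar. The "after control" scores and the dollar costs are constructed, hypothetical figures for illustration only.

```python
"""Risk register scoring with the article's 1-5 scales and priority bands.

Added example, not Preferred Data Corporation's tooling. SAMPLE_RISKS reproduces
the article's sample manufacturer; the "after control" scores and dollar costs
in CONTROLS are constructed, hypothetical figures used only to illustrate ranking
by risk reduction per dollar.
"""
from dataclasses import dataclass

# (minimum score, label, days allowed to implement) from the priority framework.
PRIORITY_BANDS = (
    (20, "Critical", 30),
    (12, "High", 90),
    (6, "Medium", 180),
    (1, "Low", None),  # accepted or deferred: no deadline, record the rationale
)


@dataclass(frozen=True)
class Risk:
    threat: str
    likelihood: int  # 1 rare .. 5 almost certain
    impact: int      # 1 negligible .. 5 catastrophic

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in range(1, 6):
                raise ValueError(f"{name} must be 1-5, got {value!r}")

    @property
    def score(self) -> int:
        """Risk = Likelihood x Impact, so 1 <= score <= 25."""
        return self.likelihood * self.impact


def _band(score: int) -> tuple:
    for band in PRIORITY_BANDS:
        if score >= band[0]:
            return band
    raise ValueError(f"score out of range: {score}")


def priority(score: int) -> str:
    return _band(score)[1]


def deadline_days(score: int):
    return _band(score)[2]


def build_register(risks) -> list[dict]:
    """Rows sorted highest score first; ties go to the higher impact so the
    scenario that is costlier to recover from is listed first."""
    ordered = sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)
    return [
        {
            "threat": r.threat, "likelihood": r.likelihood, "impact": r.impact,
            "score": r.score, "priority": priority(r.score),
            "deadline_days": deadline_days(r.score),
        }
        for r in ordered
    ]


def reduction_per_thousand(before: Risk, after: Risk, cost_usd: float) -> float:
    """Score points removed per $1,000 spent: the 'risk reduction per dollar'
    yardstick, scaled so the numbers are readable."""
    if cost_usd <= 0:
        raise ValueError("cost must be positive")
    return (before.score - after.score) / (cost_usd / 1000.0)


def rank_controls(controls: dict) -> list[tuple[str, float]]:
    """controls maps a control name to (risk before, risk after, cost in USD);
    returns controls best-value first."""
    ranked = [(name, reduction_per_thousand(b, a, c)) for name, (b, a, c) in controls.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


SAMPLE_RISKS = [
    Risk("Ransomware on flat network", 4, 5),
    Risk("Phishing credential theft", 5, 3),
    Risk("Unpatched server exploit", 3, 4),
    Risk("Physical server room access", 2, 4),
    Risk("USB malware introduction", 2, 3),
    Risk("Insider data theft", 1, 4),
]

# Hypothetical: segmentation limits the ransomware blast radius (impact 5 -> 3);
# MFA makes a phished password far less useful (likelihood 5 -> 2). Costs are made up.
CONTROLS = {
    "Segment OT/servers from user VLAN": (SAMPLE_RISKS[0], Risk("Ransomware on flat network", 4, 3), 8000),
    "MFA on email and VPN": (SAMPLE_RISKS[1], Risk("Phishing credential theft", 2, 3), 1500),
}


if __name__ == "__main__":
    print(f"{'Threat':<30}{'L':>3}{'I':>3}{'Score':>7}  Priority   Due (days)")
    for row in build_register(SAMPLE_RISKS):
        due = row["deadline_days"] if row["deadline_days"] is not None else "-"
        print(f"{row['threat']:<30}{row['likelihood']:>3}{row['impact']:>3}"
              f"{row['score']:>7}  {row['priority']:<10} {due}")
    for name, value in rank_controls(CONTROLS):
        print(f"{value:5.1f} points per $1,000: {name}")
```

With these made-up figures the MFA rollout removes 9 points for $1,500 (6.0 points per $1,000) while segmentation removes 8 points for $8,000 (1.0 per $1,000), which is why the text says to rank within a band by reduction per dollar rather than by score alone: the Critical ransomware risk still gets its 30-day deadline, but the cheaper control is not deferred behind it.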

Cost-Effective Remediation for NC SMBs

Not all risk reduction requires large investments. For businesses in Charlotte, Raleigh, Durham, and the Piedmont Triad, these high-impact, lower-cost controls provide significant risk reduction:

  • Multi-factor authentication: Free to low-cost through Microsoft 365 or Google Workspace
  • Security awareness training: $15-$40/user/year for automated phishing simulations
  • Automated patching: Included with most managed IT services
  • Network segmentation: Often possible through existing switch configuration
  • Backup verification: Process change with minimal technology investment

Ready to prioritize your security investments? PDC helps NC businesses focus spending where it reduces risk most effectively. Call (336) 886-3282 or get started.

Tying Risk Assessment to Insurance

Cyber insurance carriers increasingly require documented risk assessments as a condition of coverage. According to industry research, ransomware and data breach incidents account for 58% of all cybersecurity insurance claims, and insurers are becoming more selective about which controls they require.

Common Insurance Requirements

Most cyber insurance applications for North Carolina businesses now ask about:

  • MFA deployment on remote access and email
  • Endpoint detection and response (EDR) installation
  • Backup frequency and offline/immutable storage
  • Employee security awareness training program
  • Patch management cadence
  • Incident response plan existence and testing
  • Network segmentation between user and server networks
  • Privileged access management practices

A completed risk assessment documents your status on each of these controls, streamlining the insurance application process and potentially reducing premiums.

Tying Risk Assessment to Compliance

For regulated North Carolina businesses, risk assessment is not optional. It is a compliance requirement.

CMMC (Defense Contractors)

Defense contractors in the Research Triangle and across North Carolina must conduct risk assessments as part of NIST SP 800-171 compliance (requirement 3.11.1 calls for periodic assessment of risk to operations, assets, and individuals). The assessment identifies gaps against the 110 security requirements that CMMC Level 2 requires.

HIPAA (Healthcare)

Healthcare organizations and their business associates must conduct a risk analysis under the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) and keep it current; the rule does not fix an interval, but annual review is the widely adopted cadence. The analysis must address administrative, physical, and technical safeguards.

PCI DSS (Payment Processing)

Businesses processing credit card payments must run quarterly internal and external vulnerability scans (external scans by a PCI Approved Scanning Vendor) and document targeted risk analyses that are reviewed at least annually under PCI DSS version 4.0.

Maintaining Your Risk Assessment

A risk assessment is not a one-time event. It requires ongoing maintenance to remain accurate and useful.

Annual Full Assessment

Conduct a complete reassessment annually, including:

  • Updated asset inventory
  • Revised threat landscape analysis
  • New vulnerability scanning
  • Recalculated risk scores
  • Updated remediation priorities

Trigger-Based Updates

Reassess immediately when:

  • Major infrastructure changes occur (new systems, cloud migration)
  • New threats emerge that affect your industry
  • Regulatory requirements change
  • Security incidents occur (yours or industry peers)
  • Business changes happen (acquisitions, new locations, workforce changes)

Quarterly Reviews

Between annual assessments, review quarterly:

  • Remediation progress against the plan
  • New vulnerabilities discovered through scanning
  • Changes in threat landscape
  • Insurance or compliance requirement updates

How PDC Conducts Risk Assessments

Preferred Data Corporation performs comprehensive cybersecurity risk assessments for North Carolina businesses following the NIST CSF 2.0 framework:

  • Asset discovery: Automated and manual inventory of your technology environment
  • Vulnerability scanning: Technical assessment of all network-connected systems
  • Policy review: Evaluation of security procedures and documentation
  • Gap analysis: Comparison against industry benchmarks and compliance requirements
  • Risk scoring: Quantified risk ratings for each identified vulnerability
  • Remediation roadmap: Prioritized action plan with cost estimates
  • Executive summary: Business-language report for leadership decision-making

Frequently Asked Questions

How long does a cybersecurity risk assessment take?

For a typical 25-75 person North Carolina business, a comprehensive assessment takes 2-4 weeks, including asset inventory, vulnerability scanning, policy review, and report development. Smaller environments (under 25 users) can often be assessed in 1-2 weeks.

How much does a professional risk assessment cost?

Professional cybersecurity risk assessments for NC small businesses typically range from $5,000-$20,000 depending on environment size and complexity. This investment typically identifies risks whose remediation prevents losses many times the assessment cost.

Can I do a risk assessment myself without professional help?

You can start with NIST's free Small Business Quick Start Guide for basic self-assessment. However, professional assessments provide technical vulnerability scanning, industry benchmarking, and expert remediation prioritization that self-assessments miss. For compliance purposes, professional assessments often carry more weight with auditors and insurers.

How often should we update our risk assessment?

Conduct a full assessment annually and perform trigger-based updates when significant changes occur. Quarterly reviews of remediation progress and new vulnerabilities keep the assessment current between annual cycles.

What is the difference between a risk assessment and a penetration test?

A risk assessment evaluates your overall security posture across technical, procedural, and human dimensions. A penetration test simulates actual attacks against specific systems. Risk assessments are broader and strategic; penetration tests are narrower and tactical. Most organizations need both, with risk assessments informing where penetration testing should focus.

Know your risks before attackers exploit them. Preferred Data Corporation provides comprehensive cybersecurity risk assessments for North Carolina businesses. Founded in 1987, BBB A+ rated, serving the Piedmont Triad, Charlotte, Raleigh, and beyond. Call (336) 886-3282 or schedule your assessment today.
