Threats, Vulnerabilities and Risk, Oh My!
What is the difference between an information security threat, a vulnerability and a risk? These terms are often confused, but understanding them is critical when preparing to protect your critical data.
A threat is anything with the potential to harm people, systems or your organization. There are three types of threats:
- Natural – Natural threats include floods, hurricanes and tornadoes.
- Unintentional – Unintentional threats include employees accidentally deleting or changing information.
- Intentional – Intentional threats involve an intent to harm. This could be malware, disgruntled employees or hackers.
Vulnerabilities are known or unknown weaknesses that, if exploited, could cause harm to the person, system or company.
A critical step is to perform some form of vulnerability assessment to identify weaknesses in critical systems. Some questions to ask:
- Do you have adequate backups in multiple locations that are resistant to failure and ransomware?
- Do you have multifactor authentication enabled for all critical systems?
- Do you have an effective password policy and manager in place?
- Do you have adequate server and endpoint security in place?
- Do you have a business continuity plan to ensure access to systems in the event something bad happens?
Risk is the potential loss if a vulnerability is exploited by a threat. This loss could be financial, reputational, loss of data/information, or even loss of life.
The goal is to reduce the risk to your organization as much as possible given the cost to do so. Some items to consider as you develop your risk management plan:
- Perform a risk assessment. This could be from a third party or internally. The key is to use a framework that you can repeat to compare results over time.
- Create a committee consisting of employees and other stakeholders. It is important to get departmental feedback.
- Identify what risk you accept, transfer (insurance) or eliminate.
- Prioritize remediation based on risk. No one has unlimited time and money, so figure out what you need to address first.
- Get top down support to ensure resources are allocated to make changes.
It is important to understand the relationship between the threats to your assets, the vulnerabilities of your assets and the estimated risk of losing something.