According to this study, “Despite everything you’ve read about cyber security, despite all the breaches in the news, the fact is well-intentioned business people are still surprisingly behind the times.”
Hackers aren’t the only ones to blame when a breach occurs; a breach is usually accompanied by the mishandling of information that should have been protected. In short, companies need a better definition of a threat. Not mentioned in the article, but posted here for your enjoyment, is my personal favorite way of enumerating threats when performing risk assessments: the Basel II event type categories. See below.
- Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
- External Fraud – theft of information, hacking damage, third-party theft and forgery
- Employment Practices and Workplace Safety – discrimination, workers’ compensation, employee health and safety
- Clients, Products, & Business Practice – market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
- Damage to Physical Assets – natural disasters, terrorism, vandalism
- Business Disruption & Systems Failures – utility disruptions, software failures, hardware failures
- Execution, Delivery, & Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets
The event categories help expand the basic idea of a threat so that management doesn’t limit its view to just the bad guys. While performing a risk assessment, create your listing of threats under each category and mark down the likelihood of each. For example: Damage to Physical Assets – Flood (very low likelihood).
For your readers, you may want a chart defining what each likelihood rating means, since “very low” is meaningless without a time frame. I base mine on a year, so to me, very low can be defined as once in ten years.