The identification of threats plays a critical function for firms. Any thriving business must know existing threats in their business to develop resilience or create abilities to withstand unpredictability.
This piece introduces the meaning of threat. Peter Gregory, a reknown cybersecurity expert defines threat as “an event that, if realised, would bring harm to an asset and, thus, to the organisation.” In other words, a threat would cause harm to business functions, might stifle human freedoms, and might cripple a business.
Businesses, for example, are undergoing increasingly rapid, unpredictable, and unprecedented changes because of the sweeping pandemic. Most companies are building systems to ensure that their staffs can work remotely, so that their customers can buy services virtually and more importantly, they are automating their business process. As such, any serious business would begin to consider the existing threats that might present themselves.
A McKinsey report paints a realistic picture of the current business environs. It states that “catastrophic events will grow more frequent but less predictable”. In addition, the report states that the digital revolution, which increased data availability, comes with potential for “large-scale failure and security breaches.”
There are typical threats company face. They are internal and external threats, intentional or unintentional, and as manmade or natural. Most times, many threats usually fall outside the control of the company but not out of their awareness. As such, a good firm’s Chief Information Security Officer or the security manager must develop a list of threats that are likely to occur to any given assets. Without developing a complete list of threats, the security manager might struggle to manage existing risks within her company.
Looking internally would typically serve as the first point of introspective call for the security manager. Internal threats are associated with employees of the firm and sometimes might be the actors behind the threat. The big task understands all the way that things can go wrong within the company. Some would argue that this is a pessimistic approach but in IT risk management, it is the best approach. In this space, I have talked about staffs exporting company secrets to competitors and exposing the company to unknown business sabotage.
Another example was in field work. An employee intentionally leaves the company’s data centre unlocked for another party to gain entrance. These and many more are certain threats that a firm can face internally. Listing them out would help the information security manager understand various scenarios.
There are certain man-made threats that companies can pay attention to. They include but are not limited to leaked data via e-mail, leaked data via upload to unauthorised system, leaked data via external USB storage device or medium, leaked information face-to-face to unauthorised person, performing a programming error and responding to a social engineering attack.
Many companies have thought about these threats in financial terms and that has inspired them to come up with mitigating methodologies for when these threats manifest. It is good practise to build a list of threat actors that is groups or people that would or can initiate such threat event.
That said, there are external threats that firms should also put into consideration. These are threats that originate outside of the firm. They can be deliberate and accidental actions. It is important the information security manager list these kinds of threats. Recently, a shop was burnt down in Abuja, Nigeria leading to substantial amount of loss and placing employees and customers at risk. This is called a man-made external threat. The company, if they have considered these threats, would have had strong action points to stop the event before happening or contain it while it was happening.
Natural external threats can be rainstorm, hurricane, earthquake, Tsunami, just to mention these ones. There are external threat actors too and they can be former employees, competitors, hackers, and former contractors.
True threat identification analysis requires a balanced focus on various things that might happen and creating a playbook to play out these scenarios to particularly tease out the best solutions for these threats. As companies expand in this digitally driven economy, they must pay key attention to these threats so that they are not caught unawares.
Frontpage February 20, 2019