We have been inundated with recent reports of large-scale data losses and breaches across multiple industries around the world. Each one has particular events that have been identified as the “causes” of the breach, yet the reports keep the insecurity of our daily work activities in the news. The affected industries include retail, financial organizations including banks, government agencies, internet and social media companies, and others.
All of these organizations have been developing and installing their information security plans and technologies continuously and consistently over the past several years. But the breaches keep occurring, and personal information keeps being released to unknown entities or, worse yet, to criminal organizations that use our information to steal from us, defraud our institutions, and generally cause disruptions of life and business around the world every day.
So, why is this continuing?
Risk assessments and management reviews lead us to realize that there are always four components to any risk:
- Assets and their value to the organization
- Threats to our operations and activities
- Vulnerabilities internal to our systems
- Consequences of the possible impact on our business or activities
Any one of these components can be the weak link, so there is always some risk in every organization, in its endeavors, in everything we do, and in all of the activities we perform on its behalf.
1. Organizational Assets
Organizational assets hold the information that the organization views, uses, processes and retains: the lifeblood, or the profit-making keys, for the stakeholders, shareholders, employees, and management of the organization. In other words, this one area covers the primary purpose of the organization. The hardware, software and information which the organization utilizes to perform its functions are the most important components of the modern organization.
The confidentiality of the data as it is stored and processed by the organization’s employees and users is often targeted by those who would like to know what the organization is doing, or would like to steal it for their own purposes. The vital information is processed and changed by normal everyday actions, but its correctness and presence are often called into question by either internal employee actions or by external forces acting upon it. Even the availability of the data when the organization needs it is an area of concern.
2. External Threats To Operations
The modern-day uses and misuses of the Internet open up any organization to a myriad of external threats from everywhere. These threats can take the form of malware attached to or embedded in the emails and files which permeate our day-to-day activities online. In fact, “spear-phishing” is today often catalogued as the single biggest way that attackers get into an organization from the outside.
The world of the Internet is often compared to the old American concept of the “Wild West” because of the incredible proliferation of attack methods crossing our paths each and every day. The number and scope of possible threats has not decreased with the advent of AI (Artificial Intelligence) and ML (Machine Learning) implementations in recent years. The attackers have consistently adapted their tools, techniques, and attack patterns to account for the changes in the tools and defensive security which organizations have been diligently installing and employing for their own safety and security.
3. Internal Vulnerabilities
Vulnerabilities are defined as flaws or weaknesses internal to the organization. The vast array of possible operating systems, applications, information components, and their configurations are all subject to being incorrectly installed, configured, operated, and stored. Each of these deficiencies can create a vulnerability that can be taken advantage of by those with malicious intent.
Software is often designed by companies which drive the product out of the development environment quickly to obtain the return on investment that the shareholders and stakeholders demand in today’s instant-gratification corporate environment. This has led to software vendors producing software with less than optimum internal controls and incomplete testing of all of the components internal to the program. We, as general users, are often the ones who find the actual deficiencies, which are then treated as “bugs” by the software vendor and go into its “defect repair” cycle.
Once the flaw is identified and repaired, the vendor produces a “patch” to handle it and leaves it up to us as users to load and confirm the repair. So the software vendor is relieved of any liability by issuing this “patch”, but the actual repair relies on the organization loading and testing it internally so that the deficiency actually is fixed. This cycle is often long and sometimes arduous for organizations which contain many thousands of devices and have reduced manpower in today’s economic conditions.
4. Consequences On Business
The consequences of a risk being realized can range from minor irritation to full interruption of the enterprise. The possible impacts on an organization are wide and varied, and because they often depend on the timing and scope of the incident, they are not predictable.
Of course, this unpredictability is exactly what the organization’s management does NOT want, so they reduce the impact evaluations to numeric levels which they can deal with. However, since the “real” scope of the risk is truly subjective, the actual risks are unknown and usually guessed at by the senior management of the organization. The potential frequency of attacks, natural events, or accidental mistakes by employees is a variable that is often undeterminable within the organization. The scope and range of the impact of one of these events upon the organization and its activities is another unknown which each organization and its management struggle with every day of operations.
The risks that every organization faces daily in today’s Internet-driven online economy are wide, varied, and very real for these reasons. It is vital that each organization identify the risks it is facing on an ongoing basis, since these risks change every day. A risk assessment is always a good first step toward identifying the risks in an organization and then handling them successfully.