An IT Security Primer: Threat vs. Risk
New York State has implemented cybersecurity requirements that affect financial institutions and these changes seem to be coming down the pike for neighboring states. When discussing information security, the question of what constitutes a risk versus a threat comes up quite often. These terms are important to distinguish from each other, especially if compliance rules could change in the near future. While threat and risk are very closely tied, if you’re going to assess and address your company’s IT security vulnerabilities, you have to understand what each looks like, what each means to your IT security, and how best to address them.
What is an IT Security Threat?
A threat is “a person or thing that may cause damage or danger”. IT security Threats can then be broken down into two components:
- Threat Actors
- Threat Actions
IT Security Threat Actors
Some common Threat Actors are accidental or natural events, such as fires or weather events that could affect your data or company. Then there is the human element of Threat. In these cases, Threat Actors could be an untrained employee with no bad intentions, a disgruntled employee with an axe to grind, or outside hackers trying to land malware or ransomware onto a company machine.
IT Security Threat Actions
If a Threat Actor is the “Who” in an info security scenario, the Threat Action is the “What”. To illustrate the correlation between threat actors and threat actions, let’s look at it through the case of a disgruntled employee and a data breach. This threat actor could be present within an organization for months or even years without ever committing a threat action. Then one day, the disgruntled employee sees an opportunity to exact revenge on what is considered a bad boss, maybe getting paid in the process. The disgruntled employee threat actor decides to leak proprietary information to a competitor. The leaking of that protected information is the Threat Action.
When looking at threats, we must look at both threat actors and their associated threat actions to determine the likelihood and impact to an organization. This is how we then define “Risk.”
What is an IT Security Risk?
Simply put, Risk = Likelihood (of a Threat Occurrence) X Impact (of the associated Threat Action).
Unfortunately, there isn’t much we can do to eliminate the existence of threats, but we can certainly put specific security controls in place to reduce the likelihood of a specific threat and help to minimize the impact that threat would have on business operations.
Applying specific controls to reduce the likelihood and impact of a threat is considered “mitigation.”
While it might be hard to “mitigate” a disgruntled employee (hopefully HR is on the job!), there are steps or controls a company can implement take to reduce the likelihood of an attack on their data or network.
These controls come in three categories:
Technical IT Security Controls
In IT security, the first type of control you probably think is the technical control. Technical controls include:
- Intrusion prevention systems (IPS)
- Intrusion detection systems (IDS)
- Antivirus software
- Network access controls
Keeping an intruder out at every possible virtual juncture should be top of mind. See the contact us info if you can’t name your technical controls!
Physical IT Security Controls
Physical controls include fences or gates, fire suppression systems, card access systems, and video surveillance. The physical security of a building or office shouldn’t be neglected when examining the safekeeping of an organization’s information.
Administrative IT Security Controls
Administrative controls are the policies, procedures, and training that tie everything together. These controls are related to protecting an organization’s information as well as the information systems it resides on.
Some examples would be:
- Acceptable Use Policy
- Data Classification
- Data Handling Policies
- Incident Response Plan
- Firewall Management Policy
These controls make sure all aspects of your IT security plan are working in tandem to help ensure consistency and compliance with any industry regulations.
Transfer or Avoidance of IT Security Risk
Beyond the mitigation controls we’ve discussed, organizations may choose to manage risk by avoiding or transferring it.
Avoiding risk is the act of removing the component that the risk was associated with. For example, an organization may have a public facing application server that is rarely used. This server could possibly serve as a back door into a company’s network. They could choose to simply decommission the server and close the connection to eliminate or avoid that specific risk. (A vulnerability assessment would target these weak links.)
Many organizations are getting the benefits of “risk transferal” and don’t even realize it. With the growing popularity of cloud services, businesses are moving their data and applications to systems hosted and managed by cloud providers. By doing this, they transfer a large portion of risk from themselves to the cloud provider.
A great example is Microsoft’s Office 365 product. For years, many organizations have hosted their own email and file servers. By migrating their email and data to Office 365, these organizations have transferred many of the associated risks to Microsoft.
IT Security Risk Mitigation and Management
Now that we have a high-level understanding of threats and risk, it’s important to discuss how to mitigate and manage them.
Before you can mitigate a risk, you need to know what and where it is! A comprehensive Risk Assessment performed by a qualified third-party is the first step for any business looking to improve their security posture. Without understanding the risks that various threats pose to your organization, it’s difficult to know where to begin implementing mitigating controls.
Accounting for Differing IT Security Regulations and Priorities Across Industries
Further, because IT security regulations and needs differ across industries, a Risk Assessment has to provide a prioritized road map using industry standard ratings for risk, as well as accounting for the IT security regulations for a given industry
Once you have a prioritized roadmap, your organization can intelligently begin the mitigation process based on the risks that have the highest likelihood to impact your specific business operations.
Due to constant changes to most environments and the ever-changing threat landscape, it’s typically recommended that an organization have a Risk Assessment performed on an annual basis. This not only captures potential risks with recently added or changed systems but also provides a scorecard for the mitigation efforts based on previous Risk Assessments.[[CTA BANNER HERE Download an eBook on how to establish a NIST Framework]]
And if the thought of figuring out the what and how of understanding and addressing the IT security risks your organization faces, you can get in touch with an IT Security specialist at Link High.
We know this stuff and would be glad to help you understand and implement the best IT security solution for your business.