Risk is the likelihood and potential magnitude of harm. It lies at the nexus of two important information security concepts: threats and vulnerabilities.
A threat is a force, organization, or person with the potential to obtain, compromise, or destroy an information asset. Threats can be physical, like an employee accidentally deleting critical information; natural, like a tornado or earthquake; or internet-based, such as malicious software or viruses. It is important to remember your organization is not only threatened by bad actors, criminals, or acts of nature; insider threats, such as human error or disgruntled employees, must also be defended against. A vulnerability, or weakness, is a gap in information or physical security protections that can be exploited to cause harm or accident.
It is impossible to protect against all vulnerabilities. Every organization maintains some level of risk—it is the cost of doing business. Fortunately, implementing a robust cybersecurity program will reduce your organization’s level of risk to an acceptable one. As an executive, it is your role, in accordance with the Board, to determine the level of risk palatable to your institution.
- Phishing attacks prey on a user’s sense of responsibility, empathy, or urgency to trick him or her into sharing credentials with an unauthorized user, usually via email or telephone.
- Insider threats are threats posed by employees, vendors, and people close to the business, either on purpose or by accident.
- Denial-of-service attacks are an attempt to overwhelm a website or tool with requests so that it becomes useless.
- Ransomware attacks encrypt valuable computer resources and hold them hostage until a ransom—often demanded in cryptocurrency—is paid.
- Natural disasters, like hurricanes, interrupt business operations and can deprive communities of access to financial resources.