Threat – Vulnerability – Risk  – Do They Have the Same Meaning?

People and organizations outside the security industry, and sometimes even security professionals, often mix up the terms threat, vulnerability and risk. Understanding how threats, vulnerabilities and risks relate to one another is essential for building effective security policies and protecting your organization from cyber and physical attacks alike.

The three terms are defined differently within the context of security:

Threat

A threat is anything that has the potential to disrupt or harm an organization. Threats can be natural, intentional or unintentional. Natural threats are hazards such as earthquakes, floods and wildfires, whose timing, duration and impact are largely unpredictable. Intentional threats are deliberate actions, such as stealing or damaging computer resources, equipment and data. Unintentional threats stem from human error, e.g. leaving the server room unlocked, or leaving the front door of a building that holds sensitive information unmonitored.

Vulnerability

A vulnerability is a weakness or gap in a security system that a threat actor can exploit to achieve their goals. A vulnerability assessment is a systematic review of the weaknesses in a security system: it evaluates whether the system is susceptible to any known vulnerabilities, assigns a severity level to each one found, and recommends remediation or mitigation where needed. Vulnerabilities arise through several avenues:

  • Current employees: Social and customer interaction, discussing work in public places, taking data out of the office (e.g. on phones and laptops), emailing documents and data, installing unauthorized software and apps, opening spam emails, connecting personal devices to office networks, writing down passwords and sensitive data, losing security devices such as ID cards, and a general lack of information security awareness.
  • Former employees: Those now working for competitors, retaining company equipment and data, or discussing company matters.
  • Technology: Social networking, file sharing, and data saved on mobile phones, in Internet browsers, or on computers and other devices.
  • Partners and suppliers: Dependence on telecom and utility services (electricity, gas, water) that can be disrupted, on hardware and software that can fail, on mail and courier services that can lose packages, and on supply chains that can be interrupted; sharing confidential data with partners and suppliers.
  • Security systems: Faulty cameras, sensors or other security devices, and security policies or procedures that are broken or not followed.

While most organizations implement some form of security, few take stock of the many weaknesses that exist in their current environment. You should consider physical security as well, document the weaknesses in your environment, and make business decisions about how to keep those weaknesses from compromising the security of your organization.

Risk

A risk is the effect of uncertainty on objectives. It is usually expressed in terms of risk sources, potential events, their consequences and their likelihood. In security terms, a risk exists where a threat can exploit a vulnerability: the likelihood of that happening, combined with the impact it would have, is the risk.

A risk assessment is the overall process of risk identification, risk analysis and risk evaluation. Organizations should invest in a risk assessment program to better understand, measure and prepare for risks to their operations. A risk assessment evaluates not only the physical site but also how business is done, since business processes themselves can introduce additional threats and vulnerabilities. These assessments offer several benefits:

  1. Identifying which of your security measures are weak and which security threats face your organization, so that you can address the vulnerabilities and strengthen your company’s security.
  2. Showing whether your organization’s security measures meet the requirements set by government and international bodies.
  3. Giving you a clear view of how effective your security controls are and how they can be improved.

Remember, risk does not disappear once the basic security systems are in place. Because threats and vulnerabilities change constantly, a risk assessment is only a snapshot of the risk at one point in time, and assessments should therefore be repeated regularly. A well-planned risk assessment program will save your organization from undesirable losses.

The Impact Of COVID-19 On Cybersecurity

The COVID-19 pandemic has forced many organizations to set up remote working environments for their employees, without adequately preparing them from a cybersecurity perspective. Several vulnerabilities exist when working remotely, which cybercriminals are using to ramp up their attempts to gain access to data. In its 2020 report on COVID-19’s impact on cybersecurity, Deloitte has reported an increase in cybercrime since the pandemic started. 

One of the main methods cybercriminals use to gain access to computers is phishing. Attackers pose as trusted organizations, offering COVID-19 information by email or through pop-up links. A recipient who opens the attachment or follows the link typically lands on a credential-harvesting page or downloads malware, which gives the attacker access to confidential data that can then be used for identity theft, fraud or corporate espionage.
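The “pose as a trusted company” pattern described above leaves traces in the message headers that can be checked automatically. The script below is an added example, not code from the original article or from Lady Askari: it parses a raw message with Python’s standard library and flags a display name that claims a trusted brand while the address is on another domain, a Reply-To that diverts replies elsewhere, and a From domain that is one character away from (or prefixed by) a trusted domain. The trusted-brand table and the three sample messages are constructed for the demo.

```python
"""Heuristic check for sender impersonation in an email header block."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the brands this organisation trusts, the
# words that identify them in a display name, and the domains they really
# send from. Replace with your own allow-list.
TRUSTED_BRANDS = {
    "WHO": {"names": ("who", "world health organization"),
            "domains": ("who.int",)},
    "Microsoft": {"names": ("microsoft",),
                  "domains": ("microsoft.com",)},
}


def sender_domain(header_value: str) -> str:
    """Lowercase domain of the address in a From/Reply-To header ('' if none)."""
    _display, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_trusted_domain(domain: str, trusted: str) -> bool:
    """True for the trusted domain itself or any of its subdomains."""
    return domain == trusted or domain.endswith("." + trusted)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character typosquats (micros0ft.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_headers(raw_message: str) -> list:
    """Return (code, detail) findings for a raw RFC 5322 message.

    Codes: display-name-impersonation, reply-to-mismatch, lookalike-domain.
    """
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_dom = sender_domain(from_header)
    reply_dom = sender_domain(msg.get("Reply-To", ""))
    findings = []

    # 1. A trusted brand named in the display name, but the address is not
    #    on that brand's domain: the classic "pose as a trusted company".
    for brand, info in TRUSTED_BRANDS.items():
        named = any(re.search(r"\b" + re.escape(n) + r"\b", display_name.lower())
                    for n in info["names"])
        legit = any(is_trusted_domain(from_dom, d) for d in info["domains"])
        if named and not legit:
            findings.append(("display-name-impersonation",
                             f"display name claims {brand}, address is @{from_dom}"))

    # 2. Replies routed to a domain other than the apparent sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch",
                         f"Reply-To @{reply_dom} differs from From @{from_dom}"))

    # 3. The From domain is one edit away from a trusted domain, or uses a
    #    trusted domain as a leading label (who.int.example.com).
    all_trusted = [d for info in TRUSTED_BRANDS.values() for d in info["domains"]]
    if from_dom and not any(is_trusted_domain(from_dom, d) for d in all_trusted):
        for d in all_trusted:
            if levenshtein(from_dom, d) == 1 or from_dom.startswith(d + "."):
                findings.append(("lookalike-domain",
                                 f"@{from_dom} resembles trusted @{d}"))
                break
    return findings


# Constructed sample messages (header block plus a one-line body).
PHISH = (
    'From: "World Health Organization" <alerts@who-covid19-updates.com>\n'
    "Reply-To: <replies@collector.example>\n"
    "Subject: COVID-19 safety measures\n\n"
    "Click the link for the latest guidance.\n"
)
TYPOSQUAT = (
    'From: "IT Support" <helpdesk@micros0ft.com>\n'
    "Subject: Password expiry\n\n"
    "Reset your password here.\n"
)
LEGIT = (
    'From: "Microsoft account team" '
    "<account-security-noreply@accountprotection.microsoft.com>\n"
    "Subject: Security info was added\n\n"
    "Your account settings changed.\n"
)

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("TYPOSQUAT", TYPOSQUAT), ("LEGIT", LEGIT)):
        print(label, analyze_headers(raw) or "no findings")
```

These checks are heuristics that complement, not replace, SPF, DKIM and DMARC alignment on the receiving mail gateway: the WHO sample trips the display-name and Reply-To checks but not the lookalike check, because “who-covid19-updates.com” is many edits away from “who.int”, which is exactly the kind of domain that only a brand allow-list or user awareness will catch.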

Cyberattacks can be very costly. Businesses and individuals around the world lose about $600 billion annually to cybercrime. Companies that get hacked also stand to lose clients and reputation as public trust erodes. Smaller businesses and individuals make easier targets because they often lack the budget for robust cybersecurity countermeasures.

Read on for Lady Askari’s thoughts on how you can secure your organization from cyber-attacks. 

How COVID-19 And Remote Working Increases Cyber Risks 

Working from home exposes organizations to cyber risks because employees may not have the same IT infrastructure at home that organizations usually have in place. Employees may also not be aware of the increased cybersecurity threats and how easy it is to be hacked. A recent study found that 66% of workers haven’t had any cybersecurity training in the last 12 months. On top of this, 77% don’t feel that they are vulnerable to cyberattacks.  

Studies show that theft of trade secrets increases during economic downturns. Unfortunately, many people have lost their jobs due to the loss of business caused by COVID-19. 

Disgruntled, desperate, or unaware employees are a major source of insecurity. Organizations must make sure that information management and intellectual property policies are adhered to by all, especially in situations where employees are distressed. 

Access to company data and systems must be revoked immediately when an employee leaves the company. This reduces the chances of a former employee using lingering access to exploit vulnerabilities in your IT infrastructure.

Key Takeaway

COVID-19 has brought with it an increased risk of cyberattacks due to remote working arrangements. This is a critical time to review your cybersecurity and ensure that your organization and home networks are secured against unauthorized access. Remote working is here to stay and organizations must invest more in securing information and networks.

Companies have several cybersecurity options when it comes to safeguarding their data. Any solution must include working with employees to protect the organization, because people are the most common entry point for attackers. You should also invest in company-wide training and send out regular updates and tips to raise cybersecurity awareness among employees. Lady Askari offers Cyber Security Awareness Training that covers anti-phishing awareness, password best practices, and safe browsing methods on the internet, to name a few topics.

VPNs (virtual private networks) are also a good way for organizations to protect their networks while employees work from home. A VPN creates an encrypted tunnel between the employee’s device and the corporate network over the public internet, so traffic inside the tunnel, including the internal systems being reached and the data exchanged with them, is not readable by the home ISP, a public Wi-Fi operator, or anyone else on the path. It does remain visible to the operator of the VPN endpoint, so the VPN only shifts trust to your own gateway rather than removing it. Organizations that use a VPN must keep VPN gateways and client software patched promptly, since internet-facing VPN endpoints are a favourite target, review the configuration regularly, and require multi-factor authentication for VPN logins.

For additional information on how Lady Askari can help you safeguard your information please contact us at info@ladyaskari.com or find out more information on our website at www.ladyaskari.com
