In the business continuity planning process, it is important to identify the credit union’s critical functions, and the risks those functions face in day-to-day operations. One of the steps in the process relies upon the business continuity coordinator’s ability to identify threats, or to perform a threat assessment. The credit union will be best prepared when it considers and plans for as many realistic scenarios as possible.
What goes into a threat assessment?
A threat assessment takes a broad overview of the business, and its functions. Then creates a list of threat occurrences which may affect the credit union’s operation. In the assessment’s threat list, each threat is given value/weight to its chance of occurrence, as well as ranking the severity of what that threat could do to the credit union, as a whole, should it occur.
What constitutes a threat?
Threats can be man-made, natural, or technology related. Man-made threats can be as threatening as an arsonist or active shooter. More often it is a simple mistake, such as bumping a ladder over and onto a delicate network appliance.
Natural events, such as floods, earthquakes, tornadoes, and hurricanes, are also considered threats. Technology-related threats list data corruption, device failure, DDoS attacks, and power loss among its denizens.
If something has a realistic likelihood of affecting the credit union’s operations, no matter how silly the event may seem, it may be considered a threat. Take for example my CUSO. In 2011, an incident involving “a befuddled swan and a power line” caused a power outage at the corporate headquarters lasting over a half hour. Thankfully, although we might not have anticipated an attack by a swan, our teams had prepared for a power failure, and during the outage critical systems were able to continue operating on a backup power source.
An important tie-in
Once the threat assessment is assembled, it is then used to model the risk assessment. The risk assessment uses the previously identified weighted threats, along with known/identified vulnerabilities, to calculate a likelihood of those vulnerabilities being exploited, or a control to be circumvented/eliminated.
Without identifying as complete a list of threats as possible, a credit union may leave itself open to be exploited. Should one of the unknown threats occur, a bad actor may be standing at the ready to seize the opportunity. In its current state, is your credit union fully aware of the threats that may affect its operations?