In the business continuity planning process, it is important to identify the credit union’s critical functions, and the risks those functions face in day-to-day operations. One of the steps in the process relies upon the business continuity coordinator’s ability to identify threats, or to perform a threat assessment. The credit union will be best prepared when it considers and plans for as many realistic scenarios as possible.
What goes into a threat assessment?
A threat assessment takes a broad overview of the business, and its functions. Then creates a list of threat occurrences which may affect the credit union’s operation. In the assessment’s threat list, each threat is given value/weight to its chance of occurrence, as well as ranking the severity of what that threat could do to the credit union, as a whole, should it occur.
What constitutes a threat?
Threats can be man-made, natural, or technology related. Man-made threats can be as threatening as an arsonist or active shooter. More often it is a simple mistake, such as bumping a ladder over and onto a delicate network appliance.
Natural events, such as floods, earthquakes, tornadoes, and hurricanes, are also considered threats. Technology-related threats list data corruption, device failure, DDoS attacks, and power loss among its denizens.
If something has a realistic likelihood of affecting the credit union’s operations, no matter how silly the event may seem, it may be considered a threat. Take for example my CUSO. In 2011, an incident involving “a befuddled swan and a power line” caused a power outage at the corporate headquarters lasting over a half hour. Thankfully, although we might not have anticipated an attack by a swan, our teams had prepared for a power failure, and during the outage critical systems were able to continue operating on a backup power source.
An important tie-in
Once the threat assessment is assembled, it is then used to model the risk assessment. The risk assessment uses the previously identified weighted threats, along with known/identified vulnerabilities, to calculate a likelihood of those vulnerabilities being exploited, or a control to be circumvented/eliminated.
Without identifying as complete a list of threats as possible, a credit union may leave itself open to be exploited. Should one of the unknown threats occur, a bad actor may be standing at the ready to seize the opportunity. In its current state, is your credit union fully aware of the threats that may affect its operations?
Nice article, Patrick! (And the great snappy title really caught my attention!)