Skip Ribbon Commands
Skip to main content

Do I Need Better Security? A Guide to Assessing Operational Risk


MNP's TAKE: Any successful business should regularly review its strategic plan and enterprise risk management programs, consider how they are connected and assess whether extra security measures are required. A greater ability to manage risk than your competitors can allow you to take advantage of opportunities that others may miss.

With data rapidly becoming the biggest part of a business’s assets, cyber security has become a new area of significant risk and insurance concerns. Many insurance products covering cyber attacks and losses require the business to complete a risk assessment before applying for coverage: a careful evaluation of risks and opportunities allow you to right-size your investment in security and to leverage that into a winning strategy. For more information on how MNP can assist you with this assessment or other data protection considerations, contact Greg Draper MBA, DIFA, FCPA, FCGA, CFE, ICD.D Vice President - Valuations, Forensics and Litigation Support, at 403.263.3385 or [email protected]


With all the breaches and hacks going on around the world, businesses are asking themselves “Do I need to add extra security?” It’s a simple question, and the answer is “it depends”. In this post, we’ll look at a framework which will give us a much more useful answer. It’s an acronym called CRAFT, and it helps you gauge if and when you need to add a security product.

Darrell Jones III, from Instant2FA, introduced this in a post called “The Best Time to Integrate T​wo Factor Authentication”. If you want to hear it straight from the horse’s mouth, it’s well worth a read! This post draws heavily from his work.


There are five criteria which look at different reasons your business would want to prioritize some security spending.

Customer. If your customers have high security standards (think developers, journalists, financial / HR services, ecommerce shoppers), they’ll expect to see evidence of a strong security posture. It’s business-as-usual for them, and anything less is a red flag. Good password policies, 2FA, and/or account takeover detection, are just a few examples.

Regulation and Compliance. If you’re subject to standards like HIPAA, PCI DSS, ISO27001, you’ll absolutely have a need to spend on security products. If not – you can breathe a sigh of relief ;)

Assets. If the data you store is of high value, you’ll need to protect it from theft or prying eyes. It’s not just documents like HR plans or sales forecasts though – consider if your users would be embarrassed / disadvantaged by your data coming to light. Think user profiles on Ashley Madision or AdultFriendFinder, both of whom have been breached. If your data is low value, then you face less risk if that data is compromised.

Fraud. Some businesses create platforms where spammers, trolls, identity thieves, and others have the possibility of creating havoc. Social networks, forums, ecommerce sites, customer support systems, etc. If this is you, you need to ensure that identities of your users are verified every time they interact with your system.

Transactions. If your business lets users transfer things of value (money, bitcoin, etc), or if the transactions themselves reveal sensitive information about who is interacting with who, then you have an elevated operational risk.

So do I need to add extra security?

Assessing each of those criteria can help you build a better idea of your operational risk. Every business is different and faces different risks. If you’re ticking some of those boxes, take a look at your current risk mitigation solutions. Do you need to add extra security? If you’re ticking a few boxes, start looking at what tools will mitigate your risk. Ticking all five? Get on top of this stat! If you’re a low-value target, then you could add security because it’s a sensible thing to do, but you don’t need to rush.

This article originally appeared in ThisData.


This article was written by Nick Malcolm from Business2Community and was legally licensed through the NewsCred publisher network.