
How vulnerable are you to cyber threats?

Every company, regardless of size, industry, or location, needs a cybersecurity game plan. Whether you’re a mom-and-pop shop or a top-shelf Fortune 500 enterprise, your organization is vulnerable to the growing number of cyber threats in the digital space. To combat current cyber threats, inevitable cyberattacks, and potential data breaches, you MUST have a predefined, systematic approach. This approach should encompass four phases:

  1. Research: anticipate threats and identify vulnerabilities
  2. Preparation: employ defense strategies and shield the organization from threats
  3. Response: respond to an intrusion or breach
  4. Review & Revise: examine processes and implement effective revisions

Last week, we discussed some of the most common cyber threats currently posing the greatest risk to the market. This helped to familiarize you and your company’s cyber heroes with the most volatile threats for 2017 and 2018. There isn’t much you can do to deter black hat hackers from crafting new cyberattack campaigns aimed at compromising your cyber defenses. You can, however, identify and proactively address vulnerabilities to protect your organization from increased susceptibility to malicious breach attempts…  

In this post, we’ll walk through phase one of your cybersecurity plan of action by evaluating information used by your organization and how this data translates into your organization’s cyber vulnerability.

Identifying and assessing your organization’s threat vulnerability

In your efforts to safeguard data from hacktivists and cybercriminals, you must adopt a method of identifying the vulnerabilities that leave your business all the more susceptible to a breach. This method is commonly referred to as “risk assessment.” 

This simplified assessment outline* can be used by any organization, regardless of industry or size.

Before we explain the process, keep in mind that you’ll likely need to collaborate with and gather input from other members of your team: directors of the applicable departments, project managers, IT specialists, and legal personnel will likely help identify some of the information you’ll want to include.

Step 1: Identify information your organization uses and stores

To begin the process of assessing your organization’s risk, you’ll need to compile the pieces of information received or sent as part of your business’s transaction cycles and workflows. This may include email addresses, phone numbers, account numbers, invoice line items, SSNs, or other proprietary information. This is an excellent time to collaborate with other members of your team so the list is accurate and nothing is accidentally omitted. We recommend segmenting and grouping all the individual pieces of information into categories that make sense for your business.

Expert Tip: Try this quick process of organizing if your business has no pre-defined data categories:  

  1. Write each piece of information on a Post-it.
  2. Physically segment the Post-its into groups (categories) with consideration to their similarity. Create the number of groups that makes sense for the amount of data gathered and your organization, but try and keep it under eight if you can.
  3. Label the groups based on the pieces of information in each group.

Make sure to include both internal data (information associated with your employees or the organization itself) and external data (information associated with your clients, customers, partners, and other stakeholders). Additionally, consider labeling each piece of information as either “internal” or “external.”

Step 2: Determine the information’s value

You now have a working outline of all the pieces of information that a cybercriminal could potentially gain access to. The next step is to determine each piece of information’s value. Once you know what a piece of information is worth, decisions about how to safeguard and secure it become much simpler.

In determining value, an ordinal scale is likely more efficient than attempting to assign a monetary value to a piece of information. Consider using a 0-3 scale, where 0: no value, 1: low value, 2: moderate value, and 3: high value. To arrive at a logical value, evaluate every piece of information using these key questions: 

  • What would happen should my customers or staff be unable to access this data?
  • If this information was modified or communicated incorrectly, what further implications could occur?

Step 3: Determine the information’s threat vulnerability

After determining each piece of information’s value, you need to determine the threat vulnerability index of each group. To do this, take the highest value (0-3) assigned to any piece of information in the group and use that same value as the group’s threat vulnerability index (1: low, 2: moderate, 3: high).

Note that averaging the values of all the pieces within a group is not recommended: it could leave a high-value (3) piece of data sitting in a group with a moderate (2) or low (1) threat vulnerability index, where it would receive less protection than it deserves.
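To make the three steps concrete, here is an added example that is not part of the original post or of Nintex’s own material. It turns the worksheet into a small script: each piece of information is recorded with its category, its “internal”/“external” label and its 0-3 value, each group’s threat vulnerability index is set to the highest value in the group, and a separate function shows which high-value items an averaging rule would have hidden. The inventory, category names and values are constructed sample data for a hypothetical small business.

```python
"""Simplified information-risk worksheet (added example, not the post's own code).

Step 1: inventory items with a category and an internal/external label.
Step 2: rate each item on the 0-3 ordinal scale.
Step 3: group index = highest-rated item in the group, never the average.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum
from statistics import mean


class Value(IntEnum):
    """Ordinal value scale from Step 2."""
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


SCOPES = ("internal", "external")


@dataclass(frozen=True)
class InfoItem:
    name: str
    category: str   # the Post-it group from Step 1
    scope: str      # "internal" (employees/organization) or "external" (clients, partners)
    value: Value    # Step 2 rating


@dataclass(frozen=True)
class GroupResult:
    category: str
    index: Value    # Step 3 threat vulnerability index (max of member values)
    driver: str     # the item that sets the index
    average: float  # shown only to contrast with the max rule
    internal: int
    external: int


def validate(items):
    """Reject malformed rows before they skew the assessment."""
    seen = set()
    for item in items:
        if item.scope not in SCOPES:
            raise ValueError(f"{item.name}: scope must be one of {SCOPES}")
        if not isinstance(item.value, Value):
            raise ValueError(f"{item.name}: value must be on the 0-3 scale")
        if item.name in seen:
            raise ValueError(f"duplicate item: {item.name}")
        seen.add(item.name)
    return True


def group_by_category(items):
    groups = defaultdict(list)
    for item in items:
        groups[item.category].append(item)
    return dict(groups)


def assess(items):
    """Step 3: one GroupResult per category; index = highest member value."""
    validate(items)
    results = []
    for category, members in group_by_category(items).items():
        driver = max(members, key=lambda m: m.value)  # first highest-rated item wins ties
        results.append(GroupResult(
            category=category,
            index=driver.value,
            driver=driver.name,
            average=mean(int(m.value) for m in members),
            internal=sum(m.scope == "internal" for m in members),
            external=sum(m.scope == "external" for m in members),
        ))
    return results


def group_vulnerability_index(items):
    """Convenience view: {category: threat vulnerability index}."""
    return {r.category: r.index for r in assess(items)}


def masked_by_averaging(items):
    """High-value items whose group would NOT rate high under an averaging rule.

    This is the failure mode the post warns about: averaging lets a HIGH item
    hide in a group that looks MODERATE or LOW.
    """
    averages = {r.category: r.average for r in assess(items)}
    return sorted(i.name for i in items
                  if i.value == Value.HIGH and averages[i.category] < Value.HIGH)


# Constructed sample inventory for a hypothetical small business.
SAMPLE_INVENTORY = [
    InfoItem("customer email addresses", "Customer records", "external", Value.LOW),
    InfoItem("customer phone numbers", "Customer records", "external", Value.LOW),
    InfoItem("customer SSNs", "Customer records", "external", Value.HIGH),
    InfoItem("invoice line items", "Invoicing", "external", Value.MODERATE),
    InfoItem("customer account numbers", "Invoicing", "external", Value.HIGH),
    InfoItem("employee email addresses", "Employee data", "internal", Value.LOW),
    InfoItem("payroll bank details", "Employee data", "internal", Value.HIGH),
    InfoItem("employee SSNs", "Employee data", "internal", Value.HIGH),
    InfoItem("newsletter sign-ups", "Marketing", "external", Value.LOW),
    InfoItem("published press releases", "Marketing", "external", Value.NONE),
]


if __name__ == "__main__":
    for r in assess(SAMPLE_INVENTORY):
        print(f"{r.category:16} index={r.index.name:8} (set by: {r.driver}; "
              f"avg={r.average:.2f}; internal={r.internal} external={r.external})")
    print("hidden by averaging:", masked_by_averaging(SAMPLE_INVENTORY))
```

Run as written, the script rates “Customer records”, “Invoicing” and “Employee data” as high (3) because each contains at least one high-value item, and “Marketing” as low (1). The `masked_by_averaging` output lists the four high-value items (customer SSNs, account numbers, payroll bank details, employee SSNs) that an average would have buried in a moderate-looking group, which is exactly why the post tells you to take the maximum.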

The finished product gives you a clear picture of how your data contributes to your company’s vulnerability to cyber threats, and it is a required input for next week’s post: determining your organization’s right-fit security approach.

Keep in mind… This is a simplified method of identifying and analyzing vulnerabilities based on information your organization uses or stores. Based on your organization, industry, use of data, and familiarity with data use, you may not be able to determine the value of your information and data without a cybersecurity threat analyst. Particularly, smaller organizations with heavy data use and no IT personnel should consider seeking an outside resource for accurate evaluations.  

Next steps…

By determining your organization’s overall cyber vulnerability, you’ve now completed the first phase in building your systematic cybersecurity approach. This should help clarify which groups of information will require more security resources than others.

Next week, we’ll identify different defense strategies and determine if, based on your organization’s threat vulnerability, your security efforts can be housed within an internal IT department or if outsourcing through external security vendors makes the most sense for your organizational needs.
