There are three types of threat to information assets facing organisations today. There is the insider threat. There is the cyber threat. Thirdly, there is the cyber threat that feeds off the insider's low awareness of being a target, otherwise termed the insider's low ‘threat IQ’. What needs to be established is which of these threatens the organisation. Within these three threats are many variants that feed off whichever vulnerabilities an organisation has at any particular time, and they multiply if that organisation becomes a target: because it has something others want, whether financial, commercial or political, or because it represents something others find offensive.
Analysing which particular threats are risks to an organisation requires knowledge of the cyber variants and how they exploit vulnerabilities. Managing that risk requires particular skill to balance the most effective defences against the ongoing successful business of the organisation. IL7 has the technical knowledge to build perimeter defences against the cyber threat, to employ analytics and monitoring against the cyber threat, and to use communication and consultancy to galvanise a corporate culture and reduce the threat IQ. The key is to understand the business and which business assets are valuable, then to identify vulnerabilities and introduce controls to eliminate or mitigate them. IL7 has the experience to assess the risks a business can take to exploit a business opportunity, and the expertise to identify measures that mitigate the effect if those risks become reality.
For the purposes of this exercise, acts of God and natural disasters are treated as hazards: insurable risks, addressed through back-up and business continuity. This paper concentrates on the risk to information assets.
The ‘insider’ here is a collective term that includes the privileged user, the normal user, the service provider, the service consumer and the supplier, as all could be duped into being infected in a way that endangers the target.
IL7 consultants will operate within a framework consistent with ISO 31000 principles, clauses and guidelines. Consultants will start by establishing the context in which they are operating. The object is to understand the business, whether it be HMG or local government, a utility or a service provider. Our consultancy will not just be about risk assessment and presenting an RMADS-type document, but about risk management, including how system managers communicate security and risk awareness and how they monitor the progress of controls – how they will keep the risk management process alive and bring about continual improvement. In effect, our presence will build capability and competence. For further reading....