Information security vulnerabilities are weaknesses that expose an organization to risk. Understanding your vulnerabilities is the first step to managing risk.
Employees
1. Social interaction
2. Customer interaction
3. Discussing work in public locations
4. Taking data out of the office (paper, mobile phones, laptops)
5. Emailing documents and data
6. Mailing and faxing documents
7. Installing unauthorized software and apps
8. Removing or disabling security tools
9. Letting unauthorized persons into the office (tailgating)
10. Opening spam emails
11. Connecting personal devices to company networks
12. Writing down passwords and sensitive data
13. Losing security devices such as id cards
14. Lack of information security awareness
15. Keying data
Former Employees
1. Former employees working for competitors
2. Former employees retaining company data
3. Former employees discussing company matters
Technology
1. Social networking
2. File sharing
3. Rapid technological changes
4. Legacy systems
5. Storing data on mobile devices such as mobile phones
6. Internet browsers
Hardware
1. Susceptibility to dust, heat and humidity
2. Hardware design flaws
3. Out of date hardware
4. Misconfiguration of hardware
Software
1. Insufficient testing
2. Lack of audit trail
3. Software bugs and design faults
4. Unchecked user input
5. Software that fails to consider human factors
6. Software complexity (bloatware)
7. Software as a service (relinquishing control of data)
8. Software vendors that go out of business or change ownership
Network
1. Unprotected network communications
2. Open physical connections, IPs and ports
3. Insecure network architecture
4. Unused user ids
5. Excessive privileges
6. Unnecessary jobs and scripts executing
7. Wifi networks
IT Management
1. Insufficient IT capacity
2. Missed security patches
3. Insufficient incident and problem management
4. Configuration errors and missed security notices
5. System operation errors
6. Lack of regular audits
7. Improper waste disposal
8. Insufficient change management
9. Business process flaws
10. Inadequate business rules
11. Inadequate business controls
12. Processes that fail to consider human factors
13. Overconfidence in security audits
14. Lack of risk analysis
15. Rapid business change
16. Inadequate continuity planning
17. Lax recruiting processes
Partners and Suppliers
1. Disruption of telecom services
2. Disruption of utility services such as electric, gas, water
3. Hardware failure
4. Software failure
5. Lost mail and courier packages
6. Supply disruptions
7. Sharing confidential data with partners and suppliers
Customers
1. Customers access to secure areas
2. Customer access to data (ie. customer portal)
Offices and Data Centers
1. Sites that are prone to natural disasters such as earthquakes
2. Locations that are politically unstable
3. Locations subject to government spying
4. Unreliable power sources
5. High crime areas
6. Multiple sites in the same geographical location