Do I need better security? A guide to assessing operational risk

With all the breaches and hacks going on around the world, businesses are asking themselves “Do I need to add extra security?” It’s a simple question, and the answer is “it depends”. In this post, we’ll look at a framework which will give us a much more useful answer. It’s an acronym called CRAFT, and it helps you gauge if and when you need to add a security product.

Darrell Jones III, from Instant2FA, introduced this in a post called “The Best Time to Integrate Two Factor Authentication”. If you want to hear it straight from the horse’s mouth, it’s well worth a read! This post draws heavily from his work.


There are five criteria which look at different reasons your business would want to prioritize some security spending.

Customer. If your customers have high security standards (think developers, journalists, financial / HR services, ecommerce shoppers), they’ll expect to see evidence of a strong security posture. It’s business-as-usual for them, and anything less is a red flag. Good password policies, 2FA, and/or account takeover detection, are just a few examples.

Regulation and Compliance. If you’re subject to standards like HIPAA, PCI DSS, ISO27001, you’ll absolutely have a need to spend on security products. If not – you can breathe a sigh of relief ;)

Assets. If the data you store is of high value, you’ll need to protect it from theft or prying eyes. It’s not just documents like HR plans or sales forecasts though – consider if your users would be embarrassed / disadvantaged by your data coming to light. Think user profiles on Ashley Madision or AdultFriendFinder, both of whom have been breached. If your data is low value, then you face less risk if that data is compromised.

Fraud. Some businesses create platforms where spammers, trolls, identity thieves, and others have the possibility of creating havoc. Social networks, forums, ecommerce sites, customer support systems, etc. If this is you, you need to ensure that identities of your users are verified every time they interact with your system.

Transactions. If your business lets users transfer things of value (money, bitcoin, etc), or if the transactions themselves reveal sensitive information about who is interacting with who, then you have an elevated operational risk.

So do I need to add extra security?

Assessing each of those criteria can help you build a better idea of your operational risk. Every business is different and faces different risks. If you’re ticking some of those boxes, take a look at your current risk mitigation solutions. Do you need to add extra security? If you’re ticking a few boxes, start looking at what tools will mitigate your risk. Ticking all five? Get on top of this stat! If you’re a low-value target, then you could add security because it’s a sensible thing to do, but you don’t need to rush.