Cybersecurity is never completed. Businesses must continue to take proactive steps as cyber threats continue to increase. Protecting your sensitive data and assets from cybercriminals is a constant, ongoing task. Threat tactics change as cyber-defenses improve. This danger to data security is persistent, and attacks come from many different places.

Offices are digitally sophisticated these days, and just about every activity relies on some type of technology and data sharing. Cybercriminals can breach these systems from several entry points. The list of vulnerable devices includes computers, smartphones, cloud applications, and network infrastructure.

It’s estimated that cybercriminals can penetrate 93% of company networks.

Threat modeling is an approach that can help organizations fight these intrusions. It involves identifying potential threats and vulnerabilities to an organization's assets and systems, and prioritizing risk management and mitigation strategies.

Attacks are going to happen – it’s not a matter of IF, but of WHEN, and some will be successful – largely due to untrained or unaware employees falling for phishing schemes. Once the fox is in the henhouse, what do you do? This practice helps keep the henhouse door closed, mitigating the risk of falling victim to a costly cyber incident.

Here are the steps businesses can follow to conduct a threat model.

Identify Assets That Need Protection

This is a common sense first step: Identify assets that are most critical to the business. These include sensitive data, intellectual property, and financial information among others. What is it that cybercriminals will be going after?

Include phishing-related assets like company email accounts. Business email compromise (BEC) is a fast-growing method of attack. It capitalizes on breached company email logins.

Identify Potential Threats

The next step is to identify potential threats to these assets, which do tend to fall into ‘The Usual Suspects’ category. Some common threats could be cyber-attacks such as phishing. Others would be ransomware, malware, or social engineering.

Another category of threats could be physical breaches or insider threats. This is where employees or vendors have access to sensitive information.

Remember, threats aren’t always purposefully malicious. Human error causes approximately 88% of data breaches. So, ensure you’re aware of mistake-related threats, such as:

Using weak passwords

Unclear cloud use policies

Lack of employee Security Awareness Training

Poor or non-existent BYOD policies

Assess Likelihood and Impact

Your risk management and mitigation strategies need to be ranked according to the likelihood and impact of the threats you have identified. Businesses must understand how likely each threat is to occur as well as the potential impact on their operations, reputation, and financial stability.

It’s best to base the threat likelihood on current statistics as well as a thorough vulnerability assessment. It's best that this assessment is performed by a trusted 3rd party IT service provider. If you’re doing your assessment with only internal input, or by your regular IT provider, you’re bound to miss something. Also, it’s human nature for people to hide mistakes and sloppy work.

Here at IT Support LA, we offer a FREE non-intrusive scan and report of the state of your network and security. Details are at the bottom of this page. We have performed these assessments many, many times, and it is extremely rare that we don’t find security problems.

Prioritize Risk Management Strategies

Next, prioritize your risk management strategies based on the likelihood and impact of each potential threat. Most businesses can’t tackle everything at once due to time and cost constraints. So, it’s important to rank solutions based on the biggest impact on security.

Some common strategies to consider implementing:

Access controls


Intrusion detection systems

Employee training and awareness programs

Endpoint device management

Businesses must also determine which strategies are most cost-effective. They should also align with their business goals.

Continuously Review and Update the Model

Threat modeling is not a ‘one and done’ process. Since cyber threats are constantly evolving, so must your defenses. Continuously review and update your threat models. This will help ensure that security measures are not only effective but aligned with your business objectives.
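
The steps above can be kept as a small risk register that is re-run at each review. The Python below is an added example, not part of the original article: the 1 to 5 scales, the likelihood x impact score, the sample scores and costs, and the greedy "best risk reduction per cost" selection are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset: str
    likelihood: int  # assumed scale: 1 (rare) to 5 (almost certain)
    impact: int      # assumed scale: 1 (minor) to 5 (severe)

@dataclass
class Mitigation:
    name: str
    cost: int   # constructed budget units
    cuts: dict  # threat name -> likelihood points removed (assumed effect)

# Constructed sample register; names follow the article, numbers are illustrative.
THREATS = [
    Threat("Phishing / BEC", "company email accounts", 5, 4),
    Threat("Ransomware", "financial information", 3, 5),
    Threat("Weak passwords", "cloud applications", 4, 3),
    Threat("Insider misuse", "intellectual property", 2, 4),
]
MITIGATIONS = [
    Mitigation("Employee training", 2, {"Phishing / BEC": 2, "Weak passwords": 1}),
    Mitigation("Access controls", 3, {"Weak passwords": 2, "Insider misuse": 1}),
    Mitigation("Intrusion detection", 5, {"Ransomware": 1}),
    Mitigation("Endpoint management", 4, {"Ransomware": 1, "Phishing / BEC": 1}),
]

def rank(threats):  # highest likelihood x impact first
    return sorted(threats, key=lambda t: t.likelihood * t.impact, reverse=True)

def residual(threats, chosen):
    """Total risk left after the chosen mitigations; likelihood never drops below 1."""
    return sum(max(1, t.likelihood - sum(m.cuts.get(t.name, 0) for m in chosen)) * t.impact
               for t in threats)

def prioritize(threats, mitigations, budget):
    """Greedily fund the affordable mitigation with the best risk reduction per cost."""
    chosen, pool = [], list(mitigations)
    while True:
        base = residual(threats, chosen)
        best = max((m for m in pool if m.cost <= budget), default=None,
                   key=lambda m: (base - residual(threats, chosen + [m])) / m.cost)
        if best is None or residual(threats, chosen + [best]) == base:
            return chosen
        chosen.append(best)
        pool.remove(best)
        budget -= best.cost
```

Calling prioritize(THREATS, MITIGATIONS, budget=6) returns the mitigations to fund first, and residual() shows how much scored risk remains; updating the scores and re-running is the review step.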

Benefits of Threat Modeling for Businesses

Improved Understanding of Threats and Vulnerabilities

Threat modeling can help you gain a better understanding of specific threats. It also uncovers vulnerabilities that could impact your assets by identifying gaps in your security measures and helps uncover risk management strategies.

Ongoing threat modeling can also help companies stay out in front of new threats. Artificial Intelligence (AI) is birthing new types of cyber threats every day. Companies that are complacent can fall victim to new attacks.

Cost-effective Risk Management

Giving threats and the corresponding strategies to mitigate them a ‘pecking order’ optimizes company resources and security investments. This will help ensure that businesses divide resources effectively and efficiently.

Business Alignment

Threat modeling can help ensure that security measures align with the business objectives. This can reduce the potential impact of security measures on business operations. It also helps coordinate security, goals, and operations.

Reduced Risk of Cyber Incidents

Implementing targeted risk management strategies reduces risks – specifically the likelihood and impact of security incidents. This will help to protect your assets and reduce the negative consequences of a security breach.

Frequently Asked Questions

Q: How often do you need to review a security policy?

A: Depending on the nature of your business, the sensitivity of your data, and the compliances you must meet, the minimum is once a year.

Q: What are the top 5 major threats to cybersecurity?

A: Broken Access Control: When users have access to information they do not need for their job.
Phishing: Email ploys that entice a user to click on a malicious link or attachment.
Compliance Dips in Security: IT teams are smaller than ever. IT firms need to employ automation and artificial intelligence to lessen the work burden so security issues are not overlooked.
Internet of Things (IoT): ‘Smart’ devices (from printers to coffee makers) that are connected to a network are the most vulnerable.
Ransomware: This also uses Phishing to ‘lock up’ a network and encrypt the data until a ransom is paid.

Q: How do most cyber attacks start?

A: Far and away, cyber attacks start with human error. The two most common errors are:

1) An employee uses weak, easy to crack passwords.
2) An employee falls for a phishing email and clicks on a malicious link or attachment.

Q: How does security scanning work?

A: Network scans run vulnerability tests on network components, looking for faulty settings in the machines connected to the network, the router, and the servers themselves. They also scan for misconfigured internet protocols, server settings, weak passwords, etc.

How secure is your network?

As a reputable member of the IT Support Los Angeles community since 2002, IT Support LA offers a FREE, no-risk network and security assessment. It is a non-intrusive scan that allows us to deliver a comprehensive report that is yours to keep. No strings, and no obligation to ever use our Managed IT Services.

The best defenses are expert Cybersecurity to protect your data from theft, and a top-notch MSP to ensure continued reliability and defenses against newly emerging threats.

With our 100% Money Back Guarantee in writing, we offer a risk-free way for prospective clients to try us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT services we provide:

IT HelpDesk Service
Onsite IT Support
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)

IT Support LA is an award-winning Managed Services Provider (MSP):
o  3 Years awarded Best IT Support by the Small Business Expo
o  Awarded 2nd best company of any type in the US by the Small Business Expo SB100
o  Awarded Best IT Support in California by Channel Futures
o  Winner of Best IT Support in Los Angeles by Channel Futures
o  Listed as one of the world’s Top 501 MSPs by CRN and in the top 250 in the ‘Pioneer’ listing
o  4 years listed as one of the Top 501 MSPs in the World by Channel Futures
o  Listed as #21 Managed Services Provider in the World in Channel Futures NextGen 101
o  Globee 2021 Bronze Award winner for Chief Technology Officer of the Year
o  Globee 2022 Gold Award winner for Chief Technology Officer of the Year
o  Named one of 2022’s 50 ‘Best’ businesses in California by UpCity
o  Named Best of IT winner by UpCity
o  Winner of Local Excellence Award for 2021, 2022 and 2023 by UpCity
o  Named Best of Cloud Consulting winner by UpCity
o  Certified as Top Managed Services Provider and Cybersecurity Pro by UpCity
o  Named Best IT Services in Los Angeles by

Get Started with Comprehensive Threat Identification

Wondering how to get started with a threat assessment? Our experts can help you put in place a comprehensive threat modeling program. Give us a call today to schedule a discussion and take advantage of our FREE network and security assessment.