Nick Malcolm
Using "CRAFT" to answer 'Do I need to add extra security?'

Note: This post was written for and originally published on the ThisData blog in 2016. Ages ago! I have reposted it here in case it's useful in the future.

With all the breaches and hacks going on around the world, businesses are asking themselves “Do I need to add extra security?” It’s a simple question, but the honest answer is “it depends”. In this post we’ll look at a framework which gives a much more useful answer. It’s an acronym called CRAFT, and it helps you gauge whether, and when, you need to add a security product.

Darrell Jones III, from Instant2FA, introduced this in a post called “The Best Time to Integrate Two Factor Authentication”. If you want to hear it straight from the horse’s mouth, it’s well worth a read! This post draws heavily from his work.

There are five criteria, each capturing a different reason your business might want to prioritise some security spending.

Customer. If your customers have high security standards (think developers, journalists, financial / HR services, ecommerce shoppers), they’ll expect to see evidence of a strong security posture. It’s business-as-usual for them, and anything less is a red flag. Good password policies, 2FA, and/or account takeover detection are just a few examples of what they will look for.

Regulation and Compliance. If you’re subject to standards like HIPAA, PCI DSS, or ISO 27001, you’ll absolutely have a need to spend on security products. If not - you can breathe a sigh of relief ;)

Assets. If the data you store is of high value, you’ll need to protect it from theft wherever it lives: in your infrastructure, your support system, and your customer-facing applications. If your data is low value, then you face less risk if that data is compromised.

Fraud. Some businesses create platforms where spammers, trolls, identity thieves, and others have the opportunity to create havoc: social networks, forums, ecommerce sites, customer support systems, and the like. If this is you, you need to ensure that the identities of your users are verified every time they interact with your system.

Transactions. If your business lets users transfer things of value (money, bitcoin, etc.), then you have an elevated operational risk.

So do I need to add extra security?

Assessing each of those criteria can help you build a better picture of your operational risk. Every business is different, and has different risks. If you’re ticking some of those boxes, take a look at your current risk mitigation solutions. Do you need to add extra security? If you’re ticking a few boxes, start looking at what tools will mitigate your risk. Ticking all five? Get on top of this stat! If you’re a low value target, then you could still add security because it’s a sensible thing to do, but you don’t need to rush.

What to add? It depends! But if you’re looking to protect your users’ sensitive data from theft through account takeover, I’d love for you to take a look at our product ThisData. Let us know how you go, and get in touch if you need help evaluating your risk or finding a suitable solution!

24 November 2016