Without policies and security-management controls in place, the organization is really saying that anything goes. That opens the organization to a host of risks, both internal and external. Examples of internal threats include leakage of sensitive data, theft, legal liability, and corruption of data. External threats include natural disasters, spyware, viruses, worms, and Trojan programs. This is by no means a complete list, but it should alert you to the many dangers that organizations face each day. Failure to deal with these threats can lead to loss of information assets, reduced profits, civil or criminal suits, or even the demise of the company.