What is Cyber Risk? Definition & Examples
Businesses have always faced risk of one kind or another, but over the last two decades cyber risk has become one of the fastest-growing threats to organizations, their data, and their financial health. As technology advances, cybercriminals use it to compromise and steal organizations’ assets. Add internal errors, like misconfigured servers or employees who accidentally expose data to the Internet, and cyber risk opens a company up to many harms, from theft to reputational loss.
According to the most recent Allianz Risk Barometer, cyber incidents rank as the third most important business risk for 2021. Absent current events, cyber risk would likely have topped that list; the global pandemic and the business continuity risks associated with COVID-19 pushed it out of the top spot this year.
Cyber risk remains a top concern: the Center for Strategic and International Studies (CSIS) estimates that almost $600 billion, nearly 1% of global GDP, is lost to cybercrime each year, and the Identity Theft Resource Center reports that 300,562,519 individuals were affected by publicly reported data breaches last year.
What is cyber risk?
While “cyber risk” may seem self-explanatory, it’s not always clearly defined and may mean different things to different people. At its most basic level, however, cyber risk is the risk of damage to an organization through its information systems. To quote a definition from PwC: “Cyber risk is any risk associated with financial loss, disruption or damage to the reputation of an organization from failure, unauthorized or erroneous use of its information systems.”
Cyber risk may take several forms. Cybercrime, cyber terrorism, corporate espionage, weak security controls at vendors and other third parties, and insider threats are all sources of cyber risk. Each of these can materialize as a specific attack, such as ransomware or phishing.
Broadly, however, cyber risk falls into two basic types: external and internal.
A look at external cyber risk
External cyber risk is any risk that originates outside your organization and its extended ecosystem. These are the threats most people think of first: phishing, ransomware, DDoS attacks, and any other attack launched from the outside world.
They are also among the most common: cyberattacks were the primary cause of data compromises reported in the final months of 2020, according to the Identity Theft Resource Center.
What are the most common types of cyberattacks?
Phishing: Phishing is a social engineering attack in which an attacker sends a message to a person within an organization, attempting to trick them into opening an attachment or link that installs malware or ransomware, or into revealing credentials that give the attacker access to the organization’s network and data. Phishing is on the rise, and according to data from Microsoft, attackers have shifted their focus from malware attacks to using phishing to harvest people’s credentials.
Malware: Malware is malicious software, typically introduced when an attachment on a phishing email is opened or a malicious link is clicked, or by exploiting vulnerabilities in exposed network services. Malware includes viruses, keyloggers, spyware, worms, and ransomware.
Ransomware: Ransomware is a form of malware that encrypts or otherwise locks users out of their information systems until a ransom is paid to the attacker. Some attackers who are not paid retaliate by posting the company’s proprietary data online.
Distributed denial-of-service attack (DDoS): A distributed denial-of-service attack floods an organization’s servers with simultaneous requests from many sources at once, exhausting their capacity so that legitimate users cannot get through; attackers sometimes pair the flood with an extortion demand to make it stop.
Other cyberattacks include brute-force attacks, SQL injection, and other forms of social engineering.
External risks can come from a variety of sources, including competitors, nation-states, individuals, or hacktivist groups.
Internal cyber risk: malicious or mistake?
External threats are scary, but about half of cyber risk comes from inside the house: Forrester found that 46% of breaches in 2019 involved insiders such as employees and third-party partners.
When you think of internal cyber risk, you may think of malicious insiders. There are certainly incidents of cyber risk coming from employees-gone-wrong; nearly half of the internal breaches recorded by Forrester in 2019 were the result of abuse or malicious intent. However, malicious intent among insiders is on the decline, sliding from 57% in 2018 to 48% in 2019. That’s both the good news and the bad news: while malicious intent is on the downswing, employee and third-party mistakes are on the rise.
Mistakes like misconfigured Amazon Web Services S3 buckets or servers, unpatched software, and similar issues are a real source of cyber risk for an organization. Often, a mistake by an employee who hasn’t been trained in proper cyber hygiene is exactly what opens the organization up to an external threat.
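The misconfigured-bucket case above is one a practitioner can check mechanically. The following is an added example, not code from the original article or from any SecurityScorecard product: it inspects an S3 bucket policy and bucket ACL (in the JSON shapes that `aws s3api get-bucket-policy` and `get-bucket-acl` return) and reports statements or grants that expose the bucket to anonymous or any-AWS-account principals. The sample policy, ACL, bucket name, account ID and VPC endpoint ID are constructed for the example and belong to no real account.

```python
import json

# Canned group URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True when a statement's Principal means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return (Sid, actions, conditioned) for each Allow statement open to anonymous principals.

    `conditioned` is True when the statement carries a Condition block. Such a
    statement may be legitimately narrowed (e.g. to a VPC endpoint), so it is
    flagged for review rather than failed outright.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append((stmt.get("Sid", "<no Sid>"), actions, bool(stmt.get("Condition"))))
    return findings


def public_acl_grants(acl):
    """Return (group description, permission) for ACL grants to the public groups."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            grants.append((PUBLIC_ACL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return grants


def audit_bucket(policy_document, acl):
    """Run both checks and return a list of human-readable findings for one bucket."""
    policy = json.loads(policy_document) if policy_document else {}
    findings = []
    for sid, actions, conditioned in public_policy_statements(policy):
        severity = "REVIEW" if conditioned else "FAIL"
        findings.append(
            f"{severity}: policy statement '{sid}' allows {', '.join(actions)} to anonymous principals"
        )
    for who, perm in public_acl_grants(acl):
        findings.append(f"FAIL: ACL grants {perm} to {who}")
    return findings


# Constructed sample documents (hypothetical bucket, account and VPC endpoint).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL):
        print(line)
```

Two caveats for anyone adapting this: account-level and bucket-level S3 Block Public Access settings can override both a public policy and a public ACL, so a complete audit reads those settings too before declaring a bucket exposed; and a `Deny` statement elsewhere in the policy can also neutralize an `Allow`, which this check does not evaluate.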
How can you mitigate your cyber risk?
1. Take stock of your most valuable digital assets
The first thing you’ll want to do is identify the various assets that could be compromised by cybercriminals. These assets might be physical (like computers) or intangible (like data or networks). You’ll want to understand which of these assets criminals might want to target, which are most at risk of being targeted, and which are not adequately secured.
2. Identify the cyber risks, past and present
Once you’ve identified the assets you need to protect, you’ll need to identify the risks that could affect those assets. Every potential threat, including new and emerging risks, should be identified.
3. Plan for an attack
When an attack happens, how will your company respond? Part of mitigating risk is having a well-thought-out plan in advance — if you have to respond to an attack on the fly, you may not make the best decisions. The cost of a data breach can be staggering, but the Ponemon Institute finds that one of the best ways to mitigate the cost of an attack is to plan for one.
4. Review your controls
You may already have controls in place to prevent the risks you’ve identified or to respond to attacks if they occur. Review the controls you have in place to make sure they adequately cover your current risks. Continuous risk monitoring is important because the risk landscape is constantly changing.
5. Build a culture of cybersecurity in your organization
Security is everyone’s job. Training and good cyber hygiene practices go a long way towards keeping an organization safe from some of the attacks that can do the most harm, like phishing or other social engineering-related breaches.
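Steps 1 through 4 above can be carried through as a small risk register. The following is an added worked example, not code from the original article: it scores each asset/threat pair for inherent risk, applies the controls that are actually in place to get residual risk, ranks the results, and reports the threats with no control at all and the controls that were planned but never deployed. The 1-to-5 scales, the multiplicative treatment of independent controls, and the assets, threats, and controls themselves are assumptions made for this example.

```python
from dataclasses import dataclass

# Assumed scoring scales for this example (not an industry standard):
# asset value and threat likelihood both run 1 (low) to 5 (high),
# so inherent risk is 1..25.


@dataclass(frozen=True)
class Asset:
    name: str
    value: int            # business impact if compromised, 1..5


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str            # Asset.name this threat targets
    likelihood: int       # 1..5


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str        # Threat.name
    effectiveness: float  # fraction of likelihood removed when in place, 0.0..1.0
    in_place: bool = True


def inherent_risk(asset, threat):
    """Steps 1 and 2: risk before any control is applied."""
    return float(asset.value * threat.likelihood)


def residual_risk(asset, threat, controls):
    """Step 4: risk left after every in-place control for this threat is applied.
    Controls are assumed independent, so their remaining fractions multiply."""
    remaining = 1.0
    for control in controls:
        if control.mitigates == threat.name and control.in_place:
            remaining *= 1.0 - control.effectiveness
    return inherent_risk(asset, threat) * remaining


def build_register(assets, threats, controls):
    """Return one row per threat, sorted by residual risk, highest first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for threat in threats:
        if threat.asset not in by_name:
            raise ValueError(f"threat {threat.name!r} targets unknown asset {threat.asset!r}")
        asset = by_name[threat.asset]
        rows.append({
            "threat": threat.name,
            "asset": asset.name,
            "inherent": inherent_risk(asset, threat),
            "residual": residual_risk(asset, threat, controls),
        })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


def control_gaps(threats, controls):
    """Threats with no in-place control, and controls planned but not yet deployed."""
    covered = {c.mitigates for c in controls if c.in_place}
    uncovered = [t.name for t in threats if t.name not in covered]
    pending = [c.name for c in controls if not c.in_place]
    return uncovered, pending


# Constructed sample inventory (hypothetical organization).
ASSETS = [Asset("customer-db", 5), Asset("marketing-site", 2)]
THREATS = [
    Threat("ransomware", "customer-db", 4),
    Threat("phishing credential theft", "customer-db", 5),
    Threat("ddos", "marketing-site", 3),
]
CONTROLS = [
    Control("offline backups", "ransomware", 0.5),
    Control("mfa", "phishing credential theft", 0.8),
    Control("security awareness training", "phishing credential theft", 0.3, in_place=False),
]

if __name__ == "__main__":
    for row in build_register(ASSETS, THREATS, CONTROLS):
        print(f"{row['threat']:<26} {row['asset']:<15} "
              f"inherent={row['inherent']:>4.1f} residual={row['residual']:>4.1f}")
    uncovered, pending = control_gaps(THREATS, CONTROLS)
    print("no control in place:", uncovered)
    print("planned, not deployed:", pending)
```

With the sample data, phishing has the highest inherent score but MFA pushes its residual risk below the DDoS threat, which has no control at all; the register therefore points the next investment at the marketing site, and the gap report shows that awareness training is still only on paper. That re-ranking is the point of step 4: review controls against current risks rather than against the original inventory.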
How SecurityScorecard can help
SecurityScorecard helps you identify and mitigate your company’s cybersecurity risk by quickly finding the weaknesses in your controls and the threats to your organization.
Our SecurityScorecard Ratings allow you and your organization’s business leaders to continuously monitor the most important cybersecurity KPIs for your extended enterprise. Our security ratings use an A-F scale across thirteen factors and automatically generate a recommended action plan whenever an issue is discovered.
We let you see your security from the outside, just as attackers see it, so you can close the gaps before a breach happens.