This ultimate guide provides a comprehensive review of cyber risk, including:
Definition of cyber risk
Key components of cyber risk
Threat actors who exploit cyber risk
Common sources of cyber risks and their impacts
Real-world examples of cyber risk exploitation
Consequences of cyber threats for businesses
Cyber risks and cybersecurity challenges
Mitigating cyber risk
Cyber risk management best practices and practical guidance
What is a cyber risk assessment?
Protecting the enterprise from evolving cyber risk
Resources to support cyber risk management
FAQ
Definition of cyber risk
Cyber risk is the chance of loss from a cyber attack or data compromise (e.g., a breach or accidental loss) that results from cyber threats or vulnerabilities in networks and digital systems. Cyber risk encompasses both the potential consequences and the likelihood that a cyber attack will succeed. Cyber risk management involves IT and security teams as well as non-technical areas of an organization, such as finance and supply chain teams.
Key components of cyber risk
The main components of cyber risk relate to the threat itself and include the following.
Capability
Capabilities include the skills, resources, and techniques that a cyber criminal uses to turn a cyber risk into successful exploitation.
Likelihood
After assessing a cyber risk, the chance of it occurring is determined. This likelihood helps categorize and prioritize a cyber risk within the context of other cybersecurity tasks.
Motivation
Understanding the drivers behind a cyber attack can help assess likelihood as well as identify potential targets. As discussed under threat actors below, cyber criminals have varying motivations.
Opportunity
Opportunity is usually determined by access potential: whether a cyber criminal already has access, or is likely to be able to gain it, helps determine the magnitude of cyber risk. Vulnerabilities also offer opportunities for cyber attackers.
Threat actors who exploit cyber risk
When considering the impact of cyber risks, an understanding of who is behind the threats can explain what the effects will be if exploits are successful. Several of the common attack profiles and their motivations are as follows.
- Competitors—conduct illicit activities to steal trade secrets or other sensitive corporate information.
- Cyber criminals—primarily motivated by financial gain and use various tactics to steal sensitive data or other valuable assets.
- Hacktivists—seek to disrupt specific organizations for political or social reasons.
- Nation states—target sensitive government data or critical infrastructure.
Cyber risk exposure is usually associated with cyber criminals and cyber attacks, but it can also be accidental. For instance, an employee may inadvertently expose sensitive data by accidentally sending an email to the wrong person. IT issues, such as unpatched systems, open ports, misconfigurations, or vulnerabilities in third-party software or systems, can also cause exposure.
Common sources of cyber risks and their impacts
There are a near-infinite number of cyber risks—some general and others applicable to specific industries or types of users. Several commonly seen cyber risks include the following. Understanding these can help identify the more nuanced cyber risks.
API vulnerabilities
The extensive use of application programming interfaces (APIs) to connect applications and systems creates cyber risks. Several of the top API vulnerabilities that create cyber risk are broken object-level authorization, inadequate user authorization, injection attacks, excessive data exposure, lack of rate limiting, and insecure direct object reference (IDOR). These, along with insecure coding practices, make APIs a significant cyber risk.
Cloud vulnerabilities
Gaps in cloud computing environments create cyber risks that cyber attackers exploit to gain unauthorized access, disrupt services, and steal data. The most common cyber risks associated with cloud environments are human errors and misconfigurations.
Compliance deficiencies
Failure to comply with the security requirements set forth in regulations and standards not only puts an organization at risk for penalties but leaves gaps in security. The security measures that come with these rules reflect best practices designed to address known attack vectors. Cyber risks associated with compliance deficiencies range from exposure to malware and ransomware to phishing attacks and distributed denial of service (DDoS) attacks.
Ineffective access management
A number of cyber risks are associated with ineffective access management. Among the most common access management issues are granting users access to unauthorized data, allowing logins from unauthorized internet protocol (IP) addresses, a lack of visibility into user access privileges, and poorly defined access policies.
Insider threats
Insider threats are a serious cyber risk because they come from internal users with authorized access privileges. These are usually associated with malicious activities, such as disgruntled employees sabotaging systems, exfiltrating data, or being tricked or coerced into performing misdeeds on behalf of an external cyber criminal. In other cases, internal users simply make mistakes, sharing sensitive information accidentally or losing a device, which is then compromised.
Insufficient data security
Data security lapses can occur in a number of ways. Failing to encrypt sensitive data at rest and in transit exposes it to unauthorized access if the data is intercepted or if a cyber criminal gains access to the data where it is being stored. Another data security issue is caused by data leakage, where sensitive data is exfiltrated.
Lack of visibility
With organizations using many distributed applications and systems, often through the cloud, IT and security teams struggle to gain comprehensive visibility. This leads to a number of elusive vulnerabilities that IT and security teams have difficulty identifying, contextualizing, prioritizing, and mitigating because they cannot monitor many of these tools.
Misconfigurations
Vulnerabilities and misconfigurations in code, especially infrastructure as code or IaC, drive cyber risk in applications and systems. Misconfigurations are often found in containers, virtual machines, and serverless environments, which are difficult for IT and security teams to see and manage.
Poor identity and access management
A number of cyber risks are the result of poor identity and access management policies and enforcement. Access management issues that drive cyber risk include a lack of visibility into identities and associated access privileges, weak authentication, poor password protocols, policy misconfigurations, and not having a standardized, automated process for managing identity lifecycles.
Shadow IT
With the easy accessibility of cloud services and applications, users frequently create and use accounts without the knowledge of IT and security teams. Lacking visibility into these creates security gaps that cause cyber risk. The biggest cyber security risk is data loss caused by users storing sensitive information without proper security and sharing sensitive information with unauthorized parties.
Third-party vendor risk
Third- and fourth-party vendors are responsible for significant cyber risk as they often have access to sensitive data and systems but may not have the level of security necessary to protect them properly.
Real-world examples of cyber risk exploitation
The following real-world examples illustrate how threat actors exploit cyber risks. These examples provide context that can help identify and optimize remediation efforts and defensive tactics.
Ransomware
The Colonial Pipeline ransomware attack in May 2021 exploited a compromised virtual private network (VPN) account that lacked multi-factor authentication (MFA). Attackers gained initial access through this vulnerable account. Then, they took advantage of a lack of network segmentation to spread and infiltrate Colonial Pipeline’s systems, encrypt data, and demand a ransom payment to restore access.
Phishing
The Target data breach in 2013 exploited several cyber risks. The attackers first acquired credentials from a phishing attack on a third-party vendor. Because of a lack of network segmentation, the attackers were able to move laterally across the network and gain access to the point-of-sale (POS) network. They were able to install malware on POS devices that allowed them to collect and exfiltrate credit card data from transactions in real time.
Cloud misconfigurations and poor access management
The Capital One data breach in 2019 was the result of a combination of misconfigurations in cloud infrastructure and insufficient access controls within its Amazon Web Services (AWS) environment. The misconfigurations allowed the attackers to execute a server-side request forgery (SSRF) attack and gain access to credentials for privileged accounts. The compromised AWS environment also had misconfigured permissions that allowed broader access than necessary. Additionally, Capital One’s cloud storage contained personal information, including Social Security Numbers, addresses, credit scores, and bank account details, which were not encrypted.
API exploit
In the Facebook-Cambridge Analytica data scandal, Cambridge Analytica leveraged vulnerabilities in Facebook’s API infrastructure to collect data on 87 million users without their consent. This exploit was possible because of overly permissive data access via the API, which enabled access to both direct users’ and their friends’ personal data. This lack of granular access controls and inadequate monitoring of third-party developers enabled Cambridge Analytica to compile vast amounts of data for targeted political advertising, which resulted in massive fines for Facebook.
Insider threat
A well-known example of an insider threat exploit is Edward Snowden’s leak of classified information from the U.S. National Security Agency (NSA) in 2013. Snowden, working as a contractor for the NSA, used his authorized access to gather and steal highly sensitive documents. Several cyber risks were exploited in this example, including over-permissive privileged access and insufficient monitoring.
Supply chain attack
In 2020, attackers compromised SolarWinds’ software update system by inserting malware into updates of its platform. These infected updates were distributed to customers, including private companies and U.S. government agencies. Due to insufficient network segmentation at many of the organizations that installed the compromised software, attackers used Microsoft Office 365 vulnerabilities to access additional cloud assets through interconnected systems. Additionally, due to a lack of sophisticated detection mechanisms, the breaches went undetected for many months, partly because the attack mimicked legitimate traffic.
IoT botnet DDoS attack
The Mirai botnet attack in 2016 exploited several key cyber risks associated with Internet of Things (IoT) devices. This attack used a hardcoded list of common credentials to brute-force access to IoT devices, targeting devices with open Telnet and Secure Shell (SSH) ports. The botnet was used to launch massive DDoS attacks across the world.
Consequences of cyber threats for businesses
Because of the far-reaching implications of cyber risk, it is generally considered to be of the utmost importance for organizations. When cyber risks are exploited, the results can include data loss, financial loss, operational disruption, loss of productivity, and reputational damage.
The broad scope of cyber risk also makes it an important issue. Cyber risk vectors range from malicious activities, such as ransomware and other malware, to poor compliance management that creates vulnerabilities that can lead to legal actions and fines.
Cyber risks and cybersecurity challenges
Cyber risks continue to get more complex and difficult to combat. The rise of remote work and cloud-based systems has exponentially expanded organizations’ attack surfaces and increased cyber risk exposure.
Attackers are highly adept at finding weaknesses and exploiting them. Endpoint, mobile, and IoT devices are being targeted as they are considered a weak link in an organization’s security and a path to access data and other resources. In some cases, cloud-based collaboration platforms are being used to launch social engineering campaigns that avoid malware and phishing prevention systems used to protect email systems.
Complacency is also a factor that is contributing to the efficacy of cyber threats. When organizations have fulfilled their compliance obligations, many believe that this puts them out of the reach of cyber attackers. This is not the case. While compliance requirements elevate an organization’s overall security posture, cyber risk remains, and organizations must remain vigilant.
Several of the cybersecurity challenges that organizations face despite valiant efforts to shore up security systems are:
- 5G networks—compromised to gain access to data collected and stored on devices
- Generative AI—used to create highly targeted campaigns, including phishing and deep fakes, to compromise accounts and gain unauthorized access
- Mobile malware—designed to exploit inherent weaknesses in mobile devices and their communication protocols (e.g., Wi-Fi and Bluetooth)
- Ransomware attacks—targeting critical business areas
Mitigating cyber risk
Three highly effective approaches to mitigating cyber risk are implementing cybersecurity measures, developing incident response plans, and conducting regular security awareness training.
Cybersecurity measures for vulnerability mitigation
- Asset discovery and inventories
- Attack surface reduction
- Configuration monitoring and management
- Continuous monitoring
- Cyber risk assessments
- Endpoint protection systems
- Security controls (e.g., technical controls, physical access controls, procedural controls, and network access controls)
- Security patch and software update management
- Threat detection systems
- Vulnerability assessments
Incident response and crisis management
Create a detailed incident response plan that:
- Outlines the immediate actions to be taken when an incident occurs
- Establishes communication protocols to inform stakeholders
- Defines steps for system recovery
- Includes a schedule for testing the plan and incorporating updates
- Incorporates lessons learned from past incidents
Cybersecurity awareness and prevention
Regular cybersecurity training plays a key role in reducing cyber risk. These programs should help employees understand:
- Common forms of attacks
- Ways to recognize phishing attempts and other social engineering ploys
- Importance of strong passwords
- Security policies and protocols
Cyber risk management best practices and practical guidance
Apply a risk-based vulnerability management approach to managing, mitigating, and remediating cyber risks.
- Close any unused accounts.
- Identify and inventory all digital assets and keep the inventory up to date.
- Identify sensitive systems and the potential impact if they are damaged, disrupted, or otherwise compromised.
- Monitor access privileges and adjust them to ensure that only the minimum access needed to perform tasks is granted.
- Terminate accounts when users are no longer part of the organization.
- Use machine learning and predictive prioritization tools to identify vulnerabilities and assess their potential impact.
What is a cyber risk assessment?
Organizations use cyber risk assessments to proactively identify and evaluate potential threats that could compromise their data, systems, or operations. Cyber risk assessments examine vulnerabilities, the threat landscape, and the effectiveness of existing security controls to estimate the likelihood and impact of potential cyber incidents. By conducting cyber risk assessments, organizations are better able to prioritize risks and develop strategies to mitigate, transfer, or accept them based on their risk tolerance.
In addition to likelihood and impact, other areas to consider when conducting a risk assessment are:
- Asset identification to catalog critical assets, such as data, systems, software, and hardware that are potentially at risk
- Threat identification to provide insight into potential internal and external threats that could exploit vulnerabilities, such as malware, phishing, ransomware, and insider threats
- Vulnerability assessment to analyze existing weaknesses in systems, software, processes, or policies that attackers could exploit
- Current control evaluation of the effectiveness of existing security controls and defenses, such as firewalls, encryption, and access controls
A simple formula for calculating cyber risk is:
The potential monetary and operational impact of a threat + the likelihood of exploitation = cyber risk
Additional considerations when measuring cyber risk include time to:
- Identify risks
- Assess risks
- Prioritize responses to risks
- Remediate identified risks
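The assessment steps above can be carried through as a small risk register. The following is an added example, not part of the original guide: it applies the guide's formula (impact + likelihood = cyber risk) on assumed 1-5 ordinal scales, models existing controls as lowering likelihood (an assumption, not the guide's), maps scores to mitigate/transfer/accept treatments using assumed risk-tolerance thresholds, and computes time to remediate from constructed dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Ordinal rating scales are an assumption for this example; the guide names no scale.
# Impact and likelihood are each rated 1 (very low) to 5 (very high).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class RiskEntry:
    asset: str                       # from asset identification
    threat: str                      # from threat identification
    vulnerability: str               # from vulnerability assessment
    impact: int                      # 1-5: monetary and operational impact if the threat succeeds
    likelihood: int                  # 1-5: chance of exploitation before existing controls
    control_effectiveness: int = 0   # 0-3: assumed model of how far current controls lower likelihood
    identified: Optional[date] = None
    remediated: Optional[date] = None


def _check_scale(value: int, name: str) -> None:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")


def residual_likelihood(entry: RiskEntry) -> int:
    """Likelihood after crediting existing controls (never below the scale minimum)."""
    _check_scale(entry.likelihood, "likelihood")
    return max(SCALE_MIN, entry.likelihood - entry.control_effectiveness)


def risk_score(entry: RiskEntry) -> int:
    """The guide's formula: impact + likelihood = cyber risk (2..10 on these scales)."""
    _check_scale(entry.impact, "impact")
    return entry.impact + residual_likelihood(entry)


def treatment(score: int, tolerance: int = 4) -> str:
    """Map a score to mitigate / transfer (e.g., insurance) / accept.

    Thresholds express an assumed risk tolerance; tune them to the organization."""
    if score >= 8:
        return "mitigate"
    if score > tolerance:
        return "mitigate or transfer"
    return "accept"


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest score first; ties broken by impact, then asset name for stable output."""
    return sorted(register, key=lambda e: (-risk_score(e), -e.impact, e.asset))


def time_to_remediate(entry: RiskEntry) -> Optional[int]:
    """Days from identification to remediation, or None while the risk is still open."""
    if entry.identified is None or entry.remediated is None:
        return None
    return (entry.remediated - entry.identified).days


# Constructed sample register; ratings are illustrative, not measured values.
SAMPLE_REGISTER = [
    RiskEntry("customer database", "ransomware", "VPN account without MFA", 5, 4, 0,
              date(2024, 3, 1), date(2024, 3, 15)),
    RiskEntry("POS network", "third-party credential phishing", "flat network, no segmentation", 5, 3, 1),
    RiskEntry("marketing file share", "email sent to wrong recipient", "no data loss prevention", 2, 3, 1),
    RiskEntry("IoT cameras", "credential brute force", "default credentials, open Telnet", 3, 5, 3),
]

if __name__ == "__main__":
    for entry in prioritize(SAMPLE_REGISTER):
        score = risk_score(entry)
        print(f"{score:>2}  {treatment(score):<21} {entry.asset} / {entry.threat}")
```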
Protecting the enterprise from evolving cyber risk
Proactive defense is the best approach to protect the enterprise from evolving cyber risk. IT and security teams need to stay on top of the latest trends in security solutions as well as the threat landscape. Unfortunately, as security advances, so do the cyber criminals, who continually evolve attack vectors to evade new security measures.
The evolving threat landscape
Cyber attack trends reflect the evolving threat landscape. The following are several key threats that organizations should be aware of to manage and mitigate cyber risk effectively.
- AI and ML-powered attacks
- Gen-AI-powered targeted phishing attacks
- IoT and mobile device vulnerabilities
- Mega attacks
- Quantum computing threats
- Ransomware
- Security skills gap and staffing issues
- Supply chain attacks
- Third-party vendor vulnerabilities
- Zero-day attacks
Advanced technologies and practices for evolving cyber risk mitigation
AI is at the heart of most advanced cyber risk management and mitigation solutions and practices. It gives organizations the ability to manage an increasingly complex threat landscape by leveraging the power of machines to process information faster and in ways that humans cannot.
AI tools can collect, aggregate, and correlate threat intelligence to identify and respond to cyber attacks in real time. AI also can automate responses to new and emerging attacks to help mitigate them quickly.
Resources to support cyber risk management
The following are several resources that can be used to bolster cyber risk management efforts. Used in conjunction with risk mitigation strategies and best practices, these resources can reduce organizations’ exposure to cyber risk.
Cyber risk management frameworks and standards
There are a number of freely available cyber risk frameworks and standards that are widely used to guide cyber risk strategies and programs. These cyber risk frameworks and standards are designed to meet a variety of requirements, and some are geared to support specific types of organizations. Often, several frameworks and standards are used in conjunction.
Examples of frameworks and standards used to support cyber risk initiatives are:
- NIST SP 800-53 provides detailed security and privacy controls (e.g., access control, incident response, and configuration management) for federal information systems and organizations but is also widely used by other organizations
- NIST Cybersecurity Framework (CSF) offers a broader framework to help organizations identify, protect, detect, respond, and recover from cyber threats, as well as improve resilience against evolving cyber risks
- ISO/IEC 27001 provides a systematic approach to protecting sensitive data and reducing the risk of compromised confidentiality, integrity, and availability
- Center for Internet Security (CIS) Controls are a set of best practices that focus on asset management, access control, and incident response to mitigate cyber risks and help organizations prioritize security and risk management efforts and comply with industry standards
- ISACA Risk IT Framework provides a comprehensive approach to managing IT-related risks that integrates IT risk management with business objectives and focuses on identifying, assessing, and mitigating risks across the organization
- MITRE ATT&CK Framework provides a comprehensive knowledge base of tactics, techniques, and procedures (TTPs) used by attackers to help organizations assess and mitigate cyber risks effectively by identifying vulnerabilities and understanding how adversaries exploit them
Risk assessment and management tools
There are a number of tools available to support cyber risk management efforts. These range from assessment tools to systems that automate cyber risk oversight. Examples of the many tools that are available include:
- Cloud security and risk assessment tools evaluate cloud environments for misconfigurations, vulnerabilities, and compliance risks
- Governance, risk, and compliance (GRC) tools help teams manage cyber risk by aligning security, compliance, and governance with business objectives, as well as by tracking regulatory compliance, managing cyber risk policies, and supporting continuous monitoring
- Identity and access risk management tools manage risks related to user access and permissions across systems, enforcing least privilege access policies and monitoring identity-related threats
- Quantitative risk assessment tools use models to assess the financial impact of risks and assign probabilities and monetary values
- Qualitative risk assessment tools focus on the subjective evaluation of risks using likelihood
- Third-party and supply chain risk management tools assess and monitor the risks posed by vendors, partners, and suppliers
Threat intelligence platforms
A number of tools are available to provide insights into the latest threats and vulnerabilities affecting public and private organizations. The main categories of threat intelligence (strategic, tactical, operational, technical, and sector-specific) cover organizations’ different requirements.
- Strategic threat intelligence provides high-level intelligence focused on long-term trends and geopolitical risks and is mostly used by executives and decision-makers for strategic planning and security investment decisions
- Tactical threat intelligence focuses on the tools, techniques, and procedures (TTPs) used by threat actors; security teams use it to improve incident detection and response by identifying specific attack patterns, such as phishing or malware campaigns
- Operational threat intelligence provides real-time or near real-time intelligence about ongoing attacks or campaigns targeting specific industries and regions to help security operations centers (SOCs) proactively monitor and defend against current threats
- Technical threat intelligence offers technical details, such as IP addresses, malware hashes, and indicators of compromise (IOCs) used in attacks, for integration with security tools to block malicious activity proactively
- Sector-specific threat intelligence is tailored intelligence focused on threats affecting specific industries to help organizations address unique vulnerabilities and regulatory requirements
Incident response playbooks
Incident response playbooks offer detailed, predefined guidelines for managing and mitigating cyber risks during security incidents. They provide step-by-step instructions for detecting, containing, eradicating, and recovering from cyber attacks. Common types of incident response playbooks tailored for various cyber risks include the following.
- Data breach response playbooks detail processes for investigating and mitigating data breaches, including notifications to meet legal and regulatory requirements for breach disclosure
- Distributed denial-of-service (DDoS) response playbooks guide recovery efforts in the wake of DDoS attacks that overwhelm systems with traffic
- Insider threat incident response playbooks facilitate the detection and management of incidents caused by users with authorized access, including steps for monitoring to identify suspicious behavior, revoking access, and conducting internal investigations
- Malware incident response playbooks focus on infections such as viruses, ransomware, and Trojans and include guidance for how to isolate infected devices, identify the malware source, and restore systems from backups
- Phishing incident response playbooks provide steps for handling phishing emails, spear-phishing attempts, and email account compromise, as well as help employees identify malicious emails and administrators revoke compromised access and block associated domains and IPs
- Ransomware incident response playbooks offer guidance on how to rapidly respond to ransomware attacks, including containment, communication protocols, and recovery from backups, as well as considerations for whether to negotiate, pay the ransom, or initiate legal action
Cyber risk insurance policies
Cyber risk insurance reduces an organization’s exposure through risk transference. Insurance policies help offset any costs associated with a cyber-related incident, such as losses incurred through data destruction, hacking, data extortion, and data theft.
The two types of cyber risk insurance coverage are first-party and third-party. First-party cyber risk insurance covers the costs incurred by the insured organization. Third-party cyber risk insurance helps cover expenses related to damages or losses suffered by third parties, such as customers or vendors.
General coverage considerations when selecting a cyber risk insurance policy include:
- Breach investigation services (e.g., forensic experts)
- Communication support (e.g., public relations or crisis communications specialists)
- Cyber attacks that impact systems
- Data breaches
- Delivery of customer notifications
- Attacks on data stored by vendors and service providers
- Financial compensation for impacted customers
- Legal counsel to help with notifications and other regulatory requirements
- Legal expenses for a lawsuit or regulatory investigation
- Lost or stolen data recovery and replacement
- Penalties or fines related to the cyber incident
- Ransom
- Reimbursement for lost revenue due to operational disruptions
- Settlements related to mediation or lawsuits
Cyber risk awareness: The key to prevention
Cyber risk can be found in all areas of an organization. While most cyber risk is associated with IT, it is imperative to have organization-wide awareness of this challenge and its potential impact. Engaging users across the organization helps mitigate cyber risk and create a culture of security that is at the heart of vulnerability mitigation and a proactive security posture.