Cyber Risk:
Definition, Common Types and How To Protect Against Them

Bart Lenaerts-Bergmans - March 20, 2023

In our rapidly expanding digital environment, every organization has operations, revenue, data and brand reputation that’s potentially at risk from a cyberattack. For organizations large and small, the focus needs to be on the cyberattack surface and managing cyber risk all while navigating changes in the market and continuing to delight customers.

Of course, that’s no small feat, so let’s take a closer look at cyber risk and the most common types that security teams face, as well as explore five tips that will help your organization turn the tables on threat actors to remain protected.

What Is Cyber Risk?

Cyber risk measures the likelihood (probability) that an attacker may exploit a cyber threat, as well as considers the potential impact of that bad event, such as the loss of confidentiality, integrity and availability of an organization’s information. Keep in mind that the total impact to an organization can include both tangible and intangible factors:

  • Tangible impacts are most often the variables leading to an organization’s financial losses, such as cost of paying a ransom, lost revenue from interrupted business operations, incident response expenses, legal fees and regulatory fines.
  • Intangible impacts are felt below the surface and most often take longer to see and quantify. Some examples include damage to brand trust, reduction in new customer acquisition and an increase in customer turnover.

Cyber risk has steadily increased over the last decade with the market seeing attacks grow both in volume and sophistication. In fact, researchers predict that more than 33 billion records will be stolen by cybercriminals in 2023, representing a 175% increase from just five years ago in 2018.1 Why is there so much growth? Well, it comes down to 2 main drivers: geopolitical tensions and an overall increase in cybercrime.

Information technology and the internet have surrounded our society. When geopolitical tensions rise between states or communities, IT infrastructure and data have become a new weapon. State actors as well as hacktivists use cyber attacks as part of their arsenal to obtain their objectives such as espionage, disrupt critical infrastructure or influencing campaigns

Cybercrime is a very lucrative business, so bad actors are highly motivated to advance their efforts and attack techniques to reap the financial rewards. In fact, cybercrime is such a moneymaker that it has grown to become the world’s third-largest economy (if it was a country) after the US and China, according to the World Economic Forum (WEF). Based on data from Cybersecurity Ventures, it is projected to cost the world $8 trillion in 2023 and $10.5 trillion by 2025.2

2023 Global Threat Report

Uncover notable themes, trends and events across the cyber threat landscape by downloading our 2023 Global Threat Report.

Download Now

External vs. Internal Cyber Risks

Cyber risk can originate from outside the organization (external risks) and inside the organization (internal sources of cyber risk).

External sources that create cyber risk include lone hackers, organized cybercrime groups, and government entities, as well as environmental events such as weather and earthquakes.

Internal threat sources are typically employees, contractors or partners with authorized access to the company’s network that abuse their privileged access and act maliciously for gains, such as espionage, fraud, intellectual property theft and sabotage.

Both types of cyber risks present their own set of unique challenges. Digital transformation is a huge driver in risk expansion, which makes external attacks difficult to manage for organizations. Now,  they have to anticipate many techniques a threat actor might use to gain a foothold into the company. Internal exploits are also troublesome because the malicious users are authenticated on the domain, and use legit tools which can make these threat actions hard to detect early.

While the impact of a successful event can be equally damaging for threat sources that originate from either inside or outside the organization, there’s a clear winner on which one organizations see most often. According to Verizon, data compromises are 75% more likely to result from external attacks than from an internal source.3

Most Common Types of Cyber Risk

Rapid innovations like cloud adoption, digital engagement and multi-channel customer touchpoints, as well as other emerging technologies have transformed the way companies operate in the last decade. At the same time, the evolutions in business operations have expanded an organization’s attack surface, fostering rapid advances in the cyber threat landscape where tactics and attack methods change and improve almost daily.

Internal and external malicious actors access a company’s network and data using several paths. This is also called an attack vector. Some of the most common attacks include:

Internal Risks

When thinking about internal cyber risk to your organization, it’s important to consider both accidental and intentional (malicious) acts in the scope.

Whether malicious or accidental, the most common internal cyber risks are derived from unprotected attack surfaces, such as:

  • Unmanaged exposed assets: When users aren’t properly deprovisioned or network access isn’t removed for decommissioned IT assets, it creates security risk exposure for the organization. These rogue risks can appear at any time since business environments change constantly.
  • Unpatched vulnerabilities: In the world of nonstop vulnerability exploits, keeping up with patch management plays an important role in safeguarding against cyber risk. Yet, 71% of IT and security pros find patching to be complex and time consuming.4
  • Identity, password hygiene: Corporate systems are constantly getting login attempts throughout the day where human or machine identities must be verified. Then, there’s the revolving door of passwords and user access to manage as employees join and leave the organization. Unfortunately, password hygiene or machines can be a weak link for organizations with 80% of all data breaches globally stemming from password security issues. 5  Machine identities (such as SSL certificates, SSH keys or signing certificates) also grow at record pace. Identity sprawl and bad management of keys exposes organizations to high risks.
  • Insufficient protection: As organizations adopt business-enabling technologies, such as pursuing cloud migration initiatives, implementing the appropriate protection for those new attack surfaces may lag behind (or not get adopted at all). In these scenarios, the organization is operating with insufficient security measures and the chance of a data breach with high impact is far more likely.
  • User security awareness and training: Your employees are often the last line of security defense where everything comes down to whether or not they decide to click on a link. Educating employees on the security dos and don’ts can make all the difference in reducing your organization’s exposure to this internal cyber risk.

External Risks

External risks from malicious outsiders can originate from many groups, including nation-state, eCrime and hacktivist adversaries. Over the course of 2022, these threat actors continued to prove their ability to adapt, splinter, regroup and flourish in the face of defensive measures.

One way external threat actors are so nimble is by leveraging sophisticated underground marketplaces for buying and selling ready-to-go attack kits. Phishing kits, pre-packaged exploits, website cloning tools and other kits have made it easier for bad actors to assemble and launch perfectly tailored attacks. Some of the most common attack techniques include:

  • Phishing and Spear Phishing: Actors set up fake sites, emails or voice mails tricking users into providing their credentials or executing a task by exploiting the human mind. Once in possession of the credential, actors can sell these via underground forums where they can be reused for implanting botnets, new impersonations or extortion.
  • Malware: Malware is any program or code that is created with the intent to do harm to a computer, network or server. Malware is the most common type of cyberattack, mostly because the term encompasses many subsets such as ransomware, trojans, spyware, viruses and any other type of malware attack that leverages software in a malicious way.
  • Exploits kits: An exploit kit is a toolkit that bad actors use to attack specific vulnerabilities in a system or code. Once they take advantage of these vulnerabilities, they perform other malicious activities like distributing malware or ransomware. These toolkits are named this way because they use exploits, code that takes advantage of security flaws and software vulnerabilities. While exploits can be written by security teams to prove potential threats, they are usually created by attackers.
  • Distributed denial-of-service (DDoS): A DDoS attack is a malicious, targeted attack that floods a network with false requests in order to disrupt business operations. As a result, users are unable to perform routine and necessary tasks, such as accessing email, websites, online accounts or other resources that are operated by a compromised computer or network. While these attacks don’t typically result in lost data, they cost the organization time, money and other resources in order to restore critical business operations.
  • SQL Injection: A SQL Injection attack leverages system vulnerabilities to inject malicious SQL statements into a data-driven application, which then allows the hacker to extract information from a database.

Learn More

Read our post on the different types of cyberattacks to go in-depth on how they might affect a business and learn different examples per type. Read: Types of Cyberattacks

5 Tips to Stay Protected From Cyber Risks

Many believe that only enterprise-sized companies are the sole receivers of cyberattacks, but small and medium-sized businesses are some of the biggest targets for threat actors. As a matter of fact, the market saw a 200% increase in incidents targeting organizations with less than 1,000 employees between 2021 and 2022.6

The takeaway: as adversaries keep changing their game, companies both large and small should remain vigilant in their security practices. Here are five tips that will help.

1. Take Inventory of Your Digital Assets

Asset inventory is a foundational element of every company’s security program. Without a comprehensive and current inventory, it introduces critical security gaps and elevates the risk of a data breach because you can’t protect an asset you don’t know you have.

Maintaining a good IT hygiene with real-time inventory of your digital assets will give your organization robust visibility over the computers, applications and accounts being used in your environment. That visibility will help your IT and security team build a complete security program that covers all of your digital assets.

2. Stay on Top of All Potential Threats

Speed, volume and sophistication of threat actors combined with a fast-expanding threat surface requires an approach where you start by knowing the threat actors and capabilities. This risk management strategy, also known as intelligence-driven defense, is based on the adversaries and the capabilities they pose against your organization’s information technology environment.

Understanding the threat actor doesn’t need to be complex or time-consuming, as long as the right threat intelligence is available. Because the adversary universe is vast and adversarial operations change quickly, your threat intelligence tools must be able to quickly sort through all of the available data to inform updates on the latest adversarial activities. Leveraging threat intelligence that allows you to build prioritized adversarial lists is the fuel that helps you stay on top of potential threats in today’s fast-changing threat environment.

Learn More

Explore our adversary universe site to stay on top of today’s global threat landscape and stay ready to protect your business.  Explore: Adversary Universe

Learn More: Adversary Universe

3. Have an Incident Response Plan

Incident response planning is important because it will help your organization react quickly when there’s a security incident to effectively minimize the impact and improve the recovery time. When it comes to incident response and having a foundation on which to build your plan, the National Institute of Standards and Technology (NIST) provides a solid framework to follow. Following this framework will give you a solid approach for ensuring all key stakeholders know their role and can act swiftly and with purpose when a response effort is required. It contains four phases of the incident response lifecycle:

  • Step #1: Preparation
  • Step #2: Detection and Analysis
  • Step #3: Containment, Eradication and Recovery
  • Step #4: Post-Incident Activity

Ensure your plan is documented and shared with all key stakeholders. You’ll also want to periodically update it so that it remains current. All relevant personnel should have access to the parts of the plan that pertain to their responsibilities and should be alerted when the plan is revised. In the spirit of continual improvement, your organization should also have a feedback loop that is initiated after a significant incident. This will help you gain insights into what went well and areas where you can implement improvements in order to strengthen the team’s future incident response coordination.

4. Implement a Comprehensive Cybersecurity Training Program

Employees are a company’s best asset but, often, the weakest link in protecting against cyber threats. The human element (e.g., falling for phishing, clicking on a link or simple human error) continues to drive security incidents, contributing to 82% of breaches in 2022.7 You can take care of those weak links and reduce the risk by implementing a cybersecurity training program that provides your employees with ongoing education. Notably, companies report reducing this internal cyber risk from 60% to 10% by within the first 12 months of providing employees with regular trainings.8

Your program should educate your people about common security risks, promote responsible online behavior and outline steps to take when they believe an attack may be in progress. Also, the training should be a mandatory task completed by every employee, regardless of level, location or job scope. That said, it may be wise to tailor learning programs based on job type or level of experience, as well as location.

5. Partner with the Right Cybersecurity Professionals

Safeguarding an organization from the range of cyber risks is a big task, requiring security staff and tools for protecting your environment — across your internal and external attack surfaces — from security intrusions and data breaches. To enable the ideal mix of people, process and technology for your organization’s security operations, you’ll want to have strong vendors and service providers in place wherever you have areas of need.

Whether you’re looking to partner with a cybersecurity vendor or a managed security service provider (MSSP), you should choose one that is reputable, has positive reviews and consistently maintains high levels of customer satisfaction. Ideally, your choice in a cybersecurity partner will be a long lasting relationship, so doing extensive research on the partner company before making your selection decision will go a long way to ensuring it’s a good fit for your company now and into the future.

Learn how you can supercharge your SOC and Incident Response teams with built-in adversary intelligence and get ahead of the attackers next move.

Visit Now

GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.