Cyber risk is commonly defined as exposure to harm or loss resulting from data breaches or cyber attacks on information systems. That definition is too narrow. A more useful one is the risk of financial loss, disruption or reputational damage resulting from the failure of an organization's cybersecurity strategy and controls.
Cyber risk management doesn't end at your organization's boundary. Many organizations fail to account for their supply chain and service providers when measuring cybersecurity risk. Enterprise risk must take into account third-party risk (your vendors) and fourth-party risk (your vendors' vendors).
Preventing first- and third-party data breaches and data leaks has never been more important: the average cost of a data breach reached $3.92 million in 2019, and breaches involving a third party cost $370,000 more on average, for an adjusted average total of $4.29 million.
Table of contents
- How does cyber risk materialize?
- How to measure cyber risk
- What are the common sources of cyber risk?
- Why is it necessary to reduce cyber risk?
- How to reduce your cybersecurity risk
- Who should be involved with assessing cybersecurity risk?
- How UpGuard can reduce your cyber risk
1. How does cyber risk materialize?
Cyber risk materializes in a variety of ways:
- Deliberate data breaches that expose sensitive data or other valuable assets.
- Accidental data leaks or cloud leaks of personal information or intellectual property caused by misconfiguration of cloud services.
- Operational IT risks such as configuration drift, poorly secured Internet of Things devices, hastily adopted new technologies and S3 buckets opened to public access, any of which can lead to business interruption or to sensitive information being stolen in a cyber incident.
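As an added example (not from the original article), an offline check for the cloud-misconfiguration case in the last bullet: it evaluates an S3 bucket's policy document, its ACL grants and its Public Access Block settings in the JSON shapes the AWS API returns, and reports whether the bucket is reachable by anyone on the internet. The bucket name, account ID and role in the sample inputs are constructed; a real run would fetch them with GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock.

```python
"""Offline S3 public-exposure check (added example, not the article's code).

Evaluates the three signals that decide whether a bucket is public:
the bucket policy, the bucket ACL and the account/bucket Public Access
Block. The sample inputs at the bottom are constructed, not real buckets.
"""
import json

# ACL grantee groups that AWS treats as "everyone" / "any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """A Principal of "*" or {"AWS": "*"} means anyone, unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sids of unconditional Allow statements open to everyone.

    Statements with a Condition block are skipped here: a conditional grant
    (e.g. on aws:SourceVpce) may or may not be public and needs manual review.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if _principal_is_public(stmt.get("Principal")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(grants):
    """Return (group, permission) pairs where an ACL grants access to everyone."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def bucket_is_public(policy_json, grants, public_access_block):
    """Combine the signals. With all four Public Access Block flags on, a
    permissive policy or ACL is neutralised, which is why that control is
    the first thing to turn on."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    if all(public_access_block.get(f) for f in flags):
        return False
    return bool(public_policy_statements(policy_json)) or bool(public_acl_grants(grants))


# Constructed sample inputs (hypothetical bucket, account and role).
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]})
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "OwnerOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]})
LEAKY_ACL = [{"Grantee": {"Type": "Group",
                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}

if __name__ == "__main__":
    print("leaky policy + ACL, no PAB:", bucket_is_public(LEAKY_POLICY, LEAKY_ACL, PAB_OFF))
    print("same bucket, PAB fully on:", bucket_is_public(LEAKY_POLICY, LEAKY_ACL, PAB_ON))
    print("owner-only policy, no ACL: ", bucket_is_public(SAFE_POLICY, [], PAB_OFF))
```

The check deliberately treats conditional statements as "needs review" rather than "safe": the most common cloud leaks come from an unconditional `Principal: "*"` or an AllUsers ACL grant, and those two are exactly what it flags.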
Poorly managed cyber risk increases your exposure to threats like phishing, ransomware and other malware. In many cases, organizations suffer preventable attacks because of a slow vulnerability patching cadence. WannaCry is the concrete example: it spread through an SMB vulnerability that Microsoft had patched roughly two months before the outbreak, yet unpatched systems worldwide were hit, which shows how poor global cyber resilience is. Cyber criminals are a risk to small businesses and large multinationals alike.
Pair the growing risk of cybercrime with increased data breach notification laws and many businesses find themselves in the middle of a public relations nightmare as they struggle to recover lost assets and prevent further damage. Financial services and healthcare businesses are particularly high-value targets because they have vast amounts of personally identifiable information (PII).
2. How to measure cyber risk
Regardless of whether you are a small business or large multinational, you could be the target of cyber attacks. In fact, many small businesses are targeted by cyber criminals due to their lack of robust security solutions. The first step to measuring cyber risk is to understand what cyber threats your organization is exposed to.
In most cases, the larger your organization's internet-facing footprint, the larger your attack surface and the higher the cyber risk. Common cyber threats include:
- Email spoofing
- Domain hijacking
- Man-in-the-middle attacks
- Different types of malware
Security ratings are akin to credit ratings. Credit ratings take information about a prospective debtor and produce a grade from A+ down to C or D (riskier to lend to); security ratings do the same for an organization's security posture.
A security rating is derived from data: an organization's internet-facing cyber risk profile is assessed and aggregated, together with related technical and business data. Security ratings platforms also draw on databases of reported data breaches and of vulnerabilities such as CVE, and on the outputs of security monitoring: web application security, network security, security controls, endpoint security, penetration testing and malware protection.
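To make the credit-rating analogy concrete, here is an added example (not UpGuard's scoring model and not code from the article) of how an outside observer can grade a domain from records it can see without any privileged access: the SPF and DMARC TXT records that decide whether the domain can be spoofed in email (the first threat in the list above), plus whether the web front door enforces TLS. The records are constructed strings standing in for DNS answers; a real scanner would resolve them and fetch the site.

```python
"""Toy external-posture rating (added example, not the article's or UpGuard's code).

Grades a domain 0-100 from observable, unauthenticated signals: the SPF
'all' qualifier, the DMARC policy, and TLS enforcement on the website.
The sample records below are constructed for illustration.
"""


def parse_tag_value(record):
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' (DMARC tag=value syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(spf_record):
    """Score SPF 0-30. The final 'all' qualifier does most of the work:
    '-all' (fail) or '~all' (softfail) tell receivers to distrust unlisted
    senders, '+all' / bare 'all' / '?all' let anyone send as the domain,
    and no record at all leaves the domain fully spoofable."""
    if not spf_record or not spf_record.lower().startswith("v=spf1"):
        return 0, "no SPF record"
    terms = [t.lower() for t in spf_record.split()]
    if any(t.startswith("redirect=") for t in terms):
        return 20, "SPF delegated via redirect"
    last = terms[-1]
    if last == "-all":
        return 30, "SPF hard fail"
    if last == "~all":
        return 20, "SPF soft fail"
    if last in ("+all", "all", "?all"):
        return 5, "SPF permits any sender"
    return 10, "SPF without an 'all' mechanism"


def grade_dmarc(dmarc_record):
    """Score DMARC 0-40. Only p=reject actually stops spoofed mail; p=none
    merely reports. pct below 100 weakens an enforcing policy."""
    if not dmarc_record:
        return 0, "no DMARC record"
    tags = parse_tag_value(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return 0, "malformed DMARC record"
    policy = tags.get("p", "none").lower()
    score = {"reject": 40, "quarantine": 30, "none": 10}.get(policy, 0)
    pct = int(tags.get("pct", "100"))
    if pct < 100 and score > 10:
        score -= 10
    return score, f"DMARC p={policy} pct={pct}"


def grade_tls(https_enforced, hsts_present):
    """Score 0-30 for whether plain HTTP is redirected to HTTPS and HSTS is set."""
    if not https_enforced:
        return 0, "HTTP not redirected to HTTPS"
    return (30, "HTTPS enforced with HSTS") if hsts_present else (20, "HTTPS enforced, no HSTS")


def security_rating(spf_record, dmarc_record, https_enforced, hsts_present):
    """Aggregate the checks into a 0-100 score, a letter grade and the reasons."""
    parts = [grade_spf(spf_record), grade_dmarc(dmarc_record),
             grade_tls(https_enforced, hsts_present)]
    score = sum(points for points, _ in parts)
    grade = "A" if score >= 90 else "B" if score >= 70 else "C" if score >= 50 else "D"
    return score, grade, [reason for _, reason in parts]


# Constructed sample records for a hypothetical example.com.
HARDENED = ("v=spf1 include:_spf.example.net -all",
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.com", True, True)
WEAK = ("v=spf1 a mx ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com", True, False)
ABSENT = ("", "", False, False)

if __name__ == "__main__":
    for label, signals in (("hardened", HARDENED), ("weak", WEAK), ("absent", ABSENT)):
        score, grade, reasons = security_rating(*signals)
        print(f"{label:9s} {score:3d} {grade}  {'; '.join(reasons)}")
```

The weights are illustrative; the point is the shape of the thing: a rating is a weighted aggregate of independently checkable controls, so a drop in the score can be traced back to the specific record or header that changed.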
3. What are the common sources of cyber risk?
Cyber attacks are carried out for various reasons: financial fraud, information theft, activist causes, denial of service, degrading the user experience, or disrupting critical infrastructure and the vital services of a government or organization.
Common sources of cyber risk include:
- Nation states
- Cyber criminals
- Service providers
- Developers of substandard products and services
- Poor configuration of cloud services
- Corporate espionage
- New technologies like the Internet of Things
Cyber attacks can come from anywhere, even from your own employees who are given access to sensitive information. Even well-meaning employees can fall victim to phishing scams that steal sensitive data or install malware. Cloud computing and portable devices mean traditional perimeter security isn't always enough. CISOs need to be concerned with information exposed through cloud configurations and must educate staff about risks such as Wi-Fi based man-in-the-middle attacks.
4. Why is it necessary to reduce cyber risk?
Cybersecurity risk is part of any organization and isn't always under the control of your IT security team. Global connectivity, cloud services and outsourcing mean the attack surface has never been larger. This is why cybersecurity has become so important.
The C-suite and other business decision makers make technology-related risk decisions every day, in every department, often without knowing it. When your CMO trials a new email marketing tool, they are potentially introducing a significant cyber risk that could expose your customers' personally identifiable information (PII).
Organizations that expose their customer data, whether intentionally or accidentally, risk losing customers. In fact, the average data breach caused 3.9 percent of customers to stop using an organization's product or services.
Fines, legal fees, lost productivity and mitigation, remediation and incident response all cost money too. One Allianz white paper estimates the annual cost to the global economy from cyber crime at $445 billion.
Other costs are harder to quantify but are just as important and, more importantly, longer-lasting. These include lowered brand equity, reduced goodwill, loss of intellectual property and loss of competitive advantage.
It can be hard to show the value of investing in cyber risk mitigation because success is invisible. The absence of a cyber incident or the ability to show the event had less impact than it might have had isn't as concrete as increasing gross margin. But that doesn't mean managing cyber risk is any less important.
5. How to reduce your cybersecurity risk
A good place to start is with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and a threat intelligence exercise.
Cyber threat intelligence is about understanding what cyber threats your organization is exposed to and identifying similarities and differences between them in an accurate and timely manner.
Cyber threat intelligence is developed in a cyclical process referred to as the intelligence cycle. In the intelligence cycle, data collection is planned, carried out and evaluated to produce a report that is then disseminated and re-evaluated in the context of any new information.
The process is a cycle because during the gathering or evaluation process you may identify gaps, unanswered questions or be prompted to collect new requirements and restart the intelligence cycle.
Common ways to reduce cyber risk include:
- Automating vendor risk management
- IP attribution
- SOC 2 compliance
- Vendor management policy
- Defense in depth
- Network security
- Digital forensics
- SSL certificates
- Information risk management
- Cybersecurity risk assessments
- Information security
- Third-party risk management framework
- Vendor risk management
- Continuously monitoring third and fourth-party vendors' security posture
- Security questionnaires
- Automatic data breach and data leak detection
- Cyber insurance
6. Who should be involved with assessing cybersecurity risk?
The list of those responsible for securing physical and digital assets has rarely extended beyond cybersecurity, IT and physical security.
This can no longer be the case in today's technology-driven digital businesses. The Chief Information Security Officer (CISO) role is well established, but it is only recently that cybersecurity has become a topic of discussion among the broader executive leadership team and boards of directors.
The truth is every employee is a source of cyber risk. OPSEC failures have shown us that even oversharing on social media can provide attackers with the critical information they need to launch an attack. Something as simple as leaving a computer unlocked at a coffee shop or using public Wi-Fi can lead to a major data breach.
Software engineers need to ensure new releases don't introduce backdoors or vulnerabilities that can be exploited. HR professionals need to use secure applicant tracking systems to protect candidate data. Every employee has access to some form of sensitive data.
This is why cybersecurity awareness training is foundational to any cybersecurity strategy.
Managing cyber risk is a balancing act for all organizations, regardless of size and complexity. Some organizations take on too much risk, others arguably do not take on enough.
The emergence of cyber threats has complicated this equation further, and it has increasingly become a topic of C-suite and board-level discussion, as well as for financial analysts who see cybersecurity risk as a large component of overall business risk and of the current stock price. The consequences of a successful cyber attack or data breach can be fatal to a business's bottom line, brand reputation or the CEO's career.
The truth is organizations must take on some level of risk in order to drive performance and execute on their business strategy. Globalization, mergers and acquisitions, outsourcing, adopting new technologies, moving to the cloud and remote work all introduce cyber risk. And none of these trends look to slow any time soon.
Executive decision-makers need to understand the nature and magnitude of the risks they take on, and balance them against the benefits that come from taking them to make more informed decisions.
Cyber risk must be factored into an organization's overall risk appetite.
7. How UpGuard can reduce your cyber risk
There's no question that cybersecurity is more important than ever before. That's why companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data and prevent data breaches.
UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We can even alert you if their score drops.