Inherent risks (IR) are vulnerabilities within an organization before a set of controls or auditing procedures have been implemented. IR management is a large part of enterprise risk management, which examines an entire company’s risk factors that could disrupt business operations and cause financial losses.
In contrast, residual risk is calculated after cybersecurity protections have been put in place to protect against these inherent risks. Its calculation includes every attack vector that could affect important systems and data, including the potential impact should a cyber attack occur.
Examples of Inherent Risks in Cybersecurity
These are the most common types of risks that can affect an organization:
Inadvertent Data Loss
The accidental deletion of files due to mistakes made by authorized users can be considered an inherent cybersecurity risk because it's something that could happen over time without protection. A company would need to implement software for backup storage and encryption, so this type of event doesn't cause severe consequences like total file destruction.
Lack of Antivirus Software
Antivirus software is often the first line of defense in detecting and removing viruses that have infected a computer or system. The best protection against this inherent risk is a robust, well-funded cybersecurity program with the right hardware and software protections.
Unauthorized Access Points
An unauthorized user gaining access to data on an unprotected network or device can lead to significant loss of information, including:
- Personally Identifiable Information (PII) - Includes social security numbers (SSN), names, email addresses, physical addresses, driver’s license numbers, and phone numbers
- Intellectual Property - Includes confidential trade secrets, classified military documents, copyrighted content, and patents
- Financial Records - Includes banking account details, financial statements, financial transactions, payment information, tax records, accounting ledgers, and business invoices or receipts
Inappropriate Data Handling
Employees mishandling sensitive data by using it for non-business purposes (such as accessing bank statements) could result in violations of company policies which may lead to lawsuits from customers. Failure to implement internal controls or security policies regarding data security can lead to the loss or theft of data.
Using default or simple passwords is a common practice in the workplace and everyday life. External threats attempt to guess these passwords during the initial phase of a credential-stuffing or brute-force attack because they have a very high success rate.
Without proper security controls or anti-malware software, users are at risk of a malware infection. A device infected with malware such as ransomware can result in the loss of data, business disruption, distributed denial-of-service (DDoS) attacks, and destruction of devices.
Poor technology and IT education often result in users failing to recognize phishing and social engineering scams. Employees clicking on malicious links could result in entire networks being infected with viruses that will allow hackers to gain control over systems.
Employees violating company policies (such as downloading software for personal use) may be able to compromise corporate information, creating insider threats. A lack of access control or privileged access to protect against employees accessing information they shouldn’t be able to view creates inherent risk.
Difference Between Inherent Risk and Residual Risk in Cybersecurity
Inherent risk is the probability that a cybersecurity event may occur due to a lack of countermeasures. Residual risk, on the other hand, is what remains after risk mitigation efforts and internal controls have been implemented. This means residual risk can be evaluated without consideration for inherent risks, which is the key difference between the two.
For example, a computer system that does not have antivirus software installed makes it susceptible to malware. This creates a high inherent risk as there are no countermeasures in place that protect against this threat.
Residual risk, on the other hand, is the remaining risk if antivirus software is installed and the user regularly changes their system passwords. Residual risks include social engineering tactics, phishing attacks, and malware infections. Residual risks will always be an issue, even with extensive cybersecurity controls. Rapid digital transformation is expanding the attack surface and multiplying digital risks. This makes residual risks dynamic, requiring a more comprehensive approach to cybersecurity.
For example, a staff member trained to recognize phishing emails may fall victim to fraudulent phone calls requesting login information. So it's not enough to mitigate residual threats individually because the entire threat landscape needs to be monitored.
Inherent risks may be present in any process, but the impacts will vary from one industry type to another. For example, healthcare organizations have inherent cybersecurity risks with their data management systems because they need to store large amounts of sensitive protected health information (PHI).
On the other hand, financial institutions typically only have low-level inherent cybersecurity risks due to their use of advanced encryption technology for online banking (though this high standard is rarely met).
Why is Inherent Risk so Important in Cybersecurity?
All organizations should be concerned about inherent cyber risks because overlooking them significantly increases their susceptibility to a data breach or data leak. If an organization is not properly securing its data storage systems, there are no defense mechanisms to thwart unauthorized access attempts.
There are three main types of inherent risks:
What is Control Risk (CR)?
Control risk in cybersecurity measures the likelihood that cyber incidents will exploit vulnerabilities within an IT ecosystem despite having a system of controls in place. These occur through a combination of both human error and faulty processes. Control risks can open a vast spectrum of attack vectors if left unaddressed.
Every organization should have formal policies to monitor their networks’ security status and work closely with qualified external security experts who can provide valuable insight into how to increase defenses against potential threats.
What is Detection Risk (DR)?
Detection risk in cybersecurity measures the chances that a cyber auditor fails to detect procedural risks or potential security gaps. Without a strict, formalized auditing procedure, there is inherent risk in the audit process that is left unchecked. There must be a control for measuring auditing efficiency and effectiveness to eliminate oversight and auditing failures.
How to Measure Inherent Risks
The detection and measurement of all inherent risks will provide a rough evaluation of your security posture and the critical vulnerabilities exposing your sensitive data. Most auditing standards measure the potential impact of inherent risks on an organization’s overall security posture.
Managing inherent risks is particularly important for organizations in the financial industry. These businesses must conform to strict regulatory cybersecurity requirements to protect the PII of their customers.
One method of measuring inherent risk in the finance sector is using the Cybersecurity Framework of the FFIEC. The Federal Financial Institutions Examination Council (FFIEC) has developed an assessment protocol to help finance organizations evaluate their level of risk to create an inherent risk profile.
Measuring Third-Party Cybersecurity Inherent Risks
Inherent risks can also arise from external factors such as vendors, third parties, or service providers who may have access to your network. These can be difficult to measure since they require insight into the security programs of each third party.
The most convenient method of measuring third-party inherent risks is through an attack surface monitoring solution such as UpGuard.
UpGuard scans billions of data points throughout the internal and external cyberattack surface and identifies all detected vulnerabilities in a clean dashboard and summarized reports. This streamlines the risk management process making it both efficient and scalable.
All detected vulnerabilities are categorized by level of security risk to help security teams efficiently distribute their remediation efforts.
How to Manage Third-Party Inherent and Residual Risks
Both residual and inherent third-party risks are best managed through risk assessments. Risk assessments describe a vendor's current state of cybersecurity and all vulnerabilities that need to be addressed.
In the absence of risk assessment management, the framework below can be used to discover both inherent and residual risks throughout the IT ecosystem. It focuses on evaluating the state of security of an internal network.
How to Perform a Cyber Risk Assessment in 6 Easy Steps
If your organization is looking to perform a cyber risk assessment or build a new audit risk model, follow these steps to get started:
Step 1: Audit Your Entire Ecosystem
This includes everything from your internal devices, servers, and firewalls to every device on the internet. Upon completion, you should have a baseline of the amount of risk threatening your data centers.
Your security team should identify what is currently connected, where they are located, and how they connect with other systems for a complete understanding of risk exposure.
Audited systems should include processes, functions, and applications throughout the vendor network.
Here are some questions to help guide the audit process:
- What is the risk of a system being compromised?
- Who may be interested in compromising my information assets or information technology?
- If a breach occurs, what's the most likely method?
- What will be the business impact for each degree of a data breach?
- Are there any unpatched vulnerabilities that could lead to compromise at some point down the line?
- How does data flow throughout the ecosystem?
Once this process has been completed, you should be left with a list of all devices in your environment, their vulnerabilities, and potential access points for exploitation.
This information can then be used to prioritize areas of assessment. Some exposure will have a higher risk than others (e.g., customer-facing vs. internal resources).
A high-level summary report can also be created detailing key findings such as missing patches, expired certificates, and identified third-party vendors so that this can be shared with team members and stakeholders.
Step 2: Identify All Possible Threats
Cyber threats include those that are common to all sensitive resources and those that are unique to your information security setup.
Some examples of common threat types include:
- Unpatched software: This is when a vendor releases an update to address a vulnerability, but not all users apply it. Such gaps in coverage can allow attackers who learn of the hole before other people know about it to exploit that vulnerability.
- Unsecured devices and data: This could include the lack of firewalls or insufficient security controls. Such unsecured devices are at a high risk of being exploited in a DDoS attack.
- Phishing scams: A phishing scam is when an attacker sends emails or texts to a user to trick them into clicking on a link, installing malicious software, or relinquishing sensitive information.
- Data leakage: A data leak is an unintentional exposure of sensitive data on the internet. For example, an employee might upload customer data files to an unsecured server.
- Lack of encryption: This is storing, sending, or transferring information without converting it into ciphertext first.
- Social engineering: Social engineering is when a victim is tricked into giving up sensitive data. For example, someone claiming to be a police officer requesting specific information about a customer is social engineering.
- Poor password management: Poor password management can lead to passwords being reused across accounts that may not have appropriate security controls. If one of these compromised accounts is targeted, all other associated accounts could also be at risk. An example of poor password management is not implementing multi-factor authentication.
- Reputational damage: This can happen when sensitive customer data is shared without permission with people who are not authorized to view them. For instance, if a company shares customer data with third parties without their consent, this breach of confidentiality could lead to negative publicity.
Step 3: Determine the Impact of all Inherent Risks
This process is completed without considering the control environment. All of the inherent risks discovered in the preceding steps should be assigned a rating reflecting their level of impact if exploited.
- High Risk - A severely negative impact on your organization.
- Medium Risk - A damaging yet recoverable impact.
- Low Risk - Minimal impact.
Step 4: Audit Your Control Environment
The control environment includes policies, process controls, connection types, and security measures to mitigate risks.
Evaluate your control environment for compliance with basic information security principles such as segregation of duties, least privilege, use restrictions on access rights, centralized authorization, and the periodic review of sensitive data holdings.
Each identified control should be assigned a satisfactory rating:
- Satisfactory - Policies and objectives are adequately met.
- Satisfactory with Recommendations - Policies and objectives are met. However, improvements are possible.
- Improvements Required - Policies, objectives, and regulatory requirements are not sufficiently met.
- Inadequate - No control, regulatory, or policy standards are met.
Step 5: Estimate the Likelihood of an Exploitation
Referring to all identified environment controls, estimate the likelihood of a threat actor exploiting your vulnerabilities:
- High Likelihood - Inefficient controls to defend against the list of potential cyber threats.
- Medium Likelihood - Environment control may be sufficient to disrupt the threat source.
- Low Likelihood - Environment control is sufficiently resilient to possible cyber threats, or system vulnerabilities don't tempt threat actors.
Step 6: Estimate Your Risk Rating
An accurate risk rating is achieved through a highly complex calculation considering multiple attack vector variables to provide real-time rating updates. In the absence of such a solution, an estimated value can be calculated with the following equation:
Risk rating = Impact x Likelihood of an exploit in the assessed control environment
The different values for impact and likelihood can be found in the NIST Special Publication 800-30.
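Steps 3 to 6 can be carried through on a small risk register, as in the sketch below. It is an added example, not part of the original article or any UpGuard tooling. The numeric weights (High=8, Medium=5, Low=2, taken here from the 0-10 semi-quantitative scale of NIST SP 800-30 Rev. 1), the mapping from control ratings to likelihood, the use of High likelihood for the pre-control score, and the banding thresholds are all assumptions to be replaced with your own values.

```python
# Added example: weights, mappings and thresholds are assumptions, not from the article.
from dataclasses import dataclass, field

# High/Medium/Low mapped to assumed 0-10 weights (NIST SP 800-30 Rev. 1 style).
WEIGHT = {"High": 8, "Medium": 5, "Low": 2}
ORDER = ["Low", "Medium", "High"]

# Step 4 control rating -> Step 5 likelihood (assumed mapping).
CONTROL_TO_LIKELIHOOD = {
    "Satisfactory": "Low",
    "Satisfactory with Recommendations": "Medium",
    "Improvements Required": "High",
    "Inadequate": "High",
}

@dataclass
class Risk:
    name: str
    impact: str                                    # Step 3 rating, controls ignored
    controls: list = field(default_factory=list)   # Step 4 ratings for this risk

def likelihood(risk):
    """Step 5: the weakest control drives likelihood; no controls means High."""
    if not risk.controls:
        return "High"
    return max((CONTROL_TO_LIKELIHOOD[c] for c in risk.controls), key=ORDER.index)

def band(score):
    """Bucket an impact x likelihood product (4 to 64) into a label (assumed cut-offs)."""
    return "High" if score >= 40 else "Medium" if score >= 16 else "Low"

def assess(register):
    """Step 6: rows of (name, inherent, residual, band), highest residual first."""
    rows = []
    for r in register:
        inherent = WEIGHT[r.impact] * WEIGHT["High"]        # before any controls
        residual = WEIGHT[r.impact] * WEIGHT[likelihood(r)]  # in the assessed environment
        rows.append((r.name, inherent, residual, band(residual)))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register using threat types named in Step 2.
REGISTER = [
    Risk("Unpatched software", "High", ["Improvements Required"]),
    Risk("Phishing scams", "Medium", ["Satisfactory", "Satisfactory with Recommendations"]),
    Risk("Lack of encryption", "High", ["Satisfactory"]),
    Risk("Data leakage", "Low", []),
]

if __name__ == "__main__":
    for name, inherent, residual, label in assess(REGISTER):
        print(f"{name:20} inherent={inherent:2} residual={residual:2} {label}")
```

A risk with no recorded controls keeps its inherent score as its residual score, which makes gaps in the Step 4 audit visible in the ranking.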
Manage Your Inherent Risk with UpGuard
UpGuard monitors the internal and external third-party attack surface to discover all inherent risks that circumvent control measures. With the addition of Third-Party data leak detection and Third-Party Risk Management, UpGuard is the most comprehensive cyber risk management solution.