Inherent risk is a vulnerability within an organization before security measures are implemented. In contrast, residual risk is calculated after cybersecurity protections have been put in place to protect against all of these inherent risks; its calculation includes every possible attack vector that could affect a system or data.
Examples of inherent risks
Inadvertent Data Loss
The accidental deletion of files due to mistakes made by authorized users can be considered an inherent cybersecurity risk because it's something that will happen over time without protection. A company would need to implement software for backup storage as well as encryption so this type of event doesn't cause severe consequences like total file destruction.
Lack of antivirus software
The best protection against this inherent risk is a robust, well-funded cybersecurity program with the right combination of hardware and software protections in place.
Unauthorized access points
An unauthorized user gaining access to data on an unprotected network or device can lead to significant loss of information including:
- Personally Identifiable Information (PII) - Such as social security numbers and credit card details.
- Intellectual Property - Such as trade secrets or classified military documents.
- Financial Records - Such as banking accounts or databases containing personal customer profiles.
Inappropriate Data Handling
Employees mishandling sensitive data by using it for non-business purposes (such as accessing bank statements) could result in violations of company policies which may lead to lawsuits from customers
The liberal use of default passwords is, unfortunately, a common practice in the workplace. These passwords are always used by external threats during the initial phase of a credential stuffing attack because they have a very high success rate.
Infecting a device with malware such as ransomware can result in the loss of data, disruption of business operations caused by payment demands or denial-of-service attacks, and destruction of devices
Having employees click on links containing malicious content could result in networks being infected with viruses that will allow hackers to gain control over systems.
Employees violating company policies (such as downloading software for personal use) may be able to compromise corporate information
Difference between inherent risk and residual risk
Inherent risk is the inherent probability that a cybersecurity event may occur as a result of a lack of countermeasures. Residual risk, on the other hand, is what remains after risk mitigation efforts have been implemented. This means residual risk can be evaluated without consideration for inherent risks, that is the key difference between the two.
For example, a computer system susceptible to malware does not have antivirus software installed. This creates a high inherent risk as there are no countermeasures in place that protect against this threat.
Residual risk, on the other hand, will be low if antivirus software is installed and the user regularly changes their system passwords. Residual risks include social engineering tactics, phishing attacks and malware infections.
Residual risks will always be an issue despite the implementation of extensive cybersecurity controls. Rapid digital transformation is expanding the attack surface and multiplying digital risks. This makes residual risks dynamic, requiring a more comprehensive approach to cybersecurity.
For example, a staff member trained to recognize phishing emails may fall victim to fraudulent phone calls requesting login information. So it's not enough to mitigate residual threats individually, the entire threat landscape needs to be monitored.
Inherent risks may be present in any process, but the impacts will vary from one industry type to another. For example, healthcare organizations have inherent cybersecurity risks with their data management systems because they need to store large amounts of sensitive personal information.
On the other hand, financial institutions typically only have low-level inherent cybersecurity risks due to their use of advanced encryption technology for online banking (though this high standard is rarely met).
Why is inherent risk so important?
All organizations should be concerned about inherent risks because overlooking them significantly increases the chances of a data breach.
If an organization is not properly securing its data storage systems, there are no defense mechanisms in place to scramble unauthorized access attempts.
What is control risk?
Control risk is the likelihood that cyber incidents will exploit vulnerabilities with an IT ecosystem.
If left unaddressed, control risks can open a vast spectrum of attack vectors including data breaches and ransomware attacks.
Every organization should have formal plans in place to monitor their networks’ security status as well as work closely with qualified external experts who provide valuable insight into how best to increase defenses against potential threats.
How to measure inherent risks
The detection and measurement of all inherent risks will provide a rough evaluation of your security posture and the critical vulnerabilities exposing your sensitive data.
The management of inherent risks are particularly important for organizations in the financial industry, These businesses must conform to strict regulatory cybersecurity requirement to protect the Personal Identifiable Information (PII) of their customers.
One method of measuring inherent risk in the finance sector is using the Cybersecurity Framework FFIEC.
The Federal Financial Institutions Examination Council (FFIEC) has developed an assessment protocol to help finance organizations evaluate their level of risk to create an inherent risk profile.
Measuring third-party inherent risks
Inherent risks can also arise from external factors such as vendors, third parties, or service providers who may have access to your network. These can be difficult to measure since they require infight into the security programs of each third party.
The most convenient method of measuring third-party inherent risks is through an attack surface monitoring solution such as UpGuard.
UpGuard scans billions of data points throughout the internal and external cyberattack surface and displays a summary of all detected vulnerabilities in a clean dashboard. This streamlines the risk management process making it both efficient and scalable.
All detected vulnerabilities are categorized by level of security risk to help security teams efficiently distribute their remediation efforts.
How to manage third-party inherent and residual risks
Both residual and inherent third-party risks are best managed through risk assessments.
Risk assessments describe a vendor's current state of cybersecurity and all vulnerabilities that need to be addressed.
The assessment process is done through a series of questions, either created from a standard framework or completely custom designed.
In the absence of risk assessment management software, the framework below can be used to discover both inherent and residual risks throughout the IT ecosystem.
The below framework focuses on evaluating the state of security of an internal network.
To learn how to design risk assessments for your third-party vendors, refer to this post.
How to perform a risk assessment in 6 steps
Step 1: Audit your entire ecosystem
This includes everything from your internal devices, servers, and firewalls to every single device on the internet. Upon completion, you should have a baseline of the amount of risk threatening your data centers.
Your security team should identify what is currently connected, where they are located, and how they connect with other systems for a more complete understanding of risk exposure.
Audited systems should include processes, functions, and applications both internally and throughout the vendor network.
Here are some questions to help guide the audit process:
- What is the risk of a system being compromised?
- Who may be interested in compromising my information assets or information technology?
- If a breach occurs, what's the most likely method?
- What will be the business impact for each degree of a data breach?
- Are there any vulnerabilities that I am unaware of that could lead to compromise at some point down the line?
- How does data flow throughout the ecosystem?
Once this process has been completed, you should be left with a list of all devices in your environment, their vulnerabilities, and potential access points for exploitation
This information can then be used to prioritize areas of assessment. Some exposure will have a higher risk than others (i.e., customer-facing vs internal resources).
A high-level summary report could also be created detailing key findings such as missing patches, expired certificates, and identified third-party vendors so that this can be shared with team members and stakeholders
Step 2: Identify all possible threats
Cyber threats include those that are common to all sensitive resources and those that are unique to your information security setup.
Some examples of common threat types include
- Unpatched software: This is when a vendor releases an update to address the vulnerability, but not all users apply it. Such gaps in coverage can allow for possible exploitation of that vulnerability by attackers who exploit knowledge of this hole before other people know about it.
- Unsecured devices and data: This could include the lack of firewalls or insufficient security controls. Such unsecured devices are at a high risk of being exploited in a DDoS attack.
- Phishing scams: This is when an attacker sends emails or texts to a user with the aim of tricking them into clicking on a link, installing malicious software or relinquishing sensitive information.
- Data leakage: A data leak is an unintentional exposure of sensitive data on the internet. For example, an employee might upload a file containing customer data to an unsecured server.
- Lack of encryption: This is the storing, sending or transferring of information without converting it into ciphertext first.
- Social engineering: When a victim is tricked into giving up sensitive data. For example, when someone claiming to be from a police officer requests specific information about a customer.
- Poor password management: A poor password manager can lead to passwords being reused across accounts that may not have appropriate security controls in place. If one of these compromised accounts is targeted then all other associated accounts could also be at risk. An example of poor password management is not implementing multi-factor authentication.
- Reputational damage: This can happen when sensitive customer data is shared without permission with people who are not authorized to view them. For instance, if a company shares customer data with third parties without their consent, this breach of confidentiality could lead to negative publicity.
Step 3: Determine the impact of all inherent risks
This process is completed without considering the control environment. All of the inherent risks that were discovered in the preceding steps should be assigned a rating reflecting their level of impact if exploited.
- High Risk - A severely negative impact on your organization.
- Medium Risk - A damaging, yet recoverable impact.
- Low Risk - Minimal impact
Step 4: Audit your control environment
The control environment includes the policies, process controls, connection types, and security measures that are in place to mitigate risks.
Evaluate your control environment for compliance with basic information security principles such as segregation of duties; least privilege; use restrictions on access rights; centralized authorization and the periodic review of sensitive data holdings.
Each identified control should be assigned a satisfactory rating:
- Satisfactory - Policies and objectives are adequately met.
- Satisfactory with Recommendations - Policies and objectives are met, however, improvements are possible.
- Improvements Required - Policies, objectives and regulatory requirements are not sufficiently met.
- Inadequate - Not control, regulatory or policy standards are met.
Step 5: Estimate the likelihood of an exploitation
Referring to all identified environment controls, estimate the likelihood of a threat actor exploiting your vulnerabilities
- High Likelihood - Inefficient controls to defend against the list of potential cyber threats.
- Medium Likelihood - Environment control may be sufficient enough to disrupt the threat source.
- Low Likelihood - Environment control are sufficiently resilient to possible cyber threats, or threat actor isn't tempted by system vulnerabilities.
Step 6: Estimate your risk rating
An accurate risk rating is achieved through a highly complex calculation considering multiple attack vector variables to provide real-time rating updates. In the absence of such a solution, an estimated value can be calculated with the following equation:
Risk rating = Impact x Liklelyhood of exploit in the assessed control environment
To complete this equation, the different values for impact and likelihood can be found in the NIST Special Publication 800-30.
Inherent risk management with UpGuard
UpGuard monitors both the internal and third-party attack surface to discover all inherent risk that circumvent control measures. With the addition of Third-Party data leak detection and Third-Party Risk Management, UpGuard is the most comprehensive cyber risk management solution.
UpGuard also supports compliance across a myriad of security frameworks, including the new requirements set by Biden's Cybersecurity Executive Order.
Check if your website is vulnerable to cyber risks, CLICK HERE for a free instant security rating now!