Understanding Cyber Risks & How to Avoid Them

Today, there are a growing number of cyber risks for organizations of all sizes across all industries around the globe. While these cyber risks can certainly be quantified in terms of data loss, cyber risk has more far-reaching impacts such as threats to your operational resilience and potential financial losses and negative brand and customer impact.

Unfortunately, many organizations just don't have enough qualified staff, time, resources or experience to identify all of the potential cyber risks for their organization or make plans to prioritize and address them.

As such, threat actors are working overtime to target the likelihood that at least some risks within your organization haven't been mitigated. They're waiting for the right opportunity to exploit a cyber threat and take advantage of your weaknesses with potentially catastrophic outcomes.

As teams work around the clock to get a handle on cyber risk, the reality is the list grows in length, types, and complexity daily.

And, as we've seen since the coronavirus outbreak in 2020, most organizations are balancing cyber risk analysis and cyber risk management while often actively responding to multiple risks turned disruptions at the same time.

In fact, Allianz Risk Barometer 2022, which takes a look at top corporate risks for the next 12 months, ranks cyber perils as the biggest global concern for the year. That encompasses ransomware attacks, major IT outages, and data breaches. These concerns, even while still dealing with the pandemic, currently outrank other business disruptions, including supply chain issues and natural disasters.

This is the second time that cyber incidents have made it to the top of the list, with a surge in ransomware attacks leading the pack as a top cyber threat that increases cyber risk for all organizations.

The National Institute of Standards and Technology (NIST) defines cyber risk as the risk of "financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system."

In more simple terms, cyber risk takes into account the likelihood an attacker may exploit a cyber threat as well as the potential impact of that attack. Often, this is broken down into a calculation that looks something like this:

Cyber risk is the risk of potential negative impact to your organization if your information systems fail or are disrupted, damaged, or destroyed by unauthorized use or access. A cyber risk is all about the likelihood a cyber incident can expose or harm your organization.

While some may think of cyber risks specifically in terms of technology and data loss, cyber risk may result in brand or reputational damage, loss of productivity, and loss of revenue.

And, there is more than one type of cyber risk. While cyber risks generally focus on risks of doing business in an interconnected, online world, you may have other threats, for example, insider threats or corporate espionage.

Your cyber risks may be internal (for example, insider threats) or external (for example, cyber-attackers).

While cyber risk exploitation is generally intentional, for example a threat actor exploiting a known vulnerability, cyber risks may also be accidental, such as an accidental data exposure (for example, an email containing sensitive or protected information is unintentionally sent to an unintended or unauthorized user).

Cyber risks may also result from operational IT issues such as poor system integrity or lack of implementation of best practices for IT, risk management, or cybersecurity.

While the terms cyber risk and cyber threats are often used interchangeably, there are some notable differences between the two. First, a cyber threat is generally referred to as any incident in which an organization’s information systems could be impacted by unauthorized access to systems and networks, including the potential for data destruction, modification, or unauthorized release. An attacker can often exploit a cyber threat as part of a malicious act to damage or steal data.

While related, cyber risk is the potential impact of (or risk of) a cyber threat negatively affecting your organization. In terms of risk, it’s about looking at the potential for losses, not just related. To systems and data, but also financially and to your reputation and your ability to do business.

Cyber risk is relevant to all organizations because today, no organization is immune to a potential cyber-attack or other disruptive cyber issue. It was once industry thinking that cybercrime only targeted large enterprises where the potential for large-scale data grabs and financial payouts were greater. But today, any organization whose systems create, store, process, or store data could be at risk.

And, with a growing number of companies turning to cloud services providers in a shared environment, attackers could even be more interested in exploiting your cyber threats and increasing your cyber risks because they can often move laterally in interconnected systems unnoticed for longer periods of time with the potential for greater negative impact to your operations.

Cyber risk management is a key part of a mature cybersecurity program. It can help you better protect all of your assets, as well as your sensitive and protected data. Many compliance and regulatory mandates require some degree of cyber risk management.

Cyber risks are also relevant to your organization because by identifying where you have cyber risks, you can mature your operational resilience practices, building proactive and reactive defenses to prevent attackers from stealing your data. That's not just about your customer data, but can also include your organization's intellectual property and financial data.

Unfortunately, as the types and complexities of cyber threats evolve, many organizations just don't have the ability to keep up with that evolution. Already understaffed IT and security teams are stretched and many lack the tools and resources they need to effectively manage all the cyber risks identified, especially for organizations using traditional vulnerability scoring tools such as CVSS.

As enterprises continue to expand with more technology and asset adoption, along with continued migration into cloud environments, security infrastructure gets more complex. Teams often don't have any control of what happens with third-party applications, introducing even more cybersecurity risk into our environments.

Oui.Cybersecurity and cyber risk are related.

Cybersecurity encompasses all of the technologies, processes and practices your organization employs to protect your system and data. Your cybersecurity practices can help mitigate and remediate your cyber risks by directly addressing cyber threats and identifying and fixing gaps within your security program. A cyber-attack is an example of a cyber risk for your organization. Your cybersecurity practices can help decrease the likelihood and potential impact of that risk.

Oui.There are different types of cyber risks. Some cyber risks are internal. Others are external.

Some examples of internal cyber risks include device loss or theft; poor employee cyber hygiene; lack of employee education and training; unauthorized use of devices; unauthorized data access; corporate espionage; disgruntled employees wishing to do reputational or other types of damage; and data stealing or deletion of or damaging data and systems.

According to Cybersecurity Insiders' 2022 Insider Threat Report, more than half of companies surveyed indicated insider threats are more frequent than previous years. Another report, this one from PurpleSec's 2021 Cyber Security Statistics The Ultimate List Of Stats, Data & Trends, found that of the increased number of social engineer attempts that resulted in successful breaches, about 7% of those originated with a malicious insider.

Although insider cyber risks may be on the rise, much of today's cyber risk originates from external sources. For example, ransomware attacks, phishing schemes, vulnerability exploitation, and hacking. External cyber risks are generally related to external threats from outsiders attempting to gain unauthorized access to your systems and network. External cyber risks may include attempts to steal or compromise your organization's sensitive data.

Tenable's Measuring & Managing the Cyber Risks to Business Operations report, which was independently conducted by the Ponemon Institute LLC, identified these as some of the key KPIs organizations use to measure cyber risk:

• Délai d'évaluation des cyber-risques

• Délai de remédiation aux cyber-risques

• Identification of OT and IoT assets vulnerable to cyber risk

• Efficacité de la priorisation des cyber-risques

The report also identified additional KPIs often used to measure financial consequences of cyber risk, including:

• Perte de chiffre d'affaires

• Perte de productivité

• Chute du cours de l'action

While these KPIs are good, the reality is these traditional approaches to cybersecurity risk measurement are often inadequate. Pourquoi ?Well, first, they put a lot of attention on the technical side of cyber risk, without taking a closer look at other factors, such as business and financial impacts. Also, these KPIs are generally not very strategic and, for all of them, there is not much focus on the need to prioritize risk for effective remediation and cyber risk reduction.

What may even be worse is that 30% of those survey respondents said they can't correlate those KPIs with their ability to mitigate their cyber risks.

A number of organizations in this survey also indicated that they're not measuring the costs of cyber risk at all. En quoi est-ce important ?Measuring the financial costs of cyber risks is a way to illustrate the importance and value of your cybersecurity and risk management programs to your executives and key stakeholders. These leaders are those who'll make important business decisions that will affect your program support. Think of this in terms of personnel, time, finances and resources.

Many executives don't generally understand the scope and impact of cyber risks, even if they've seen news stories about some of the biggest headline-making events. By quantifying the costs of cyber risks, you can essentially better speak a language your executives understand—one that takes into account business goals and objectives. Think of your cyber risk measurements as a way to build your use case in a way that is directly related to your operational resilience.

The terms cyber exposure and cyber risk may be used interchangeably, but there are nuances. When we talk about cyber exposure, we're taking a deeper dive into risk, analyzing not just which risks exist, but also their potential impact, how we can prioritize addressing those risks, and what we're doing to reduce cyber risk over time.

At Tenable, when we talk about cyber exposure, we're talking about how you can address cyber risk.

By understanding your cyber exposure, your organization will be better prepared to answer some important, and often overlooked questions, in a quantifiable way. For example, how secure is our organization?

Cyber exposure helps you take a deeper dive into all of your assets, across all of your environments, understand where you have vulnerabilities and other security issues, and then prioritize when and how you'll address those cyber risks based on real-world exploitation information and a range of other important areas that are specific to the way you do business and how your risk management processes directly relate to your business goals and objectives.

By aligning your cybersecurity risk management program to the cyber exposure lifecycle, your organization will be able to answer these key questions with confidence:

• Where is my organization exposed?

• Where should we prioritize based on cyber risk?

• Are we reducing our cyber risk over time?

• How do we compare with our peers for cyber risk management?

By addressing your cyber exposure, your organization will be better prepared to identify all of your cyber risks across your entire attack surface, or, as we say it in simple terms, see everything. This isn't just for your traditional IT assets. It's also about discovering your cyber risks all the way from DevOps to deployment and beyond, including in your cloud environments, within operational technology environments, and even in your web apps.

But it's not just about finding those cyber risks. Cyber exposure also helps you predict which cyber risks actually pose a potential security issue for your organization, now and in the near future. For example, using machine-learning, Tenable's products have integrated predictive capabilities to help you prioritize your risk remediation strategy.

And, you don't have to guess how to resolve those prioritized issues. By using a cyber exposure platform like Tenable, you can even get best practice recommendations on how to address your cyber risks in a way that you can reduce the likelihood a business-impacting cyber event may happen.

Cyber risk management is an essential component of cybersecurity. When we discuss cyber risk, it's important to also talk about cyber risk management (or cyber exposure management) practices and how they can benefit your organization.

By developing a cyber risk management program, your organization can better understand not just which risks exist, but also what their potential impact may be and how you can mitigate those risks.

Cybersecurity risk management can help your teams develop practices that help you identify your cyber risks, prioritize your cybersecurity response measures back on their potential negative impact on your organization, and then develop a risk management plan to address those risks as they relate specifically to your organization.

In a perfect world, cybersecurity teams would love to have the ability to prevent every potential cyber-attack. What we know, however, is that's just not possible. Your cybersecurity risk management program can help you, however, develop plans that are proactive, adaptable, and flexible, so you'll always be ready to address cyber risk, regardless of type or complexity.

You can align your cyber risk management program to the cybersecurity lifecycle, where you can better identify cyber risks, protect your attack surface, respond to cyber incidents, and quickly recover.

A mature cyber risk management program will never approach this lifecycle from a one-and-done approach. Instead, it's an ongoing process where you're continually identifying gaps and weaknesses, improving them, and then retesting to ensure you're maturing your cybersecurity risk management approach as your company and the threat landscape continues to evolve.

There are a number of benefits of implementing a cyber risk management program. First, a cyber risk management program can help your organization more effectively identify cyber risks, prioritize those risks, and remediate or mitigate those risks with a goal of decreasing the frequency and likelihood of a cyber event that negatively impacts your operations.

Your cyber risk treatment plan can help ensure your organization has the necessary proactive and reactive cybersecurity measures in place to protect your organization against cyber incidents, thereby effectively reducing your risk of a potential attack.

We've mentioned a few times the gaps that often exist between IT and security teams and their executives and key stakeholders. A cyber risk management program is an important part of bridging that gap. It can help you quantify the needs and value of your program in a way your executives understand. For example, you can quantify how your cybersecurity risk reduction strategies can reduce costs for your organization and ensure operational resilience.

And, because cyber risk management is just good business practice, it can help you strengthen your business reputation with your customers, the general public and possibly have positive impacts on your market. By demonstrating your organization takes cyber risk management seriously—and that you've employed industry-recognized best practices—you can build confidence in your brand and reputation, creating a win for attracting new clients and retaining existing customers.

Some other benefits of implementing a cyber risk management program include building more confidence in your abilities to meet compliance, regulatory and other mandates, less downtime (or ideally no downtime at all) when a cyber event happens, no or little data loss as the result of a cyber incident, and a better understanding of how cyber risks can impact operational resilience and how to avoid that.

In many organizations, the chief information officer is primarily responsible for evaluating cyber risk as it relates to business risk. However, in some organizations, this is also handled by a chief information security officer, a chief technology officer, or a chief risk officer or chief security officer.

The foundational step in establishing a cyber risk management plan is to do a risk assessment. Depending on your industry and your regulatory guidelines, for example in healthcare, this may also be referred to as a risk analysis.

However, you can step back before building that foundation and take a broader look about what you should know before beginning to build your cyber risk management program.

Before you can fully identify and understand your risks, it may be helpful to better understand what the most common cyber risks are. Some teams have skilled professionals who make this a priority focus; however, most organizations just don't have the time or resources to keep up with the changing threat landscape. If this sounds familiar, you may find it helpful to partner with an organization that can do that type of research for you, for example, the skilled team at Tenable Research.

Once you have an understanding of the current threat landscape, it may be beneficial, if you haven't done so already, to do research to get a better understanding of how threat actors operate, what motivates them, and how some organizations within your industry have responded to and recovered from successful attacks.

With the information about the current threat landscape and attacker motive and operations, you'll be better poised to get started with your risk analysis or risk assessment. From this position, your risk analysis should take into consideration all of your critical assets and business functions, as well as the potential impact a cyber threat may have on your ability to maintain those assets and services to conduct business as usual.

NIST has guidelines that can help you conduct a formal risk assessment, which we'll get into more details below. However, if you'd like to know more now, go ahead and check out NIST's Information Security Guide for a deeper dive.

There are a number of benefits of doing a risk assessment. Not only will it become a driving factor for how you mature your cyber hygiene practices, it will also help build that bridge we mentioned earlier between your IT and security objectives and your organization's business goals and objectives. Remember, this is an important part of building executive support and buy-in for your cyber risk management program.

A cyber risk management program, especially for organizations that face a number of compliance and regulatory mandates, can help you better understand how your cyber risks directly correlate to key security objectives, for example, ensuring the confidentiality, integrity, and availability of your data.

Oui.There are several frameworks you can use to help you with cyber risk analysis and cyber risk management. Here are some examples:

• NIST Risk Management Framework

• NIST Cybersecurity Framework

• ISO 27001

While there are a range of considerations to take into account when selecting which cyber risk management framework may be best or most appropriate for your organization, most of these frameworks share common themes.

For example, the NIST Risk Management Framework (RMF) has a seven-step process to help your organization manage risks based on NIST standards and guidelines.

Here's an overview of some of the key areas of RMF and how they may be applicable to your cyber risk management program:

1. Develop essential activities that prepare your organization to manage risks

2. Categorize systems and any information processed, stored, and transmitted using an impact analysis

3. Select NIST SP 800-53 controls for protection based on your risk assessment(s)

4. Implement controls and document how they're deployed.

5. Conduct assessments to ensure effective controls are in place, and that they're operating as designed and producing the intended results

6. Ensure senior leaders make risk-based decision to authorize system operations

7. Continuously monitor control implementation and system risks

Another helpful resource may be the NIST Cybersecurity Framework (CSF), which has a voluntary set of standards to manage and mitigate cyber risks.

NIST CSF can help you identify cyber risks and make plans to address those risks relevant to your organization's business goals.

You may also be interested in drawing on ISO 27001 standards for help developing, implementing, and managing processes such as cyber risk management.

And finally, one more cyber risk management framework that may be helpful is SOC2, also known as System and Organization Controls 2, which can help your organization criteria manage cyber risk.

There are several factors to consider when determining which cyber risk management framework may be best for your organization.

You should take into account the size of your organization, the volume and types of assets, the types and complexity of your technology architecture (for example, traditional IT, OT, web apps, the cloud, etc.), data your organization stores, transmits and processes, where you use or store that data, and of course, the current threat landscape.

Need help selecting the right cyber risk framework for your organization? Tenable's next-generation approach to security may be exactly what you're looking for. Read more about security framework support with Tenable here.

There are a number of best practices your organization can employ to better manage your cyber risks. If you haven't already, consider adopting a cyber risk management framework, such as the NIST Risk Management Framework. A risk management framework can help you develop plans to identify cyber risks for your organization, mitigate those risks, and prioritize which risk may have the most potential impact on your organization so you can develop a strategy to address them.

Here are some other best practices that may help you better see, predict, and act on your cybersecurity risks:

1. Identify and inventory all of your assets. Keep this updated regularly. Remember, if you don't know which assets you have, you can't know where you may have cybersecurity risks.

2. Identify your critical business operations and understand the potential impact of loss or disruption of those operations on your ability to do business as usual.

3. Use a tool, for example Tenable Nessus to automate processes to continuously identify potential vulnerabilities or security issues.

4. Use machine-learning and predictive prioritization tools such as Tenable Lumin to prioritize which vulnerabilities are likely to have the greatest potential impact on your organization now and in the near term.

5. Apply a risk-based vulnerability management approach to managing, mitigating and remediating your cyber risks.

While there are a number of tools on the market that can help teams quickly and automatically identify vulnerabilities and other cybersecurity risks, most IT and security teams struggle with knowing how to address those vulnerabilities. That's particularly challenging for organizations that rely heavily, or exclusively, on the traditional Common Vulnerability Scoring System (CVSS) to prioritize vulnerabilities for remediation.

The most common problem with using CVSS for prioritization is that it generally takes into account only technical severity for a vulnerability. It doesn't take into account other important factors, such as if there is a known exploit in the wild or how likely it is an attacker may exploit the weakness now or in the near future.

The good news is there is a more effective and efficient alternative to help your organization effectively prioritize your cyber risks. That's with Tenable's Vulnerability Priority Rating (VPR). Unlike CVSS, VPR gives you an easy-to-understand score that's directly applicable to your unique organizational needs, so you know which identified vulnerabilities should get your attention first.

And, unlike CVSS where a high-volume (think tens of thousands) of vulnerabilities are scored as critical or high, VPR's machine-learning algorithms cut that down by thousands, ensuring that the vulnerabilities scored critical or high in your platform are those that truly need your attention.

By prioritizing your cybersecurity risks, your organization will be better poised to build, test, and deploy plans that effectively mitigate your risks, while reducing attack frequency and impact so you can quickly recover and get back to business as usual as soon as possible.

Today's threat landscape is constantly evolving and becoming increasingly complex, and as such, so are threat actors' methods to exploit your organization's cyber risks. While this list is routinely changing, while not exhaustive, here are a few examples of some of the biggest cyber risks organizations face today:

• Malwares

• Ransomware

• Phishing schemes

• Social engineering

• Poor password management

• Ineffective identity and access management

• Insider threats

• DDoS attackers

• SQL injections

• Supply chain and third-party risks

• Inadequate cyber hygiene

• Cloud vulnerabilities

• Mauvaises configurations

• Vulnerabilities and misconfigurations in code (infrastructure as code)

• Security vulnerabilities in Active Directory

• IT outages

• Cyber breaches and record exposures

NIST defines a cyber risk assessment as "the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system."

A part of risk management, a cyber risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by security controls you either have in place now or are planning to implement.

For NIST purposes, risk assessment and risk analysis are synonymous terms.

NIST SP 800-30 provides guidance for conducting effective risk assessments, particularly related to federal information systems and organizations; however, the best practices can be applied across a range of industries.

Based on NIST 800-30, your cyber risk assessment should include four key processes:

1. Framing risk

2. Assessing risk

3. Risk response

4. Risk monitoring

When NIST talks about framing cyber risks, it's related to establishing a context to your risk. For example, it's establishing a framework that takes into account the type of environment where you're making risk-based decisions. This will help guide your risk management strategy so you're poised to address how your organization will assess, respond to and monitor risk.

In terms of assessing cyber risk, this is about how you identify risks such as:

• Organizational threats to your operations, assets or individuals, but may also include threats through your organization against others.

• Internal and external vulnerabilities.

• Adverse impact of these risks based on the potential threat actors may exploit the vulnerability.

• Likelihood a threat exploitation will occur.

The next important step in conducting a cyber risk assessment is to make a plan for how your organization will respond to risk based on your risk assessment results. Here, you're looking to build a risk response strategy you can apply across your organization. It's not just about the actions you may take, but also empowering your team members with the information and ability to adapt for alternative actions within your organization's risk tolerance or risk threshold.

Finally, your cyber risk assessment should include plans to facilitate risk monitoring over time. This will help you stay vigilant in analyzing if your risk response strategies are performing as intended, as well as finding changes within your environment that may require adjustments.

Want to go deeper into NIST's guidance for risk assessments? Check out the full guide here.

Drawing on the Department of Health and Human Services (HHS) and HIPAA guidelines, a formal risk analysis should include:

An accurate and thorough assessment of potential cyber risks and vulnerabilities related to the confidentiality, integrity, and availability of the protected data your organization creates, receives, maintains, or transmits.

• Identification of threats and vulnerabilities.

• Establishing effective controls to manage, mitigate, and remediate cyber risks.

• Creating a risk rating and likelihood of harm from cyber risk.

• Developing documentation for compliance and other management reports.

Some industries require cyber risk assessments to be part of their compliance and/or regulatory standards. Also, it’s interesting to note the growing number of states that are actively developing their own data privacy and cybersecurity standards. It would not be surprising to see most, if not all of these, also include cyber risk assessment requirements.

But your organization can benefit from doing a risk assessment beyond just meeting compliance mandates. Most importantly, it may be helpful to consider what could happen if you don’t conduct a cyber risk assessment or establish a cyber risk management program—your organization’s system and data may be at risk of a cyber event.

Not only could your organization lose productivity and negatively affect your customers, vendors, key stakeholders, and potentially your market, you could face fines that reach into millions of dollars, depending on event type, severity, and culpability. Some organizations that experience cyber events never fully recover, even sometimes being forced to close their doors.

Conducting a cyber risk assessment should be a fundamental business practice for your organization. It can help shore up not just your cybersecurity practices, but also your business continuity and operational resilience strategies. An effective cyber risk assessment can serve as a foundation to your cybersecurity program and can help guide your organization’s risk management activities today and as you evolve and change.

With Tenable, your organization can have the knowledge, tools, and resources to see everything, predict what matters and act to address cyber risk across your entire attack surface.

You can employ the fundamentals of risk-based vulnerability management to mature your cybersecurity risk management practices. This is a great way to introduce a common risk-focused approach to your cybersecurity program. Beyond that, Tenable can help you demonstrate and report on metric-based language that everyone understands and gets excited about being a part of a culture that takes cyber risk management seriously, with great benefits for your organization—from your security and IT teams, all the way up to engaged executive leadership and key stakeholders.

Tenable can help your organization identify, prioritize, and address cyber risks across your entire attack surface.

Webinaire : Visibilité, prédiction, action : Address Cyber Risk With Tenable Capabilities

Understanding the Cyber Exposure Lifecycle

Rapport : Notre entreprise est-elle vraiment sécurisée ?

Tenable Cyber Exposure Study: Ransomwares