Types of Cyber Risks Businesses Should Be Aware Of

What is cyber risk?

Cyber risk is the threat of data loss, property destruction or ransom demands resulting from a hack of your company’s information technology (IT) systems. Cyberattacks can result in a financial loss or disruption to your business. They can also harm your brand’s reputation if consumers don’t feel their information is secure with your organization. 

Cyber risks can lead to computer system failure and the unauthorized use of information. If an unauthorized person gains access to your computer system and databases, they can halt your operations or steal your information unless you pay a ransom. This is why you need to have the right cybersecurity. With just a computer and internet connection, anyone, anywhere, can launch a phishing attack or leverage artificial intelligence (AI) for more sophisticated crimes. “This universality makes every unsolicited email, text or social media message a potential threat,” said Dr. Arun Vishwanath, author of “The Weakest Link.”

What are the types of cyber risks?

Cyber risks are not limited to external threats from bad actors. A business must also deal with internal threats that can compromise data or systems.

Internal cyber risks

While most employers want to believe their employees are trustworthy, there are several types of internal risks you might face. These could come from either a current staffer or a former one who has access to your IT systems and can use that access in an adversarial way. These risks could also arise as a result of a lack of awareness and poor training.

These are some common internal cyber risks to be aware of:

• Employee sabotage and theft: Employee fraud and disruption can be committed by a current or former employee who accesses your systems to obtain information to harm the company. Some information may be used to poach employees while other information could damage your business if it’s disclosed in public forums.
• Unauthorized access: Staffers could obtain access to systems they shouldn’t have access to. They may change the permissions of others or deactivate network security tools.
• Unsafe business practices: When network servers are left in unlocked rooms or users are not properly logging off devices, businesses are left vulnerable to attack.
• Accidental loss or disclosure: Team members may unwittingly disclose sensitive information. This could be by accidentally adding an unauthorized person to a confidential email chain or leaving a company laptop at a coffee shop.
• Bring your own device: Many businesses would not dream of allowing staff to bring in their own devices to connect to the company network because of the security risks involved but other organizations are OK with it. Beware, your network is doubly at risk if you allow this: First, poor security on the team member’s device might give hackers another way into your system. Second, any malware on the device may be transferred to your network. These are often referred to as “end-point attacks.

Working at home can also introduce risks, according to Rob Pritchard, founder of The Cyber Security Expert. “The biggest disadvantage to working from home/remotely from this sort of risk perspective is that people can’t just turn to the person … [sitting] next to them and say, ‘Does this look suspicious to you?,’ or see that their boss is … across the office at their desk and clearly not trying to get them onto WhatsApp to buy gift vouchers for an important client.”

External cyber risks

The other serious threats businesses face come from external cyberattacks, where bad actors attempt to steal data or compromise operations. If you’re subject to such an attack, it can be hard to tell exactly how your defenses have been breached. It can also take weeks or months before you realize you’ve been attacked. “External threats are probably much more significant,” explained Pritchard. “Ransomware gangs are very capable and don’t really care who they target as long as you have the means to pay.”

These are the most common external cyber risks:

• Password theft: Despite decades of warnings, many people, including system administrators, still use easy-to-guess passwords. Passwords can also be stolen via phishing attacks and malware like keyloggers.
• Phishing schemes: Nefarious individuals send fraudulent messages that convince unsuspecting employees to click on links within them and disclose personal or proprietary information, such as passwords and payment details. Phishing attacks can also happen on the phone with, for example, hackers pretending to be from a company’s IT department and asking one of your employees for their network access credentials. [Related article: How Companies Are Detecting Spear Phishing Attacks Using Machine Learning]
• Quishing, smishing and vishing: While emails are used for most phishing attempts, other communication platforms are also vulnerable. In recent years, quick response codes have been covered up with sticker replacements, which direct unwitting users to malicious sites where malware can be installed in a process known as quishing. Smishing uses short message service messages to trick individuals into revealing personal information and vishing involves voicemail phishing.
• Malware attacks: These are viruses that attack your IT systems and can potentially execute unauthorized actions. Standard examples include keyloggers that transmit individual users’ keystrokes back to hackers. Malware is often downloaded during a “drive-by attack,” which involves the automatic download of malware to a person’s device when they visit an infected website.
• Zero-day exploit: No matter how well programmed, every app, website and piece of software has vulnerabilities. Zero-day exploits are hacks that cybercriminals discover and software developers currently don’t know exist.
• Inadequate patch management: When software developers become aware of vulnerabilities, they release patches to fix them. However, your company is protected only if you download and install the patches.
• Structured query language (SQL) injection: Login pages, search boxes and feedback forms on websites use SQL. So do some HTTP headers and cookies. One way for cyberattackers to get into your system is to insert malicious SQL queries into a form that can later be used to manipulate or destroy a company database.
• Formjacking: These are similar to SQL injection, but instead of targeting the forms on a site, they inject malicious JavaScript code into online forms on legitimate websites to grab sensitive details like personal and financial data.
• Traffic interception: It’s possible for cybercriminals to intercept and monitor data that’s sent over a computer network. They can capture a wide range of information, from personal details to login credentials.
• “Man in the middle” attacks: Similar to traffic interception, this is when a hacker fools a user into logging on to their network. For example, if a member of your team is in a public area, like a coffee shop and attempts to connect to the shop’s free Wi-Fi, they may be logging on to a bogus network set up by a bad actor.
• Internet of Things attacks: Fridges, printers, security cameras and more now connect via Wi-Fi to computer networks. Often, the security on these devices is low because companies don’t see why a hacker would target them. The reason they do is because they can use them as funnels to gain access to your wider network.
• Malvertising: This is a type of malware that redirects users to malicious websites. Code is deployed on a publisher’s website that mines data about users for further ad targeting. 
• Cross-site attacks: These attacks take advantage of vulnerabilities in web apps to run malicious scripts in users’ browsers. For example, if you allow customers to talk to each other via an online forum, a hacker might insert bad code into a forum post that then triggers an action in the browser of another customer using the forum. They can hijack user accounts with this approach, including users with admin privileges.
• Water hole attacks: Water hole attackers go after commonly used resources shared by specific groups of users. For instance, many people in your company may log in to a social media network like LinkedIn or a vendor portal. Cyberattackers can insert malicious scripts into these sites, infecting your users’ computers when they next visit them.
• Distributed denial-of-service (DDoS) attacks: A DDoS attack disrupts the normal traffic to a website. This is a type of malware where a botnet overwhelms your website and prevents consumers from using it. 
• Cryptojacking: This is when a hacker uses your computing resources, usually via malware, to mine for cryptocurrency. This can damage your PC hardware, slow down your network and substantially increase your electric bill.
• Ransomware: A type of cyberextortion, this kind of malware locks up system operations and renders websites and networks unusable until a ransom is paid. This offense is becoming more common, as many cyber insurance carriers find that paying the ransom is less expensive than remediating the attack. [Learn how to protect your business from ransomware.]
• Trojan virus: Trojan viruses disguise themselves as legitimate programs. When installed, they can create backdoors to download other malware or steal information.
• Supply-chain attacks: Companies sometimes require clients to place orders with them or send invoices for work done via a custom app that’s updated regularly for various reasons. In a supply-chain attack, hackers target this type of program so hundreds or thousands of businesses and clients may end up downloading the infected app when a new update is rolled out.

These threats to companies of all sizes are very real. In 2023, MGM Resorts fell victim to a ransomware attack that started to cause problems with its computer systems. This resulted in guests being unable to get into their rooms and gaming floor malfunctions. In the end, the consequences of the attack cost MGM $100 million, although the company is confident the incident will ultimately be covered by their cybersecurity insurance – a protection we explain below.

What is the financial impact of cyber risks?

The potential financial impacts of cyber risks on a company are huge. Even a minor attack can force a business to pay for lost or stolen data records, with an average cost of $150 per stolen record. According to research by IBM, the average cost of a data breach in the United States in 2024 was $4.88 million.

“A cyberattack can drive a small business into bankruptcy or total failure,” said cybersecurity, privacy and AI expert Joseph Steinberg. “Unfortunately, such a claim is not theory – we have seen it happen many times. A cyberattack can easily destroy confidence in a small business, causing it to lose customers, while simultaneously inflicting a severe enough cash flow problem as to render the business unable to meet payroll obligations.”

Even if the financial consequences are not as high for a small business, smaller companies still need to brace themselves for lost revenue due to a compromised operating system being shut down for days or weeks. Plus, even after a business restores all systems, consumers may be wary of working with a company that recently experienced a data breach or cyberattack, afraid that their personally identifiable information is not safe. That, too, will impact your bottom line.

How can companies reduce their cyber risks?

Creating a robust cybersecurity plan for your small business will reduce the risk of cyberattacks and thus the risk of financial and reputational losses. While you can’t prevent every cybercrime, you can do a lot to ensure your business is not harmed. Here are 13 ways to reduce your company’s cyber risk:

1. Update your computer systems, apps and other programs regularly: When you don’t update, gaps begin to form that allow things like malware to infiltrate your system. Make sure your antivirus security is up to date and regularly update your operating system to prevent these gaps from forming.
2. Replace software that’s no longer being updated: If an app or software you’re using is no longer being updated, talk to your team about switching to a new product. Having deprecated software on your server and devices is a significant security threat.
3. Protect outbound data: Most business owners protect themselves only from data coming in. You should also protect outgoing data with encryption and other tools to prevent the accidental release of sensitive data by employees.
4. Train your employees: Make sure your employees understand what cybersecurity risks exist and how to be on the lookout for them. This is especially true for things like phishing schemes that may be received by gullible workers who haven’t been trained not to click on suspicious links.
5. Develop strong passwords: Create complex passwords that cannot be guessed. Make sure your system administrator’s password is different from the server’s password. You don’t want to make it easier for hackers to gain access to the entire server. You may also want to consider using a reputable app to manage users’ passwords across the business.
6. Encrypt data: When sending or storing data, encrypt it. This means data isn’t saved in a normal text format, making it harder to be misused. As more companies use off-site servers, cloud encryption is particularly important, as the transmission of data between your network and your cloud provider is another potential attack vector.
7. Limit login attempts: Hackers will use bots to work on cracking passwords indefinitely. You can stop them by limiting the number of login attempts allowed to access your data or server systems.
8. Use dual-factor authentication: This is similar to the technology where banks and credit card companies text you a four- or six-digit code to verify your identity when you make a purchase online. You can set up your computer system so that whenever a colleague logs in, they have to provide an additional form of verification, such as a unique numerical code.
9. Implement a kill switch: A kill switch allows an IT professional to shut down all access to servers or pull websites offline when a threat is detected. This gives you time to address the threat before it can do any damage.
10. Don’t store credit card information: Don’t risk a hacker collecting your customers’ credit card data. Never store this sensitive information in any database you maintain and enact strict policies so your employees never do it either.
11. Back up your data regularly: Take the time to conduct regular data backups. This will make restoration much easier if you do fall victim to a cyberattack.
12. Establish a connected asset register: Regardless of whether you allow staff to use their own devices, consider setting up a register of permitted devices. This means no unauthorized (unregistered) device can log in to your network. You’ll also be able to use the registry to quickly restrict access so former employees and contractors can no longer gain entry.
13. Set up a separate public network: Particularly in the leisure and hospitality sectors, customers today expect you to provide free Wi-Fi access. Offering it can give you a competitive advantage, but you should provide it over a separate network that doesn’t use the business Wi-Fi your team uses to manage sensitive data. [Find out how to set up business Wi-Fi.]

How can cyber liability insurance help?

Since you can’t predict if and when a cyberattack will occur, it makes sense to have cyber liability insurance. A cyber insurance policy can pay for financial losses and expenses stemming from:

• Business interruption
• Ransom demands
• Attack investigations
• Hiring a public relations firm to deal with the public fallout
• Regulatory fines
• Customer notification costs (which can range from 50 cents to $5 per person)
• Customer credit monitoring (which can range from $10 to $30 per person)
• Legal defense and any judgments or settlements

On top of paying for losses and damages, many insurers will help businesses remediate their losses as quickly as possible. This means they use their internal teams to help halt the progress of viruses and malware, with the goal of minimizing the ultimate costs to both your business and them. 

Can you be penalized for cyberattacks? 

The Federal Trade Commission (FTC) is tasked with protecting America’s consumers and it’s every business owner’s responsibility to make sure their consumer data is protected. If it isn’t, you may be held liable and face the risk of fines and, in egregious cases, jail time.  

The FTC recommends business owners assess the types of consumer information they collect and keep, keep only what is necessary and lock that data, either electronically or physically. When the information is no longer needed, you should discard it by shredding it or using a data deletion service. 

However, it isn’t just FTC fines that a business may have to deal with in the event of a data breach. You could face these additional penalties:

• Fair and Accurate Credit Transaction Act fines of up to $2,500 per violation at the federal level and up to $1,000 at the state level, rising to $11,000 per violation after a regulatory warning
• Civil penalties of up to $3,500 per violation
• Health Insurance Portability and Accountability Act penalties of up to $50,000 per violation for erroneous disclosures and up to $50,000 plus one year in prison for criminal wrongful disclosures
• Individual states all have their own data breach laws, with Florida charging up to $500,000 for businesses not meeting notification requirements and Michigan capping multiple violation penalties at $750,000.

These are just a few of the penalties businesses could face after a cyberattack. Most small companies can’t afford these types of fines, nor can they afford to lose an estimated 20 to 30 percent of their customer base from the fallout of a data breach. Keeping consumer data private and having insurance to help protect against financial losses are critical in the digital age.

Who commits cybercrimes? 

Cybercriminals come from various backgrounds. Some cybercrimes are committed by former employees looking to get revenge on a business that fired them. You can prevent this type of crime by revoking system access as soon as an employee is terminated.

Sometimes, attacks come from industry rivals trying to steal your commercial secrets or find information to portray your business in a negative light. There are also activist organizations that believe they are helping society by hacking and harming certain companies.  

Some security risks simply arise from careless mistakes made by employees, especially those who work for businesses that haven’t implemented the right security policies and training. Still, the majority of cybercrimes are committed by those who intend to profit from hacking by selling data on the dark web, demanding a large ransom or funneling credit card transactions to a third-party account they control.

Neil Cumins and Kimberlee Leonard contributed to this article.