Businesses face risk all the time – and that’s OK. Even though the word “risk” typically has negative connotations, the term can actually represent many situations, not all of them unfavorable.

ISO 31000 states that risk is the “effect of uncertainty on objectives.” That actually means risk can come in two types: positive and negative.

What Is Positive Risk and Negative Risk?

Positive risks are events that are beyond a company’s control but can work in the company’s favor, allowing the business to capitalize and benefit from them.

In contrast, negative risks are potential events that could harm an organization. With these risks, the focus is on mitigating, preventing, or minimizing the extent of the negative outcomes or damage they may cause.

Can There Really Be Positive Risks?

Yes, there can be positive risks in business. Just like negative risks, positive risks are uncertain and may or may not occur – but when they do happen, they can boost your organization’s ability to achieve critical business goals. We can also call positive risks “opportunities.”

Positive risks can increase profitability, establish a strong market position, and enhance competitive advantage. Unlike negative risks (which hinder progress), positive risks support organizational teams and encourage improvements in how your employees work towards achieving business goals. Think of positive risks as motivators for executives to focus on profit goals, and also on helping employees to achieve professional aspirations.

The importance of positive risks lies in their ability to help companies reduce production and operational expenses, make better investments, and effectively allocate resources toward business growth. Embracing positive risks is crucial for fostering innovation; it allows companies to develop fresh approaches to overcome industry challenges. When you take on positive challenges, you can position your organization advantageously in the market, gaining a competitive edge.

Examples of Positive Risks in ERM

The idea of positive risks can sometimes be hard to grasp. Here are several practical examples.

Positive risk in project management

One responsibility of a project manager is to create and monitor the project budget, based on the estimated resources needed to achieve the project objectives. Sometimes a miscalculation in the planning phase results in too much money budgeted for the project, which can then be reduced.

Effective project risk management positively affects the organization, especially considering it’s much easier to redistribute unused resources than to cut other projects to cover overspending.

Positive risk in assets & investments

Many of the assets within a company have an estimated service life, which determines the worth of an object or property based on that asset’s ability to provide value over time.

When the actual useful life exceeds the estimated useful life (say, a technology company extending the useful life of its computers from three years to four), that is a positive development. The original assessment was wrong, but the result was beneficial for the organization since it can use the asset for a longer period without investing in a replacement.

Positive risk in technology

When deploying certain technologies to facilitate tasks within the company, the organization must consider the risks. Executives must balance the potential reward (greater efficiency) against the potential risks (higher security risks, for example).

That said, sometimes technology is upgraded in ways that enhance the original efficiency estimate or reduce the original risks. These changes can directly benefit companies that can now take advantage of these new capabilities to increase productivity.

Positive risk in development

Say your company introduces a new product. There is a risk that the product may not achieve the expected performance; for any number of reasons, the market may not like what you have to offer.

Alternatively, the product’s success may exceed your expectations. This could result in problems with the organization’s ability to meet greater demand for the product, but that is generally a good problem to have – certainly much better than the alternative of killing a new product for lack of demand.

Positive risk in supply chain management

Managing the supply chain comes with its fair share of risks, but sometimes these risks can work in your favor.

For example, say you switch to a new supplier offering lower prices. That switch involves some positive risks, like figuring out shipping fees, meeting delivery deadlines, and negotiating the terms of the new contract. It’s all about building trust and creating a solid relationship with this new supplier.

Examples of Negative Risks

Negative risks are much more visible in a company’s daily operations. Also called “threats,” negative risks should be considered alongside positive risks.

Negative risk in project management

Overspending is a common threat in project management. It can result from an inadequate estimate of project costs, and jeopardize your project’s objectives.

Lack of an action plan to deal with budget overspending is a negative risk for the company. Shifting the allocation of resources to complete a project is always a messy endeavor; meanwhile, project interruptions or delays can be far more costly than the original budget overrun.

Negative risk in assets & investments

When a particular tool, asset, or infrastructure fails earlier than expected, that can result in a partial or total production stoppage. Production stoppages harm employee efficiency, customer satisfaction, and profitability, among other damage to the organization.

Negative risk in technology

A wide variety of negative risks in the technology sector can interfere with achieving the company’s objectives. Many of these are invisible until they occur and cause all sorts of damage.

In the same way that there are updates that protect users of particular software, these updates can also create vulnerabilities if the updates go unnoticed by developers (with the potential for serious harm if cyber attackers discover those vulnerabilities).

Negative risk in development

It’s always possible that a new product or service will fail. Therefore, regardless of the proposal or the investment in market research, it’s wise to have risk response strategies in case of the project’s failure.

Negative risk in supply chain

Negative risk in the supply chain refers to potential events or circumstances that can adversely affect a company’s supply chain operations, performance, or objectives. These risks have the potential to disrupt the smooth flow of materials, products, and information throughout the supply chain, leading to various negative consequences.

Managing Positive and Negative Risks

Despite their starkly different consequences, positive and negative risks are two sides of the same coin. It may seem counterintuitive to assess and monitor positive risks since they only help the organization. Still, such risks provide a unique approach to risk analysis and the organization’s risk exposure.

When a positive risk materializes (as in the case of underspending or the underassessment of an asset’s lifespan) it indirectly represents a failure in your risk management processes – which either failed to identify a human error or were not sufficiently accurate in their assessments.

Another issue is that positive and negative risks have opposing risk management strategies. That is, while a company avoids negative risks by delegating tasks or rejecting certain agreements with third parties, it exploits positive risks by taking actions to increase the chances of those uncertain events. Both strategies need to be included in your risk management plan.

While positive risks are shared to reap benefits across the enterprise as much as possible, negative risks are transferred to others better suited to respond or mitigate the harm.

When a positive event occurs, the goal is to leverage its effects and take advantage of them to benefit the organization. In contrast, in a negative event, there are strategies to mitigate the harm. In both cases, the risks that cannot be influenced or modified are accepted, from which an organization can learn for future occasions.

Managing Risks with ZenGRC

Assessing your risks, installing proper controls for managing risk, and collecting documentation at each stage may be intimidating and time-consuming if you try to do it all yourself and manage the requirements on a spreadsheet.

ZenGRC helps you comply with a wide range of frameworks, including GDPR, CCPA, HIPAA, and others, through identifying vulnerabilities, assessing policies and processes, and ensuring tracking and other measures operate correctly.

ZenGRC is a governance, risk management, and compliance solution that can help you streamline and optimize compliance activities by automating many of these time-consuming, manual processes. Schedule a free demo today and see how ZenGRC can help you manage your risk more easily and efficiently.

Cybersecurity is one of the top concerns for organizations. In recent years, and that’s not going to change any time soon – unless, if anything, cybersecurity becomes the top concern.

So what can an organization do about the rise in cybersecurity incidents?

In this article we’ll take a closer look at security incidents: what they are, the most common types, and how to prevent and mitigate them. Armed with this information, your organization will be able to protect itself against future security incidents and to get started on the path toward worry-free cyber risk management.

What Is a Security Incident?

A security incident is any event related to compromised data resulting from missing or failed security measures. Specifically in cybersecurity, an information security incident involves the unauthorized access, use, disclosure, breach, modification, or destruction of data.

Typically an event is categorized as a “security incident” when it is widespread enough to disrupt your normal business operations. That’s not the same as a “security event,” which is a single incident that usually doesn’t disrupt your organization. A security incident is a more serious problem – and it doesn’t necessarily need to be a successful attack to necessitate a response from your organization.

A cybersecurity security incident could be anything from a potential threat to a successful attack; just because your information wasn’t compromised doesn’t mean you should ignore the incident altogether. Any security incident occurs, successful or not, should result in a review of the tools, policies, and procedures you have in place to prevent similar events from happening again.

In many cases, the result of a cybersecurity incident is a breach of personal data. Such incidents can inflict huge financial and reputational harm on the victim. In 2021 the average cost of a data breach was $4.24 million, a figure which is likely to grow considerably in the coming years. Businesses also face additional costs for regulatory fines, fees, and even legal action in extreme cases.

Most Common Types of Threats to Information Security

Below are the most common types of information security threats your security team should know about:

• Insider threats
• Viruses
• Computer worms and Trojans
• Botnets
• Phishing attacks
• Ransomware attacks
• Exploit kits
• Malvertising
• Advanced persistent threats (APTs)
• Distributed denial-of-service attacks

As you can see, information security or infosec threats range from advanced persistent threats to different types of malware, each with the capacity to bring down your organization unless it has an effective cybersecurity strategy.

What Are the Most Common Types of Security Incidents?

Using technology to their advantage, cybercriminals will do everything and anything possible for financial gain. Here are some of the most common types of security incidents executed by malicious actors against businesses and organizations:

Unauthorized Access Attacks

This type of incident involves any unauthorized attempts by a threat actor to access systems or data using an authorized user’s account. How a cybercriminal gains access to user accounts often remains a mystery, even long after an attack. Still, your organization can do few things to prevent this type of security incident from occurring.

If you don’t already do so, require multi-factor authentication (MFA) for all users. This will require users to provide additional identifying information (say, a one-time verification code sent to their phone) after they enter a correct username and password. Many times, multi-factor authentication alone can deter a potential security incident from occurring, since criminals will simply move on to another target that doesn’t use MFA.

Also, consider encrypting your sensitive corporate data at rest and in transit using suitable software or hardware technology. This way, attackers won’t be able to access confidential data such as your account or credit card details even if an attack succeeds.

Privilege Escalation Attacks

This type of incident occurs when an attacker attempts to gain unauthorized access to an organization’s network, and then tries to obtain more privileges using a privilege escalation exploit. A successful privilege escalation exploit grants threat actors privileges that normal users don’t have. Usually, this type of attack takes place only after a hacker has already compromised an organization’s endpoint network security by gaining unauthorized access to a lower-level user account. With privileged access to your most sensitive information, there’s no telling what a cybercriminal might do.

To prevent this type of security incident, start by looking for and remediating any security vulnerabilities in your IT environment. Ideally your organization should do this by conducting regular vulnerability assessments and scans as part of your overall risk management program.

Another tactic is to use the “principle of least privilege” to limit the access rights for users to the bare minimum permissions they need to do their jobs. Also consider security monitoring tools to help you collect and analyze potential security threats, so you can respond appropriately.

Insider Threat Attacks

Insider threats are malicious (intentional) or accidental (unintentional) threats caused by employees, former employees, or third parties, including contractors, temporary workers, or customers.

While preventing insider threats can be difficult, you can take some steps to reduce the chance of an incident. First and foremost, you should implement spyware scanning programs, antivirus programs, firewalls, and a rigorous data backup and archiving routine.

You should also train your employees (and any contractors) on security awareness before allowing them access to your computer networks. A robust security awareness training program should also include routine training sessions to avoid any unintentional security incidents resulting from user error.

You can also implement employee monitoring software to reduce your risk of a data breach or intellectual property theft by identifying careless, disgruntled, or malicious insiders. Additionally, an internal whistleblower program (that protects employees who come forward) can help your organization to gain intel about potential security incidents.

A data loss prevention policy will also let insiders know what’s expected of them when handling company data and that they’re being monitored for unwanted behaviors. Sometimes this alone is enough to prevent internal actors from acting carelessly or maliciously.

Phishing Attacks

In this type of social engineering attack, the attacker assumes the identity of a reputable entity or person via email to distribute malicious code or links that can perform various functions, such as obtaining login credentials or account information from victims. More targeted phishing attacks are known as spear phishing attacks, where the attacker invests more time researching the victim to pull off an even more sophisticated attack to steal information.

On a technical level, a gateway email filter will help you trap a large number of mass-targeted phishing emails and reduce the overall number of emails that reach your users’ inboxes. You probably still won’t be able to prevent every single phishing attempt from entering every single inbox, so you’ll need to take other steps as well.

Start by educating your users so that they’re better able to identify phishing attempts on their own. In some organizations, incentive programs encourage employees to identify and report phishing emails in exchange for a reward. These types of programs have prevented phishing attacks from leading to more serious types of security incidents, like malware attacks.

Malware Attacks

Malware is a broad term for various malicious software, including Trojans, worms, ransomware, adware, spyware, and other types of viruses. Malware can either be inadvertently installed when a user clicks on an advertisement, visits an infected website, or installs freeware or other infected software; or, it can be installed intentionally by insider threat actors or malicious actors with unauthorized access.

The signs of a malware attack include unusual system activity, sudden loss of disk space, unusually slow speeds, repeated crashes or freezes, increased unwanted internet activity, and pop-up advertisements.

To protect your organization against this type of security incident, you should install an antivirus tool to detect and remove any malware. Whether you decide on real-time protection or routine system scans to detect and remove malware, whichever security solution you choose should protect your organization against any existing malware and any future malware attacks.

Distributed Denial-of-Service or DDoS Attacks

This type of security incident occurs when a threat actor floods the target system with traffic or sends information that triggers an attack to shut down an individual machine (or an entire network) so that it cannot respond to service requests. Typically, these attacks can be dealt with by simply rebooting the system.

You can also reconfigure your firewalls, routers, and servers to block any future unwanted traffic. Keep your firewalls updated with the latest security patches as part of your overall patch management program to keep your systems, software, and applications at their most secure. If you choose, you can also integrate front-end hardware into your network to help analyze and screen data packets to classify them as they enter the system.

Man-in-the-Middle (MitM) Attacks

This type of incident occurs when an attacker secretly intercepts and alters messages between two parties who believe they are communicating directly with each other. In a man-in-the-middle attack, the attacker manipulates both victims to gain access to their data. This can occur via session hijacking, email hijacking, and Wi-Fi eavesdropping.

Although this type of attack is difficult to detect, there are some ways to prevent it. You should first consider implementing an encryption protocol that provides authentication, privacy, and data integrity between communicating computer applications, such as Transport Layer Security (TLS). Or a network protocol that gives users, particularly systems administrators, a secure way to access a computer over an unsecured network such as a Secure Shell Protocol (SSH).

You should also educate your employees on the dangers of using open public Wi-Fi networks, because it’s much easier for hackers to commit cybercrime by exploiting these connections. For the most network protection, use a virtual private network (VPN) to help ensure more secure connections.

Password Attacks

A password attack is expressly aimed at obtaining a user’s password or an account’s password. To do so, hackers use various methods, such as password-cracking programs, dictionary attacks, password sniffers, or simply guessing passwords via brute force trial and error.

A password cracker is an application or program used to determine an unknown or forgotten password to a user account. When in the hands of a hacker, a password cracker can be used to gain unauthorized access to company resources.

A dictionary attack is breaking into a password-protected computer system or server by systematically entering every word in the dictionary as a password until the attacker guesses correctly. While this method might not be the most efficient, if a hacker does guess a correct password, he or she may then try to log in to multiple accounts using the same hacked password.

A brute force attack is when a hacker or bot attempts to log in using a series of generated passwords over and over again until the attacker succeeds. This type of trial-and-error attack can also cause websites to crash, which is another reason why multi-factor authentication is so important.

These types of security incidents can be difficult to prevent completely, but you can take some steps to defend yourself against them in the future. As mentioned above, multi-factor authentication is the best way to prevent unauthorized logins. Even if a cybercriminal guesses the correct password, that alone won’t be enough information to let them into your system.

You should also insist that your employees use strong passwords that include at least seven characters as well as a mix of upper and lower case letters, numbers, and symbols. Users should also change their passwords regularly and avoid duplicating passwords for multiple accounts. Any passwords your organization stores should be done so in secured repositories and should also be encrypted.

Web Application Attacks

This type of incident occurs when a web application is used as the vector for an attack. Web application attacks include exploits of code-level vulnerabilities in the application and attacks that thwart authentication mechanisms.

For example, a cross-site scripting attack is a type of web application attack that occurs when an attacker injects data (such as a malicious script) into content from otherwise trusted websites.

To avoid this attack, your organization should review code early in the development phase to detect any vulnerabilities automatically, by using static and dynamic code scanners. You should also implement bot detection functionality to prevent bots from accessing your application data. Finally, a web application firewall will help you monitor your network and block potential attacks.

Another type of web application attack is an advanced persistent threat (APT), a prolonged and targeted cyberattack typically executed by cybercriminals or nation-states to gain access to a network and remain undetected for a period of time. Ultimately, this type of security incident aims to monitor the target’s network activity and steal data rather than cause damage to the network or organization.

To avoid this type of attack, your organization should monitor incoming and outgoing traffic to prevent hackers from installing backdoors and extracting sensitive data. Again, web application firewalls at the edge of your network perimeter will help to filter any traffic coming into your web application servers. A firewall can also help filter out application layer attacks, such as SQL injection attacks which are often used during the APT infiltration phase.

How to Prevent and Mitigate Security Incidents

For each of the common security incidents described above, we included several steps you can take to prevent, or at least reduce the chances of, an incident occurring. To make things easier, we’ve compiled those suggestions into a singular and actionable list so that you can start preventing and mitigating security incidents for your organization.

Security Incident Detection

The first step to preventing security incidents is to put the right tools and processes in place to detect security incidents before they occur. Security incident detection is important for detecting and responding to incidents before they do damage but also so that you can track and trace the origins of the security incident and put the appropriate security controls in place to prevent it from happening again. Make sure all operating systems are up to date.

The first step to preventing security incidents is to put the right tools and processes in place to detect security incidents before they occur. Security incident detection is important for detecting and responding to incidents before they do damage but also so that you can track and trace the origins of the security incident and put the appropriate security controls in place to prevent it from happening again. Make sure all operating systems are up to date.

Monitor User Account Behavior

Implement behavior analytics tools to monitor user account behavior. Before looking for any anomalous behavior, you need to set the baseline for what “normal” behavior looks like. Once you’ve established that pattern, you can start looking for departures from it, especially for privileged users. Any unusual behavior could be an indication that a security incident is taking place.

You should also monitor for unauthorized users attempting to access servers and data, or requesting access to data that isn’t critical to their job function. This type of behavior indicates two scenarios: an insider attempting to gain unauthorized access to confidential information for malicious purposes, or a malicious actor has already gained access to a user account and is using that account to attempt to gain access to more privileged data.

As a general rule, you should always use the principle of least privilege regarding your data. This means only granting access to data to those employees who need access to perform their duties. To implement this principle, however, you’ll need to start by categorizing your data by sensitivity, so that you know which data your employees should have the least access to. You’ll also need clearly defined roles for the users in your organization, so you’ll know which data different types of users need.

Monitor Network Traffic

Your organization’s network is the gateway into your systems, and data. Keeping it secure is the best way to prevent attackers from gaining unauthorized access to your organization’s sensitive information. It’s important to monitor the traffic coming into your network, and the traffic leaving your network perimeter.

This traffic might include insiders uploading large files to personal cloud applications, or sending large numbers of email messages containing attachments to addresses outside the company, or downloading large files to external storage devices such as USBs. You should also monitor for any traffic sent to or from unknown locations-especially if your company only operates in one country.

In general, your administrators should investigate any unknown or suspicious network traffic to ensure its legitimacy. Even if nothing malicious is occurring, it’s better to be safe than sorry.

Monitor Suspicious Activity

Beyond monitoring user account behavior and network traffic, you should also monitor other types of activity. For example:

• Excessive consumption or an increase in performance of server memory or harddrives could mean an attacker is accessing them.
• Changes in configuration that haven’t been approved, such as reconfiguration of services, installation of startup programs or firewall changes are often a sign of possible malicious activity.
• Hidden files that might be considered suspicious due to file names, sizes, or locations and could indicate a data leak.
• Unexpected changes such as user account lockouts, password changes or sudden changes in group memberships.
• Abnormal browsing behavior like unexpected redirects, changes in browser configuration, or repeated pop-ups.
• Suspicious registry entries, which are usually a result of a malware infection.
  
  

Security Incident Management

As you continuously monitor for threats, your organization will inevitably need to evaluate the risk an attack could pose as well as the vulnerabilities an attacker might exploit to do so. If you haven’t already done so, now is the time to implement a risk management program designed to help your organization identify, analyze, prioritize, and mitigate cyber risks.

Cyber Risk Management

The cyber risk management process never ends. Once you begin, you’ll need to keep the program alive and well if you want it to benefit your organization.

Start by creating a list of your company assets and keeping it current; it’s impossible to know how to protect your assets if you aren’t exactly sure what those assets are. Then conduct a risk assessment to determine the level of risk each of those assets presents to your organization. Next, prioritize those risks and create a mitigation plan for each one you identify. Finally, after mitigating your existing cyber risks, it’s time to start the process again.

In general, your organization should regularly conduct vulnerability assessments to identify vulnerabilities in your systems, software, and applications throughout the risk management process. In addition, you should also regularly conduct risk assessments to determine whether your internal security controls are working effectively to prevent threats from doing damage.

See our five-step risk management article for more details.

Incident Response, Disaster Recovery, and Business Continuity Plans

Ultimately, security incidents are inevitable; you cannot mitigate every single cyber risk. You can, however, decide how your organization will respond to those risks if they can’t be prevented. As part of your risk management program, your organization should create a thorough incident response plan to assure that the correct course of action is taken in the event of a security incident.

This includes making sure that the right people know what to do when a security incident occurs, and that you have the right plans to cover your assets in a number of disruptive events, including cybersecurity incidents, natural disasters, and more. A disaster recovery plan will help your organization ensure business continuity in the face of one of these disruptions.

Tools to Help

Protecting your organization from security incidents can be an overwhelming task, especially if you’re attempting to do so on your own. Moreover, with an endless number of security software solutions, tools, and applications to choose from, picking the right ones can be overwhelming too. You want a tool to do all-threat monitoring, risk management, governance, and compliance.

Fortunately, there are solutions designed to help.

Prevent Security Incidents with ZenGRC

ZenGRC is an integrated cybersecurity risk management solution designed to provide you with actionable insights to gain the visibility you need to stay ahead of the different types of cybersecurity threats and communicate the effect of risk on high-priority business initiatives.

Turn the unknown into quantifiable and actionable risk insights with built-in expertise that identifies and maps risks, threats, and controls for you, so you can spend less time setting up the application and more time using it.

A single, real-time view of risk and business context allows you to communicate to the board and key stakeholders in a way that’s framed around their priorities, keeping your risk posture in sync with the direction your business is moving.

ZenGRC will notify you automatically of any changes or required actions, so you can be on top of your risk posture like never before. Eliminate time-consuming, manual work and streamline collaboration by automating workflows and integrating with your most critical systems.

Now, through a more active approach, you can give time back to your team with ZenGRC. Talk to an expert today to learn more about how ZenGRC can help your organization mitigate cybersecurity risk and stay ahead of threats.