Cyber threats are real—and more common than you think. According to the FBI’s 2020 Internet Crime Report, the Internet Crime Complaint Center received 791,790 cyber crime complaints in 2020. That’s a 69 percent increase from 2019, and the number of ransomware attacks continues to rise. In July, IT management software company Kaseya fell victim to a supply chain ransomware attack, which affected 1,500 businesses. 

As ZDNet explained, hackers took advantage of a vulnerability in Kaseya’s software against multiple managed service providers (MSP). And although Kaseya said they had not found evidence that any of their SaaS customers had been compromised, some businesses closed and went offline due to the attack. It wasn’t worth the risk to stay online and fall victim to additional threats. 

The word “threat” is often confused with (or used interchangeably with) the words “risk” and “vulnerability.” But in cybersecurity, it’s important to differentiate between threat, vulnerability, and risk. A threat exploits a vulnerability and can damage or destroy an asset. Vulnerability refers to a weakness in your hardware, software, or procedures. (In other words, it’s a way hackers could easily find their way into your system.) And risk refers to the potential for lost, damaged, or destroyed assets. 

But that’s just the brass tacks. Let’s take a deeper look at the difference between threat, vulnerability, and risk, and why you need to know. 

What are threats?

Threats have the potential to steal or damage data, disrupt business, or create harm in general. To keep that from happening, you need to know what cyber threats exist. In general terms, there are three categories. 

  • Intentional threats: Things like malware, ransomware, phishing, malicious code, and wrongfully accessing user login credentials are all examples of intentional threats. They are activities or methods bad actors use to compromise a security or software system. 
  • Unintentional threats: Unintentional threats are often attributed to human error. For example, let’s say you forgot to lock the back door before leaving for work. While you’re at the office, a thief seizes the opportunity to sneak into your home and steal your valuables. Even though you didn’t mean to leave the door unlocked, the thief took advantage of your home’s vulnerability. In the cybersecurity industry, someone might leave the door to the IT servers unlocked or leave sensitive information unmonitored. An employee could forget to update their firewall or anti-virus software. Current and even former employees may also have unnecessary access to sensitive data, or simply be unaware of the threats. (Which is why employee training is so important.)
  • Natural threats: While acts of nature (floods, hurricanes, tornadoes, earthquakes, etc.) aren’t typically associated with cybersecurity, they are unpredictable and have the potential to damage your assets. 

To protect yourself from cyber threats, continuously monitor all data environments and use two-factor authentication. You should also teach your employees how to recognize phishing attempts and other tactics cyber criminals use to trick people into helping them gain access to sensitive data. For additional ways to protect you and your company’s data, check our ebook  “10 Cyber Risk Management Issues Every Business Needs to Address ASAP.”

What is vulnerability? 

Vulnerability refers to a weakness in your hardware, software, or procedures. It’s a gap through which a bad actor can gain access to your assets. In other words, threats exploit vulnerabilities. 

Take Kaseya. The FBI described the incident as “a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers.” Huntress, a cybersecurity firm, tracked 30 MSPs involved in the breach and concluded that the attack was due to an authentication bypass vulnerability in Kaseya’s VSA web interface. It allowed attackers to work around authentication controls and upload malware. 

You should know that small to medium-sized businesses tend to be more vulnerable to attacks. That’s because few can afford a dedicated IT/security department, making it less likely that there are security procedures in place. (That said, cyber attacks affect companies of all sizes.) Companies should be aware of their threats and vulnerabilities in order to identify and respond to all of the risks. To determine the best way to approach a specific threat, perform regular threat assessments. Or try penetration testing, which recreates real-world threats to discover vulnerabilities. 


What does risk mean?

Cyber risk is the intersection of assets, threats, and vulnerabilities. It’s the potential for loss, damage, or destruction of an asset when a threat takes advantage of a vulnerability. Put another way: 

Threats + Vulnerability = Risk

To determine your level of cyber risk, you have to understand the types of threats that are out there and know your system’s vulnerabilities. Although cybersecurity is an ever-moving target, you can keep your overall risk low. Trava has a free cyber risk checkup tool that runs a top-level scan of your domain. (The lower your score, the lower your risk.) By determining your level of risk, you can create a solid cyber risk management plan. 

Use what you know to develop a cyber risk management plan. 

Capturing, storing, and using sensitive data is essential for most organizations, but holding and accessing it means you have the responsibility to protect it. Understanding the difference between threat, vulnerability, and risk is the first step toward developing a cyber risk management plan. After all, cyber risk is business risk. If you can’t keep your customers’ data safe, you may lose their business, not to mention your reputation.