When Cyber Risk Hits Home

High-profile data breaches have become a regular feature in the news cycle. In Australia, incidents involving Qantas, Medibank and Optus each made headlines for exposing millions of personal records and triggering intense public and regulatory scrutiny.

While these companies operate at a national scale, their stories reflect a broader reality: cyber incidents do not only happen to high-value or high-risk targets. In fact, they can happen to anyone connected to vulnerable systems at the wrong moment.

As organisations digitise operations, rely on cloud platforms, and interact with a wider network of suppliers and service providers, the pathways into their systems have multiplied. So have the risks – often in ways that do not resemble traditional, targeted attacks. In this blog, we delve into the intricacies of cyber risk and how we can help companies navigate it.


What is Cyber Risk?

Cyber risk refers to the potential for financial loss, disruption, or damage to an organisation due to failures in its information technology systems. These risks arise from cyber threats, which include malicious attacks, data breaches, system failures, and human errors. Such risks can impact businesses, governments, and individuals, leading to compromised data, financial losses, reputational damage, and legal consequences.


Shotgun-Style Campaigns and Collateral Damage

A growing number of recent incidents show that being directly targeted is not always a prerequisite for being affected. In fact, many security breaches today stem from broad intrusion campaigns by cybercriminals or state-linked actors, aiming to compromise as many organisations as possible through a shared vulnerability.

The MOVEit Transfer breach, for example, first emerged in May 2023 when a vulnerability in a widely used file transfer application was exploited by a cybercrime group. Over 2,700 organisations worldwide were affected, with data on more than 93 million individuals exposed. The MOVEit case is a prime example of how shared platforms create shared vulnerabilities, turning vendor risks into enterprise-wide consequences.

Similar patterns appeared in the SolarWinds compromise of 2020. Malicious code was inserted into a routine software update, affecting thousands of organisations globally. Most were not specifically targeted; they were caught in a widespread supply chain incident that delivered access to whoever had installed the update.

These cases highlight a key shift in the cyber threat landscape. It is no longer just about who you are, but who you are connected to, what tools you rely on, and whether internal controls are able to flag early indicators of compromise.


Behind the Scenes: Sophisticated Attackers at Work

While some breaches stem from technical misconfigurations or employee error, others involve far more sophisticated actors. Known as Advanced Persistent Threats (APTs), these groups often operate with long-term objectives, leveraging stealth, patience, and highly customised techniques.

Many are believed to be linked to nation-states or operate in environments with indirect state support. In 2021, a group known as Hafnium, reportedly based in China, exploited zero-day vulnerabilities in Microsoft Exchange servers. The attack affected tens of thousands of organisations globally, not because they were specifically targeted, but simply because they used the affected software.

Law firms, schools, local councils, and small businesses were caught in the crossfire. The breach underscored how broad, sophisticated campaigns by state-linked actors can impact ordinary organisations through common platforms.

While the motives behind these campaigns may vary—ranging from espionage to financial gain—the result is often the same: disruption for a much wider group of organisations than initially intended.


The Impact of Cyber Risk Extends Beyond the Big Players

While some recent incidents have involved organisations considered part of critical infrastructure—such as Qantas—others have impacted businesses well outside traditionally high-risk sectors. This reinforces the reality that exposure to cyber threats is not limited to the most prominent or strategically sensitive entities.

In April 2025, the major British retailer Marks & Spencer experienced a ransomware attack that disrupted contactless payments, online orders, and click-and-collect services over a key holiday weekend. The incident caused substantial operational disruption and reputational harm, with losses in operating profit estimated at approximately S$522 million this year.

That same month, a ransomware attack on Toppan Next Tech, a third-party printing vendor in Singapore, resulted in the exposure of over 11,000 customer records from DBS Bank and Bank of China.

While the banks’ core systems remained unaffected, the breach—through a vendor—highlighted how even well-defended organisations can face downstream impact due to third-party weaknesses. Regulatory authorities were swiftly engaged to contain the fallout and investigate the incident.

Even where an organisation holds a limited amount of personal or proprietary data, the consequences of a breach can be significant: reputational damage, loss of customer trust, and compliance obligations under privacy legislation. Therefore, it is increasingly clear that impact is not always proportionate to industry or size.


The Importance of Managing Cybersecurity Risk

Managing cyber risk is a unique and difficult problem with significant stakes for modern enterprises. It is crucial for businesses because the consequences of cyber threats can be severe, affecting not only the organisation’s operations but also its reputation, finances, and legal standing. Here is why managing cyber risk is essential:

Protects Sensitive Data

Businesses handle vast amounts of sensitive information, including customer data, financial records, and intellectual property. A data breach can lead to the theft of this information, resulting in financial loss, identity theft, and loss of trust from customers.

Mitigates Insider Threats

Not all cyber risks come from external attackers; employees or contractors can unintentionally or maliciously compromise systems. Managing cyber risk includes implementing policies and training to reduce insider threats.

Addresses Evolving Threats

Cyber threats are constantly evolving, with attackers using more sophisticated methods. Managing cyber risk ensures businesses stay ahead of these threats by updating defences and adapting to new challenges.


Assurance and Oversight Matter More Than Ever

Cybersecurity is no longer just about preventing targeted attacks or responding to malware outbreaks. It is about understanding the broader environment in which organisations operate—a digital ecosystem where dependencies are layered and threats are often indirect.

A few reflections that are now becoming common across industries:

  • Many organisations are exposed through third-party systems and cloud platforms they do not directly control
  • Sophisticated attacks often exploit everyday tools that are widely used across sectors
  • Internal controls and assurance functions—not just technical defences—play a critical role in early detection and resilience
  • Having clear visibility into system access, supplier activity, and response readiness is just as important as installing new technologies

Navigate Cyber Risk With InCorp

Cyber incidents today are increasingly complex, global, and interconnected. While some will always make headlines, many more will unfold quietly, affecting companies not because they were chosen—but because they were vulnerable at the wrong time.

As regulatory expectations grow and public trust in data handling becomes more critical, businesses across all sectors are beginning to reassess how they manage cyber risk: not as a purely technical matter, but as a core part of their operational and reputational strategy.

Effective cyber risk management starts with understanding your current position. For modern enterprises, this means building a risk profile through comprehensive risk assessment. At InCorp, our team is well-equipped with the knowledge and experience to perform IT and cybersecurity risk assurance services. Contact us to learn how to get started with protecting your business today!

FAQs about Cyber Risk

  • What is an example of a cybersecurity risk?

    An example of a cybersecurity risk is a phishing attack. Cybercriminals send fraudulent emails or messages that appear to be from a legitimate source, such as a trusted company, bank, or colleague.

  • What are the different types of cyber risks?

    Cyber risks come in various forms, each posing unique threats to individuals, businesses, and governments. Some examples include malware attacks, ransomware attacks, and data breaches.

  • What is the difference between IT risk and cyber risk?

    IT risk refers to the potential for any kind of failure or disruption in an organisation's information technology systems that could impact business operations. It encompasses a broad range of risks, including hardware failures, software bugs, and human errors. On the other hand, cyber risk specifically focuses on risks related to cyber threats, such as malicious attacks, data breaches, and unauthorised access to digital systems.

About the Author

Ruby Rouben

Ruby brings over 16 years of extensive experience in the audit field to the role, the majority of which was spent leading the internal audit and risk advisory engagements across publicly listed companies, institutions of higher learning, MNCs, statutory boards, ministries, and more. In recent years, Ruby has focused on advancing sustainability consultancy services, leading internal evaluations of the sustainability reporting processes for publicly listed companies. This shift underscores Ruby's commitment to enhancing corporate responsibility and environmental stewardship in the business landscape.
