
Sources of Cyber Risk
Learn the major sources of cyber risk including human threats, fraud, malware, viruses, sabotage, and DoS attacks with real business examples. ICAN CA-focused notes by Lakshya CA Learn Hub.
Sources of Cyber Risk with Examples
With the rapid digitization of business processes, cyber risk has become one of the most critical threats faced by modern organizations. Companies today depend on accounting software, ERP systems, cloud platforms, online banking, and digital communication networks. While these technologies increase efficiency, they also expose businesses to cyber risks that can result in financial loss, data breaches, operational shutdowns, and reputational damage.
For Chartered Accountancy students, cyber risk is not just a technical topic—it is closely connected to internal control systems, risk management, auditing, governance, and compliance. This blog explains the major sources of cyber risk, each with detailed discussion and practical examples.
1. Human Threats
Human threats are one of the most significant and common sources of cyber risk. These threats arise due to human error, negligence, lack of awareness, or poor judgment, rather than malicious intent. Even with advanced technology, a single mistake by an employee can compromise an entire system.
Employees often handle sensitive information such as financial records, passwords, customer data, and confidential documents. If they fail to follow proper security practices, cybercriminals can easily exploit these weaknesses.
Common Causes of Human Threats
Weak or reused passwords
Sharing login credentials with colleagues
Clicking on phishing emails or suspicious links
Downloading unauthorized software
Lack of cybersecurity training
Business Impact
Human threats can lead to unauthorized access, data leakage, financial fraud, and system downtime. From an accounting and audit perspective, such threats indicate weak internal controls and poor governance.
Example
A mid-sized trading company uses cloud-based accounting software. An accounts assistant receives an email appearing to be from the company’s bank, asking to “verify login credentials.” Without verifying the sender, the employee enters the login details. The email was a phishing attempt, and the attacker gains access to the company’s financial data and payment system. Within hours, fraudulent payments are made to fake vendor accounts.
The loss occurred not because of system failure, but due to human error.
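The phishing email in this example could have been caught by a few mechanical checks before anyone typed in a password. The script below is an added illustration, not part of the original notes: it applies three detective checks to a constructed email (the bank name, domains and addresses are invented for the example) and reports why the message should not be trusted. The allow-list of correspondent domains is an assumption a company would maintain itself.

```python
"""Sender and link checks for a suspicious 'message from the bank'.

Added example (constructed data). Three cheap detective controls an email
gateway, or a careful accounts assistant, can apply before trusting a message:
1. the From domain must be one the company actually deals with,
2. Reply-To must not quietly redirect replies to a different domain,
3. link text that names a trusted domain must really point at that domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of known correspondents (constructed for the example).
TRUSTED_DOMAINS = {"examplebank.com"}

LINK_RE = re.compile(r'<a\s+href="(?P<href>[^"]+)"[^>]*>(?P<text>[^<]*)</a>', re.IGNORECASE)


def domain_of(address):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags; an empty list means none found."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg.get("From", ""))
    if from_domain not in trusted:
        findings.append(f"sender domain not trusted: {from_domain}")

    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"reply-to domain differs from sender: {domain_of(reply_to)}")

    body = msg.get_payload()  # single-part text/html body in these constructed messages
    for link in LINK_RE.finditer(body):
        host = (urlparse(link["href"]).hostname or "").lower()
        text = link["text"].strip().lower()
        for domain in trusted:
            if domain in text and not (host == domain or host.endswith("." + domain)):
                findings.append(f"link text mentions {domain} but points to {host}")
    return findings


# Constructed phishing message: lookalike sender domain, foreign Reply-To, misleading link.
PHISHING_MESSAGE = """\
From: "Example Bank Security" <alerts@examp1ebank-secure.com>
Reply-To: verify@mail-verify.example.net
To: accounts@company.example
Subject: Urgent: verify your login credentials
Content-Type: text/html

<p>Your online banking access will be suspended. Please verify your login credentials here:</p>
<a href="http://login.examp1ebank-secure.com/verify">examplebank.com/login</a>
"""

# Constructed legitimate message from the real correspondent domain.
LEGITIMATE_MESSAGE = """\
From: "Example Bank" <alerts@examplebank.com>
To: accounts@company.example
Subject: Your January statement is available
Content-Type: text/html

<p>Your statement is ready.</p>
<a href="https://online.examplebank.com/statements">examplebank.com</a>
"""

if __name__ == "__main__":
    for label, message in (("phishing", PHISHING_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, phishing_indicators(message) or "no indicators")
```

None of these checks proves a message is safe, but any one of them firing is enough reason to confirm with the bank through a known channel rather than through the email itself; that pause is the control the example above was missing.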
Relevance for CA Students
Highlights the importance of access control policies
Emphasizes the need for training and awareness programs
Shows how auditors assess control weaknesses caused by people
📌 Exam Tip:
Human threats relate to internal control environment, risk assessment, and IT general controls.
2. Fraud
Fraud is an intentional act involving deception, carried out to gain unauthorized financial or personal benefit using information systems. Cyber fraud has increased significantly due to online banking, digital payments, and e-commerce platforms.
Unlike human error, fraud is deliberate and planned, often involving insiders or external attackers exploiting system loopholes.
Common Types of Cyber Fraud
Online banking fraud
Identity theft
Fake vendor creation in accounting systems
Manipulation of digital financial records
Credit card and payment gateway fraud
Business Impact
Cyber fraud leads to direct financial loss, legal consequences, regulatory penalties, and loss of public trust. For accountants, fraud risk is a major concern because it affects the accuracy and reliability of financial statements.
Example
An employee in the finance department has access to the vendor master file. He creates a fake vendor account with his personal bank details. Over several months, he processes small payments to this fake vendor, avoiding detection. Since the transactions are digital and automated, the fraud goes unnoticed until a forensic audit is conducted.
This is a classic example of cyber-enabled financial fraud.
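The forensic audit that finally uncovers this scheme does not need to be manual. The script below is an added example, not part of the original notes: it runs three data-analytic checks over constructed vendor-master, payroll and payment records (the employee ids, account numbers, amounts and the 5,000 approval threshold are all invented for the illustration), each aimed at one feature of the fake-vendor fraud described above.

```python
"""Forensic checks for the fake-vendor scheme, over constructed sample data.

Added example. Three red flags, each matching one feature of the fraud:
1. a vendor paid into a bank account that also appears on the payroll,
2. a vendor record created and approved by the same user (no segregation of duties),
3. repeated payments just under the approval threshold to a single vendor
   (structuring, so that no payment ever needs a second approver).
"""
from collections import defaultdict

# Assumed approval policy for the example: payments at or above this need a second approver.
APPROVAL_THRESHOLD = 5000

# Constructed sample data; no real company, employee or vendor is represented.
EMPLOYEES = [
    {"id": "E101", "name": "R. Sharma", "bank_account": "0011223344"},
    {"id": "E102", "name": "P. Mehta", "bank_account": "0099887766"},
]

VENDORS = [
    {"id": "V001", "name": "Alpha Supplies", "bank_account": "5555666677",
     "created_by": "E101", "approved_by": "E102"},
    {"id": "V002", "name": "RS Consulting", "bank_account": "0011223344",
     "created_by": "E101", "approved_by": "E101"},
]

PAYMENTS = [
    {"vendor": "V001", "amount": 12000, "date": "2024-01-10"},
    {"vendor": "V002", "amount": 4900, "date": "2024-01-15"},
    {"vendor": "V002", "amount": 4950, "date": "2024-02-15"},
    {"vendor": "V002", "amount": 4800, "date": "2024-03-15"},
    {"vendor": "V001", "amount": 4990, "date": "2024-03-20"},
]


def vendors_matching_employee_accounts(vendors, employees):
    """Return (vendor_id, employee_id) pairs sharing a bank account."""
    employee_accounts = {e["bank_account"]: e["id"] for e in employees}
    return [(v["id"], employee_accounts[v["bank_account"]])
            for v in vendors if v["bank_account"] in employee_accounts]


def sod_violations(vendors):
    """Return vendor ids whose creator also approved the record."""
    return [v["id"] for v in vendors if v["created_by"] == v["approved_by"]]


def structured_payments(payments, threshold, margin=0.05, min_count=3):
    """Return vendors with at least min_count payments within `margin` below threshold."""
    near_threshold = defaultdict(int)
    for p in payments:
        if threshold * (1 - margin) <= p["amount"] < threshold:
            near_threshold[p["vendor"]] += 1
    return sorted(v for v, n in near_threshold.items() if n >= min_count)


def run_checks(vendors=VENDORS, employees=EMPLOYEES, payments=PAYMENTS):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "employee_account_match": vendors_matching_employee_accounts(vendors, employees),
        "sod_violation": sod_violations(vendors),
        "structured_payments": structured_payments(payments, APPROVAL_THRESHOLD),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits}")
```

On the constructed data every check points at the same vendor, V002. In practice the first two checks are preventive as much as detective: if vendor creation and approval were forced onto different users, and new vendor bank details were screened against payroll at entry, the account could not have been set up in the first place.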
Relevance for CA Students
Links directly to forensic accounting
Important for statutory audit and internal audit
Highlights the need for segregation of duties
📌 Exam Tip:
Fraud is a key topic under risk management, ethics, auditing standards, and internal control evaluation.
3. Deliberate Sabotage
Deliberate sabotage refers to intentional damage or disruption of information systems to harm an organization. This may be carried out by disgruntled employees, former staff, competitors, or hackers.
Unlike fraud (which aims for personal gain), sabotage is often motivated by revenge, anger, or competitive advantage.
Forms of Sabotage
Deleting critical business data
Modifying accounting or ERP systems
Disabling servers or networks
Introducing malicious code
Business Impact
Sabotage can cause complete operational shutdown, loss of critical data, and long recovery periods. From a CA’s viewpoint, sabotage threatens business continuity and going concern assumptions.
Example
A system administrator resigns after a dispute with management. Before leaving, he deletes backup files and disables access to the company’s ERP system. As a result, the company cannot process invoices, payroll, or financial reports for several days, leading to financial and reputational damage.
Relevance for CA Students
Demonstrates the importance of user access controls
Highlights exit controls and role-based access
Critical for business continuity planning
📌 Exam Tip:
Sabotage is linked to preventive and detective controls in information systems.
4. Viruses and Other Data Corruptions
Viruses are malicious programs that replicate themselves and corrupt files, applications, or entire systems. Data corruption occurs when information is altered, damaged, or destroyed unintentionally or maliciously.
Viruses can enter systems through emails, downloads, or external devices and spread rapidly across networks.
Effects of Viruses
Corruption of accounting data
Loss of transaction records
System crashes
Inaccurate financial reporting
Example
A company employee plugs an infected USB drive into the office computer. The virus spreads to the accounting system and corrupts financial data for the past three months. The company must restore backups and re-enter data, delaying audits and reporting deadlines.
Relevance for CA Students
Impacts data integrity and accuracy
Affects audit reliability
Shows importance of backup and recovery controls
📌 Exam Tip:
Data corruption affects information reliability, a core accounting principle.
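Restoring from a backup only helps if the backup itself is intact, so a backup and recovery control normally records a cryptographic digest of every file at backup time and re-checks it before a restore. The script below is an added example, not part of the original notes: it builds a SHA-256 manifest for constructed ledger files in a temporary directory, then shows the manifest catching a single altered amount that a simple restore would have loaded straight back into the accounts.

```python
"""Hash manifest for backup integrity, with constructed ledger files.

Added example. At backup time we record a SHA-256 digest per file; before a
restore we recompute the digests and compare, so corrupted, tampered, missing
or unexpected files are reported instead of being silently restored.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Digest a file in chunks so large backups never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Map each file under backup_dir (path relative to it) to its digest."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full_path = os.path.join(root, name)
            manifest[os.path.relpath(full_path, backup_dir)] = sha256_file(full_path)
    return manifest


def verify_manifest(backup_dir, manifest):
    """Compare the directory's current state against a previously stored manifest."""
    current = build_manifest(backup_dir)
    return {
        "corrupted": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: two monthly ledgers backed up, then one amount silently altered."""
    with tempfile.TemporaryDirectory() as backup_dir:
        ledgers = {
            "ledger_2024_01.csv": b"date,account,debit,credit\n2024-01-05,1001,1500.00,0.00\n",
            "ledger_2024_02.csv": b"date,account,debit,credit\n2024-02-05,1001,0.00,1500.00\n",
        }
        for name, data in ledgers.items():
            with open(os.path.join(backup_dir, name), "wb") as f:
                f.write(data)

        # The manifest would be stored separately from the backup media in practice.
        manifest = build_manifest(backup_dir)
        clean_result = verify_manifest(backup_dir, manifest)

        # Simulate corruption: one digit of a posted amount changes on the backup copy.
        path = os.path.join(backup_dir, "ledger_2024_01.csv")
        with open(path, "r+b") as f:
            data = f.read().replace(b"1500.00,0.00", b"1800.00,0.00")
            f.seek(0)
            f.write(data)
            f.truncate()
        corrupted_result = verify_manifest(backup_dir, manifest)

    return clean_result, corrupted_result


if __name__ == "__main__":
    before, after = demo()
    print("before corruption:", before)
    print("after corruption: ", after)
```

A digest detects that a file changed, not why; whether the cause was a virus, a failing disk or deliberate tampering is a question for the investigation that follows. The point for the audit is that the altered three months of data in the example above would be rejected at restore time rather than discovered after the financial statements were prepared.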
5. Malware
Malware includes viruses, ransomware, spyware, worms, and Trojan horses. It is designed to steal data, disrupt systems, or demand ransom.
Types of Malware
Ransomware: Locks data until ransom is paid
Spyware: Collects confidential information
Trojan Horse: Appears legitimate but is harmful
Example
A manufacturing company’s server is attacked by ransomware. All accounting and inventory data are encrypted, and hackers demand payment in cryptocurrency. Operations stop, payroll is delayed, and financial reporting is impossible.
Relevance for CA Students
Links to system security and IT controls
Important for risk assessment
Affects business continuity
6. Denial of Service (DoS) Attack
A DoS attack floods a system with excessive requests, making it unavailable to legitimate users.
Example
An online banking portal is attacked during peak hours, preventing customers from accessing accounts. This leads to loss of trust and regulatory scrutiny.
📌 Exam Tip:
DoS attacks threaten system availability, part of the CIA Triad.
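The first sign of the flood described above is usually in the web server's own access log: one source sending requests far faster than any customer could. The script below is an added example, not part of the original notes: it parses constructed log lines in the common Apache format, counts requests per source within a short sliding window, and reports sources that exceed a rate threshold. The window length and threshold are assumed values a bank would tune to its own traffic.

```python
"""Request-flood detection over constructed access-log lines.

Added example. A sliding window of recent request timestamps is kept per
source address; when the number of requests inside the window exceeds a
threshold, the source is reported together with its peak count. Malformed
lines are skipped so the monitor itself cannot be knocked over by bad input.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return {
        "ip": match["ip"],
        "ts": datetime.strptime(match["ts"], TS_FORMAT),
        "req": match["req"],
        "status": int(match["status"]),
    }


def flood_sources(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_count} for sources exceeding max_requests in any window."""
    recent = defaultdict(deque)  # per-source timestamps inside the current window
    peaks = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        window = recent[entry["ip"]]
        window.append(entry["ts"])
        while (entry["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            peaks[entry["ip"]] = max(peaks.get(entry["ip"], 0), len(window))
    return peaks


def log_line(ts, ip, request, status):
    """Format a constructed common-log-format line (UTC offset fixed to +0000)."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] "{request}" {status} 512'


def constructed_log():
    """Constructed peak-hours log: one source fires 60 requests in 6 s, a customer makes 5 in 2 min."""
    base = datetime(2024, 3, 1, 9, 30, 0)
    lines = [log_line(base + timedelta(milliseconds=100 * i), "203.0.113.7", "GET /login HTTP/1.1", 200)
             for i in range(60)]
    lines += [log_line(base + timedelta(seconds=30 * i), "198.51.100.20", "GET /accounts HTTP/1.1", 200)
              for i in range(5)]
    lines.append("this line is corrupt and must not crash the monitor")
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(constructed_log()).items():
        print(f"flood suspected from {ip}: {peak} requests within window")
```

A per-source counter catches the single-source flood in the example; a distributed attack spreads the same volume over many addresses and would need aggregate request-rate or per-endpoint thresholds as well. Either way the detection feeds the availability side of the CIA Triad noted above, giving operations time to rate-limit or block traffic before customers are locked out.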
Final Conclusion
Cyber risks arise from multiple sources, including human behavior, intentional fraud, sabotage, malicious software, and network attacks. Chartered Accountants must understand these risks to effectively evaluate internal controls, audit systems, and business risks.