Exclusive first look at Coalition’s new cyber claims dataGet the 2024 Cyber Claims Report
Cyber Incident? Get Help

Cybersecurity education: Incidents vs. attacks and tools to mitigate them


There are many terms related to cybersecurity failures, such as events, incidents, and attacks. But what do these terms mean, and is there a hierarchy? Some of these terms have specific meanings, and learning the differences can help you build a cybersecurity program in your organization to avoid or mitigate any potential business impacts.

Defining the issue

It’s helpful to understand these terms when thinking about cyber risks because not all risks will impact your organization equally — it’s like having one lightbulb in your store burnt out vs. having no power at all. You can probably get an extra lamp to help customers browse products, but without power, accepting credit cards or operating a register is going to be impossible.

We’ve defined the most common terms below; note that some of these definitions come from the ITIL framework, which is a set of processes designed for standardizing and delivering IT services (including information and cyber security):


Any observable thing that occurs on a computer network/system, such as a user logging in, a file being saved, or a system powering down.


ITIL defines an incident as "any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service."

All incidents are events because they are observable, but not all events are incidents. Incidents are adverse events that disrupt the ability of users or a system to operate normally, such as ransomware locking a user out of their workstation or a fire damaging a data center and interrupting access to business-critical applications.


An attack is likely to generate events and, if successful, will definitely cause an incident. Attackers are motivated to seek out a vulnerability (often an unresolved problem), which they then exploit for nefarious purposes. Their actions often create observable events, although well-funded attackers may be able to cover their tracks.

Attacks often result in one or more incidents, such as a data breach or loss of system availability.

Intent matters

Both incidents and attacks can be devastating to a business in several ways. They might disrupt your operations, damage your reputation with customers or partners, or land you in legal trouble if sensitive data is stolen or leaked. The impact of both is the same, but there’s a key difference between the two: incidents are not necessarily intentional. Natural disasters do not particularly target individual organizations, nor do hardware/software failures seek out specific targets.

By contrast, attacks are targeted and intentional — an attacker has a specific objective to exploit or disrupt a specific organization. It’s important to note there are levels of intent as well. Many of us picture a hacker, usually wearing a hoodie and sitting in a dark room hunched over a computer, trying to breach a specific target. In reality, it’s often a foreign nation’s military or a multinational conglomerate.

While targeted attacks do occur, Coalition has often seen attackers casting a wide net and ensnaring anybody they possibly can — turning targets of opportunity into victims. These attacks are still intentional since the criminals are actively seeking to exploit victims, but they haven’t singled out one company or organization in particular.

For example, ransomware attacks often start with a simple vulnerability exploit. An attacker will send a phishing email to harvest credentials or a spear-phishing email containing a malicious attachment that ultimately grants them access to an organization’s network.

How Coalition helps

At Coalition, we firmly believe that the best way to prevent attacks and incidents is to be proactive with your cyber hygiene program. This encompasses the people, processes, and technology your organization uses daily to ensure that both critical business information and information systems stay secure. To help our policyholders, we offer:

Coalition Control

Attack surface monitoring is integrated and free inside Coalition Control, our leading security platform that monitors your organization and discovers vulnerabilities like exposed email and web servers. It also includes simple guidance on how to remediate those vulnerabilities before attackers can exploit them.

Security Partners

Training users to spot phishing attacks, act responsibly with systems and data, and be cyber safe is no easy task. Coalition policyholders get access to Curricula’s suite of training and awareness and phishing simulation tools to help address the people aspect of security. In addition, partners like Malwarebytes, SentinelOne, and Reciprocity can help you address important security processes like incident detection and response, and security governance, risk management, and compliance

Insurance for when things go wrong

No security program is foolproof, and no defense is 100% effective. In the event that an incident or attack disrupts your operations, Coalition Incident Response (CIR) and our claims team are here to help 24x7. They can help investigate and eliminate the threat, and help you recover from the issues that caused the business disruption.