New Benchmark Cyber-risk Report Unveils the Top Industry Threats
Looking at the sweep of 2022 cyber incidents, attackers spared no industry, sector, or organization, no matter how sophisticated. A technology leader such as Uber was compromised (reportedly by a 16-year-old from the Lapsus$ gang) along with technology-poor institutions such as the Jackson County, MI Intermediate School District, which was closed for days by ransomware.
Risk themes continued to evolve in insidiously creative ways, from insider misuse (for example, Meta employees were revealed to be ransoming Facebook and Instagram accounts) to ransomware (not just double but triple extortion, in which attackers demand payment both from the compromised company and from those who may be affected by the leaking of stolen data) to business email compromise (no longer just criminals impersonating a known source via email, but now adding voicemail compromise with deepfakes).
Facing this whirl of bad news, cyber-risk leaders and corporate directors need, as mentioned in NACD’s 2023 Director’s Handbook on Cyber-Risk Oversight, clarity about their risk landscape and risk posture to assess the problem in the context of their specific industry and to effectively guide their actions. The RiskLens 2023 Cybersecurity Risk Report provides reference data on the impact of top cyber threats across key industries, based on actual 2022 events. Here are the key takeaways.
Top Industries Impacted
The two industries with the greatest financial loss exposure are public administration and healthcare. Although losses per cyber event may be moderate, these industries are particularly exposed because of the high frequency of such events.
In the case of public administration, especially local governments in the United States, there is a lack of adequate protection against potential threats. This is often due to budget constraints, leaving them susceptible to cyberattacks. Public administration is one of the most likely industries to be targeted by cybercriminals, with ransom and encryption attacks causing lengthy disruptions of vital services and revenue sources such as payments for parking tickets or construction permits.
For their part, health-care providers and payers play a high-stakes game in the cyber-risk landscape, with sensitive data (sometimes in the hands of third-party vendors) and patient care at risk, all under the oversight of the US Department of Health and Human Services Office for Civil Rights watching—and fining—for violations of the Health Insurance Portability and Accountability Act of 1996.
When looking at losses per cyber event, without consideration of frequency, manufacturing and retail are the industries that record the highest losses, driven, respectively, by outages in the production of goods and breaches of personal customer information.
Top Cyber Threats
When considering both the per-event losses and event probabilities, the study provides findings that might be counterintuitive for many. Consider the top two risk themes by probability: insider error and insider misuse. While these are often the most likely events across industries, they are not in the top three most expensive losses per event. Similarly, the most expensive theme by loss is system intrusion; however, it is substantially less probable than the top three most likely risk themes.
The threat that cyber-risk overseers need to pay the most attention to is basic web application attacks, which are relatively probable and relatively expensive on a per-event basis. Basic web application attacks are any attacks that target and compromise a vulnerable web application and that can result in a business interruption or a data breach.
The report also reveals the top two cyber threats per industry, as follows:
Accommodation and food services: system intrusion, web application attacks
Educational services: web application attacks, insider error
Finance and insurance: insider error, web application attacks
Health care: insider error, insider misuse
Information: web application attacks, social engineering
Manufacturing: insider misuse, web application attacks
Professional services: insider misuse, system intrusion
Public administration: web application attacks, insider misuse
Retail: web application attacks, insider error
How Security Affects Risk
The study also examined the possible effect of changes in cybersecurity posture and of changes in the number of records, such as personally identifiable information and credit card numbers, that are at risk of being accessed and stolen by unauthorized individuals or entities.
Many organizations tend to keep more data than is strictly necessary for running their operations, often at the demand of sales and marketing teams, because the data may be useful at some point for analysis and reports on inactive customers, old patients, or prior students. What these organizations do not realize is that those personal records become a liability for the company in the case of a data breach, adding to the possible fines and judgments, credit monitoring bills, and other response costs. Corporate directors should inquire about their company’s data storage practices and ensure that inactive data is purged from live databases.
The key takeaway is that substantial improvements to security posture and a reduction in the number of records at risk can reduce losses by 60 percent and event probability by 67 percent. If applied jointly, these two levers can reduce overall cyber-risk exposure by 88 percent.
Nicola (Nick) Sanna is CEO of RiskLens, founder of the FAIR Institute, and board member of Internet Security Alliance, with whom NACD has worked on the Cyber-Risk Oversight handbook.