The information industry broadly speaking includes organizations in telecommunications, online information services, data processing and IT infrastructure. Sophisticated tech players they may be, but you couldn’t ask for an industry with a bigger attack surface for cybersecurity risk management.
For the recently released 2023 Cybersecurity Risk Report, the RiskLens data science team applied cyber risk quantification, FAIR risk analysis and curated industry data to reveal fresh insights about the probable loss exposure for cyber risks that the information sector needs to understand to plan effective security investments.
As a sector, information industry organizations:
>>Hold plentiful PII
>>Store and move tons of data
>>Hold valuable IP such as source code
>>Prioritize speed to market over security
>>Are in the crosshairs of privacy regulators (for GDPR, etc.)
>>Are likely to get sued over cyber loss events
These and other factors are all likely to keep their names in the data breach headlines.
Some recent examples of information industry cyber loss events:
>>September, 2022. Optus, the second largest wireless carrier in Australia, announced a massive data breach compromising PII for 10 per cent of the country’s population. Employee error left a web-facing API open, leading to a system intrusion.
>>November, 2022. Twitter announced that hackers exploited a vulnerability in an API to steal a database of user email addresses, later estimated at 200 million.
>>December, 2022. LastPass, the password manager with 33 million users, said that a threat actor broke into a developer account, stole source code and other IP, then leveraged that information to steal an employee’s decryption and cloud storage access keys and make off with customer PII.
>>2022 and 2023. European regulators fined Meta a cumulative one billion euros for data breaches, child privacy violation, data scraping and illegal ad practices.
Findings for the Information Industry in the RiskLens 2023 Cybersecurity Risk Report Based on Cyber Risk Quantification, FAIR Analysis and Industry Data
The RiskLens report looks beyond the scope of typical industry cyber risk reports that focus only on the most expensive or most frequent events. The RiskLens data science team ranks risks by average loss exposure (per risk scenario), summarizing how losses play out probabilistically over 10,000 simulated years, incorporating both the probable cost and probability of occurrence of the events. It’s a measurement in dollars that security and risk teams can use to inform cost-effective spending decisions.
(Note the representative/reference organization used for this simulation study is a mid-sized organization in North America of 500-1,000 employees and USD $100M-$1B in revenue with personally identifiable information (PII) records at risk.)
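As an added illustration of the ranking method described above (not RiskLens’ own model or data), here is a small Monte Carlo sketch in Python: each scenario gets a Poisson loss event frequency and a lognormal per-event loss magnitude, 10,000 years are simulated, and scenarios are ranked by average annual loss exposure alongside a 90th-percentile year and the average single-event loss. The scenario names come from the findings; every rate and dollar figure is a constructed assumption.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    lef: float         # loss event frequency: mean events per year (Poisson rate)
    mag_median: float  # median loss per event in USD (lognormal magnitude)
    mag_sigma: float   # log-scale spread of the per-event loss

def sample_poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(scn, rng, years=10000):
    """One simulated year = Poisson event count, each event a lognormal loss."""
    mu = math.log(scn.mag_median)
    return [sum(rng.lognormvariate(mu, scn.mag_sigma)
                for _ in range(sample_poisson(rng, scn.lef)))
            for _ in range(years)]

def analytic_ale(scn):
    """Closed-form annualized loss expectancy: E[N] * E[X], lognormal mean."""
    return scn.lef * scn.mag_median * math.exp(scn.mag_sigma ** 2 / 2)

def rank_scenarios(scenarios, years=10000, seed=2023):
    """Rank by average annual loss exposure; also report a tail (90th pct) year."""
    rng = random.Random(seed)  # fixed seed so the ranking is reproducible
    rows = []
    for scn in scenarios:
        losses = sorted(simulate_annual_losses(scn, rng, years))
        rows.append({"name": scn.name, "ale": sum(losses) / years,
                     "p90": losses[int(0.9 * years)],
                     "avg_event": scn.mag_median * math.exp(scn.mag_sigma ** 2 / 2)})
    return sorted(rows, key=lambda r: r["ale"], reverse=True)

# Constructed inputs for a mid-sized organization; not figures from the report.
SCENARIOS = [
    Scenario("basic web application attack", lef=5.0, mag_median=100_000, mag_sigma=0.5),
    Scenario("social engineering", lef=0.5, mag_median=600_000, mag_sigma=0.8),
    Scenario("insider misuse", lef=0.3, mag_median=800_000, mag_sigma=0.8),
]
```

Calling `rank_scenarios(SCENARIOS)` returns the scenarios ordered by simulated average loss exposure; comparing each `ale` against `analytic_ale` is a quick sanity check that the simulation converged.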
Detail of findings for the information industry in the Cybersecurity Risk Report.
The analysis ranked basic web application attacks, social engineering, and insider misuse as the top three risk categories for exposure. Social engineering and insider misuse also ranked first and second for average magnitude of a single loss event, should one occur (see the left column). Digging down into those cost figures, RiskLens data science finds that organizations in the information sector have a 38% greater probability than organizations in other industries of incurring costs from fines, court judgements and other secondary response costs.
See all the findings about cyber risk for information and technology companies – Download the 2023 Cybersecurity Risk Report now.
RiskLens offers quantitative cyber risk management solutions built on the FAIR™ standard. Leverage RiskLens to understand your cyber risks in financial terms. Contact us for a demo.