The 2023 Cybersecurity Risk Report from RiskLens, the authority on cyber risk quantification (CRQ), finds the government and healthcare sectors face the highest average risk of loss in dollar terms from a cyber incident in a year.
The new report draws on RiskLens' extensive data science research, covering nine industries and seven cyber risk categories (insider misuse, ransomware, etc.) to give a rich and detailed look at the cyber risk landscape that organizations can use to benchmark their own cyber security risk management posture.
RiskLens data scientists applied data from industry sources and ran hundreds of thousands of simulations of risk scenarios to generate results with cyber risk quantification. FAIR (Factor Analysis of Information Risk) is the underlying model for the research, as well as the risk analysis SaaS platform and managed services offered by RiskLens. (Note: the representative/reference organization used for this simulation study is a mid-sized organization in North America with 500-1,000 employees and USD $100M-$1B in revenue.)
Government and healthcare led the list of top industries by total loss exposure with $7.6 million and $5.5 million respectively. Those sorts of averaged annual figures are especially useful for organizations looking to make informed decisions on insurance or other investments to handle risk over time – but there are many other insights into the data contained in the new report, relevant for your industry and risk concerns.
Why Do Healthcare and Public Administration Rank the Highest for Cyber Risk Exposure?
The two sectors share some similarities. Cyber events in both are likely to make it into public records: healthcare, as a highly regulated industry, is required by HIPAA to report serious incidents to the federal government, and public officials, of course, must operate in public. Both sectors are known for low spending on security, particularly at the local government level. Both store large amounts of personal information in their databases, which is attractive to attackers.
Chart detail from the RiskLens Cybersecurity Risk Report
Both sectors are particularly susceptible to crippling, costly shutdowns if cyber incidents disrupt services. Attackers exploiting the Log4j vulnerability knocked the Suffolk County, NY, government offline for weeks in late 2022, “plunging it back to the pen and paper and fax machines of the 1990s,” the New York Times reported.
Adding to the loss exposure totals for healthcare: lawsuits by patients over breaches of personal health information. A study by law firm BakerHostetler found that 23% of all lawsuits filed over data breaches targeted healthcare organizations. Hospital chain CommonSpirit was recently sued by 670,000 claimants over a data breach following a ransomware attack in 2022 that disrupted some of its facilities for weeks.
The biggest offenders in healthcare or public administration cyber incidents aren’t external bad actors, though. The RiskLens Cybersecurity Risk Report identifies insider error and insider misuse—in other words, intentional or unintentional harm by employees with access to sensitive information—as the top two risk categories for those sectors.
What are comparable insights into cyber risk exposure for your industry? Download the RiskLens 2023 Cybersecurity Risk Report now.
RiskLens offers quantitative cyber risk management solutions built on the FAIR™ standard. Leverage RiskLens to understand your cyber risks in financial terms – contact us for a demo.