Looking out across the sweep of cyber incidents in 2022, attackers spared no industry, sector or organization, no matter how sophisticated. A technology leader like Uber was compromised (reportedly by a 16-year-old from the Lapsus$ gang) along with technology-poor institutions like the Jackson County, MI, Intermediate School District, closed for days by ransomware.
Risk themes continued to evolve in insidiously creative ways, from Insider Misuse (Meta employees were revealed to be ransoming Facebook and Instagram accounts) to ransomware (not just double but triple extortion) to business email compromise (adding voicemail compromise with deep fakes).
Facing this whirl of bad news, cybersecurity defenders, risk managers and business leaders need, more than ever, clarity about their risk landscape and risk posture to guide their actions. At RiskLens, we believe that clarity comes through cyber risk quantification (CRQ): understanding cyber risk in business terms — dollars and cents — and prioritizing what matters most. Hitting that goal requires a transparent, proven risk model and carefully curated cyber risk data. We based this 2023 Cybersecurity Risk Report on Factor Analysis of Information Risk (FAIR™), the international standard for CRQ, and extensive research by the RiskLens Data Science team.
We invite you to dig down into this report to discover the most relevant cyber risk data for your organization and benchmark your performance against peers in your industry and others.
We conducted this study with a series of simulations built to represent key industries and their exposure to cybersecurity risk in 2022, as presented by a range of cyber threats, both external and internal to the average organization.
The results of this study included the following key findings:
The top two threat themes by overall exposure are Web Application Attacks, which had the highest overall loss exposure (risk); and Insider Errors, which were more likely but less costly.
The top two industries by loss exposure are Public Administration and Healthcare, driven by high event probabilities and moderate losses.
Among the levers at the cybersecurity practitioner’s disposal to reduce cyber risk are security posture and the data management of records. Specifically, our study found that making substantial improvements to security posture and reducing the number of records at risk can reduce losses by 60 percent and event probability by 67 percent. Jointly, these levers can reduce overall event exposure by 88 percent.
As a complement to the insights from our study, this report concludes with an article written by Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Services at IBM, a RiskLens partner.
In this article, titled “Using Risk Quantification to Empower Decision Makers and Reduce Cyber Risk across Highly Targeted Industries,” Julian describes how organizations can achieve, and have achieved, the promise of CRQ through the disciplined, programmatic application of Factor Analysis of Information Risk (FAIR), the international standard for CRQ.