What Data Tells Us About Cyber Security Breaches - Part 3 - IRIS 20/20
Last time out we looked at the UK Cyber Security Breaches Survey, which, whilst gifting us some interesting statistics, at times had us scratching our heads. The IRIS 20/20 is another great source of insight when it comes to demystifying cyber security breaches, and it has some very contrasting findings!
Rather than surveying organisations, the IRIS research analysed thousands of loss events (aka data breaches) covering the last 10 years, looking for informative patterns in the frequency and impact of breaches. The data from this report, if used effectively, allows us to estimate how much money an organisation is likely to lose in any one year due to a cyber attack.
Why is that important?
Well, qualitative risk assessments (i.e. estimating risk using low, medium and high) do not allow an organisation to understand with any accuracy how frequently a breach could occur, or what the likely losses are in financial terms.
Senior leadership teams can relate to the language of money. They can understand it and react accordingly. They will find it more difficult, however, to understand and be able to react to "this is a medium likelihood and high impact security risk".
That's not to say there is no place for qualitative risk assessments; they are a good starting point when an organisation has a low cyber risk management maturity. Quantitative, however, is the gold standard - but it depends heavily on good data.
The IRIS 20/20 report gives us a foundation. We can use the data to estimate the frequency and cost of cyber losses depending on our organisation's industry and size. It isn't perfect or 100% precise, but it allows us to make reasonable, defendable estimations about cyber losses.
Excited? Me too!
"Over 60% of the Fortune 1000 had at least one cyber incident over the last decade. On an annual basis, we estimate one in four Fortune 1000 firms will suffer a loss event." We won't spend too long here. Let's face it, 99.92% of you are not a Fortune 1000 company, so that 60% figure won't be very representative for most of you. I wanted to highlight it because it shows that, generally, the bigger the company, the more likely it is to face (and report) a breach. Why? Big companies have big bank accounts, big data, vast infrastructure and a lot of people. Therefore they are more likely to be targeted and more likely to make a human error, and, due to regulation and pressure, they are also more likely to report breaches. Their cyber budgets will be bigger too. However, as I may have been told once or twice, "It's not what you have but what you do with it." The same applies to cyber security budgets.
"Moving beyond mega-corporations, the probability of incidents drops substantially. SMBs have rates below 2% and are orders of magnitude less likely to suffer several breaches in a year." Here we have it. A typical SMB is breached less often, or at least reports it less often. 2% in any one year is perhaps a more suitable figure for the majority of the companies out there, but of course it isn't one size fits all. A company is more likely to be in that 2% if it's doing nothing in the way of good security hygiene, just as we're all more likely to end up on our death beds earlier if we don't exercise, eat well and relax. Slice it up however you like. Now, there's the IRIS 20/20 statistic for probability. Let's talk about impact, shall we?
"Financial losses following a cyber event typically run about $200K, but 10% of them exceed $20M." Now, just as a 2% breach probability seems low, $200k per breach sounds high. This report appears to be full of extremes. Let's consider that the US regulation on reporting cyber breaches is different to the UK's. The US regulation is aimed at bigger corporations, whereas the UK (GDPR/DPA) generally requires a firm to report breaches that disclose personal information. Therefore, the US data we're looking at is likely to reflect bigger firms suffering breaches, and bigger firms typically have bigger losses for data breaches. We will talk more about the differences in the reports in a later blog post. For now, start saving $200k under your bed because there's a 2% chance that you're next ;)

Join me for a little bonus chat. Data such as that presented in the IRIS 20/20 has given us cyber security professionals something we haven't really had access to before. It allows us to quantify risk and articulate it in a financial and defendable way. Rather than saying "there is a high risk we will suffer a breach", with this type of data we can instead say "we are 2% likely to suffer a data breach in any one year at a cost of $200k". This allows us to go a step further and say "each year, we are expected to lose $4k in data breach costs". We could make a more precise estimation if we knew some information about the company in question, e.g. their revenue, number of employees, use of technology and maturity of their cyber security controls. Context really is key for estimating cyber risk. Factor Analysis of Information Risk (FAIR) is the method for estimating and quantifying cyber risks more precisely in financial terms. But for the purpose of this blog series, you can take the $4k per year estimation and have a think about it. You can then consider doing something with it. For example, if $4k is the cost per year, does it make sense that the annual cyber security budget exceeds $4k?
Arguably not; otherwise a company could be spending more than it would pay for the breach itself, and could still suffer said breach, because 0% likelihood is simply not achievable when we're all susceptible to human error.
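As an added worked example (not from the post or the IRIS report), here is the arithmetic above carried through in Python: the point estimate of 2% × $200k = $4k per year, and then, going beyond the post, a seeded Monte Carlo that fits a lognormal to the "typically $200K, 10% exceed $20M" figures. The lognormal fit is this example's assumption, not the IRIS methodology; it is there to show how much the expected annual loss moves once the tail is counted, which is exactly why context and a FAIR-style analysis matter.

```python
import math
import random
import statistics

# Figures quoted in the post (USD); the lognormal fit below is an assumption.
P_BREACH = 0.02          # annual probability of a loss event (SMB)
MEDIAN_LOSS = 200_000    # "typical" event cost
P90_LOSS = 20_000_000    # 10% of events exceed this
Z90 = 1.2815515655       # standard-normal 90th percentile


def point_estimate_ale(p_breach=P_BREACH, typical_loss=MEDIAN_LOSS):
    """The post's back-of-envelope figure: probability x typical loss."""
    return p_breach * typical_loss


def lognormal_params(median=MEDIAN_LOSS, p90=P90_LOSS):
    """Fit ln(X) ~ N(mu, sigma) so the median and 90th percentile match."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def simulate_annual_losses(years=100_000, seed=1):
    """Monte Carlo: each year has no event, or one event drawn from the fit."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params()
    return [rng.lognormvariate(mu, sigma) if rng.random() < P_BREACH else 0.0
            for _ in range(years)]


def summarise(losses):
    """Expected annual loss next to the tail percentiles the mean hides."""
    ordered = sorted(losses)

    def q(p):
        return ordered[min(int(p * len(ordered)), len(ordered) - 1)]

    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p95_annual_loss": q(0.95),
        "p99_annual_loss": q(0.99),
        "share_of_years_with_loss": sum(x > 0 for x in losses) / len(losses),
    }


if __name__ == "__main__":
    print(f"point estimate ALE: ${point_estimate_ale():,.0f}")
    for k, v in summarise(simulate_annual_losses()).items():
        print(f"{k}: {v:,.2f}")
```

With a median of $200K and a 10% chance of exceeding $20M, the fitted distribution has a very heavy tail, so the simulated expected annual loss lands far above the $4k point estimate while most simulated years still show no loss at all.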
"A $100B enterprise that experiences a typical cyber event should expect a cost that represents 0.000003% of annual revenues. A mom and pop shop that brings in $100K per year, on the other hand, will likely lose one-quarter of their earnings or more." Here's that size gap again. What is interesting here is the amount of effort, resources and cash that goes into the security budgets of big companies, yet the damage can often be negligible. On the other side, smaller businesses typically don't pay attention to the threats and rarely assign a cyber budget for preventing, detecting and responding to potential breaches. As a recent example, in October 2020 British Airways were fined £20m for "failing to protect the personal and financial details of more than 400,000 of its customers". This is a hefty figure, but even for a company that took more than its fair share of the COVID-19 ripple effect, this fine represented 0.5% of its annual revenues in 2020. There were other costs associated with the breach, but this shows the size gap in action. Smaller firms should, at a minimum, carry out a high-level cyber risk assessment. At least then there will be transparency as to how vulnerable or not the company is in the face of today's cyber threats.
There we have it. The IRIS 20/20 report has a lot more to offer than what we've covered today. But, for the purpose of using data to help us better understand cyber risk and calculate probabilistic cyber risk projections, reports such as this are extremely valuable.
Next time we'll cover the last report in the series, the Verizon Data Breach Investigations report.