Video: Is Cyber Risk on the Rise? Let’s Ask the Data | Duration: 2172s | Summary: Is Cyber Risk on the Rise? Let’s Ask the Data | Chapters: Welcome and Introduction (20.654999s), Introducing Cyber Risk Research (99.445s), IRIS Report Overview (201.13s), Security Incidents Increase (256.79s), Cyber Incident Trends (324.795s), Organizational Impact Trends (401.03998s), Sector-Specific Cyber Trends (468.065s), Probability of Incidents (589.14s), Rising Incident Costs (892.52997s), Incident Trends Analysis (1041.33s), Increasing Cybersecurity Losses (1115.745s), Cyber Risk Trends (1251.345s), Concluding Research Overview (1609.875s), Conclusion and Reflection (1844.9651s)
Transcript for "Is Cyber Risk on the Rise? Let’s Ask the Data":
Hello, listeners, and welcome to this installment of our RSAC webcast series. Thank you for tuning in. I'm your host, Tatiana Sanchez. Looking at data is very critical in the cybersecurity world, as it provides us with insights, trends, and patterns so that we can help make predictions. And that is why we are super excited to be joined by Wade Baker, who will take us through a historical dataset of cyber events and losses. This webcast is sponsored by SentinelOne. Before we dive into today's topic, please note that there will be time for Q&A at the end. But if you have a question, please submit it at any time using the feature on the right, and we will answer it at the end. Also, as a reminder, this webcast is being recorded. Following the webcast, you'll receive an email containing the link to the video replay and deck. The video replay and deck will also be available at rsaconference.com. Also, lastly, I'm pleased to remind you that as part of our RSAC cybersecurity learning program, we accept submissions on any topic year round. This means that you too can contribute your expertise on a podcast, webcast, seminar, or blog by visiting rsaconference.com forward slash become a contributor. And now I would like to pass it over to our guest so he can formally introduce himself before he dives in. Wade, over to you.

Thank you so much. I appreciate it, and thank you, everybody, for joining. I am looking forward to this. This is not only a little bit of a preview of a talk I'll be giving at the main conference, but it's also a little preview of some research that has yet to be released. So you guys are kind of the first public audience for some of these things. So I'm excited about it. So, Wade Baker. I am one of the founders of the Cyentia Institute. If you're not familiar with what we do, we do data science and research. You may have seen some of our reports. We've worked with lots of different security vendors and enterprises.
And our special power, if you will, is analyzing a dataset and unearthing interesting insights and sharing those with the community like yourself. I'm also a professor at Virginia Tech. I teach some cybersecurity courses in their business school for their undergrad and master's level programs. So let's get this started. "Is cyber risk on the rise?" is the question, and I hope, to a certain extent, you've joined because you want answers to this question. You know, we are in cybersecurity, and sometimes there's this echo chamber, and the sort of de facto belief is that, well, of course, risk is always increasing. In fact, it's skyrocketing exponentially all the time. Maybe that's true. Maybe not. And that's what we want to explore. And we don't just want to, you know, hear me share my opinion. We want to ask the data. So what we have queued up is a large dataset going back fifteen years. And a lot of this comes from a series of reports that we at the Cyentia Institute have done, the Information Risk Insight Study, or IRIS. We started this in 2020, and the last two that you see on the screen here have been sponsored by CISA, the Cybersecurity and Infrastructure Security Agency. And what I will be sharing with you today is the upcoming next installment of the IRIS, the IRIS 2025, also sponsored by CISA. If you like what you see today, you can go to cyentia.com/iris and just register for it. It's a free report. You don't have to do anything to get it. There's no payment or anything like that. This is work sponsored by CISA that they think, you know, ought to be in the hands of the community. So you can do that, and we'll let you know when that report is available. Alright. Let's dig into some data. So, first question I want to tackle: are security incidents becoming more common? Are we seeing more of them? It certainly seems like it. Right? We hear more headlines.
What we're looking at here are public incident reports or disclosures. So these are, you know, maybe a company had to file that they had a breach because of the new SEC ruling. It might be a court case that made it into the public domain. It might be from Freedom of Information Act requests or many other ways that incidents become public knowledge. Alright? So when we count these, if we rewind the clock back to 2008, we were seeing, you know, on the order of 500-ish every quarter, on average. And you can kind of see, as we go forward in time, a mid-2010s plateau, another spike in the 2020s, and right about now we're sitting at 3,000 incidents per quarter. That's a 15x increase over the last fifteen years. That's a lot. So, you know, this would say, well, when it comes to the frequency of incidents, yeah, cyber risk seems to be on the rise. Now, hold that thought, because cyber risk is not only about frequency. We're gonna get into some other aspects of risk, but from this measure alone, big increase. Alright? But it's not increasing everywhere. If we, for instance, ask the question, well, what is the trend of all of those incidents in terms of the type of incident? This orange line here is ransomware, and, wow, you know, that has spiked up over the last few years. System intrusions, you know, gaining access to networks, that's always been high, and it's kind of just meandering around the top. But there are actually some types of incidents that are on the decline: physical events, insider events. And then there are some that are kinda just petering around at low levels, not changing. But the point here is that, yes, we see an increase in the frequency of incidents, but not for all types of incidents. These trends can actually be going in different directions depending on what type of cyber event you're concerned about.
Similarly, when you try to look at how these incidents affect organizations, we see some different trends. So if we just take all of those incidents over the last fifteen years that I showed you earlier and we say, what kinds of organizations are suffering those incidents? It's by and large small and medium businesses. SMBs are what most of those incidents are affecting. And your larger enterprise-class organizations are toward the bottom. And it's kind of interesting here that the yellow and orange lines are for larger organizations, and that's kinda staying steady, trending down a little bit, in terms of the frequency of incidents affecting the largest organizations. Still, this isn't probability, but we're getting closer. I see a question here: what's led to the decrease in accidental disclosures? This is good. And, by the way, I'll try to take some questions as we go through. I think we have some time at the end where we can do that as well. But this one's on point for what we're covering. A lot of times we don't know exactly what's causing this, but I think you have more compliance, more awareness. You know, a lot of these disclosures are the silly mistakes, and we're kind of clamping down on some of those processes over time. Just, you know, some thoughts on what might be. And all of these trends, by the way, have different things that I think are contributing to them. And we go into that in the full report. So if you're interested in this, there's more: ideas and other things about what could be underlying all of these various trends you see. Alright. There's some small text on the screen. I apologize for that, but hopefully you can see it. This is a similar question, still looking at the frequency of incidents, but we are looking at different sectors. And here again, you see that there are some sectors that historically seem very overrepresented in the data.
The public sector is one of those, but that's trending down, relatively speaking. And we have some that are trending up. Entertainment, mining, manufacturing are kind of over here in the lower left. And then we have some that seem to be kind of quite underrepresented and below the overall average. So again, this is a quick webcast. There's a lot to digest here. I apologize for just, you know, throwing up slides and moving on. But the overall point, again, going back to the question that we have here: is cyber risk on the rise? We can measure that in various ways, the frequency of incidents being one of them. And that trend line is different depending on what sector you're in, what size organization you are, what type of incidents you're talking about. So it's a complicated answer, but hopefully data like this is helping us to understand it and answer it better. Alright. Let's shift gears a little bit. I mentioned that's frequency, the overall number of incidents in the public domain. What about probability? If you are an organization and you're asking the question, hey, what are the chances that we're gonna have some type of security incident this year and the next year? Is that more now than it was ten years ago? Here's the answer. Yes, it is. So if we go back to 2008, according to our data that we collected, which is a very large dataset of many, many, many tens of thousands of incidents, the typical organization had about a two and a half percent chance of having a breach. And if we fast forward to now, that's over a nine percent chance of having an incident. So, you know, an increase of almost four times in terms of probability or likelihood. Again, that's a typical firm. For different types of organizations, that trend is not the same. So for this, we're showing the probability broken out by organizations of different revenue bands. Okay?
So the largest organizations, a hundred billion plus in annual revenue, check out this probability. In 2008, 50 percent, like a coin flip, of whether they would have an incident or not, and that's been steadily declining over time. I see that little dip, but sometimes the nearer-term trends are hard to really get a handle on. And the smaller organizations are increasing. Notice that this is different than what I showed you earlier. Small and medium businesses have the largest share of the total number of incidents, but there are also a whole lot more of them out there. If we go on a per-firm probability basis, larger organizations are still more likely to suffer an incident, but that's getting less likely. Whereas for SMBs, it's getting more likely over time that they have incidents. I'll anticipate a question here of, you know, why is this going down for larger organizations? I think maybe it's because, think about the last fifteen years. They're spending a whole lot more on cybersecurity. You know, I'll plug RSA. They're sending people to RSA and learning about cyber threats and solutions and all of these things. Right? So we have a better knowledge of how to protect ourselves, especially the larger organizations that tend to have the most resources and teams, and they can hire and retain people and all of those things. So, you know, maybe we're seeing some positive benefits there, whereas the threat environment is kind of increasing, outpacing the SMB-tier organizations. Just my quick hypothesis there. Alright. We can do this by industry. And again, I just share this not to really dig into these trends, but to show that, let's take manufacturing. The probability of a manufacturing firm having an incident has increased quite a bit over the last fifteen years, whereas utilities is actually declining. Financial services kinda had a slow, steady increase and then maybe a decline over the end.
Point being here that for probability also, we see some differences in, you know, is risk on the rise. Kinda depends on who you are. Okay. Alright. Let's talk about cost. Now this is one where people have a lot of questions. This is hard data to get. You know, typically organizations just don't really like to share how much they were hurt by a security incident. So they're not incentivized to share those details. However, in some cases, and increasingly so, they're required to disclose some of that information. I mentioned the SEC ruling that went into effect over a year ago, requiring that any material incident be reported. That's for public organizations, that is. And, you know, so this is allowing more data to come to light. Also, we do a lot of digging into trying to find this cost information. But, you know, if you kinda break up risk, you have frequency or probability, and then you have losses or impact. So we're on that second part. If we really want to know, is risk increasing, you know, we've kind of confirmed that in general, overall, the frequency of incidents is increasing. The probability of a particular organization having an incident, that's also increasing. What about costs? What's that doing? Alright. If you can ignore the chart on the right just for a moment, this is probably bad slide design, but let's look on the left. Just ask the question, how much do incidents cost? And you can see here that there's a huge, wide disparity from, you know, a thousand all the way up into billions. Right? In terms of how much a single incident costs, the mound here is, you know, in the hundreds of thousands of dollars, 600k being the median. But if we ask what's a more extreme incident, something that is out in the tail here, that's over 20,000,000. Okay. And these are things we need to think about when we are looking at these kinds of trends.
We don't just wanna quote the average or the median, or we don't wanna pick the highest value. Kinda knowing what that distribution looks like and then tracking that over time is very helpful. I'm gonna put on my glasses here because some of these numbers are a little bit small. See, I said 20,000,000, and it's actually over 30,000,000. So sorry about that. Now let's focus on the right side of this. So the fiftieth percentile line is asking the question, you know, what is that median impact, median loss for security incidents doing over the last fifteen years? Well, rewind fifteen years, and 892,000 was the median loss. And in 2024, just under 3,000,000. Big increase, a 15x increase in the cost of a typical incident. What about a bad incident? That's the ninetieth percentile on cost. So this would be the top 10 percent of losses from known incidents. 2008, 6 million; upwards of 30,000,000 in 2024, almost a five x increase. So from this, we can say that when we look at the losses associated with incidents, both for normal, typical, everyday incidents and the more extreme ones, both of those are trending up at a pretty good clip over the last fifteen years. Security incidents are costing more now than fifteen years ago. Alright. Sorry, I'm looking at some of the questions here. I see one about a plateau of incident likelihood. I know we're on costs now, but a lot of these plateaus that you'll see in here, it's hard to know some of these. Like, I know the ransomware epidemic changed a lot of these things. And as that increased, so did costs, so did the frequency of incidents, and those kinds of things. So there's that. Also, you throw into the mix some of these disclosure laws. You know, you think about rewinding to 2008. There were disclosure laws around, but those have since propagated across, you know, most states and globally, and lots of other laws requiring these.
So sometimes those cause little upticks as well, attackers modifying strategies. You know, the difference between sort of the APT era, I think, might be in one of those plateaus, where it seemed like a lot of adversaries were going for lower and slower attacks, to where instead you're just trying to max scale across as many as, you know, as you can. A lot of those things make a difference here. Alright. Back to losses. So, you know, you look at this chart and you could say, all right, well, you know, $600,000 median incident, $32,000,000 at the ninety-fifth percentile. Those numbers may mean something different to you depending on who you are. Are you a small organization? Well, then, you know, a $32,000,000 incident could be it. That's it. You can't afford that. If you're a $100,000,000,000 organization, you might look at $32,000,000 and think, you know, we'll write that off pretty easily. So it depends a lot on your revenue and how big you are. So let's look at losses as a percentage of revenue. You know? This kind of relativizes, normalizes costs, and you're looking at the relative costs here. So, as a proportion of annual revenue, costs are also increasing. Most incidents are less than 10% of revenue, and you can kinda see how this is going, like, the median, 0.08% of revenue back in 2008. And we're getting up toward 1%, near 0.65% of revenue, is that median, going up. Same thing for the larger. Now these are over 100% of revenue. So there are organizations out there that are losing more than their annual revenue on a single incident. And that is increasing over time. Right. That's about the ninety-fifth percentile. Five to 10% of incidents exceed the annual revenue of the firm. So big disparity there, but both the absolute costs of incidents are increasing and the relative costs are increasing as well. Alright.
I saw a question about sources, and you're right, I should have spent more time on those sources. It's pretty detailed if you go back to cyentia.com/iris (that's C-Y-E-N-T-I-A dot com, slash I-R-I-S). There are several reports, and we give methodologies, but a lot of this is from a very large actuarial dataset that we use for our research purposes. And then we've done a lot to identify incidents and contextualize them and all of those kinds of things. So, a large incident dataset, many years, over a hundred thousand losses, and I think the biggest thing is these are publicly discoverable incidents and losses. If your organization has a malware infection and you just wipe it and go on about your business, it's not gonna become public information. These are things that are publicly known and available, either because they triggered a mandatory disclosure law or, you know, some large company, their website went out and it was obvious they had an outage or denial of service attack or ransomware event or something like that. So these things become public, and those are the ones we're talking about here. Okay. So sticking with the trends, the question of is cyber risk on the rise kind of changes depending on who you are. This is looking at losses for professional service organizations and retail. I just chose those because they're indicative of two very different trends. Among professional service organizations, which is everything from, you know, consulting firms to law firms, there's lots that fall under that pro services sector. Their median loss has increased 26-fold over the last fifteen years, and their extreme, or ninetieth percentile, losses are increasing at a good clip as well. So among those kinds of firms, for whatever reason, the typical and severe losses for an incident are on the rise.
Retail, on the other hand, is trending down, from 6,000,000 to 142,000. And, you know, you asked the question, what's going on with that? Why would retail be going down? I think it's, again, a mix of things. I was involved in the Verizon Data Breach Investigations Report, and it started in 2008. And I can clearly remember back then, a huge portion of the dataset was retailers, and it was point-of-sale breaches that were simple misconfigurations of an external remote access service for some third-party vendor that was supposed to manage those. And tons of those credentials were just open to the Internet and default, and the adversaries knew them. And, you know, PCI has gone into effect, and I think that has required retailers to implement things to protect cardholder information, and other things could, you know, be driving these costs down over time. Chip and PIN is another thing that I think has really limited the impact, in the sense that, you know, since it's encrypted from the point where, you know, I tap or whatever it is that I do, it's not stored on that terminal. The chance of aggregating tens of millions of payment cards in a single breach is lower now than it was a long time ago, before some of those practices were implemented. So these things matter. I see a question about whether losses are normalized, adjusted for inflation over time. So, yes. Alright. Do loss trends differ among event types is another question that we could ask about cyber risk being on the rise. So I just shared with you the distribution of losses for all types of security incidents. This sort of shows that distribution except for ransomware, denial of service, etcetera. And you can kinda see that there's a difference: ransomware incidents tend to cost more.
They're slid more toward the right of this scale, clustered around a million, than accidental disclosures, which are more clustered around, you know, 10,000, and everything else falling in between. So the point here being that depending on what type of incident you're talking about, losses are going to differ. I think that's fairly intuitive. And we can look at trends for these as well. So take ransomware. The losses associated with ransomware, both median losses and ninetieth percentile extreme losses, are trending up quite a bit. You know, we've got a 20x increase in the cost of a typical ransomware event over the last fifteen years, whereas that accidental disclosure one is declining. And here's where you start to piece together that risk picture. Right? We showed you frequency earlier, and the frequency of ransomware events is increasing. They're also increasing in cost. So, yeah, you know, risk related to ransomware is increasing. Accidental disclosure is kind of declining on both of those scales. So risk is actually declining. Doesn't mean disappearing, just going down. Alright. I rushed through that, and I wanna just give a second here and say that if you're at the RSA Conference, I will be doing a fuller presentation on this, more of the slices and a little bit more around what's going on here. I will also be joined by Dr. Olga Livingston from CISA on stage at RSA, and she will be adding her insight and experience and kind of merging what CISA is seeing in and around some of these trends. So if you're at the conference, please don't feel like, "I heard it from Wade in the webcast. I'm not going." A lot more to cover there at the actual event, and you'll actually get to hear from somebody else as well.
I'll also say that, once again, if you want more around these, all of these charts come from the Information Risk Insight Study 2025, which is not out yet, but it has been drafted and is in review and should be out before RSA. If you wanna hit that link, we'll notify you when it is available. It's a free report, and it has all of these things along with analysis and commentary around them. And I'll say finally that we're always interested in your ideas around research like this. We are passionate about measuring various components of risk to answer questions like "Is cyber risk on the rise?" If there are other risk-relevant questions you'd like to see us tackle, let us know. We try to do research that is meaningful to practitioners like yourselves, and we want to put that in your hands. So give us a shout out. Alright. I will look through some questions here and see what I missed as some of these ticked by. How important is cybersecurity in law firms? You know, I've never worked for a law firm, but they sure have a lot of information, and they have a lot of information that's valuable to cyber criminals: personal information, financial information. They also have information that, you know, might be useful for blackmail or other types of things. Right? And increasingly, law firms are some of the first ones included when there's an incident, sometimes even before incident response or third-party forensic firms are called in. So law firms have a huge visibility into organizations, and lots of information that criminals would desire. I'm not trying to say, hey, yeah, criminals go after law firms. But those are some trends that I think matter there. Has to be a common thread between different markets and verticals. Look at the rate of new CVEs against the increase of reported incidents.
I like this question, and I'll use it as a point to, I hate to say, gripe about, but we do try to collect, when there's an incident, if there was an exploit of a known vulnerability, what was that? And we have some data on that. But by and large, that's not one of the things that's reported, sadly, on incidents. And, to be honest, I've never really understood this. Like, this would be one of the primary things I would want to know. But if you just read disclosures of incidents, companies say, oh, this is what happened. You know, here's what we're doing. Oftentimes, details like, well, what wasn't patched, are left out of that. So, yeah, I don't really have an answer to this question, but it's definitely something that we try to collect information on and try to study. It just sadly isn't publicly available a lot. But I hope to change that. I do think that there is a common thread between different markets and verticals. We in this research use the NAICS classification system, the North American Industry Classification System, I think it is. And in those industries, there's a certain way that they're aligned. But, you know, if you pick apart some of those, there are very different organizations in them with some very different business models. And I think that sometimes makes trends hard to see, because we tend to think that, you know, all retailers... well, you know, you have online retailers and you have brick-and-mortar retailers, and, you know, they're gonna have different threat profiles from a cybersecurity perspective. Right? And then you blend into that size and all of these things. Just all that to say, it does get complicated, and you're right, all of these things have a thread weaving through them, and picking those threads out and trying to figure out, okay, what's really going on here, can be a challenge. But we're trying.
Will RSA allow a brief elaboration on your sword collection? Well, they can't stop me now. And we've got a minute or two left. So, yeah, I've had these swords since I was in high school, and I'm very happy to finally, you know, be able to do something with them. This comes from, you know, I was in high school when Braveheart was a thing, and this is a Scottish claymore. This one is kind of a model of Excalibur; again, love the Excalibur movies and just anything about that. And then here's the Conan sword. So you can kind of get a sense of what young Wade was inspired by and likes and has carried into his adulthood to hang on the wall.

Interesting fact about your swords, Wade. I know, Melissa, we're gonna look at your background, because I also complimented Wade's background as well. The color, the background, it's awesome. Wade, thank you so much for being here today to give a little teaser to our audience. And listeners, thanks for tuning in. If you guys wanna tune in to Wade's session live and other sessions at RSAC Conference, please be sure to register at 1rsac.com. And thank you again to our sponsor, SentinelOne, for sponsoring today's webcast. To find products and solutions related to mitigating risk in your organization, we invite you to visit our marketplace at rsaconference.com/marketplace. Here, you'll find an entire array of cybersecurity vendors and service providers who can assist you with your specific needs. And please feel free to keep the conversation going using your social channels and using hashtag RSAC, and be sure to check rsaconference.com for new content posted year round. Thank you all so much, and Wade's PowerPoint will be sent to you guys via email so that way you guys can also look at the charts and the data as well. Thank you again, Wade, and thank you all. Until next time.

Appreciate it, everybody. Okay. Thank you.
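Editor's added example, not part of the webcast or of the IRIS report: the talk separates four measurements that are easy to conflate (incident frequency, per-firm probability, median versus tail loss in inflation-adjusted dollars, and loss as a share of revenue). The script below computes each of them over a small constructed incident table so the mechanics are visible. All records, the deflator table, the firm-population counts and the enterprise revenue cut-off are invented assumptions for illustration; nothing here is drawn from the actual dataset, and the percentile routine is nearest-rank, which is only meaningful on a far larger sample than the ten rows used here.

```python
"""Added example (not the talk's or Cyentia's code): summarising an incident/loss
table the way the talk describes. All data below is constructed for illustration."""
import math
from collections import Counter, defaultdict
from statistics import median

# Constructed records: (year, annual_revenue_usd, event_type, loss_usd). Not real incidents.
INCIDENTS = [
    (2008, 5e6,   "accidental_disclosure", 8_000),
    (2008, 50e6,  "ransomware",            400_000),
    (2008, 2e9,   "intrusion",             900_000),
    (2008, 20e6,  "intrusion",             6_000_000),
    (2008, 100e6, "accidental_disclosure", 12_000),
    (2024, 30e6,  "ransomware",            2_500_000),
    (2024, 800e6, "ransomware",            32_000_000),
    (2024, 40e6,  "accidental_disclosure", 5_000),
    (2024, 10e6,  "intrusion",             3_000_000),
    (2024, 2e6,   "ransomware",            2_800_000),  # loss exceeds annual revenue
]

# Assumed deflators: multiply a nominal amount from `year` to express it in 2024 dollars.
TO_2024_USD = {2008: 1.45, 2024: 1.0}

# Assumed population: how many firms exist in each band (the denominator for probability),
# as opposed to how many appear in the incident table.
FIRMS_BY_BAND = {"smb": 900, "enterprise": 10}
ENTERPRISE_REVENUE = 1e9  # assumed cut-off between the two bands


def size_band(revenue):
    return "enterprise" if revenue >= ENTERPRISE_REVENUE else "smb"


def percentile(values, p):
    """Nearest-rank percentile for p in [0, 100]; avoids a numpy dependency."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def real_loss(year, loss):
    """Express a nominal loss in constant (2024) dollars so years are comparable."""
    return loss * TO_2024_USD[year]


def loss_summary(incidents, key="year"):
    """Median and 90th-percentile inflation-adjusted loss, grouped by year or by event type."""
    groups = defaultdict(list)
    for year, _revenue, event_type, loss in incidents:
        groups[year if key == "year" else event_type].append(real_loss(year, loss))
    return {k: {"n": len(v), "median": median(v), "p90": percentile(v, 90)}
            for k, v in groups.items()}


def relative_loss_summary(incidents):
    """Loss as a fraction of that year's revenue: median, plus the share of incidents
    whose loss exceeded 100% of revenue. Both sides are nominal for the same year,
    so no inflation adjustment is needed for the ratio."""
    groups = defaultdict(list)
    for year, revenue, _event_type, loss in incidents:
        groups[year].append(loss / revenue)
    return {y: {"median": median(r), "share_over_revenue": sum(x > 1.0 for x in r) / len(r)}
            for y, r in groups.items()}


def fold_change(summary, first, last, stat):
    """How many times larger a statistic is in `last` than in `first` (the talk's '15x')."""
    return summary[last][stat] / summary[first][stat]


def share_vs_probability(incidents, firms_by_band):
    """Share of all incidents per size band versus per-firm probability of an incident.
    A band can dominate the incident count and still have the lower per-firm probability."""
    counts = Counter(size_band(revenue) for _y, revenue, _t, _l in incidents)
    total = sum(counts.values())
    return {band: {"share_of_incidents": counts[band] / total,
                   "per_firm_probability": counts[band] / firms_by_band[band]}
            for band in firms_by_band}


if __name__ == "__main__":
    by_year = loss_summary(INCIDENTS)
    for year in sorted(by_year):
        print(year, by_year[year])
    print("median fold change 2008->2024: %.2fx" % fold_change(by_year, 2008, 2024, "median"))
    print(loss_summary(INCIDENTS, key="event_type"))
    print(relative_loss_summary(INCIDENTS))
    print(share_vs_probability(INCIDENTS, FIRMS_BY_BAND))
```

The design point worth keeping from this: frequency and probability need different denominators (quarters versus firms in the population), and a loss trend should be reported at a named percentile in constant dollars, with the revenue-normalised view alongside it, since a $32M loss is a rounding error for one firm and fatal for another.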