“We have met the enemy and he is us,” goes the old joke, never truer than in cyber risk -- Insider Error ranked #2, and Insider Misuse #3 among risk themes for total loss exposure in the RiskLens 2023 Cybersecurity Risk Report (#1 went to Basic Web Application Attacks).
Insider Threat Definitions
Insider Error = misconfigurations, failures to renew certificates before they expire, improper publishing and other unintentional errors by staff members that can have damaging consequences to the bottom line.
- Digital transformation (aka movement to the cloud) has opened new vectors for insider error, for example: The Pentagon Leaked Sensitive Military Emails via a Misconfigured Microsoft Azure Government Cloud.
- Insider Misuse adds a new breed to the traditional threat actor, the disgruntled insider: employees who sell out to ransomware gangs or other criminals, for example: AT&T Employees Took Bribes to Plant Malware.
Breaking down insider risk by industry, Healthcare and Public Administration are most at risk.
Detail from Insider Error chart, RiskLens 2023 Cybersecurity Risk Report
Our 2023 report enables you to drill down into your industry by risk themes to uncover the most probable frequency and financial impact of loss events. And, if you’re in Public Administration or Healthcare, the news is not good.
Those two industries lead the lists with some chilling stats for Average Annual Probability of a Loss Event:
- Insider Error: Public Administration 37.6%, Healthcare 24.2%.
- Insider Misuse: Public Administration 31.9%, Healthcare 20.2%.
Why the relatively high likelihood of insider risk? Think of it in terms of the two main factors at play:
1. Extent of employee access to sensitive records – Healthcare puts very large amounts of sensitive PHI in the hands of staff. Rapidly expanding digitization of medical records adds to inadvertent exposure by insiders (see this: Hospital Websites Are Sending Medical Information to Facebook).
2. Weakness of controls to prevent records exfiltration or other loss events – Public Administration, particularly at the local government level, is chronically under-funded for cybersecurity spending and uncompetitive for cybersecurity staffing.
But just looking at the probable occurrence of a cyber loss event in a year doesn’t tell the whole story. The RiskLens Cybersecurity Risk Report also reports on Insider Misuse and Insider Error by Average Loss Exposure (per scenario) in dollars, which is useful for making informed decisions on insurance and other investments to handle risk over time. Sorry, Healthcare and Public Administration – you top the list here, too.
A note about methods for the RiskLens Annual Cybersecurity Report:
The RiskLens data science team ranks risks by average loss exposure (per risk scenario), summarizing how losses play out probabilistically over 10,000 simulated years, incorporating both the probable cost and probability of occurrence of the events. It’s a measurement in dollars that security and risk teams can use to inform cost-effective spending decisions.
The representative/reference organization used for this simulation study is a mid-sized organization in North America of 500-1,000 employees and $100M-$1B in revenue with personally identifiable information (PII) records at risk.
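To make the method concrete, here is an added illustration of what a simulation of this shape does; it is example code written for this post, not the RiskLens platform, its calibrated distributions or its data. It assumes a Poisson distribution for loss event frequency and a lognormal distribution for per-event loss magnitude (common choices in FAIR-style quantification, but assumptions here), and the two scenarios, their parameters, the seed and the function names are all constructed for the example. It runs 10,000 simulated years per scenario, reports the fraction of years with at least one loss event (the "Average Annual Probability of a Loss Event" quoted above), the average annual loss (the dollar figure used for ranking) and a 90th-percentile year, then ranks the scenarios by average loss exposure.

```python
"""Illustrative FAIR-style Monte Carlo loss-exposure simulation.

Example code added for this post; not RiskLens's model or data. The Poisson
frequency / lognormal magnitude choice and every parameter below are assumptions.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles

Z_90 = 1.2815515655446004  # standard-normal z-score at the 90th percentile


@dataclass(frozen=True)
class LossScenario:
    name: str
    events_per_year: float    # loss event frequency: expected events per year
    magnitude_median: float   # per-event loss, median, in dollars
    magnitude_p90: float      # per-event loss, 90th percentile, in dollars


@dataclass(frozen=True)
class SimulationResult:
    name: str
    years: int
    probability_of_loss_event: float  # share of simulated years with >= 1 event
    average_annual_loss: float        # mean annual loss over all simulated years
    p90_annual_loss: float            # annual loss exceeded in 1 year out of 10


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) with Knuth's method (fine for small lam)."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def draw_magnitude(rng: random.Random, scenario: LossScenario) -> float:
    """Lognormal loss per event, fitted to the scenario's median and 90th percentile."""
    mu = math.log(scenario.magnitude_median)
    sigma = (math.log(scenario.magnitude_p90) - mu) / Z_90
    if sigma <= 0:
        return scenario.magnitude_median  # degenerate case: fixed cost per event
    return rng.lognormvariate(mu, sigma)


def simulate(scenario: LossScenario, years: int = 10_000, seed: int = 2023) -> SimulationResult:
    """Simulate `years` independent years; each year draws a count, then a loss per event."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    annual_losses = []
    years_with_event = 0
    for _ in range(years):
        n_events = poisson(rng, scenario.events_per_year)
        if n_events:
            years_with_event += 1
        annual_losses.append(sum(draw_magnitude(rng, scenario) for _ in range(n_events)))
    return SimulationResult(
        name=scenario.name,
        years=years,
        probability_of_loss_event=years_with_event / years,
        average_annual_loss=mean(annual_losses),
        p90_annual_loss=quantiles(annual_losses, n=10)[-1],
    )


def rank_by_loss_exposure(scenarios, years: int = 10_000, seed: int = 2023):
    """Rank scenarios by average annual loss, highest exposure first."""
    results = [simulate(s, years, seed) for s in scenarios]
    return sorted(results, key=lambda r: r.average_annual_loss, reverse=True)


# Constructed scenarios for illustration only; these are not the report's figures.
INSIDER_ERROR = LossScenario("Insider Error", events_per_year=0.3,
                             magnitude_median=200_000, magnitude_p90=1_000_000)
INSIDER_MISUSE = LossScenario("Insider Misuse", events_per_year=0.1,
                              magnitude_median=150_000, magnitude_p90=600_000)

if __name__ == "__main__":
    for r in rank_by_loss_exposure([INSIDER_ERROR, INSIDER_MISUSE]):
        print(f"{r.name:15s} P(loss event in a year)={r.probability_of_loss_event:.1%} "
              f"avg annual loss=${r.average_annual_loss:,.0f} "
              f"p90 annual loss=${r.p90_annual_loss:,.0f}")
```

The point a practitioner should take from the run: a scenario's annual probability is driven almost entirely by frequency (for a Poisson frequency of 0.3 it converges to 1 - e^-0.3, about 26%), while the dollar ranking is driven by frequency multiplied by the heavy lognormal tail of magnitude, which is why two industries can lead both the probability and the loss-exposure lists.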