Estimating Your Odds of a Cybersecurity Breach

Information technology, from computing infrastructure to database platforms, has become a key driver of workplace productivity — and even the global economy. Its ability to facilitate remote and local collaboration, information exchange, customer service, and a host of equally important business activities is unparalleled in history, yet information systems remain vulnerable to a variety of threats.

Making matters worse, the threat landscape is constantly changing as very well-funded cybercriminals work to access technology and the corporate assets that reside behind or within it. While global financial firms charge Fortune 500 firms massive amounts of money to identify and quantify their cyber risk, such assistance is outside the grasp of most small to midsize business owners’ budgets.

Unfortunately, concern about funding challenges can cause business leaders to go the other way, relying on commonly reported, global breach statistics and financial losses to estimate their potential exposure and loss. While such an effort is a good start, it doesn’t consider the specifics of any particular business environment.

For example, a 50-bed hospital that has been digitizing its records for 25 years might have far greater exposure than a much larger hospital that recently opened. The good news is that organizational leaders can gain a reasonable estimate of their risk levels by performing a basic exercise.

1. Benchmark your weighted risk based on industry. Following is a list of commonly breached industries, ranked by risk* (partial figures rounded). Note that the average of all industries is a 9, so the breach risk of an industry with a risk factor of 15 would be more than 150% of the average.
   • Healthcare: 15
   • Finance: 14
   • Technology: 12
   • Pharma, Services, and Industrial: 10
   • Communications, Consumer, Education, Energy, and Transportation: 9
   • Retail: 7
   • Entertainment and Hospitality: 6
   • Research and Public Sector: 5
2. Approximate, as close as possible, how many data records your company retains that are accessible via a network or other connection.
3. Give the record count a relative weight based on size:
   • Below 10,000 is a 1
   • 10,000-30,000 is a 2
   • 30,000-100,000 is a 3
   • 100,000-1 million is a 4
   • Above 1 million is a 5
4. Multiply your record count weight by your risk rating. For example, a financial services firm with 50,000 records would have a risk rating of 42. A hospitality services firm with 25,000 records would have a risk rating of 12.

This rating will give you a better gauge of your risk than one based on global averages, but it doesn’t substitute for a formal analysis. It also doesn’t consider whether your risk is increased due to accessibility of system and data by internal staff (nearly 40% of breaches are caused by employees, whether malicious or just careless). Finally, it doesn’t include the considerable risk escalation factor if your firm has one or more web-based applications. Improperly secured web applications, which are most frequently used by companies to host email systems, are involved, in some way, in nearly 70% of breaches.

To incorporate these and other variables into the equation requires precise risk calculations best conducted by an expert. Performing such analyses is a specialty of Novatech’s cybersecurity team. To learn more about how such an effort works, we invite you to chat with us online.

*Ponemon Institute Cost of a Data Breach Report 2019