A clear agenda for the organization is: “Understand and reduce the risk of cyber-attacks”. The management and the board have gradually joined the agenda and understand that we are dealing with a risk that they must deal with.
We estimate that cyber can cause extreme tail losses, and we support the estimate with the frequently used Danish case stories from ISS, Mærsk, Demand etc. It is as it should be, and organizations work continuously to reduce both the probability and the consequences of these incidents.
However, there is one area which may be overtaking us in the blind spot. Internal errors threaten information security and cause large aggregated losses. Where the devastating cyber-attack could be compared to the major water damage, the internal errors are often cheap but frequent and can be compared to a series of dripping faucets. Individually they may be insignificant, but collectively they accumulate large losses.
See the example below from one of our recent risk assessments. It is representative of the most recent analyses. In the example, we are dealing with a company in the financial sector in Denmark. The amounts are the average annual loss in five classic threat areas together with the 95% fractile. When we talk about an average annual loss of DKK 250,000, this consists of incidents that cost anything between DKK 50,000 and DKK 30 million with fluctuating probability. You can see this by looking at the green distribution below. It is flat (small probability, has its peak around DKK 1 million and then a long tail out to the right). The losses for these cyber incidents are derived by minutely reviewing primary and secondary losses with 90% confidence intervals.
However, notice that cyber appears in third place in relation to the average annual loss. In this case, an annual loss of more than outsourcing and internal errors. So, if you were to mitigate completely rationally, you would rather reduce risk from internal errors and outsourcing than in the cyber area.
Does this correspond to what we see in reality? Yes, we would think so.
Over lunch the other day, we did a completely unscientific survey of what incidents we could remember from the Danish financial sector over the past year. We quickly came up with three incidents that have reached a certain level.
- The MitID incident in Nets, June 26, 2022, problems with a certificate server
- The BEC incident, on August 28, 2022, a technical failure following a planned restart of BEC’s central systems on Sunday night.
- Danske Bank, September 1, 2022, situation where errors in data lead to the crediting of debts for many hundreds of millions of kroner.
Internal errors, Internal errors, and Internal errors.
When we asked the same question about cyber incidents, no one could think of any losses worth mentioning.
Our point is trivial. Risk management aims to provide data to decision-makers that enable the prioritisation of mitigation initiatives. Therefore, risk management must include all digital loss areas in the calculation and treat them exactly the same. If you do, the area calls attention to internal errors.
Work must be done to reduce the risk of extreme losses from external malicious attacks. However, organisations must be aware that there are other sources of loss that, seen over a number of years, cause greater losses than cyber.
It is not always the most frightening that is the most dangerous.