
#cyberrisk


Is your organization now more or less likely to experience a significant #cybersecurity event than it was 10y ago?

Well, that depends. Let's look at some data from Cyentia Institute's recent 2025 Information Risk Insights Study (IRIS).

The chart below depicts the annualized incident probability for firms in each revenue tier. I won't go into the details here of how we modeled this, but the methodology appendix in the report does get into that (link below). And if you want even more detail, Joran Elias has an excellent blog post for Cyentia Institute members (free account). For now, just assume we've used many incidents over many years to model the probabilities you see here.

From the chart, you can see why I say "that depends" to the lead question. The probability of a <$100M firm suffering a #securityincident has more than doubled, while the chance of a $100B+ megacorporation having an event has dropped by a third over the same time frame. Meanwhile, incident probability for organizations in the $1B to $100B range has remained relatively static.

Unfortunately, our dataset is silent on the underlying factors behind these #cyberevent trends, but we can engage in some informed speculation. And LinkedIn is the perfect platform for it. I'll start.

To me, this chart hammers home Wendy Nather's concept of the security poverty line. Giant corporations with their giant budgets to hire the best people, buy the best technology, and implement the best processes, are finding success. But the pace of digitalization has outpaced SMBs’ ability to defend their growing attack surfaces and mitigate #cyberrisk.

I have many other thoughts regarding the factors underlying what we see here, but I'd rather hear from you. What do you see as key contributors?

****
Get the IRIS 2025 here: cyentia.com/iris2025/

You'll have the option to just download it or join Cyentia's free membership program for the report plus a bunch of bonus analytical content.

Are #cybersecurity incidents growing more costly?

Cyentia Institute's recent Information Risk Insights Study points to a 15-fold increase in the cost of #incidents and #databreaches over the last 15 years.

The chart on the left shows the distribution of known/reported financial losses from incidents across the time period of the study. The typical (median) incident costs about $600K, while more extreme (95th percentile) losses swell to $32M. Note that the chart uses a log scale, so the tail of large losses is a lot longer than it appears.

The chart on the right trends the escalating costs of cyber events over time. Median losses from a security incident have absolutely exploded over the last 15 years, rising 15-fold from $190K to almost $3 million! The cost of extreme events has also risen substantially (~5x). So, yeah—cyber events are definitely growing more costly.

That said, this picture looks a lot different among different types and sizes of organizations. How are financial losses and other #cyberrisk factors trending for orgs like yours?

Download the full IRIS 2025 to find out!
Free with no reg req'd - though you can join Cyentia's free membership forum for bonus analytical content related to the report.

cyentia.com/iris2025/

AI is the new attack surface—are you ready?

From shadow AI to deepfake-driven threats, attackers are finding creative ways to exploit your organization’s AI tools, often without you realizing it.

Watch our new 3-minute video, How Attackers Target Your Company’s AI Tools, for advice on:

▪️ The rise of shadow AI (yes, your team is probably using it!)
▪️ Real-world examples of AI misconfigurations and account takeovers
▪️ What to ask vendors about their AI usage
▪️ How to update your incident response plan for deepfakes
▪️ Actionable steps for AI risk assessments and inventories

Don’t let your AI deployment become your biggest security blind spot.

Watch now: youtu.be/R9z9A0eTvp0


Only one week left to register for our next Cyberside Chats Live event! Join us June 11th to discuss what happens when an AI refuses to shut down—or worse, starts blackmailing users to stay online.

These aren’t science fiction scenarios. We’ll dig into two real-world incidents, including a case where OpenAI’s newest model bypassed shutdown scripts and another where Anthropic’s Claude Opus 4 generated blackmail threats in an alarming display of self-preservation.

Join us as we unpack:
▪ What “high-agency behavior” means in cutting-edge AI
▪ How API access can expose unpredictable and dangerous model actions
▪ Why these findings matter now for security teams
▪ What it all means for incident response and digital trust

Stick around for a live Q&A with LMG Security’s experts @sherridavidoff and @MDurrin. This session will challenge the way you think about AI risk!

Register today: lmgsecurity.com/event/cybersid


🚫 No fire detection means no going to sea.
If you're running the Consilium Safety CS5000 fire panel on board, hardcoded credentials could let an attacker shut it down remotely.
 
As a result, if the system is taken offline, your vessel could be detained, lose its class certification, or be prevented from sailing altogether.
 
There is no patch available. The vendor has stated they won’t fix the issue unless cybersecurity was part of your original contract.
 
If your panel was installed before July 2024, it likely wasn’t designed with modern cybersecurity in mind.
 
Andrew Tierney explains how we discovered the vulnerability, its implications for operators, and the steps you can take to mitigate the risk.
 
📌 Read here: pentestpartners.com/security-b
 
#MaritimeCyberSecurity #VulnerabilityResearch #OTSecurity #FireDetection #CyberRisk

🎙️ In this On Location conversation recorded during #RSAC2025, attorney, investor, and strategic advisor Yair Geva shares a global perspective shaped by years of legal counsel, venture investing, and deal-making across Israel, Europe, and the U.S.

Geva offers unique insight into how cybersecurity, AI, and mergers and acquisitions are not only intersecting — but actively reshaping the #tech ecosystem.

🚀 New Conversation from #RSAC 2025: From Term Sheets to Trust — What Mergers and Acquisitions Trends Reveal About Cybersecurity’s Future

At RSA Conference 2025, Sean Martin, CISSP and Marco Ciappelli sat down with Yair Geva for a candid conversation about how cybersecurity risk is becoming a defining factor in mergers and acquisitions and much more.

🔐 What are buyers and investors really looking for today — and how does #cyberresilience now play into deal-making and company valuations?

Find out how trust, transparency, and security are reshaping the future of mergers and acquisitions.

🎙️ Watch, listen, or read the full conversation here:
👉 itspmagazine.com/their-stories

🛰️ See all our RSAC 2025 coverage:
👉 itspmagazine.com/rsac25

🌟 Discover more On Location Conversations, Brand Stories, and Briefings:
👉 itspmagazine.com/brand-story

🎥🎙️ This is just one of the many incredible conversations we recorded On Location in San Francisco, as Sean Martin and Marco Ciappelli covered the event as official media partners for the 11th year in a row.

Stay tuned for more insights, stories, and real conversations from RSAC 2025!

🎤 Looking ahead:
If your company would like to share your story with our audiences On Location, we’re gearing up for Infosecurity Europe in June and Black Hat USA in August!
⚡ RSAC 2025 sold out fast — we expect the same for these next events.
🎯 Reserve your full sponsorship or conversation now: itspmagazine.com/purchase-prog


Cyber risk is not evenly distributed across users in your workforce. In fact, it's very lopsided. A large majority of risk events in your organization probably tie back to a relatively small population of users.

The attached figures provide some stats supporting that statement:

- Just 1% of users are behind 44% of all clicked phishing emails. 5% of users are responsible for 83.4% of all clicks.

- 1% of users are behind 92% of all malware events! 5% of users are responsible for ALL malware events. The remaining 95% had a clean record.

I don't think the proper response to these statistics is to grab torches and pitchforks and go round up these users to purge them from among us. Rather, these results present an opportunity to have a big impact on risk reduction by doing a more focused/effective job of educating, incentivizing, and influencing the behavior we want to see among users.

Full report "Exposing Human Risk" from Mimecast and Cyentia Institute is available here (no reg req'd): assets.mimecast.com/api/public

Which industries are hit hardest by ransomware?

Well, that depends on what you mean by "hit hardest." Do you mean which industries most often suffer ransomware attacks/incidents? Or which ones are the most impacted financially?

Regardless of which dimension is top of mind for you, I have good news: this chart from the Cyentia Institute's latest edition of the Information Risk Insights Study (sponsored by CISA) offers a view of both. It plots each sector according to the share of incidents and publicly-known losses over the last five years attributed to ransomware.

If frequency and losses were perfectly correlated, sectors would lie on or near the dashed line. In general, that’s not the pattern we see here. Instead, we see industries that are disproportionately impacted by ransomware relative to event frequency (e.g., Healthcare, Hospitality), while the opposite is true for others (e.g., Financial, Professional). A myriad of factors contribute to the placement of sectors in Figure 14, but the targeting strategy of ransomware gangs is likely a major driver among them.

So, back to the original question - does this sync with your expectations on ransomware-ravaged industries?

Link to download the study (no registration required): cyentia.com/iris-ransomware/