
By Mark Schafer
As leaders, we are often faced with questions we don’t know the answer to. Sometimes our only answer is “I don’t know, but I’ll find out.”
In the cybersecurity world, that seems to be the answer to most questions — and our executives expect answers.
Here are three of the top recent cybersecurity incidents ranked by estimated financial damage, based on recent reports from 2024 and 2025:
- Change Healthcare Ransomware Attack
  - Estimated Damage: Over $1 billion
  - Date: February 2024
  - Details:
    - Perpetrated by the BlackCat (ALPHV) ransomware group.
    - Targeted Change Healthcare, a major U.S. medical claims processor under UnitedHealth Group.
    - Disrupted nationwide healthcare operations, delaying prescriptions and billing.
    - Massive data exfiltration and ransom payment reportedly in the tens of millions.
- Snowflake Data Breach
  - Estimated Damage: Hundreds of millions of dollars (exact figures still unfolding)
  - Date: Mid-2024
  - Details:
    - Attackers exploited weak credentials and third-party integrations.
    - Affected multiple clients, including banking and retail giants.
    - Resulted in widespread data exposure and regulatory scrutiny.
- Ascension Ransomware Attack
  - Estimated Damage: Estimated in the hundreds of millions
  - Date: May 2024
  - Details:
    - Hit one of the largest U.S. healthcare systems.
    - Caused system-wide outages, including electronic health records and patient care delays.
    - Recovery and remediation costs are still mounting.
Why do cybersecurity briefings begin like this?
In 1975, computer architect Gene Amdahl first used the term “Fear, Uncertainty, and Doubt” (FUD) to describe a method of persuasion that exploits people’s anxieties about the unknown.
FUD is an easy, but lazy, way to address cybersecurity issues. When we write reports like this, we rely on FUD instead of presenting facts.
Communicating Cyber Risks
When meeting with a board of directors, I am frequently asked, “What is our risk?” This is not the appropriate time to rely on FUD as a response.
Most board members have enough experience to recognize when their question is not being directly addressed. This can lead to frustration among board members — a situation best avoided.
The problem is, there are so many unknowns in the world of cybersecurity. We don’t know when the next attack will come. We don’t know what tools are needed to detect the problems. How do we stop an attack once it begins? How do we protect the business?
As a cybersecurity professional, it is important to communicate with leadership without using FUD, and to use language that is accessible. Avoiding technical jargon is essential for effective communication.
However, discussing cyber risk can be challenging due to numerous unknown factors.
Focus on Risk Management
Leading in a cybersecurity world comes down to risk management. As long as you know all the risks, and have reduced your risks to manageable levels, you are ready to run a cybersecure organization.
Now comes the hard part. How do you know all your risks? How do you reduce all your risks to a manageable level? How do you communicate this information to senior leadership?
Stephen R. Covey’s The 7 Habits of Highly Effective People reminds us to “Begin with the end in mind,” a principle that is especially important for senior leaders making key decisions.
Instead of overwhelming them with unnecessary details, it’s essential to provide succinct, relevant information that highlights major risks and outlines clear actions.
By focusing on what truly matters, leaders are better equipped to allocate resources efficiently and ensure effective outcomes for their organization.
What Really Matters in a Cybersecurity Report
There is a lot of data in the cybersecurity world — a lot of reports, a lot of numbers — but not all of them need to be shared.
Let me give you an example: I once worked with a company that had a monthly cybersecurity report. In that report there were things like:
- How many emails were blocked by their spam filter
- How many patches were applied to internal systems
- How many packets were blocked by their firewall
While those are all interesting numbers, they tell me nothing as a leader. Do I really care how many emails were blocked?
Reporting the reduction of user exposure to phishing over time, and linking it to business impact, provides a much clearer way to illustrate progress.
Instead of counting patches, wouldn’t it be more useful to track critical vulnerabilities patched within a service level agreement, and show how that number is trending over time?
If we replaced “packets blocked by the firewall” with something like the percentage of high-risk connection attempts blocked by the firewall, we could focus on intentional threat traffic and show a trend. Is that traffic going up? That is far more meaningful than a raw count.
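One way to turn the “critical vulnerabilities patched within SLA” metric into a monthly trend figure, as an added example that is not part of the original article. It assumes a 7-day SLA for critical findings, a constructed scanner export and a constructed report date; the finding ids and dates are sample data, not real results.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA: critical vulnerabilities must be remediated within 7 days of discovery.
CRITICAL_SLA = timedelta(days=7)
# Constructed report date (the "as of" point for deciding whether an open finding is overdue).
REPORT_DATE = date(2025, 4, 30)

@dataclass(frozen=True)
class Finding:
    ident: str                     # scanner finding id (constructed)
    severity: str                  # "critical", "high", ...
    found: date                    # date the finding was first detected
    patched: Optional[date] = None # None while still open

# Constructed sample scanner export covering two months of findings.
SAMPLE_FINDINGS = [
    Finding("V-1001", "critical", date(2025, 3, 3),  date(2025, 3, 6)),   # met
    Finding("V-1002", "critical", date(2025, 3, 10), date(2025, 3, 25)),  # missed: 15 days
    Finding("V-1003", "critical", date(2025, 3, 18), date(2025, 3, 22)),  # met
    Finding("V-1004", "high",     date(2025, 3, 20), date(2025, 3, 21)),  # not critical, ignored
    Finding("V-1005", "critical", date(2025, 4, 2),  date(2025, 4, 4)),   # met
    Finding("V-1006", "critical", date(2025, 4, 9),  date(2025, 4, 12)),  # met
    Finding("V-1007", "critical", date(2025, 4, 15), None),               # open and overdue
    Finding("V-1009", "critical", date(2025, 4, 20), date(2025, 4, 21)),  # met
    Finding("V-1008", "critical", date(2025, 4, 28), None),               # open, deadline not reached
]

def sla_status(f, as_of, sla=CRITICAL_SLA):
    """Return 'met', 'missed', or 'pending' (open, but the SLA deadline has not passed yet)."""
    deadline = f.found + sla
    if f.patched is not None:
        return "met" if f.patched <= deadline else "missed"
    return "missed" if as_of > deadline else "pending"

def critical_sla_trend(findings, as_of, sla=CRITICAL_SLA):
    """Per month of discovery: (met, due, percent met) for critical findings only.
    'pending' findings stay out of the denominator so open items whose deadline has not
    arrived neither inflate nor deflate the month's figure."""
    buckets = {}
    for f in findings:
        if f.severity != "critical":
            continue
        status = sla_status(f, as_of, sla)
        if status == "pending":
            continue
        month = f.found.strftime("%Y-%m")
        met, due = buckets.get(month, (0, 0))
        buckets[month] = (met + (status == "met"), due + 1)
    return {m: (met, due, round(100 * met / due, 1)) for m, (met, due) in sorted(buckets.items())}

if __name__ == "__main__":
    for month, (met, due, pct) in critical_sla_trend(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(f"{month}: {met}/{due} critical findings patched within SLA ({pct}%)")
```

The month-over-month percentages are the figure a board can read as a trend, while the raw met/due counts stay available for the appendix.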
Mark Schafer is a recognized consultant and leader in security program design and implementation. He also has extensive experience in risk assessment and management, compliance, and security awareness training. Mark earned his Certified Information Systems Security Professional (CISSP) certification and is also an active participant in the InfraGard partnership with the FBI.