Kaspersky: Third-party data breaches cost businesses more than any other form of breach
The latest edition of Kaspersky's annual IT Security Economics report reveals the growing severity of cybersecurity incidents that originate with vendors with whom businesses share data. The average economic impact of such a breach on a business reached 1.4 million dollars in 2021, making it the most costly type of incident, even though last year such incidents were not among the five most common. The overall ranking of losses from different types of attacks has also changed significantly since 2020.
Attacks that reach large enterprises through their suppliers have become a dominant trend. Business data is now distributed to multiple third parties, including service providers, partners, suppliers and subsidiaries. Organisations therefore need to take into account not only the cybersecurity risks that affect their own IT infrastructure, but also those that originate outside it.
According to the survey, a third (32%) of large organizations were the victims of attacks involving data shared with suppliers. This figure has not changed much since the 2020 report (when it stood at 33%). The economic impact of this type of incident also remains the same as last year, 1.4 million dollars; at that time, however, such incidents ranked only 13th by average cost among all forms of attack.
Most other types of attack have a lower financial impact, including the physical loss of company-owned devices (1.3 million dollars), encryption attacks (1.3 million dollars), and improper use of IT resources by employees (1.3 million dollars). The position of these attacks in the corresponding rankings has also changed, reflecting how the pandemic has reshaped the cybersecurity landscape for businesses.
Overall, the average economic impact per incident has also decreased. Specifically, it fell by 15% compared to last year's results, to 927,000 dollars in 2021 from 1.09 million dollars in 2020, and is now lower even than the corresponding figure for 2017 (992,000 dollars).
This may be because earlier investments in prevention and mitigation measures have paid off for businesses. Alternatively, the average cost may be skewed by the fact that businesses were less likely to disclose data breaches this year: 34% managed to avoid disclosure, up from 28% in 2020. Financially vulnerable companies may be reluctant to initiate proceedings for a criminal investigation, or to risk a blow to their reputation if the breach becomes known to the public.
"The severity of cyber-attacks highlights the necessity for organizations to take into account the risk of a breach that data sharing with suppliers entails when assessing the cybersecurity needs of their businesses. The pandemic has altered digital threats, and organizations should be ready to adapt to the new landscape. Companies should evaluate their suppliers based on the type of work they do and the complexity of the access they receive (whether they deal with sensitive data and infrastructure or not), and apply corresponding security requirements. Companies must ensure that they only share data with trusted third parties and extend their existing security requirements to their suppliers. In the case of a transfer of sensitive data or information, all documents and certifications (such as SOC 2) should be requested from the suppliers, in order to ensure that they have the ability to operate at such a level. In very sensitive cases, we also recommend that a supplier perform a preliminary compliance check before signing any contract," said Evgeniya Naumova, Executive VP, Corporate Business at Kaspersky.
To minimize the risk of attacks and data breaches, businesses should use effective endpoint protection with threat detection and response capabilities. In addition, managed protection services can assist organizations in investigating and countering an attack. This form of endpoint protection is included in the Kaspersky Optimum Security framework. For organizations with a mature IT security function, the Kaspersky Expert Security framework additionally provides anti-APT solutions, the latest threat intelligence, and dedicated professional training.