The latest edition of Kaspersky’s annual IT Security Economics report reveals the growing severity of cybersecurity incidents affecting businesses through suppliers that they share data with. The average financial impact of such an event for an enterprise reached $1.4 million in 2021 which makes it the costliest type of incident, even though this didn’t even reach the top five incidents last year. The overall ranking of losses from different types of attack has also changed significantly since 2020.
Attacks where global businesses are affected through their contractors have become a clear trend. Business data is typically distributed across multiple third parties including service providers, partners, suppliers, and subsidiaries. As such, organizations need to consider not only the cybersecurity risks affecting their IT infrastructure but those that can come from outside it.
According to the survey, a third (32%) of large organizations suffered attacks involving data shared with suppliers. This number hasn’t changed significantly since the 2020 report (when it was at 33%). The financial impact of that format remains the same as last year as well – $1.4 million – however, back then it was at 13th place in the ranking of average losses from all forms of attack.
The majority of other attack types demonstrate lower financial impact including physical loss of company owned devices ($1.3 million), cryptomining attacks ($1.3 million) and inappropriate IT resource use by employees ($1.3 million). They also changed places in the rankings, showing how the pandemic has shifted the cybersecurity landscape for businesses.
The average financial impact of any attack has also decreased as a result. It showed a notable 15% decrease compared to last year’s results – $927k in 2021 versus $1.09 million in 2020 – and dropped even lower than the figure from 2017 ($992k).
“The pandemic has changed the threat landscape and organizations should be ready to adapt to it. Companies should grade their suppliers based on the type of work they do and complexity of access they receive (whether they deal with sensitive data and infrastructure or not), and apply security requirements accordingly. Companies should ensure they only share data with reliable third parties and extend their existing security requirements to suppliers. In the case of sensitive data or information transfers it means that all documentation and certifications (such as SOC 2) should be requested from suppliers to confirm they can work at such level,” comments Evgeniya Naumova, Executive VP, Corporate Business at Kaspersky