Digital transformation and highly connected network ecosystems offer indisputable advantages in terms of business speed, efficiency, and productivity. Gone are the days of slow payment processing, for instance, when businesses’ financial outlooks depended on manual delivery of physical checks. Hospital workers no longer have to hand off patients’ paper records between departments when the patient is undergoing care or is transferred to an off-premises facility (never mind the need to transcribe doctors’ hand-written orders into intelligible treatment plans). Retailers can now track buyers across channels and market the right products at the right time, increasing the likelihood of customer loyalty and additional revenue.
The above are just a few examples of how today’s interconnected networks help businesses, but as any cyber security practitioner knows, network sprawl and unbounded interconnectivity swell cyber risk. How much is risk affected? That depends. How much data does an individual company collect, process, and store? How much of that data is accessible (either intentionally or through malicious action) by connected parties? How many 3rd party relationships does the business have? What about 4th or Nth party relationships?
The equation gets very complex very quickly, and inputs change minute by minute, making exact calculations near-impossible. But “it’s hard” doesn’t play well in board rooms or with investors, and it doesn’t allow companies to manage risk appropriately. Given everything we know in cyber security about vulnerabilities and exploits, data breach/privacy laws and compliance, and brand damage and post-exploitation clean-up costs, the need to understand the scope of the situation has never been more dire.
And that’s what Wade Baker and David Severski, co-founder/CEO and Senior Data Scientist, respectively, of Cyentia Institute, set out to do with their most recent publication on multi-party cyber incidents.
First things first: Cyentia Institute is a cyber security research firm grounded in data science and survey work. They conduct and publish studies on behalf of customers (in the case of the aforementioned report, Risk Recon), with the aim of surfacing quantifiable data on which readers can make strategic and/or operating decisions.
Next, what is a “multi-party cyber incident”? This is fairly self-explanatory, but for clarity’s sake, the report defines it as follows: “Multi-party incidents (‘ripple events’): A cyber incident that affects multiple organizations. This usually involves a compromise to a central victim that generates downstream loss events for various third parties.” In speaking with Baker recently, he explained that the goal of the project was to analyze data on multi-party incidents and help quantify the risk to an organization based on industry, size, and levels of interconnectedness.
Working with Advisen, a data insurance provider, Cyentia analyzed data from 813 multi-party cyber incidents, meaning the incident (i.e., breach, data loss, privacy violation, service disruption, etc.) affected 3 or more organizations. Why is this important? As per the above, no business exists in a vacuum anymore, and because of digital transformation, IT teams are being pushed hard to open even more access to achieve transformational benefits. What this means, though, is that when a company has an incident, it is not the only one that suffers; the collateral damage to connected organizations is what Cyentia has termed “ripple events.”
According to the research, the average ripple event impacts fewer than 10 organizations. However, the more connected a company’s ecosystem (i.e., the more 3rd, 4th, or Nth party relationships a company has), the more likely it is that downstream organizations will be affected. The most widespread ripple event analyzed by Cyentia included 131 downstream companies. (N.B. The full extent of ripple events may not always be traceable, because of degrees of separation between companies and/or whether downstream events are recognized or disclosed.)
Of course, we’ve seen this before. Depending on your survey source, 3rd parties account for anywhere from 59% to 81% of data breaches. Target, Marriott, and the U.S. Customs and Border Protection breaches are just a few high-profile examples. Typically, the cause of these breaches is positioned as a smaller, less-resourced company with fewer security controls facilitating access into the big company (a.k.a. the “main target”). What Cyentia found, however, is that—overwhelmingly—SMBs are more likely to feel a ripple effect of a larger company’s incident. The data show that only 29% of multi-party cyber incidents originate at a company with 1,000 or fewer employees. Making matters worse, the 71% of incidents that start at larger companies cause a disproportionate effect on SMBs; 65% of SMBs are victims of an incident due to their connectivity with their enterprise partners.
Another key finding in the report is that financial losses from multi-party incidents are 13X greater than those from single-party incidents. When combined with the data on company size, this finding could forecast disastrous effects on small businesses (and long-lasting ones on companies that have the financial resources to absorb a multi-million dollar loss). The report is quick to note that “losses [from cyber incidents] range from sub-$1,000 to over $1 billion,” meaning that the average cost of a data breach should be treated as a loose benchmark and that other factors, such as multi-party vs. single-party, play a role in financial outcomes.
Another surprising finding, said Baker, is which industries tend to be at the center of an incident (i.e., the initial exploit) and which ones feel the biggest ripples. According to the research, “nearly half of all ripple events are generated by just two sectors”: business support and finance. Baker clarified that, specifically, credit bureaus, commercial banking, collections agencies, and data aggregators are largely responsible for both the initial incident and the downstream events. Hotels/motels, Computer Systems Design and Related Services, and General Medical/Hospital Services are also commonly swept up in the wake of a multi-party incident.
The report, which is available for download on the Cyentia and Risk Recon websites, contains more juicy data on multi-party security incidents and their effects on risk. It’s sometimes easy to dismiss vendor-sponsored research as subservient to the sponsor’s product offerings, but Cyentia always maintains objectivity—the company is run by a data scientist and a founder of the Verizon Data Breach Investigations Report series. I won’t spoil the surprises in the report, but needless to say, if you are a security or risk manager concerned about the risk your partner ecosystem poses, take a read through and let us know what you think.