Kaspersky research finds third-party incidents became the most costly enterprise data breaches in 2021
Woburn, MA — October 6, 2021 — This year Kaspersky’s annual IT Security Economics report reveals the growing severity of cybersecurity incidents affecting businesses through suppliers that they share data with. The average financial impact of such an event for an enterprise reached $1.4 million in 2021, making it the costliest type of incident to date.
Attacks where global businesses are affected through their contractors have become a significant trend as business data is typically distributed across multiple third parties including service providers, partners, suppliers, and subsidiaries. As such, organizations need to consider not only the cybersecurity risks affecting their IT infrastructure, but those that can come from outside it.
According to the survey, a third (32%) of large organizations suffered attacks involving data shared with suppliers. This number has not changed significantly since the 2020 report (33%). The financial impact of this type of incident is also unchanged from last year at $1.4 million; in 2020, however, it ranked only 13th in average losses across all forms of attack.
The majority of other attack types demonstrate lower financial impact including physical loss of company owned devices ($1.3 million), cryptomining attacks ($1.3 million) and inappropriate IT resource use by employees ($1.3 million). They also changed places in the rankings, showing how the pandemic has shifted the cybersecurity landscape for businesses.
The average financial impact across all attack types also fell, with a notable 15% decrease compared to last year's results: $927k in 2021 versus $1.09 million in 2020, lower even than the 2017 figure ($992k).
One possible reason is that earlier investments in prevention and mitigation measures have paid off for businesses. Alternatively, the average cost may be affected by the fact that enterprises were less likely to report data breaches this year, with 34% managing to avoid doing so, compared to just 28% in 2020. Financially vulnerable companies may be reluctant to commit time and expense to a criminal investigation, or to risk reputational damage if a breach becomes public knowledge.
“The severity of cybersecurity attacks highlights the need for organizations to take the risk of a breach involving shared data with suppliers into account when assessing cybersecurity needs for their businesses,” comments Evgeniya Naumova, executive vice president for corporate business at Kaspersky. “The pandemic has changed the threat landscape and organizations should be ready to adapt to it. Companies should grade their suppliers based on the type of work they do and the complexity of access they receive (whether they deal with sensitive data and infrastructure or not), and apply security requirements accordingly. Companies should ensure they only share data with reliable third parties and extend their existing security requirements to suppliers. In the case of sensitive data or information transfers, it means that all documentation and certifications (such as SOC 2) should be requested from suppliers to confirm they can work at such a level. In very sensitive cases, we additionally recommend conducting a preliminary compliance audit of a supplier before signing any contract.”
To minimize the risk of attacks and data breaches, businesses should use effective endpoint protection with threat detection and response capabilities. In addition, managed protection services can help organizations with attack investigation and expert response. This essential level of endpoint protection is included in the Kaspersky Optimum Security framework. For organizations with a mature IT security function, the Kaspersky Expert Security framework additionally provides anti-APT capabilities, the latest threat intelligence, and dedicated professional training.
To learn more insights about IT security costs and budgets in businesses in 2021 visit the interactive Kaspersky IT Security Calculator. The full report “IT Security Economics 2021: Managing the trend of growing IT complexity” is available to download here.
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.