Third party policies make it 3 times more likely for enterprises to receive compensation after supply-chain attacks
Nearly three-quarters (71%) of enterprises which have specific data usage guidelines for partners and subcontractors received compensation after an incident that affected suppliers they share information with. In comparison, only 22% of organizations of the same size who do not have regulations in place reported this to be the case. These are the findings of a survey of IT security leaders conducted by Kaspersky.
According to Gartner research, 71% of organizations have more third parties in their network than they had three years ago – and the same proportion expect this number to grow in the next three years. In order for subcontractors to fulfil their work obligations, companies often allow them access to their sensitive data and IT assets.
Kaspersky’s IT Security Economics report revealed that 79% of enterprises have special policies in place explaining to partners and suppliers how to work with shared resources and data, as well as any penalties they may incur. Their concerns make sense as, according to the survey, damage from incidents is estimated to cost $2.57m on average, with data breaches among the three costliest problems faced by enterprises. Kaspersky researchers have discovered a number of sophisticated supply chain attacks, including ShadowPad.
One of the main benefits of implementing third party policies is that they solve issues around accountability by defining the areas of responsibility for both of the organizations involved. Consequently, this increases the chances that a company will get compensation from a supplier that becomes an entry point for an attack. 71% of enterprises with a third party policy reported receiving monetary recompense after an incident, compared to only 22% of peers who did not have regulations in place. Policies boost the likelihood of compensation amongst SMBs as well. For instance, 68% of SMBs with policies received money, compared to only 28% of those who didn’t implement rules for their subcontractors.
The survey did not indicate whether or not data breach policies make supply chain attacks any less frequent. Almost a quarter (24%) of enterprises that implemented special IT policies for third parties experienced a data breach because of a cybersecurity incident affecting suppliers, while only nine percent of companies without such rules confirmed that they had suffered an attack.
“The results of our survey may seem rather paradoxical with enterprises with special policies saying they have experienced supply chain attacks more often. However, we can suggest that a business with a wider network of third party organizations will pay more attention to this area, which results in implementing specific guidelines. Nonetheless, a vast network of subcontractors may make such data breaches more likely. Besides, organizations with third party policies can more accurately determine the causes of a particular breach,” comments Sergey Martsynkyan, Head of B2B Product Marketing at Kaspersky.
Mr. Dipesh Kaura, General Manager, Kaspersky (South Asia) said, “Most businesses need to work with the third party providers at some point of time and it sometimes becomes necessary to let them enter your network, which definitely should raise concerns about the network’s security. Small and big enterprises now more than ever need to be prepared for the evolving threat landscape as the Government is ready to make India a Digital Nation and enterprises are the backbone of the economy. Businesses should maintain strict guidelines when involving with third-party providers and should have an even stronger cybersecurity framework in place to mitigate the risks of supply chain attacks.”
To stay protected from supply chain attacks, Kaspersky recommends taking the following security measures:
- Regularly update your list of all partners and suppliers, as well as the data they can access. Ensure that they only have access to the resources they need to carry out their work. Confirm that organizations that don’t collaborate with your company are excluded and cannot access or use data and assets.
- Provide all third parties with the requirements they should follow – including compliance and security practices.
- Kaspersky offers Kaspersky Anti Targeted Attack that can detect advanced attacks that may have gone under the radar of perimeter protection solutions, including supply chain attacks, at an early stage.
The full report is available here.
About the survey
The Kaspersky Global Corporate IT Security Risks Survey (ITSRS) is a global survey of IT business decision makers, which is now in its 9th year. A total of 4,958 interviews were conducted across 23 countries. Respondents were asked about the state of IT security within their organizations, the types of threats they face and the costs they have to deal with when recovering from attacks. The regions covered include LATAM (Latin America), Europe, North America, APAC (Asia-Pacific with China), Japan, Russia and META (Middle East, Turkey and Africa).
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
Disclaimer: The story is in the form of a Press Release and has not been edited or reviewed for language or content. The content is published in the form that it was received by the editors after removing certain personal information such as contact numbers and emails. CXOToday.com is not responsible for the veracity of this content.