In this blog, we examine the role of company size in breach events studied between 2012-2021. Are larger or smaller companies more affected by breach events? Read on to find out!
One of the best predictors of breach event frequency may be the size of the organization’s attack surface – the number of systems the company operates on the internet. The larger an organization’s internet presence, the higher the frequency of breach events. Looking at the extremes, organizations with greater than 5,000 internet-facing systems had 21 times higher publicly reported breach events than companies with 10 or fewer systems.
Companies with the largest attack surfaces publicly reported an average of 1.28 breach events from 2012 to 2021, 64 times higher than the smallest organizations.
Stopping there, one might conclude that companies with larger attack surfaces are less competent in protecting their systems. However, from the perspective of breach events per 1,000 systems, that is not the case. The larger the attack surface, the lower the number of breach events per 1,000 systems.
The net of it is that companies with the largest attack surfaces are breached 64x more frequently than the smallest organizations, so they are going to drive a lot of third-party incident response. However, that doesn’t mean the largest organizations are less competent. In fact, on a per-system basis, they are comparatively very good at protecting systems; they are just having to protect such a massive infrastructure.
RiskRecon Risk Management Insights: If you are managing third-party risk, you would be wise to factor the size of the organization’s attack surface into your inherent risk model. The larger the attack surface, the higher the breach event frequency. Companies with >5,000 systems in their attack surface have a 64x higher breach event frequency!
Your team will be assessing the impact of a lot of third-party breach events for those larger companies. It may be the case that the smaller companies aren’t reporting breach events as well as the larger ones, but we won’t know until someone reports it.
Check back soon for most risk management insights and analysis from RiskRecon!