Layered software integrations, open APIs, and mutually beneficial data sharing between different businesses are hallmarks of digital transformation today. These technologies and practices serve as the building blocks for sweeping digital ecosystems. Enterprises use these ecosystems to drive revenue and extend business reach. However, they come with a significant downside.
The more organizations enlarge their digital footprint across numerous third-party and fourth-party relationships, the more they increase their risk of downstream data breaches.
New data indicates that an increasing number of cyber incidents cause massive financial losses that ripple across multiple parties beyond the initial victim. RiskRecon and the data science experts at Cyentia Institute examined historical cyber event data from the cyber loss database Advisen. The study showed that these cyber ripple events can cause 13x larger financial losses than traditional single-party incidents. They're also on a marked upward trajectory.
According to the Ripples Across the Risk Surface report, ripple events have grown steadily more common, increasing on average by 20% annually since 2008. That should come as no surprise given the recent enterprise push toward digital transformation.
Companies are moving quickly on open APIs because they're making money off them. According to Forrester, firms that use APIs externally are 3x more likely to see revenue growth of 15% or more.
The more plugins, extensions, and integrations that piggyback off these external APIs, the bigger the risk surface grows for the entire ecosystem. The Ripples report dug into some prime examples of how this can play out.
Cloud Providers: Ripple events can be triggered by security problems in the increasingly complex cloud supply chain. For example, last year security researchers found 540 million Facebook user records exposed by a third-party app that had collected them from the Facebook platform and then stored them in unsecured AWS S3 buckets.
Data Aggregators and Brokers: Attackers love targeting any organization that exists primarily to buy, sell, trade, or share data. These companies not only scrape publicly available information online but also hold and share sensitive business information and PII. A classic example is credit reporting agencies like Equifax, whose 2017 breach created massive ripples. Other companies under this umbrella are fintech data aggregators and market research firms, both of which can cause massive cyber ripples when they're attacked. For example, a 2018 breach of data aggregator Apollo, a sales intelligence firm, exposed information on 10 million different companies.
Consulting Firms: Business and technology consultants often integrate their systems tightly with those of their clients to deliver a wide range of tech-enabled services. This makes them juicy targets for attackers and creates ideal conditions for triggering ripple events. Take Indian consulting firm Wipro, which last spring was found to have been the source of a ripple event that impacted at least a dozen of its customers after attackers compromised Wipro's internal IT systems.
Many cyber ripple events are hidden from the public eye and may not be uncovered for years after the initial event. The downstream risk of these events may be similarly hidden from the consideration of digital transformation leaders.
As digital leaders design their platforms, build their software, and share data prolifically, they'll need to do a better job of folding third-party risk management practices into their innovation work. This means:
- Doing a better job tracking and managing data sharing and external integrations;
- Maturing vendor management office responsibilities to extend visibility beyond contractual relationships into technical relationships with external parties;
- Taking better control over the software supply chain to ensure they know exactly when a supplier's vulnerabilities put their software at risk;
- Leaning on the CISO to provide digital transformation and business leaders better visibility into the risks of new technical collaborations.
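As an added illustration of the first and third points above, here is a small Python script that keeps an inventory of external integrations and the data each one shares, records each supplier's declared components and sub-processors, and then, given an advisory feed, reports which integrations a third party's or fourth party's unpatched component puts at risk. This is example code written for this page, not RiskRecon's tooling or anything from the report; every supplier, component, version and advisory ID in it is constructed, and versions are compared as dotted integers, which is a simplification real advisory feeds would not tolerate.

```python
"""Trace a supplier vulnerability to the integrations and data it puts at risk.

Example for this page only: all suppliers, components, versions and advisory
IDs below are constructed and do not refer to real vendors or real CVEs.
"""
from collections import deque

# Constructed inventory of our own external integrations and the data each
# one shares with its third party.
INTEGRATIONS = [
    {"name": "payments-webhook", "supplier": "PayCo",
     "data_shared": ["card_last4", "email", "billing_address"]},
    {"name": "lead-enrichment", "supplier": "EnrichCo",
     "data_shared": ["email", "company", "job_title"]},
    {"name": "ticketing-sso", "supplier": "HelpDeskCo",
     "data_shared": ["name", "email"]},
]

# Constructed supplier attestations: the components each party runs and the
# sub-processors (fourth parties) it passes our data on to. "AnalyticsCo" is
# named as a sub-processor but has supplied no inventory at all.
SUPPLIERS = {
    "PayCo": {"components": {"xmlparse": "2.9.3", "tlslib": "1.4.2"},
              "subprocessors": ["CloudHostCo"]},
    "EnrichCo": {"components": {"webframework": "4.17.0"},
                 "subprocessors": ["DataBrokerCo", "AnalyticsCo"]},
    "HelpDeskCo": {"components": {"tlslib": "1.5.0"}, "subprocessors": []},
    "CloudHostCo": {"components": {"webserver": "1.21.0"}, "subprocessors": []},
    "DataBrokerCo": {"components": {"xmlparse": "2.9.1"}, "subprocessors": []},
}

# Constructed advisory feed: a component is affected when its pinned version
# is older than the first fixed version.
ADVISORIES = [
    {"id": "ADV-0001", "component": "xmlparse", "fixed_in": "2.9.4", "severity": "high"},
    {"id": "ADV-0002", "component": "tlslib", "fixed_in": "1.4.3", "severity": "critical"},
]


def parse_version(text):
    """Dotted-integer versions only (a simplification; real feeds need a proper parser)."""
    return tuple(int(part) for part in text.split("."))


def affected_advisories(components, advisories):
    """Advisories whose component is present and still below the fixed version."""
    hits = []
    for adv in advisories:
        pinned = components.get(adv["component"])
        if pinned is not None and parse_version(pinned) < parse_version(adv["fixed_in"]):
            hits.append(adv)
    return hits


def exposures(integrations, suppliers, advisories):
    """Walk each integration's supplier chain breadth-first (third party at hop 1,
    its sub-processors at hop 2, and so on) and report every party that either
    carries an unpatched advisory or has given us no inventory to check."""
    findings = []
    for integ in integrations:
        queue = deque([(integ["supplier"], 1)])
        seen = set()
        while queue:
            party, hops = queue.popleft()
            if party in seen:
                continue
            seen.add(party)
            base = {"integration": integ["name"], "party": party, "hops": hops,
                    "data_at_risk": list(integ["data_shared"])}
            if party not in suppliers:
                # A blind spot is itself a finding: we share data with a party
                # whose software we cannot assess.
                findings.append({**base, "advisory": None, "severity": "unknown"})
                continue
            for adv in affected_advisories(suppliers[party]["components"], advisories):
                findings.append({**base, "advisory": adv["id"], "severity": adv["severity"]})
            for sub in suppliers[party]["subprocessors"]:
                queue.append((sub, hops + 1))
    return findings


def blast_radius(findings):
    """Map each advisory to the integrations it reaches, however many hops away."""
    radius = {}
    for f in findings:
        if f["advisory"] is not None:
            radius.setdefault(f["advisory"], set()).add(f["integration"])
    return {adv: sorted(names) for adv, names in radius.items()}


if __name__ == "__main__":
    found = exposures(INTEGRATIONS, SUPPLIERS, ADVISORIES)
    for f in found:
        print(f"{f['integration']:18} hop {f['hops']}  {f['party']:13} "
              f"{f['advisory'] or 'no inventory':13} {f['severity']:9} "
              f"data: {', '.join(f['data_at_risk'])}")
    print("blast radius:", blast_radius(found))
```

Run as a script it lists four findings: two for the payments integration at its direct supplier, one for lead enrichment two hops away at a fourth-party data broker, and one for lead enrichment at a sub-processor that never supplied an inventory. The blast-radius view is the ripple: the same advisory reaches two unrelated integrations through two different supply paths, which is exactly the relationship a contract-only vendor register would not surface.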
To be sure, digital innovators are rightly concerned about the business risks they face should they fail to build out open digital ecosystems. But at the same time, they need to come into the process with their eyes wide open about the risk of cyber ripple events and work to manage that risk as they innovate.
The full results are available in the Ripples Across the Risk Surface research report.