Data breaches and security exposures are bad enough when they impact one or two businesses at a time. But in today’s interconnected digital world, we’re seeing an increasing number of security exposures that create a ripple effect across numerous organizations. The growing body of observational data across more than a decade of publicly reported breaches points to how widely the waves of impact from a security incident at a single organization can spread across industries and other individual organizations.
A single breach at a technology service provider, for example, could expose the records of hundreds of its business customers if the compromised system is central to the services it provides. Additionally, the security weaknesses of so-called Nth parties (4th party, 5th party, and so on across the business value stream) can and do affect organizations that do not do business with them directly.
These multi-party security breaches form the basis of this recurring RiskRecon Ripples Across the Risk Surface report, which analyzes breaches involving three or more interrelated companies along several dimensions. Since our 2019 report on the security ripple effect, the technological world has been shocked by several dramatic examples of the damage a single incident can do, wreaking havoc on many downstream organizations.
The SolarWinds incident stands foremost among them, providing the strongest anecdotal evidence of how a damaging ripple event can unfold and a warning of how far it can reach. Our argument here is that SolarWinds was not an anomaly or a singular event, and we have the data and stories to prove it.
In this second edition of the Ripples report, we bolster the evidence gathered in our first analysis of not only the risks associated with third-party direct vendors and partners but also the dangers posed by the rest of the supply chain.
Key findings from the report:
- 897 multi-party breach incidents, also referred to as ripple events, have been observed since 2008.
- 147 newly uncovered ripples were observed across the entire data set, with 108 occurring in the last three years.
- A median ripple breach event causes 10x the financial damage of a traditional single-party breach.
- The worst of the multi-party breach events causes 26x the financial damage of the worst single-party breach.
- It takes 379 days for a typical ripple event to impact 75% of its downstream victims.
- The median number of organizations impacted by ripple events across the data set was 4.