For some years now security experts have rung the alarm bells over the risk of third-party breaches. Enterprises are starting to understand that the security weaknesses at third parties with whom they share data or technical connections can directly impact their own internal risk surface.
Now, the question for the security industry is how many of these third-party breaches impact far more than one other party with some kind of financial loss? And what's the typical total collateral damage that ripples across different organizations in a multi-party cyber incident?
Those are the questions that RiskRecon brought to bear together with the data science experts at Cyentia Institute in the latest installment of our series exploring enterprise risk surfaces: Ripples Across the Risk Surface.
The report examines the particulars around what we call cyber ripple events.
Ripple events are multi-party cyber incidents that affect numerous organizations that have both direct and indirect connections to the initial victim.
Ripple events typically involve the compromise of a central victim that then generates downstream data loss events at various other third parties. Often the impact also jumps across degrees of separation, with loss events generated at other fourth-, fifth-, and n-th parties as well.
According to this seminal piece of research, we found:
- Financial loss from ripple events is 13x larger than single-party incidents
- The average ripple event impacts 10 firms beyond the original victim
- The most severe ripple events impacted 131 firms beyond the original victim
- Ripple events are growing more common, increasing 20% annually since 2008
- Companies in finance, administrative, and information sectors tend to both cause and receive the most impact from ripple events
This research lines up with the reality that technical relationships are rarely just one-to-one these days. In the age of digital transformation, data aggregation, and platform integration, the most crucial sets of sensitive data travel through many sets of hands over the course of their lifecycles. Enterprises frequently connect with a host of collaborators to build out digital ecosystems, including vendors, partners, and even competitors.
The data provided in Ripples Across the Risk Surface offers CISOs, risk officers, and digital strategists some of the first concrete evidence of the widespread risks that accompany this kind of expanding digital footprint. These details can help technology and business leaders make informed decisions about why and how they need to address their third-party risks to meet these demands.
The data scientists from the Cyentia Institute created an interactive chart based on the findings from the report to showcase the interconnected nature of third-party risk among industries. Check it out below: