
Firms Increasingly Affected by Breaches at Other Organizations

The world is more interconnected than ever, and that network of dependencies means when an organization experiences a security incident, so do other downstream organizations in the supply chain.

Cyentia Institute analyzed historical data from Advisen's cyber-loss database and found 813 incidents that involved at least three organizations. Those incidents could be linked to 5,437 loss events at other organizations in the supply chain, a clear sign that counting the records breached in an incident tells only part of the story. These "ripple events" differ from traditional breaches because they spawn secondary loss events affecting thousands of organizations, Cyentia Institute said.

“As an industry, we’ve waited far too long to address the interconnected nature of today’s risk landscape,” said Wade Baker, founder of Cyentia Institute.

Ripple events are aptly named: the complex network of third-party dependencies and exposures means that something happening to one entity has cascading effects on others, much as ripples spread outward when a stone is thrown into water. On average, a ripple event affected fewer than 10 firms beyond the original victim, but some reached much further. The largest ripple event in the analysis affected 131 organizations.

Some of the more significant breaches of the past year or so would be considered multi-party incidents. In May, the American Medical Collection Agency disclosed a breach that compromised the personal information of more than 24 million individuals. Other companies had provided AMCA with that data for debt collection, and those companies were "caught up in the fallout" of AMCA's breach even though their own systems were intact. Cyentia's analysis found that 29 entities suffered known loss events in the wake of the AMCA breach. AMCA's parent company filed for bankruptcy protection, and several of the organizations that worked with AMCA now face lawsuits and investigations.

Magecart is another example of how incidents cascade as a result of the "diverse and sprawling nature of third-party relationships." The criminal collective compromised two third-party plugins used on Ticketmaster's website for payment processing, allowing the group to siphon off the credit card numbers of Ticketmaster customers. Because the same plugins were used elsewhere, the compromise gave the group a backdoor into other retailers as well, letting it work through one organization to reach others.

"Most breach research doesn’t explain the downstream impact of ripple events and that these incidents no longer simply impact a single organization," said Kelly White, CEO and co-founder of RiskRecon. RiskRecon sponsored the report.


A comparison of losses for direct victims and downstream victims shows that the two loss profiles are not dramatically different: an organization can be hurt as badly, or worse, by another firm's breach as by a breach of its own systems. (Figure 13) Source: "Ripples Across the Risk Surface," Cyentia Institute.

Collection agencies, banks and lending organizations, credit bureaus, government offices, and IT firms accounted for half of the organizations that generated ripple events. They are also among the organizations most often affected by such events, along with hotels and hospitals. These happen to be the industry sectors with the highest concentration of personal data, and organizations in these sectors tend to have large digital footprints and maintain extensive third-party relationships.

Multi-party loss events produced financial losses 13 times larger than traditional single-party incidents, Cyentia said in its analysis. However, there was little difference between the losses reported by the original victim and the losses reported by each secondary victim.

“Another firm’s breach could impact your organization just as much (or worse) than a breach of your own systems,” Cyentia said.

Ripple events are becoming more common, and the frequency is expected to continue to rise because the hyper-interdependency among organizations is not going away anytime soon. Financial and business support sectors tend to have more intricate digital supply chains and information flows, Cyentia said, so organizations in those sectors should consider “extra spend on identifying and managing your portfolio of third-party relationships.”

The point of the analysis wasn’t that third-party relationships are bad, but rather that third-party management programs—especially those that go beyond just vendor contracts and relationship management—are important, regardless of company size.
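One concrete way to act on that advice is to model your third-party relationships as a dependency graph and ask, for any vendor or fourth party, how far a compromise there would ripple. The example below is added here to illustrate the idea; it is not Cyentia's methodology (the report worked from Advisen loss records, not from dependency maps), and the organizations, relationships and function names are constructed for illustration. It walks the graph in reverse (from a provider to everything that depends on it, directly or through intermediaries) and reports each downstream party's hop distance, which is what distinguishes the AMCA-style victim whose own systems were never touched from the primary victim.

```python
"""Ripple (blast-radius) analysis over a constructed third-party dependency graph.

Added illustration, not code from the report or the article. All names below are
hypothetical. DEPENDENCIES maps an organization to the providers it depends on;
a compromise at a provider is assumed to expose every transitive consumer.
"""
from collections import defaultdict, deque

# Constructed sample data: consumer -> list of providers it depends on.
DEPENDENCIES = {
    "hospital_a": ["collection_agency", "billing_saas"],
    "hospital_b": ["collection_agency"],
    "lender_c": ["collection_agency", "credit_bureau"],
    "retailer_d": ["chat_widget_vendor", "payment_plugin"],
    "retailer_e": ["chat_widget_vendor"],
    "collection_agency": ["billing_saas"],   # the vendor has vendors too (fourth parties)
    "billing_saas": ["cloud_host"],
    "payment_plugin": ["cloud_host"],
}


def all_organizations(deps):
    """Every node in the graph, whether it appears as a consumer, a provider or both."""
    return set(deps) | {p for providers in deps.values() for p in providers}


def build_reverse_graph(deps):
    """Invert the map: provider -> set of organizations that depend on it directly."""
    reverse = defaultdict(set)
    for consumer, providers in deps.items():
        for provider in providers:
            reverse[provider].add(consumer)
    return reverse


def ripple(deps, primary):
    """Breadth-first walk from the primary victim to every transitive consumer.

    Returns {downstream_org: hop_distance}. Hop 1 is a direct customer of the
    compromised provider; hop 2 and beyond are organizations whose own systems
    were never touched but whose data or service flowed through the victim.
    """
    reverse = build_reverse_graph(deps)
    distance = {}
    seen = {primary}
    queue = deque([(primary, 0)])
    while queue:
        node, hops = queue.popleft()
        for consumer in reverse.get(node, ()):
            if consumer not in seen:
                seen.add(consumer)
                distance[consumer] = hops + 1
                queue.append((consumer, hops + 1))
    return distance


def ripple_sizes(deps):
    """Number of downstream organizations exposed by a compromise at each node."""
    return {org: len(ripple(deps, org)) for org in all_organizations(deps)}


def concentration_points(deps, min_downstream=2):
    """Providers whose compromise would ripple to at least min_downstream others,
    largest blast radius first. These are the relationships worth the 'extra spend'."""
    sizes = ripple_sizes(deps)
    hits = [(org, n) for org, n in sizes.items() if n >= min_downstream]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for org, n in concentration_points(DEPENDENCIES):
        print(f"{org:20s} downstream exposed: {n}")
    # Show who is reached, and at what remove, if the shared cloud host is hit.
    for org, hops in sorted(ripple(DEPENDENCIES, "cloud_host").items(), key=lambda kv: kv[1]):
        print(f"  cloud_host -> {org} ({hops} hop{'s' if hops != 1 else ''})")
```

Running the script lists the shared cloud host and the collection agency as the largest concentration points in the sample graph, and shows the two hospitals and the lender being reached from the cloud host at two or three hops, a rough analogue of the secondary victims the report counts. Real inventories are messier (a vendor's vendors are rarely disclosed), so in practice the graph is only as good as the fourth-party information you can collect.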

“Many—perhaps even most—cyber-incidents impact organizations beyond the central victim to some degree,” Cyentia wrote, noting that the analysis showed that “we as a community need to be more aware of and more actively managing this risk.”

The top chart shows the sectors most often at the center of multi-party incidents, that is, the sectors of the primary victims. (Figure 6) The bottom chart shows the sectors most often affected downstream in multi-party incidents. (Figure 7) The two lists overlap. Source: "Ripples Across the Risk Surface," Cyentia Institute.