Companies suffer the greatest damage as a result of cyber security incidents relating to their partners, according to research.
This is the finding of a study by Kaspersky Lab and B2B International examining whether cyber security is a cost centre or a strategic investment.
Incidents affecting infrastructure hosted by a third party cost small businesses £106,000 on average, while large enterprises lost nearly £1.5m as a result of breaches affecting suppliers they share data with, and £1.2m because of insufficient levels of protection at providers of infrastructure as a service (IaaS).
These findings indicate that companies should not only invest in their own protection, but also pay attention to that of their business partners.
As soon as a business gives another organisation access to its data or infrastructure, the report said, weaknesses in one may affect both.
There is a growing list of examples of data breaches that can be traced to third-party suppliers, from the Target breach in 2013, to more recent cases such as insider trading by hacking newswire services and fraudulent tax claims by compromising a feature on the US Internal Revenue Service website that was hosted by a third party.
This issue is becoming increasingly important as governments worldwide introduce legislation requiring organisations to provide information about how they share and protect personal data.
“While cyber security incidents involving third parties prove to be harmful to businesses of all sizes, their financial impact on a company has the potential to result in twice as much damage,” said Alessio Aceti, head of the enterprise business division at Kaspersky Lab.
“This is because of a wider global challenge – with threats moving fast, but businesses and legislation changing slowly. When regulations like GDPR [General Data Protection Regulation] become enforceable and catch up with businesses before they manage to update their policies, the fines for non-compliance will further add to the bill,” he said.
According to the study, 63% of companies are investing in cyber security regardless of return on investment (ROI).
However, the study also shows that businesses around the world are starting to view cyber security as a strategic investment, and the share of the IT budget spent on IT security is growing, reaching almost a quarter (23%) in large corporations.
This pattern is consistent across businesses of all sizes, including very small businesses where resources are usually in short supply. However, while security appears to be receiving a larger proportion of the IT budget, the overall budget is getting smaller. For example, the average IT security budget for enterprises in absolute terms dropped from £19.2m in 2016 to £10.3m in 2017.
As security budgets shrink, the cost of security breaches is going up. In 2017, small to medium-sized enterprises (SMEs) are paying an average of £66,800 per security incident, compared with £65,900 in 2016, while enterprises are facing costs of £756,000 in 2017, up from £655,000 in 2016.
To help businesses plan their IT security strategies around the industry threat landscape and specific recommendations, Kaspersky Lab has introduced an IT Security Calculator.
The tool is aimed at providing a guide to the cost of IT security based on the average budgets being spent, security measures, the major threat vectors, money losses and tips on how to avoid a compromise.