Companies are increasingly affected by cybersecurity incidents at suppliers with whom they exchange data, as the latest IT Security Economics Report from Kaspersky shows. And that can be expensive, as current figures show.
The average financial impact of such an incident for a large company in Europe last year was $2 million, making it the most costly type of incident.
Business data is distributed in practice
Business data is usually distributed across several third parties, including service providers, partners, suppliers and subsidiaries, which is why cybercriminals are increasingly targeting precisely these. Companies therefore need to consider not only the cybersecurity risks that affect their own IT infrastructure, but also those that originate outside their own organization.
According to the Kaspersky survey, more than a quarter (28 percent) of large companies in Europe have been affected by attacks on data shared with suppliers. This number has not changed significantly since 2020 (when it was 29 percent). The financial impact is also the same as last year, namely two million dollars.
The attack scenario has changed
Most other types of attacks have a lower financial impact, including physical loss of proprietary equipment ($1.2 million), crypto mining attacks ($1.2 million), or misuse of IT resources by employees ($1.2 million).
For example, the average financial impact of an attack on a European company was $1.1 million in 2021, compared to $839,000 in 2020. In an international comparison, however, this figure declined: from $1.09 million in 2020 to $927,000 in 2021. A possible reason is that the investments companies have made in prevention and containment are now paying off.
However, the average costs may also have been influenced by the fact that companies were less likely to report data breaches this year: according to the Kaspersky survey, 41 percent in Europe avoided doing so, compared with just 33 percent in 2020. Financially vulnerable companies may shy away from the time and expense of a criminal investigation or the potential damage to their image from a publicly disclosed breach.
Extend security requirements to suppliers
“The severity of the attacks makes it clear that companies must consider the risk of violating data protection law when sharing data with suppliers when assessing their own cybersecurity requirements,” comments Christian Milde, Managing Director Central Europe at Kaspersky. “Companies should classify their suppliers based on the nature of their work and the complexity of what they receive – whether or not they deal with sensitive data and infrastructure – and implement security requirements accordingly. They must ensure that they only share data with reliable third parties and extend their existing security requirements to suppliers. In the case of sensitive data or information, this means that all documentation and certifications – such as SOC 2 – should be requested from suppliers to confirm that they are also operating at this level. In very sensitive cases, we also recommend conducting a preliminary compliance audit of a supplier before signing a contract.”
More information about IT security costs and budgets for companies in 2021 is available via the interactive Kaspersky IT Security Calculator.
More at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/