Compensation was paid to most (71 percent) organisations hit by a supplier-related data incident if they had specific data usage guidelines for partners and subcontractors. In contrast, only 22 percent got paid when they didn’t have such rules in place.
These were the findings of a survey of 5,000 IT security leaders conducted by Kaspersky, which also found that each incident cost enterprise businesses an average of US$1.41 million (£1.08 million), up from US$1.23 million (£940,000) a year ago, partly due to PR spend to rectify reputational damage.
Gartner research found that 71 percent of organisations have more third parties in their network than they had three years ago and expect this number to grow in the next three years. They often allow suppliers access to sensitive data and IT assets to do their job.
Kaspersky’s IT Security Economics report found that 79 percent of enterprises have service level agreements explaining to partners and suppliers how to work with shared resources and data, as well as any penalties they may incur. Defining the areas of responsibility for both of the organisations involved increases the chances that a company will get compensation from a supplier that becomes an entry point for an attack.
Policies boost the likelihood of compensation amongst SMBs as well. For instance, 68 percent of SMBs with supplier policies received money, compared to only 28 percent of those who didn’t.
The survey did not indicate whether or not data breach policies make supply chain attacks any less frequent. Almost a quarter (24 percent) of enterprises that implemented special IT policies for third parties experienced a data breach caused by a cyber-security incident affecting a supplier, while only nine percent of companies without such rules confirmed that they had suffered such an attack.
“The results of our survey may seem rather paradoxical with enterprises with special policies saying they have experienced supply chain attacks more often. However, we can suggest that a business with a wider network of third party organisations will pay more attention to this area, which results in implementing specific guidelines. Nonetheless, a vast network of subcontractors may make such data breaches more likely. Besides, organisations with third party policies can more accurately determine the causes of a particular breach,” comments Sergey Martsynkyan, Head of B2B Product Marketing at Kaspersky.
Kaspersky recommends organisations regularly update their list of all partners and suppliers, as well as the data they can access. Ensure that they only have access to the resources they need to carry out their work. Confirm that organisations that don’t collaborate with your company are excluded and cannot access or use data and assets. Also, provide all third parties with the requirements they should follow – including compliance and security practices.