Companies that do not prepare for attacks coming from their vendors are putting themselves at risk of a multiparty breach— where a single compromise can balloon into intrusions of as many as 800 companies, new analysis by data-science firm Cyentia Institute found.
The report, which focused on the top 50 multiparty breaches, found that the average large breach involved 31 organizations and cost $90 million, compared with $200,000 loss for a typical cybersecurity incident. While system intrusions accounted for the incident category with the largest number of organizations impacted (57%), ransomware and wiper incidents caused the greatest loss, accounting for 44% of all recorded losses, according to Cyentia.
In addition, attacks that involved valid accounts and that were conducted by nation-state actors also caused much higher per-incident damages, the firm stated.
The data analysis suggests that companies should put more effort into ensuring their vendors and contractors are not providing a doorway into their networks, says John Sturgis, data scientist at Cyentia.
"Even if you never thought about being targeted directly by a nation-state actor, thinking about it through a lens of what providers do I have that could be targeted, and how can I manage my exposure even within my third parties is a real valid and tractable problem to try and engage in?" he says.
The analysis, part of Cyentia's "Information Risk Insights (IRIS)" study, uses data from insurance data provider Advisen, whose Cyber Loss database consists of nearly 100,000 cyber events. Cyentia combined the largest 30 multiparty events as measured by three different criteria: total incurred costs, number of individuals affected, and number of organizations affected. It then selected the top 50 based on the combined totals and the amount of data available.
The lesson from the largest of the multiparty breaches is that companies' cybersecurity and risk mitigation efforts need to focus on attackers not only targeting businesses but also targeting third parties, which ripples downstream to those vendors' clients. For that reason, companies need to do more than shallowly vet the security of their vendors, says Wade Baker, co-founder of Cyentia.
"There is a limited amount that any single organization can do to a sufficiently resourced and determined party, such as a nation-state or some of the cybercriminal gangs," he says. "However, I think it would be helpful to think of risk management as including more supply chain or third-party-centric thinking. And by that I don't mean filling out a questionnaire."
Kaseya Breach Tops List
The analysis found the top attack to be the breach of the Kaseya Virtual System Administrator (VSA) servers used by many managed service providers, which affected at least 800 downstream organizations in July. The second largest attack was the breach of credit-card processor Global Payments in 2012, which affected 678 organizations, the report states.
Meanwhile, the most costly breaches include the 2017 NotPetya wiper attack caused by a breach of Ukrainian software firm Intellect Service, which produces accounting software that attackers implanted with malware to infect other companies. In second place: Facebook's $5 billion fine levied by the US Federal Trade Commission in 2019 for the platform's privacy and security failings that allowed apps to harvest users' information from the platform, violating their privacy.
Information and professional companies most often are the initial vector in a multiparty breach, according to the analysis.
External attacks accounted for nearly all (97%) of the organizations affected by the top 50 attacks and for 69% of the total losses. While cybercriminal groups accounted for 80% of the impacted organizations, the relatively small number of attacks by nation-state actors caused 58% of the total losses, according to the Cyentia analysis.
Insiders, however, also had an outsized role in damages — not as the actor but as the vector. Insiders and third parties caused or indirectly contributed to 34 of the top 50 security events, accounting for 99% of all recorded damages, the report states.
"Bottom line: Don’t assume your employees and third parties are out to do you harm — that won’t create a healthy or secure business relationship," Cyentia states in the report. "But you also shouldn’t assume that all will be well if everyone just joins hands and sings Kumbaya."