Partnership Costs: Third Party Incidents Became Most Costly Enterprise Data Breaches in 2021

The latest edition of Kaspersky’s annual IT Security Economics report reveals the growing severity of cybersecurity incidents affecting businesses through suppliers that they share data with. The average financial impact of such an event for an enterprise reached $1.4 million in 2021 which makes it the costliest type of incident worldwide, while the same type of attack cost enterprises in META around $915k.

Attacks, where global businesses are affected through their contractors, have become a clear trend. Business data is typically distributed across multiple third parties including service providers, partners, suppliers, and subsidiaries. As such, organizations need to consider not only the cybersecurity risks affecting their IT infrastructure but those that can come from outside it.

According to the survey, more than a third (40%) of large organizations in META suffered attacks involving data shared with suppliers. This number hasn’t changed significantly since the 2020 report (when it was at 44%).

The attacks with the biggest financial loss for enterprises in the META region were: Inappropriate IT resource use by employees ($1.09 million), fileless attacks ($1.08 million) and inappropriate sharing of data via mobile devices ($976k).

The average financial impact of any attack has also decreased as a result. It showed a notable 38% decrease compared to last year’s results – $686k in 2021 versus $1.1 million in 2020. The possible reason behind this decrease is that previous investments into prevention and mitigation measures played well for businesses. Alternatively, the average cost may be affected by the fact that enterprises in META were less likely to report data breaches this year, with 25% managing to avoid doing so, compared to just 17% in 2020. Financially vulnerable companies may be reluctant to commit time and expense to a criminal investigation or risk reputational damage if a breach becomes public knowledge.

“The research results indicate the need for a different approach to tackling the growing complexity of cyberthreats. The difficulties do not necessarily come from the sophistication of attacks, but the growing attack surface that requires a more diverse set of protection methods. This makes matters even more complicated for IT Security departments who have more points of vulnerability to lockdown,” comments Amir Kanaan, Managing Director for the Middle East, Turkey and Africa at Kaspersky. “Some threats like inappropriate IT resource use by employees and attacks involving data shared with suppliers are even harder to mitigate using an algorithm. This adds up to the grim reality of the modern threat landscape, where businesses have to repel the efforts of organized crime, rather than simply block ‘malicious software. A truly efficient strategy, therefore, requires a combination of security technology, the analysis of external and internal cyber threat intelligence, constant monitoring, and the application of best practices for incident response.”

To minimize the risk of any attacks and data breaches for businesses, effective endpoint protection with threat detection and response capabilities should be used. In addition, managed protection services will help organizations with their attack investigation and expert response. This essential level of endpoint protection is included in the Kaspersky Optimum Security framework. For organizations with a mature IT security function, the Kaspersky Expert Security framework additionally provides anti-APT, the latest threat intelligence, and dedicated professional training.

To learn more insights about IT security costs and budgets in businesses in 2021 visit the interactive Kaspersky IT Security Calculator. The full report “IT Security Economics 2021: Managing the trend of growing IT complexity” is available to download here.