Damages escalate rapidly in multi-party data breaches
Companies that do not prepare for attacks coming from their vendors are putting themselves at risk of a multiparty breach, where a single compromise can balloon into intrusions of as many as 800 companies, a new analysis by data-science firm Cyentia Institute found.
The report, which focused on the top 50 multiparty breaches, found that the average large breach involved 31 organizations and cost $90 million, compared with a $200,000 loss for a typical cybersecurity incident. While system intrusions were the incident category with the largest number of organizations impacted (57%), ransomware and wiper incidents caused the greatest loss, accounting for 44% of all recorded losses, according to Cyentia.
In addition, attacks that involved valid accounts and that were conducted by nation-state actors also caused much higher per-incident damages, the firm stated.
The data analysis suggests that companies should put more effort into ensuring their vendors and contractors are not providing a doorway into their networks, says John Sturgis, data scientist at Cyentia.
“Even if you never thought about being targeted directly by a nation-state actor, thinking about it through a lens of what providers do I have that could be targeted, and how can I manage my exposure even within my third parties is a real valid and tractable problem to try and engage in?” he says.
The analysis, part of Cyentia’s “Information Risk Insights (IRIS)” study, uses data from insurance data provider Advisen, whose Cyber Loss database consists of nearly 100,000 cyber events. Cyentia combined the largest 30 multiparty events as measured by three different criteria: total incurred costs, number of individuals affected, and number of organizations affected. It then selected the top 50 based on the combined totals and the amount of data available.
The lesson from the largest of the multiparty breaches is that companies’ cybersecurity and risk mitigation efforts need to account for attackers targeting not only businesses directly but also third parties, with the effects rippling downstream to those vendors’ clients. For that reason, companies need to do more than shallowly vet the security of their vendors, says Wade Baker, co-founder of Cyentia.
To read the complete article, visit Dark Reading.