Data breaches are expensive. We know that. And they’re going to get more expensive if your company has to comply with GDPR. But did you know that the most expensive data breaches tend to be those caused by a third party, especially for SMBs?
That was the finding of a Kaspersky Lab study, which revealed incidents affecting the IT infrastructure hosted by a third party will cost an SMB more than any other type of breach, costing an average of $179,000. Enterprise also has a serious third-party breach problem, with those types of breaches costing $1.74 million (targeted attacks come in just slightly higher).
Why are third-party breaches so costly? SMBs often have poorly protected networks, making them low-hanging fruit, Andrey Pozhogin, security expert at Kaspersky Lab North America, told Dark Reading, adding:
Cybercriminals recognize the paradox of a supplier that has sometimes unlimited access to the enterprise infrastructure while left alone in their struggle to secure their own servers and networks.
The impact of third-party breaches on a business’s bottom line can be detrimental, Tom Turner, CEO with BitSight, told me in an email comment. There are the costs incurred from reputational damage and loss of trust in the brand, but there’s more, he said:
Additionally, under new privacy regulations, victims of breaches can file class-action lawsuits against the at-fault organization, furthering the monetary damage to a company.
It’s going to get worse before it gets better. As Turner said to me, as our vendor and third-party ecosystem continues to expand, so too does its overall security risk, making safeguarding the business a rising challenge:
While businesses may have a firm grasp on their own security posture and the steps they are taking to protect their digital assets, it’s often difficult for businesses to assess the security measures of the third parties that also have access to those assets. Even more troublesome is that many firms operate with a false sense of security and an overwhelming lack of awareness around vendor risk management altogether.
It’s not like ignoring third-party risks was ever an option, but now it is even more vital than ever to understand how those accessing, supporting or providing your infrastructure handle their security. Third-party security has to be built into your overall security budget, including policies and disaster planning. These breaches are already costing companies a lot of money. With new compliances, expect those costs to get a lot higher.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba