No Compensation After a Cyberattack in the Absence of Third-party Policy

  • Kaspersky's report revealed that 71% of enterprises with a third-party policy reported receiving monetary recompense after an incident, compared to only 22% who did not have regulations in place.

  • Damage from incidents is estimated to cost $2.57m on average, with data breaches among the three costliest problems faced by enterprises.

  • One of the main benefits of implementing third-party policies is that they solve issues around accountability.


Kaspersky's IT Security Economics report surveyed almost 5,000 business decision-makers who were willing to share their thoughts on cybersecurity and their firms’ attitudes about cyberthreats.



The results emphasize the importance of dedicated policies and protocols for third-party contractors working with IT companies.



Does the concern make any sense?


According to Gartner's research, 71% of organizations have more third parties in their network than they had three years ago, and the same proportion expect this number to grow in the next three years. For subcontractors to fulfill their work obligations, companies often allow them access to their sensitive data and IT assets.



Kaspersky's survey produced some surprising findings. It showed that only 22% of organizations that do not have specific data usage guidelines for partners and subcontractors received compensation after a supply-chain attack, or an incident that affected suppliers they share information with. In comparison, nearly three-quarters (71%) of enterprises that have specific data usage guidelines for partners and subcontractors received compensation after an incident that affected suppliers they share information with.



The results of our survey may seem rather paradoxical, with enterprises with special policies saying they have experienced supply chain attacks more often. However, we can suggest that a business with a wider network of third-party organizations will pay more attention to this area, which results in implementing specific guidelines.

- Sergey Martsynkyan, Head of B2B Product Marketing, Kaspersky.


The report revealed that 79% of enterprises have special policies in place explaining to partners and suppliers how to work with shared resources and data, as well as any penalties they may incur. The concerns do make sense. According to the survey, damage from incidents is estimated to cost $2.57m on average, with data breaches among the three costliest problems faced by enterprises. Several sophisticated supply chain attacks, including ShadowPad, were discovered by the researchers.



A vast network of subcontractors may make such data breaches more likely. Besides, organizations with third-party policies can more accurately determine the causes of a particular breach.

- Sergey Martsynkyan, Head of B2B Product Marketing, Kaspersky.


 

The report suggests that one of the main benefits of implementing third-party policies is that they solve issues around accountability by defining the areas of responsibility for both of the organizations involved. They also increase the chance of receiving compensation from a supplier that becomes an entry point for an attack.



Third-party policies also work well for SMBs. For example, 68% of SMBs with policies in place received compensation, compared to 28% of those who did not have policies.






The Kaspersky report makes the following recommendations:

1. Regularly update your list of all partners and suppliers, as well as the data they can access. Ensure that they only have access to the resources they need to carry out their work. Confirm that organizations that don’t collaborate with your company are excluded and cannot access or use data and assets.
2. Provide all third parties with the requirements they should follow – including compliance and security practices.


3. Kaspersky offers Kaspersky Anti Targeted Attack that can detect advanced attacks that may have gone under the radar of perimeter protection solutions, including supply chain attacks, at an early stage.

 

 


About the survey


The Kaspersky Global Corporate IT Security Risks Survey (ITSRS) is a global survey of IT business decision makers, which is now in its 9th year. A total of 4,958 interviews were conducted across 23 countries. Respondents were asked about the state of IT security within their organizations, the types of threats they face and the costs they have to deal with when recovering from attacks. The regions covered include LATAM (Latin America), Europe, North America, APAC (Asia-Pacific with China), Japan, Russia and META (Middle East, Turkey and Africa).


