Data guidelines for suppliers limit fallout from cyber attacks

13 February 2020

IT purchasers can strongly benefit from having specific data usage guidelines for partners and subcontractors when it comes to limiting the fallout from supply chain incidents, according to a report.

Kaspersky’s IT Security Economics report found that 71% of enterprises with specific data usage guidelines for partners and subcontractors received compensation after an incident that affected suppliers they share information with.

This compares to only 22% of organisations of the same size that did not have regulations in place.

The findings were based on 4,958 interviews conducted across 23 countries. Respondents were asked about the state of IT security within their organisations, the types of threats they face and the costs they have to deal with when recovering from attacks.

The report cited Gartner research that showed 71% of organisations have more third parties in their network than they had three years ago.

The same proportion of respondents expected this number to grow in the next three years.

But in order for subcontractors to fulfil their work obligations, companies often allow them access to their sensitive data and IT assets, creating a potential security risk.  

The survey revealed that 79% of enterprises have special policies in place explaining to partners and suppliers how to work with shared resources and data, as well as any penalties they may incur.

Respondents estimated damage from incidents to cost $2.57m on average, with data breaches among the three costliest problems faced by businesses, said the report.

This is particularly due to the development of sophisticated supply chain attacks such as ShadowPad, malware which is capable of taking screenshots, keylogging, parsing local files, and stealing browsing data.

The report found that one of the main benefits of implementing third-party policies is that they solve issues around accountability by defining the areas of responsibility.

This in turn increases the chances that a company will get compensation from a supplier that becomes an entry point for an attack.
