Risk Management: Six Degrees of Separation
Do you remember the Kevin Bacon game “Six degrees of separation”? The game was based on the theory that every person and everything can be associated by six or less connections. If we use this theory to consider how we use technology today and how interconnected we are through these connections and with whom, the results are astounding. Results from the Ponemon Institute 2018 Third Party Risk Study indicate that 61 percent of companies surveyed have experienced a data breach caused by third parties.
A recent study published by Cyentia Institute found that losses triggered by a multi-party technology incident are 13 times greater than single-party incidents.
Key Findings from the Third-Party Risk Study
- The average affect from an incident will impact 10 companies beyond the original victim
- The largest incident studied impacted 131 firms beyond the original victim
- Researchers project that multi-party events will increase at an average rate of 20 percent per year
What Can You do to Mitigate Cyber Risk?
As companies shift business systems from in-house data centers to outsourced IT and cloud providers, we recommend they have a clear understanding of the security provided by the outside providers and those that are their responsibility. It’s estimated that Amazon controls 48 percent of cloud computing technology followed by Microsoft at 16 percent.
With significant financial, legal, and reputational risk, organizations should consider how they’re protecting themselves from a third-party cyber attack. Remember your company is only as safe as your most vulnerable connection or user.
Addressing the risk of third-party cyber attacks
We recommend establishing risk protocols to reduce the impact from a third-party cyber attack. These should include:
- Updating your security incident response plan to include your response to third party events
- Identifying and building a team to manage third party risks. This could include internal as well as external resources
- Identifying and taking an inventory all third parties who have access to your computer systems as well as your confidential, sensitive or proprietary data
- Requiring third-party companies that have access to your confidential or proprietary information to provide you with their process for securing your data and if they share it with third parties, what controls they have in place to monitor compliance with agreed upon security protocols
- Establishing reporting requirements with third parties that you will be notified in the event they experience a data breach that compromises their system
- Requiring third parties to provide details on their cyber insurance coverage so you are not left to shoulder the loss
Want to learn more about mitigating your cyber risk? Contact us today. We’d be happy to talk with you!