Third Party Incidents Most Costly Data Breaches for Businesses In 2021


The average financial impact for enterprises who fall victim to a data breach through their suppliers is reaching USD 1.4 million, new research from Kaspersky reveals.

This is now the costliest type of cyber incident for an enterprise globally, according to Kaspersky’s annual IT Security Economics Report. For SMBs, this form of data breach cost an average USD ($) 212,000 this year.

According to the report – which surveyed over 4,300 enterprises and SMBs globally (50 employees and over) – over a third (35%) of Australian organisations suffered attacks involving data shared with suppliers.

Business data is typically distributed across multiple third parties including service providers, partners, suppliers, and subsidiaries. This has become a cybersecurity blind spot for many organisations, explains Margrith Appleby, General Manager for Australia and New Zealand at Kaspersky: “Companies need to consider not only the cybersecurity risks affecting their IT infrastructure but those that can come from outside it. Grading suppliers based on the type of work they do and complexity of access they receive, such as whether they deal with sensitive data and infrastructure or not, is recommended so companies can apply security requirements accordingly. If there is sensitive data or information being transferred, ask suppliers to share documentation and certifications to confirm they are able to work at such a level.”

The research shows globally, cryptomining attacks, physical loss of company owned devices or inappropriate IT use by employees can have an average $1.3 million financial impact on a business.

However, across all forms of cyberattack, the financial impact for Australian businesses was around $388k this year, down from around $483k in 2020.

Globally, the trend was similar – decreasing to an average $927k financial impact in 2021 versus $1.09 million last year. This takes into consideration the cost of hiring external consultants, improving infrastructure, training employees, insurance premiums, compensation, penalties or fines and hiring new staff.

“The possible reason behind this decrease is previous investments into prevention and mitigation measures played well for businesses. Improving how they detect attacks has likely minimised the impact of a breach,” commented Appleby.

Alternatively, the average cost may be affected by the fact that businesses were less likely to report data breaches this year. Just over a third (37%) of all Australian businesses surveyed chose to disclose a data breach (compared to 49% last year and 46% globally). A further 42% noted a data loss was exposed by the media – 14% more than 2020.

For those businesses who reported a data breach, most said it was corporate policy and ethics to do so (63%) while reputation damage mitigation was the rationale for a third. Others said it was due to regulatory requirements (39%), likely to be those who fall under the OAIC Notifiable Data Breaches scheme.

The type of data most commonly disclosed was customer Personally Identifiable Information (60%) and customer payment or credit card data (64%).

“Businesses are becoming more proactive in eliminating the consequences of a data breach, which could mean there is less need to disclose it. Of course, sometimes an attack cannot be hidden from the public, for example if the victim is a public authority or if the attack is exposed to the press, in which case the financial impact can rise significantly,” Appleby noted.

Many Australian businesses surveyed said they detected data breaches on their organisation within a few hours (21%) or one day (17%). However, it took some several days (24%), weeks (17%), or even months (7%).

As a result of such cybersecurity incidents, Australian organisations have implemented additional security policies (38%) and changed authentication procedures for customers or employees (63%) within the past year. A fifth have fired employees.

Mostly it was IT team members who were laid off, however 1 in 10 respondents noted a C-Suite executive was let go.

You can read the full report here.