A survey of IT security leaders conducted by Kaspersky found that nearly three-quarters (71%) of enterprises that have specific data usage guidelines for partners and subcontractors received compensation after an incident that affected suppliers they share information with. In comparison, only 22% of organizations of the same size that do not have such regulations in place reported this to be the case.
According to a survey carried out by Gartner, 71% of organizations have more third parties in their network than they had three years ago, and the same proportion expect this number to grow in the next three years. In order for subcontractors to fulfil their work obligations, companies often allow them access to their sensitive data and IT assets.
Kaspersky’s IT Security Economics report revealed that 79% of enterprises have special policies in place explaining to partners and suppliers how to work with shared resources and data, as well as any penalties they may incur. Their concerns make sense as, according to the survey, damage from incidents is estimated to cost $2.57m on average, with data breaches among the three costliest problems faced by enterprises.
One of the main benefits of implementing third-party policies is that they solve issues around accountability by defining the areas of responsibility for both of the organizations involved. Consequently, they increase the chances that a company will get compensation from a supplier that becomes an entry point for an attack. 71% of enterprises with a third-party policy reported receiving monetary recompense after an incident, compared to only 22% of peers who did not have regulations in place. Policies boost the likelihood of compensation amongst SMBs as well. For instance, 68% of SMBs with policies received money, compared to only 28% of those who didn’t implement rules for their subcontractors.
The survey did not indicate whether or not data breach policies make supply chain attacks any less frequent. Almost a quarter (24%) of enterprises that implemented special IT policies for third parties experienced a data breach because of a cybersecurity incident affecting suppliers, while only nine percent of companies without such rules confirmed that they had suffered an attack.
The full report is available here.