
Breach ripple effect leads to exponentially greater financial damage


A cyber-intrusion involving multiple parties creates 13 times more financial damage than even “the worst single-party breach,” according to new research, which finds that highly regulated sectors such as financial institutions are hit particularly hard.

RiskRecon, a Mastercard company, and the Cyentia Institute released a joint study, “Ripples Across the Risk Surface,” based on an analysis of more than 800 multi-party breaches over the past decade. The findings demonstrated how “the waves of impact from a security incident at a single organization can spread across industries and other individual organizations,” according to the release. This spread of security risk from one organization to others is often referred to as a “ripple effect.” (RiskRecon and Cyentia released a previous report on the same issues in 2019. Since then, in the post-pandemic world, these ripple-effect attacks and the damage they cause have grown sharply.)

“The idea of the 'ripple effect' provides a way to understand why financial damage from breaches is increasing,” said Rafael DeLeon, senior vice president at Ncontracts, and a former bank examiner with the Office of the Comptroller of the Currency for three decades. “One breach affects at least 10 other companies, and when an organization serves the public the way banks and credit unions do, it also impacts individuals...The impact becomes exponential.”

When a breach affects one or two organizations, especially financial institutions or other businesses in highly regulated industries that hold large amounts of sensitive information, it is bad enough. But, according to the research from RiskRecon and Cyentia, the average “ripple event” typically impacts 10 other businesses beyond the initial target, and a larger ripple event can affect more than 100 downstream firms.

“The ripple effect described in RiskRecon’s report is something we have been witnessing for years,” said Etay Maor, senior director of security strategy for Cato Networks. “Third-party risk is one of the major topics discussed by the security industry, precisely because of the interconnectivity between businesses.”

Given the financial industry’s existing (and growing) dependence on third parties, this could be a difficult challenge to overcome. Meanwhile, ripple breaches are increasing roughly 20 percent per year, according to the report.
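To make the ripple concrete, here is an added illustration that is not from the article or from the RiskRecon/Cyentia report. It walks a constructed supplier-to-customer dependency graph (all organisation names are hypothetical) and reports how far a compromise at a single vendor propagates, separating customers hit directly from those exposed only through an intermediary such as a managed service provider, and, from the other side, which suppliers a given firm can be reached through.

```python
"""Illustrative blast-radius model for a multi-party ('ripple') breach.

Added example, not part of the original article or of the RiskRecon/Cyentia
report. The supplier graph below is constructed for illustration; every
vendor and customer name is hypothetical.
"""
from collections import deque

# Constructed data: edges point from a supplier to the organisations that
# consume its software or services (downstream). Hypothetical names only.
DEPENDENCIES = {
    "update-vendor": ["msp-1", "bank-a", "credit-union-b"],
    "msp-1": ["bank-c", "insurer-d", "retailer-e"],
    "bank-a": ["fintech-f"],
    "insurer-d": ["broker-g", "broker-h"],
    "retailer-e": [],
    "credit-union-b": [],
    "bank-c": [],
    "fintech-f": [],
    "broker-g": [],
    "broker-h": [],
}


def downstream_exposure(graph, origin):
    """Return {org: hops} for every organisation reachable downstream of
    `origin`; hops is the number of supplier relationships between the
    breached origin and that organisation (1 = direct customer)."""
    exposure = {}
    queue = deque([(origin, 0)])
    seen = {origin}
    while queue:
        node, depth = queue.popleft()
        for customer in graph.get(node, []):
            if customer in seen:
                continue
            seen.add(customer)
            exposure[customer] = depth + 1
            queue.append((customer, depth + 1))
    return exposure


def ripple_summary(graph, origin):
    """Summarise a breach at `origin` the way the report counts it: the
    initial victim plus the other organisations the ripple reaches, split
    into direct (hop 1) and transitive (hop >= 2) exposure."""
    exposure = downstream_exposure(graph, origin)
    direct = sorted(o for o, h in exposure.items() if h == 1)
    transitive = sorted(o for o, h in exposure.items() if h >= 2)
    return {
        "origin": origin,
        "downstream_total": len(exposure),
        "direct": direct,
        "transitive": transitive,
        "max_hops": max(exposure.values(), default=0),
    }


def upstream_suppliers(graph, org):
    """Invert the graph to answer the third-party-risk question from the
    customer's side: which suppliers, direct or transitive, could a breach
    reach `org` through? Returned sorted for stable output."""
    reverse = {}
    for supplier, customers in graph.items():
        for customer in customers:
            reverse.setdefault(customer, []).append(supplier)
    return sorted(downstream_exposure(reverse, org))


if __name__ == "__main__":
    summary = ripple_summary(DEPENDENCIES, "update-vendor")
    print(f"Breach at {summary['origin']}: {summary['downstream_total']} "
          f"downstream organisations ({len(summary['direct'])} direct, "
          f"{len(summary['transitive'])} transitive), "
          f"{summary['max_hops']} hops deep")
    print("broker-g can be reached through:",
          upstream_suppliers(DEPENDENCIES, "broker-g"))
```

In the constructed graph a single vendor compromise reaches nine other organisations, six of which have no contract with the breached vendor at all; that transitive tail is the part of the ripple a conventional, first-tier-only third-party review never sees.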

Kevin Kerr, lead security principal consultant for Trustwave, pointed to SolarWinds, where a trusted vendor’s software update carried malware to unsuspecting users of the software; the most recently reported victim was Denmark’s central bank. Other recent high-profile breaches fit the same pattern.

“The financial [hit] to SolarWinds was significant, but who knows the actual financial impact to the organizations that had to shut down capabilities; where it impacted system availability, [and required them to] remediate, and rebuild," Kerr said. "Right now, there is no centralized way to measure multi-party breach impact in costs, reputations, contracts. And each affected organization would measure that impact differently.”

Indeed, software vulnerabilities are a key entry point for the bad actors behind these kinds of attacks, according to Jared Ablon, founder and president of HackEDU.

“The negative consequences for the financial industry typically include reputational damage and even civil lawsuits involving CISOs or other key executives,” he said. “Companies that develop software need to stay vigilant in order to mitigate these risks.”
