One of the many lessons that COVID-19 has to offer information security practitioners is a fresh appreciation of the importance of supply chains and the pain that occurs when previously taken-for-granted connections are attacked. Last month we released Ripples Across the Risk Surface, our latest report in partnership with RiskRecon. In this report, we explore this theme and what the ripple effect in breaches has to say to risk managers. As we first defined them in our initial 2019 report, ripples are those cyber incidents whose effects (typically financial or in the form of legal entanglements) extend beyond the firm initially compromised.

Many risk managers focus on the potential effects of incidents that directly impact systems for which they are responsible. But it’s not just your own systems that you need to be aware of when managing risk; what about all the other parties that have a role in storing and processing your information or otherwise delivering services? The basis of this latest report is the study of the frequency, severity, and demographics of these multi-party events.

What’s new with the ripple effect?


New ripple breaches uncovered by year

We explore the 147 new ripples detected since the 2019 edition. Some of these events occurred years ago, their multi-party nature only coming to light as new information became available. The majority of ripples are very recent, however, with nearly three quarters of all new ripples uncovered within just the past three years. The rate of these multi-party ripple events over the 10-year analysis window is relatively stable, showing that ripples are a fixture in the risk landscape.

A new direction for this report is the concept of a ripple’s velocity: the time it takes for the effects of a ripple, once the event occurs at the generating firm, to be realized across all the firms eventually caught in the ripple’s wake. This fresh analysis revealed some striking insights, displayed in the figure below.

Here you can see three clear phases in the relative speed of ripples, based on when the initial event first took place. For ripples where the first event took place in the early years of the 2010s, it typically took over a year for the effects to hit all the firms eventually involved. Heading into 2013-2016, ripples become faster, with the full effect realized in just a little over three months (approximately 100 days). Moving into more recent times, the velocity has increased yet again, with firms downstream of a source event feeling its effects in little over a month. Not only are ripples a constant threat to the risk surface of firms, but the time available to react to these events has shortened dramatically.

Duration of ripple breaches increasing

But what about costs?

Of course, costs are always a key factor when reviewing the impact of events, and single-party events and ripple events differ in cost by a striking degree. The typical ripple event costs over 10 times as much as a single-party event. Looking at the more extreme events (measured at the 95th percentile), the effect is even more pronounced, with ripple events at over 22 times the cost of even extreme single-party events. This is especially dramatic because the majority of ripple events involve only a small number of firms (typically in the 3-5 firm range). The takeaway is that costs for ripple events do not simply scale with the number of firms involved; these events are categorically much more dangerous than their single-party cousins.

Comparing ripple breach impact vs single event impact

We find these extreme events fascinating. We’ve looked at extreme single-party events in our IRIS Xtreme report, and we’ll be taking a look at the extreme versions of these ripple events in a forthcoming report, the IRIS Tsunami report. For more on the ripple effect and how you can identify and protect against it, check out the full Ripples Across the Risk Surface report today!
