Global enterprises accrued as much as $1.4 million in costs in 2021 from cyber-attacks on third-party data handlers. With the growth of cloud solutions and third-party vendors, attacks in which businesses are affected through their contractors have become a clear trend, a report by cybersecurity firm Kaspersky showed.
One of the most prominent attacks this year was when Apple’s product blueprints were stolen from its supplier Quanta Computer by ransomware gang REvil, who demanded a $50 million ransom from Apple after Quanta refused to give in to the criminals. The Kaspersky survey showed that 32% of organizations suffered attacks involving suppliers who had their data.
The majority of other attacks also demonstrated lower financial impact. These included loss of company-owned devices, crypto-mining attacks and inappropriate IT use by employees, each of which clocked an average loss of $1.3 million for the victim organizations.
“Documentation and certifications (such as SOC 2) of sensitive data or information transfers should be requested from suppliers to confirm they can work at such levels. In very sensitive cases, additionally we recommend conducting a preliminary compliance audit of a supplier before signing any contract,” said Evgeniya Naumova, Executive VP, Corporate Business at Kaspersky.
However, the average financial impact of attacks decreased, showing a drop of 15%. While the loss was $1.09 million in 2020, the average loss in 2021 was $927,000.
Kaspersky attributed the decrease to previous investments in prevention and mitigation bearing fruit. However, enterprises were also less likely to report data breaches this year, with 34% avoiding reporting a breach, as compared to 28%.
“Financially vulnerable companies may be reluctant to commit time and expense to a criminal investigation or risk reputational damage if a breach becomes public knowledge,” the report stated.
In a separate report, Swiss cybersecurity solutions company Acronis said that 53% of supply chains do not possess adequate security against cyberattacks. The October 2021 Cyber Readiness Report said that companies were vulnerable as they felt using “known, trusted software” could provide adequate protection.
The study took into consideration inputs from 3,600 IT managers and remote employees at small and medium companies across 18 countries.
Three out of 10 companies reported facing a cyberattack at least once a day, which was similar to the study from last year. However, only 20% of companies reported no attacks in 2021, while the number was 32% in 2020.