The challenges of quantifying the impact of third-party cyberattacks

Cyber risk quantification is not a new term in the cybersecurity landscape. While it is still gaining momentum across modern businesses and the C-suite, the concept has been around for some time now.

Cyber risk quantification, in a nutshell, is the process of measuring, validating, and analysing identified cyber risks alongside security data with the help of modelling techniques. It is useful because it translates cyber risk into business terms, which makes securing high-level buy-in much easier.

While the quantification process sounds simple enough with the right tools, working out how to measure the impact of a given risk, and in particular a third-party risk, is where the complexity lies.

In this post, we explore the risk exposure of third-party cybersecurity, the impacts of these threats, and the challenges in quantifying third-party cyber risks.

We’re not doing enough to assess and quantify third-party risks

Today, many organisations still have incomplete inventories of the third-party vendors with whom they share information, including fourth and fifth parties. This can affect how confidently companies mitigate the risks inherent to these relationships.

Recent research bears this out. A global study published in 2020 found that 80% of the organisations surveyed had experienced a breach that originated from gaps in their vendor ecosystem.

That’s not all. The same study found that fewer than one-quarter of organisations monitor their entire supply chain, and that only 30% re-assess and report on their vendors’ risk posture as often as twice a year.

The impact of third-party cyberattacks

According to a 2019 study, the average cost of a third-party attack was $3.92 million, with an average cost of $150 per lost record. That is only the average; several factors push individual incidents well above it, one of them being who is behind the breach.

Most organisations are aware only of the financial impact of a third-party data breach. The fallout from these attacks is not limited to direct cost, however. Other ways a third-party breach can affect your business include:

  • Legal consequences
  • Damage to the organisation’s image and reputation
  • A drop in the company’s market value
  • The exposure of your data

Challenges in quantifying the impact of third-party cyber risks

Using numbers or metrics to explain cyber risks allows you to have a different conversation about what those risks mean for the business. Non-security stakeholders often find this hard to follow, however, which in turn makes it harder to convince them to invest in a solution that supports quantification.

You can overcome this challenge by proving the effectiveness of the investments made in comparison to other solutions you have been using.

Certain impacts of third-party risks are also hard to assess objectively and quantify. These are non-tangible impacts like damage to company image and reputation, strategic damage, and internal disorganisation.

Other significant but indirect impacts, such as loss of market share or a drop in the company’s market value, are also complex to assess objectively.

There is also no universal formula for calculating the impact of a cyber attack on a company. It will depend on several parameters like the size of the company, the complexity of the IT systems, and cyber maturity.
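To make the point concrete, the following is an added illustration (not code from the original post or from RiskXchange) of what a vendor-level quantification looks like once those parameters have been chosen for one organisation. It is a small Monte Carlo model: each vendor in the inventory carries an assumed annual breach probability and an assumed range for the share of shared records exposed in a breach, and the model converts that into an expected annual loss and a 95th-percentile "bad year" figure. The only number taken from the post is the $150 average cost per lost record; the vendor names, record counts, probabilities and exposure ranges are constructed sample inputs, and the triangular distribution is a modelling choice, not a finding of the post.

```python
"""Monte Carlo estimate of annual loss exposure from a third-party vendor inventory.

Added illustration. The vendor inventory, breach probabilities and exposure
ranges are constructed assumptions; only the $150 cost-per-record figure comes
from the 2019 study cited in the post.
"""
import random
import statistics
from dataclasses import dataclass

COST_PER_RECORD = 150.0  # average cost per lost record cited in the post (2019 study)


@dataclass(frozen=True)
class Vendor:
    name: str
    records_shared: int           # records this vendor holds on our behalf
    p_breach_per_year: float      # assumed annual probability the vendor is breached
    exposed_fraction: tuple       # assumed (low, mode, high) share of records exposed per breach


def expected_annual_loss(v: Vendor, cost_per_record: float = COST_PER_RECORD) -> float:
    """Closed-form annualised loss expectancy for one vendor:
    P(breach) x mean exposed records x cost per record.
    The mean of a triangular(low, mode, high) distribution is (low + mode + high) / 3."""
    low, mode, high = v.exposed_fraction
    mean_fraction = (low + mode + high) / 3
    return v.p_breach_per_year * v.records_shared * mean_fraction * cost_per_record


def simulate_annual_losses(vendors, trials=20000, seed=1, cost_per_record=COST_PER_RECORD):
    """Simulate `trials` years. In each year every vendor is independently breached
    with its own probability; the exposed share is drawn from its triangular range.
    Returns one total annual loss (summed over vendors) per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        year_loss = 0.0
        for v in vendors:
            if rng.random() < v.p_breach_per_year:
                low, mode, high = v.exposed_fraction
                # random.triangular takes (low, high, mode) in that order
                fraction = rng.triangular(low, high, mode)
                year_loss += v.records_shared * fraction * cost_per_record
        losses.append(year_loss)
    return losses


def summarise(losses, threshold):
    """Reduce the simulated loss distribution to figures a board can act on."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    return {
        "mean_annual_loss": statistics.fmean(losses),
        "p95_annual_loss": p95,
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
        "p_loss_exceeds_threshold": sum(1 for x in losses if x > threshold) / len(losses),
    }


# Constructed sample inventory (hypothetical vendors and parameters).
VENDORS = [
    Vendor("payroll-provider", 50_000, 0.05, (0.05, 0.30, 1.00)),
    Vendor("marketing-saas", 200_000, 0.10, (0.01, 0.10, 0.50)),
    Vendor("managed-service-provider", 5_000, 0.15, (0.20, 0.80, 1.00)),
]


def total_expected_annual_loss(vendors=VENDORS) -> float:
    """Analytic expected annual loss summed across the inventory."""
    return sum(expected_annual_loss(v) for v in vendors)


if __name__ == "__main__":
    losses = simulate_annual_losses(VENDORS)
    report = summarise(losses, threshold=1_000_000)
    print(f"analytic expected annual loss: ${total_expected_annual_loss():,.0f}")
    for k, val in report.items():
        print(f"{k}: {val:,.3f}" if k.startswith("p_") else f"{k}: ${val:,.0f}")
    for v in VENDORS:
        print(f"  {v.name}: expected ${expected_annual_loss(v):,.0f}/year")
```

The closed-form figure and the simulated mean should agree closely; the value of the simulation is the tail (the 95th percentile and the probability of exceeding a chosen threshold), which is what a cyber-insurance or budget conversation usually turns on. Changing a vendor's breach probability or record count shows immediately how sensitive the result is to the parameters the post says there is no universal formula for.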

Another major difficulty for companies that want to quantify their cyber risks is the lack of statistical databases and the security data needed to feed the quantification process. This challenge can be overcome only when companies become more willing to share their incident stories and data with others.

Overcome the challenges of quantifying the impacts of third-party cyberattacks

The first step towards effective cyber risk quantification is companies becoming more forthcoming with their security data across the industry. Only then can we build more resilient methods to counter and mitigate third-party cyberattacks.

RiskXchange Central, our cybersecurity community, is how we envision sharing knowledge and best practices to strengthen our cyber defences against various risks, vulnerabilities and threats. It is a hub that brings the global security community together, where professionals collaborate and elevate their knowledge and skills.

Click here to join RiskXchange Central today.