In the report Ripples Across The Risk Surface (), the Cyentia Institute investigates supply chain cyber attack. Cyentia defines Ripples as supply chain cyber attacks that have cascading effects, causing widespread damage to companies. In these attacks, the primary victim, also known as ripple generator, unintentionally spreads the cyber attack to its associated companies. These companies become the secondary victims of the attack or downstream recipients of the Ripple which shall cascade its effects to companies associated with it, too.
On average, a Ripple event causes 10 times more financial damage than any other breach. On the other hand, the worst of the multi-party breach events causes 26x the financial damage of the worst single-party breach.
While there was a significant increase in the number of incidents between 2016 and 2018, after the peak in 2016, the numbers decreased significantly. The largest single losses from Ripple events by total cost include $501.2M in 2013, $247M in 2017, and $1.8M in 2020. Similarly, the largest single by affected individuals include losses of $76.6M in 2014, $146.3 M in 2015, and $6.4 M in 2020.
Figure 1: Most Common Industries as Generators and Receivers
As presented in the figure above, the most affected industries are Finance, the business support industry, and education. It was also noted that there were many instances in which victims were generating ripples while receiving downstream ripple events, at the same time.
Figure 2: Employee Data for Companies Involved
Victims of Ripple events vary in size. As shown in Figure 2, of the ripple generators, 29% have 10 to 100 employees, while 22% have 1,000 to 10,000. On downstream recipients, 28% have 10 to 100 employees, while 24% have 100 to 1,000. The numbers suggest that smaller companies are primary targets of Ripple events, likely caused by numerical superiority of smaller businesses (almost 99.9% of businesses in the USA are classified as small).
Among the newly observed recent Ripple events, a surge of ripple generators came from the professional sector. The professional and financial sectors combined are now the source of more than 47% of all Ripple events. While downstream recipients are more evenly distributed, professional and financial sectors still top the list and are closed followed by administration and healthcare.
In another notable trend, the Ripple events in 2011 took over a year to fully realize, while those from 2013 to 2016 spread in about or more than 100 days. More recently, Ripples can be realized within a few short months. Overall, 25% of companies are impacted within 32 days of the initial event, 50% within 151 days, and 75% after about more than a year.
Daniel Kasper is the principal of Cyber Economics.