Bitsight Insights: Risk Degrees of Separation

Beyond Hurricanes: The 4th Party Side of Cyber Aggregate Risk

On October 15, 2015, UltraDNS experienced a technical issue that led to a widely publicized outage, bringing down websites for Netflix, Expedia, and others for over an hour. In a separate incident on April 8, 2015, Sendgrid, a cloud-based email delivery service, experienced a breach where an undisclosed number of customers and employee usernames, email addresses, and passwords were stolen using a compromised employee email account. Bitsight has just published its latest Bitsight Insights report, Risk Degrees of Separation: The Impact of Fourth Party Networks on Organizations, finding that a surprising number of companies examined were associated with these and other popular cloud providers.

Data Matters

As part of this comprehensive study on fourth party connections, Bitsight examined over 35,000 companies from 22 different industry sectors and found many of them linked to companies that recently experienced a breach or an outage.

Bitsight Executive Report Example

New! The Security Ratings report is now the Executive Report. Request your report to see enhanced analysis such as your rating, likelihood of ransomware incidents, and likelihood of data breach incidents.

By leveraging the new Bitsight Discover platform, the team was able to quickly identify technology providers (e.g. Content Delivery Networks, Web Hosting Providers, etc.), and map their connections to domains and the companies associated with each domain. The results show that over 31 percent of companies examined in the study were associated with Adobe Systems, which experienced a data breach in 2013. Sendgrid experienced a data breach last year, and Bitsight research finds that more than 1,100 of the companies examined were associated with that cloud-based email delivery system. When companies rely on a handful of service providers, they could become vulnerable to single points of failure in their supply chains.

In addition to the risk of breaches, companies must be aware of the vulnerable software that their fourth parties use. According to Bitsight research, eight percent of the companies examined use Internet Information Services (IIS) 6, which is linked to Windows Server 2003 and Microsoft officially stopped support for last year.

percent of total companies examined running IIS 6

Here are some other interesting findings from the report:

  • Close to 40% of media and entertainment companies use Amazon Web Services as their content delivery network.
  • More than 13% of the aerospace and defense companies observed use IIS 6, indicating that they use Windows Server 2003 (no longer supported by Microsoft).
  • 350 companies observed in this study are still using Wordpress 3.6 or later, which Wordpress stopped supporting more than three years ago.

The Cyber Risk Aggregation Connection

The task of mapping cloud service connections goes beyond enterprise risk management teams. Cyber insurance companies also need to track their insureds’ third and fourth party connections. Today, insurers lack sufficient visibility into the level of concentration of third party cloud providers in their portfolio of insureds. To successfully assess and mitigate this level of cyber risk aggregation, insurers must identify areas of third party concentration in their portfolios, where a single breach of a compromised service provider could lead to dozens or hundreds of cyber claims. The Bitsight data science examined one insurance company's portfolio of insureds and its links to different service providers. The data below from Bitsight Discover for Risk Aggregation shows that 77% of insureds from the portfolio used Akamai Technologies and over 64% used Verisign.

 

The percent of insureds from one company's insurance book of business using certain service providers graph

What’s New?

In addition to this report, Bitsight is also announcing Bitsight Discover for Risk Aggregation. This new product is specifically designed for cyber insurers and reveals the level of reliance on a common set of service providers among all insureds within a portfolio. Bitsight Discover for Risk Aggregation allows insurance companies to manage aggregate cyber risk by identifying dependencies between their book of business and common service providers, pinpointing key areas that could significantly impact their portfolios. Combining Bitsight Security Ratings and Bitsight Discover depicts any dependencies to fourth parties and illustrates the security performance of each service provider, enhancing how risk is managed. This expansion of data breadth and innovative capabilities furthers Bitsight’s capability as the global leading provider of objective, verifiable and actionable security ratings.