Organizations overestimate their ability to manage cyber risk associated with their subsidiaries, CyCognito, a specialist in external attack surface management and protection, said in a new report.
The report, entitled Managing Risk from Subsidiaries, surveyed enterprises with more than $1 billion in annual revenue and an average of more than 19 subsidiaries to assess their level of cyber risk through merger and acquisition (M&A) activity. The basic equation is that the more subsidiaries a company has under its corporate umbrella, the greater the overall cyber risk. Sixteen subsidiaries appears to be the top end for manageable risk, according to the study’s data.
“As an extension of the parent organization, the subsidiaries’ security posture is not well evaluated as part of the overall attack surface, thereby creating an attractive target for attackers,” said Rob Gurzeev, CyCognito founder and chief executive. “As global organizations work to get a handle on risk, visibility into the security posture of their subsidiaries is paramount to stave off revenue- and reputation-crushing attacks.”
For MSSPs, it's especially important to understand customer ownership structures, associated network segmentations, the coordination of cyber programs across a company, and where each service provider's responsibilities begin and end.
Current tools and processes for managing subsidiary risk are inadequate in a number of ways, CyCognito said in the report, including:
- Prioritizing compliance at the expense of security.
- Complex on-boarding processes.
- Infrequent and lengthy risk management processes that leave too many blind spots.
- An excess of manual tools.
- A lag between results and remediation.
Business Subsidiaries and Cybersecurity Risks: Numbers to Know
Here are the report’s 10 key findings:
- 67% of respondents said their organization had experienced a cyber attack where the attack chain included a subsidiary or that they lacked the ability or information to rule out that possibility.
- 85% regard assessing subsidiary risk as a top 10 priority relative to other security and risk initiatives. Overall, 47% regard subsidiary risks as a top 5 priority.
- Pandemic-accelerated digital transformation and supply chain breaches are having the greatest impact on risk in subsidiaries.
- 50% of respondents would not be surprised if a cyber breach occurred tomorrow at one of their subsidiaries. Cybersecurity managers had a higher expectation of breach than risk managers.
- Meeting compliance mandates, measuring subsidiary risk and prioritizing investment to improve security posture are the three most important outcomes for subsidiary risk management.
- The three highest ranked concerns about existing subsidiary risk management practices: (1) they provide only a point-in-time snapshot, (2) the process takes too long, and (3) they offer only limited test coverage, leaving too many blind spots.
- The three changes respondents would most like to make in their process are getting actionable information, reducing false positives and increasing the process frequency.
- 67% of respondents report that the time to remediate a detected subsidiary risk was a week or longer, and on average up to three months. For 71% of respondents, the preferred time is a day or less.
- Enterprises with more subsidiaries are 50% more likely to take longer than a month to remediate detected security gaps than those with fewer subsidiaries.
- Respondents at parent companies with 17 or more subsidiaries were almost twice as likely to say that a subsidiary has been implicated in a cyber attack chain more than once, compared with respondents at parent companies with 16 or fewer subsidiaries.
Best Practices for Risk Mitigation
Based on results from the survey, CyCognito concluded that organizations should strengthen subsidiary risk management processes by:
- Embracing an elevated focus on security (vs. compliance) outcomes.
- Introducing simpler and faster on-boarding processes.
- Driving more frequent and comprehensive visibility into vulnerable attack vectors.
- Shrinking the time gap between results and remediation.
“With M&A, not only do you end up with a blend of employees, operations and revenue, but you also blend your cyber security risk,” said Gurzeev. “Those risks are opportunities for attackers looking for the path of least resistance to networks, applications and data they can breach, whether the starting point is the parent company or one of its subsidiaries.”
MSSP Mergers and Acquisitions: Related Risks
The risks outlined above also apply to MSSPs that are buying peer MSSPs and cybersecurity companies. At least five factors are driving the M&A activity, MSSP Alert believes.
- Talent: The cyber skills shortage is driving MSSPs to find talent through M&A.
- Threats: The growing, shifting threat landscape is inspiring M&A deals to close technology and expertise gaps.
- Speed to market: Acquiring companies can often be a faster path into a new or evolving technology market or business region.
- Scale: Smaller MSSPs are merging to counter the scale of larger rivals.
- Growth: The traditional MSP market will experience sub-10 percent compound annual growth rates (CAGR) going forward. By contrast, the MSSP market is growing at an 18 percent CAGR.
Still, MSSPs must carefully consider cyber due diligence as part of each M&A engagement.