Market Forces Can Improve Digital Supply Chain Security

by | Jan 16, 2024

The evidence is clear: effecting a positive influence on cybersecurity behavior is difficult. I say this because, despite the relentless onslaught of cyber-attacks and their financial and reputational consequences, and despite the regulatory Sword of Damocles that hangs over every organization that collects protected data, things get worse every year. In fact, Security Intelligence reports that the average cost of a data breach has risen from $4.45 million to $9.48 million—more than 75%—over the last ten years, according to the Ponemon Institute.

That’s not to suggest organizations aren’t trying to make their digital enterprises impervious to threat actors’ schemes. Gartner reported that global cybersecurity spending reached $188+ billion in 2023 and is expected to reach $215 billion this year. That’s a lot of money to spend, even if it seems that, collectively, we are bailing against the tide. But collectively is one of the biggest challenges facing organizations. Because we are all connected by elaborate digital supply chains, where data is exchanged between organizations as a means of doing business, the responsibility of protecting data is also a collective one. And securing the digital supply chain is a major challenge. After all, a chain is only as strong as its weakest link.

Six Degrees of Digital Separation

If Acme Corporation invests in the people, processes, and technologies it needs to make its digital enterprise an impregnable fortress, but it has to share files with Ajax Inc. to manage its payroll, and Ajax Inc. is less diligent in its cybersecurity practices, Acme is at risk every time data is transferred between the two organizations. And because the nature of digital supply chains is much like the Six Degrees of Kevin Bacon concept, every step that data takes compounds the risk. One of the biggest data breaches of 2023 illustrated that point when a managed file transfer product was attacked. As the effects rippled across the digital supply chain, thousands of organizations and tens of millions of individuals were affected. According to KonBriefing research, the tally is now more than 2,600 organizations and nearly 90 million people.

Instead of bailing against the tide, how can we turn the tide? The answer may come from that very digital supply chain.

Market Forces at Work

Most digital supply chains include larger organizations with significant financial influence over their first-degree network. If you want to do business with them, they can dictate the terms. With managed file transfer, this is happening with some financial services giants like CitiBank, JP Morgan, and Bank of America, each of which requires that any organization that wishes to share files with them follow a set of best practices, such as using SFTP. Organizations that don’t want to lose access to these important financial bellwethers are compelled to play by the rules or lose business. Similarly, cyber insurance carriers require that organizations adopt strict security controls as a condition for coverage. If you want a policy that protects you against losses resulting from cyber incidents, you must affirm the use of things like multi-factor authentication, file encryption, privileged access management, patch and vulnerability management, cyber awareness training, and more.

These market-based, carrot-and-stick requirements seem to correlate with a stronger security posture for organizations that observe them in their cybersecurity programs. Compliance with various regulations often means doing the minimum to get by and treating the potential risks as a cost of doing business. When non-compliance with a potential business partner or customer puts you at a competitive disadvantage, however, the motivation is far more potent. We have had conversations with several customers who, since the fallout of the managed file transfer attacks of last year, are exploring the idea of compelling improvement in their own digital supply chains by standardizing on support for a secure managed file transfer platform like Diplomat MFT.

Obviously Automation

It seems obvious that using SFTP for secure transport and automating processes like PGP encryption, data capture for audit, and the management of both scheduled and ad hoc transfers to minimize the risk of human error is the way to go. These are simple things that can be done easily with the right product. If you are interested in learning more about how our Diplomat MFT managed file transfer platform can help you improve your supply chain security, please let us know.