Global enterprises with multiple subsidiaries are more exposed to cyber security threats and have more difficulty managing risk than companies with no, or fewer, subsidiaries, according to an Osterman Research report commissioned by CyCognito.
The study surveyed 201 organisations with at least 10 subsidiaries and at least 3,000 employees or US$1 billion in annual revenue.
Despite being extremely confident about running effective subsidiary risk management, about 67 per cent of respondents said their organisations had either experienced a cyber attack where the attack chain included a subsidiary, or that they lacked the ability or information to rule out the possibility.
About half of the respondents acknowledged that they wouldn't be surprised if a cyber breach were to occur “tomorrow.” The survey respondents were in management roles for cyber security, compliance, or risk. Every organisation surveyed had staff dedicated to monitoring subsidiary risk.
“We were seeking to understand the threats and risks that organisations faced not just with subsidiaries they had just purchased or acquired, but more importantly the ones that had been in place for years or longer,” said Michael Sampson, senior analyst at Osterman Research.
“And given that cyber security challenges, risks and issues change continually, even if you have an apparently clean slate on any given day, I bet they can degrade over time as new vulnerabilities are discovered or highlighted.”
If there are exposed assets and data sources that the subsidiary doesn’t know about or chooses to keep from the parent company, the vulnerabilities get overlooked and become significant issues later on, according to Sampson.
Subsidiaries face multiple security risks
Focus on compliance at the expense of security, complex onboarding processes, infrequent and lengthy risk management processes, the excessive use of manual tools, and a lag between remediation and results were underlined in the report as the major roadblocks for managing subsidiary risks.
Macro trends and the environment in which businesses operate are affecting operational realities for security, according to the report. For instance, pandemic-induced digital transformation and recent high-profile supply chain breaches across the globe were named by 69 per cent and 56 per cent of respondents, respectively, as the most important concerns for subsidiaries.
“I think we're seeing organisations becoming increasingly aware that cyber security is a significant issue, and there are certain cyber security threats that have become very well known in the last five years,” said Sampson. “Supply chain ransomware and business email compromise would top that list.”
The report highlighted that organisations are more focused on the compliance aspects of monitoring subsidiary risks than the security aspects, which leaves gaps when it comes to onboarding and managing subsidiaries, leading to more attacks.
Subsidiary onboarding itself is a complex task and only about five per cent of respondents confirmed having a mature process to allow seamless integration of new business units, while other respondents complained about being saddled with tremendous workloads both at the parent and the subsidiary side of their enterprises.
Subsidiary management practices presently in place are too infrequent: the data collected are point-in-time in nature and thus only provide a snapshot view, which quickly becomes outdated, respondents said.
Also, a majority of respondents were of the opinion that the current processes do not cover enough of their organisations' potential attack surface, leaving out vulnerabilities and quite often churning out time-consuming false positives.
Measuring risks takes too long
Another major concern is the amount of time it takes to measure risks associated with subsidiaries. On average, it currently takes from one week to three months for 54 per cent of the organisations, while 71 per cent of them would want to have it reduced to a day or less, according to survey respondents.
Survey respondents also pointed out a lag between detection of a security gap and its remediation. About 73 per cent of them said it takes anywhere from a week to a month. This lag could present a dangerous window of opportunity for an attack. Added to that, the large number of tools needed to manage security risks further increases the total process time.
According to the report, enterprises with a large portfolio of subsidiaries are 50 per cent more likely to take longer than a month to remediate detected security gaps than those with fewer subsidiaries.
Respondents at parent companies with 17 or more subsidiaries were almost twice as likely as those at companies with fewer subsidiaries to say that a subsidiary has been implicated in a cyber attack chain more than once.
“The challenge with subsidiary risk management is that you could have the parent company here and the subsidiaries elsewhere in various countries and they might be using completely different technology stacks, processes, ways of communicating and culture,” said Rob Gurzeev, CEO and founder of cyber security company CyCognito.
“If I'm the CSO of the corporation or even the whole conglomerate, I might have zero visibility into these other organisations' assets and I will have no context even if I learn about some kind of risk.”
While vulnerability management and penetration testing in the late 1990s were often restricted to a few company servers connected to the internet, the shift to cloud over the last decades has opened up system frameworks to thousands of engineers, vendors, partners and third parties.
Adding subsidiaries to already stretched network architecture only adds to the attack surface area, which needs to be handled more efficiently than it is at present, according to Gurzeev.