Osterman Research, commissioned by CyCognito, found that multinational companies with a large number of subsidiaries are more vulnerable to cybersecurity threats and more difficult to manage risks than companies with no subsidiaries or a small number of subsidiaries.

The survey targeted 201 companies with at least 10 subsidiaries and more than 3,000 employees or more than $1 billion in annual revenue.

Despite high confidence in the effectiveness of their own subsidiary risk management, some 67% of respondents said their organization had either experienced a cyberattack where the attack chain included a subsidiary, or could not rule out the possibility.

About half of the respondents admitted that they would not be surprised if a data breach happened “tomorrow”. These respondents are in management positions in cybersecurity, compliance or risk. Each of the interviewed companies has staff dedicated to monitoring subsidiary risks.

Michael Sampson, senior analyst at Osterman Research, said: “We want to understand the threats and risks facing businesses, not just subsidiaries that have just acquired or merged, but more importantly those that have been around for years or more. And given that Cybersecurity challenges, risks, and issues are constantly changing, and even if a company has a clean history of cybersecurity incidents today, I would wager that security status will continue to decline as new vulnerabilities are discovered or highlighted.”

If subsidiaries don’t know about the exposure of assets and data sources, or choose to hide them from the parent company, those vulnerabilities can go unnoticed and develop into significant problems later, Sampson said.

Subsidiaries face multiple security risks

The survey report highlights compliance at the expense of security, complex incorporation processes, infrequently executed and lengthy risk management processes, excessive use of manual tools, and lag between remediation and detection results as subsidiary risks major hurdles in management.

Macro trends and the business operating environment are impacting security operational realities, the report said. For example, in terms of top issues for subsidiaries, 69% of respondents cited the digital transformation triggered by the COVID-19 pandemic, while 56% pointed to recent major supply chain attacks around the world.

“I think we’re going to see companies take cybersecurity more seriously, and some cybersecurity threats have become well known over the past five years,” Sampson said. “Supply chain ransomware and business email compromise (BEC) are among the most common. Two.”

The report highlights that companies are placing greater emphasis on the compliance aspect of subsidiary risk monitoring than the security aspect, which leaves loopholes in the incorporation and management of subsidiaries, leading to more attacks.

Subsidiary incorporation is a complex task in itself, with only about 5% of respondents confirming that they have mature processes to seamlessly integrate new business units, while others complained that both parent and subsidiary companies are burdened with enormous burdens. workload.

Respondents indicated that the current subsidiary management operations in place are too rare, in the sense that due to the immediacy of the data collected, it can only provide a snapshot view, which will soon become outdated. In addition, most respondents believe that current processes do not adequately cover an organization’s potential attack surface, leave loopholes, and often generate large numbers of false positives that take time and effort to resolve.

Risk assessment takes too long

Another important consideration is the time-consuming assessment of subsidiary-related risks. Currently, 54% of companies surveyed spend an average of one week to three months conducting risk assessments, and 71% of them want to reduce risk assessment time to less than one day.

Respondents also pointed to the lag between security breach detection and remediation. About 73 percent of respondents said there was a one-week to one-month lag between a security breach being detected and its remediation. This lag can create a very dangerous attack opportunity. To make matters worse, the sheer number of tools required to manage security risks simply adds to the overall processing time.

According to the report, companies with a large number of subsidiaries are 50% more likely to spend more than a month to fix a detected security breach than those with a small number of subsidiaries. Respondents whose parent company has no less than 17 subsidiaries said that the possibility of a subsidiary being involved in a cyber-attack chain more than once was nearly double that of respondents whose company had fewer subsidiaries .

Rob Gurzeev, founder and CEO of cybersecurity firm CyCognito, said: “The challenge with subsidiary risk management is that parent and subsidiary companies may be located in different countries and may use completely different technology stacks, processes, communication styles and Culture. If I’m the chief security officer of a business or even an entire group, I probably don’t know anything about the assets of these other businesses, so even if I know a risk, I don’t have the context in which to go about it.”

While vulnerability management and penetration testing in the late 1990s were typically limited to a company’s few servers connected to the Internet, cloud migration over the past few decades has been open to thousands of engineers, vendors, partners, and third parties system framework. Adding subsidiaries to the stretched network architecture will only increase the attack surface and require more effective countermeasures, Gurzeev said.