• United States



Shweta Sharma
Senior Writer

Enterprises with subsidiaries more prone to cyberattacks, study says

News Analysis
Nov 01, 20215 mins

Global enterprises with numerous subsidiaries are more exposed to cybersecurity threats and have more difficulty managing risk than companies with no or fewer subsidiaries, according to an Osterman Research report.

cloud security
Credit: CIS

Global enterprises with multiple subsidiaries are more exposed to cybersecurity threats and have more difficulty managing risk than companies with no, or fewer, subsidiaries, according to an Osterman Research report commissioned by CyCognito.

The study surveyed 201 organizations with at least 10 subsidiaries and at least 3,000 employees or $1 billion in annual revenue.

Despite being extremely confident about running effective subsidiary risk management, about 67% of respondents said their organizations had either experienced a cyberattack where the attack chain included a subsidiary, or that they lacked the ability or information to rule out the possibility.

About half of the respondents acknowledged that they wouldn’t be surprised if a cyberbreach were to occur “tomorrow.” The survey respondents were in management roles for cybersecurity, compliance, or risk. Every organization surveyed had staff dedicated to monitoring subsidiary risk.

“We were seeking to understand the threats and risks that organizations faced not just with subsidiaries they had just purchased or acquired, but more importantly the ones that had been in place for years or longer,” said Michael Sampson, senior analyst at Osterman Research. “And given that cybersecurity challenges, risks and issues change continually, even if you have an apparently clean slate on any given day, I bet they can degrade over time as new vulnerabilities are discovered or highlighted.”

If there are exposed assets and data sources that the subsidiary doesn’t know about or chooses to keep from the parent company, the vulnerabilities get overlooked and become significant issues later on, according to Sampson.

Subsidiaries face multiple security risks

Focus on compliance at the expense of security, complex onboarding processes, infrequent and lengthy risk management processes, the excessive use of manual tools, and a lag between remediation and results were underlined in the report as the major roadblocks for managing subsidiary risks.

Macro trends and the environment in which businesses operate are affecting operational realities for security, according to the report. For instance, pandemic-induced digital transformation and recent high-profile supply chain breaches across the globe were named by 69% and 56% of respondents, respectively, as the most important concerns for subsidiaries.

“I think we’re seeing organizations becoming increasingly aware that cybersecurity is a significant issue, and there are certain cybersecurity threats that have become very well known in the last five years,” said Sampson. “Supply chain ransomware and business email compromise would top that list.”

The report highlighted that organizations are more focused on the compliance aspects of monitoring subsidiary risks than the security aspects, which leaves gaps when it comes to onboarding and managing subsidiaries, leading to more attacks.

Subsidiary onboarding itself is a complex task and only about 5% of respondents confirmed having a mature process to allow seamless integration of new business units, while other respondents complained about being saddled with tremendous workloads both at the parent and the subsidiary side of their enterprises.

Subsidiary management practices presently in place are too infrequent, in the sense that the data collected are of point-in-time nature and thus only provide a snapshot view, which quickly becomes outdated, respondents said. Also, a majority of respondents were of the opinion that the current processes do not cover enough of their organizations’ potential attack surface, leaving out vulnerabilities and quite often churning out time-consuming false positives.

Measuring risks takes too long

Another major concern is the amount of time it takes to measure risks associated with subsidiaries. On average, it currently takes from one week to three months for 54% of the organizations, while 71% of them would want to have it reduced to a day or less, according to survey respondents.

Survey respondents also pointed out a lag time between detection of a security gap and its remediation. About 73% of them said it takes anywhere within a week to a month. This lag could present a dangerous opportunity for an attack. Added to that, the large number of tools needed to manage security risks only adds to the total process time.

According to the report, enterprises with a large portfolio of subsidiaries are 50% more likely to take longer than a month to remediate detected security gaps than those with fewer subsidiaries. Respondents at parent companies with 17 or more subsidiaries were almost twice as likely as those at companies with fewer subsidiaries to say that a subsidiary has been implicated in a cyberattack chain more than once.

“The challenge with subsidiary risk management is that you could have the parent company here and the subsidiaries elsewhere in various countries and they might be using completely different technology stacks, processes, ways of communicating and culture,” said Rob Gurzeev, CEO and founder of cyberscurity company CyCognito. “If I’m the CSO of the corporation or even the whole conglomerate, I might have zero visibility into these other organizations’ assets and I will have no context even if I learn about some kind of risk.”

While vulnerability management and penetration testing in the late 1990s were often restricted to a few company servers connected to the internet, the shift to cloud over the last decades have opened up system frameworks to thousands of engineers, vendors, partners and third parties. Adding subsidiaries to already stretched network architecture only adds to the attack surface area, which needs to be handled more efficiently than it is at present, according to Gurzeev.