Dive Brief:
- A total of 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years, according to a report released Wednesday from SecurityScorecard and the Cyentia Institute.
- Third-party vendors are five times more likely to exhibit poor security, the report found. Half of organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches.
- The information services sector maintained on average 25 vendor relationships, which is the largest number of any sector and more than double the overall average of third-party vendors, which was 10. Healthcare averaged 15.5 vendors and the financial services industry averaged the lowest number, with 6.5.
Dive Insight:
The research comes as organizations hit indirectly by attacks on a software supply chain are growing in frequency. Vulnerabilities that expose unsuspecting customers or ransomware attacks that create can chaos spell trouble not only for the targeted party, but for downstream customers.
“Visibility is a barrier to first parties in identifying potential vulnerabilities, as is the sheer volume of vendor relationships for organizations across sectors that indirectly exposes them to cyber risk,” Mike Woodward, VP of data quality and trust at SecurityScorecard, said via email.
The SecurityScorecard research is based on the analysis of more than 235,000 primary organizations globally and about 73,000 vendors and products that are used by them directly or used by their vendors.
A separate report from Black Kite shows attacks on 63 vendor organizations during 2022 impacted almost 300 companies. On average, there were 4.7 impacted companies per vendor in 2022, compared with 2.5 per vendor in 2021.
The most common vector of these attacks was unauthorized network access, accounting for 40% of the incidents, according to Black Kite.
While the exact method of access is not usually disclosed or immediately known, unauthorized network access often is due to phishing, stolen credentials or vulnerabilities in access control, according to Bob Maley, CSO at Black Kite.
“The rise in remote work has opened up more opportunities for bad actors to strike,” Maley said via email. “Remote employees are usually operating on public, accessible networks where hackers are able to gain easy entry.”
