A recent study has revealed that almost all companies around the globe are linked to at least one third-party provider that has experienced a data breach. SecurityScorecard, the world’s foremost source for cybersecurity ratings, and The Cyentia Institute, an independent cybersecurity research organisation, conducted the study to examine the relationship between the health sector and third-party vendor relationships.
As cyber threats become increasingly sophisticated, the need to protect data and manage risk across multiple organizations in a supply chain is more important than ever. Cyber attackers have taken advantage of inter-organizational trust relationships and widespread vendor technologies, resulting in breaches from third (and fourth) parties making headlines in the news. To better understand the underlying condition that enables such incidents to take place, an in-depth examination of the prevalence of security incidents among third parties was conducted. Data from over 230,000 organizations, as well as from 73,000 vendors and products used by them directly or through their vendors, was analyzed to measure the extent of vendor relationships, explore the effects of that exposure, and compare the security posture of organizations to that of their third and fourth-parties. The goal of this report is to provide data-driven insights on how to identify risky vendors and better manage exposure to cyber threats.
“An organization’s attack surface spans beyond just the technology that they own or control,” said Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard. “Organizations need visibility into the security ratings of their entire third and fourth party ecosystem so that they can know in an instant whether an organization deserves their trust and can take proactive steps to mitigate risk.”
The researchers noted three significant findings in their investigation. Firstly, the researchers found that the more third-party vendors an organization has, the greater the risk to its security. According to the study, organizations typically have 60 to 90 times as many indirect fourth-party ties for every third-party vendor in their supply chain. The research also found that third-party vendors are five times more likely to have weak security than the main organization. Among companies that achieve an A grade for their internal security posture, 10 percent of third-party providers receive an F rating. Secondly, the study revealed that the information services industry maintained an average of 25 vendors, which is two and a half times more than the global average of 10. On the opposite end of the scale, with an average of 6.5 third-party relationships, was the finance industry. The average number of vendors per organization in the healthcare and insurance sectors was 15.5 and 11, respectively. “Each of these third-party relations represents exposure to risk,” continued Baker. “In some cases due to compromised third-party code, or in others due to usage of an insecure hosting provider.” The last key finding was in relation to regulatory and security requirements. According to the researchers, 9 percent of organizations use vendors from five or fewer nations, while 14 percent use suppliers from ten or more nations.
“SecurityScorecard’s data demonstrates why managing cyber risk across the digital supply chain is absolutely critical as threat actors work to exploit any vulnerabilities an organization may have. Identifying and continuously monitoring all partners and customers within the digital supply chain is key to staying ahead of any potential risk,” said Wade Baker, partner and co-founder at The Cyentia Institute. “By having full visibility into the security posture of their third and fourth parties, organizations can work with their vendors to address any cybersecurity gaps they may have in their infrastructure and, in turn, reduce their own level of cyber risk.”