Despite having well-protected digital objects and endpoints, many companies are vulnerable to cyber attacks because they work with various suppliers and third parties that are not as secure.
That's according to a new report by cybersecurity assessment company SecurityScorecard, which analyzed more than 235,000 organizations worldwide, as well as 73,000 suppliers and the products they use, and found that virtually all companies (98%) have supplier relationships with at least one third party that has suffered a data breach in the last two years.
Moreover, half of the organizations have indirect relationships (as in the case of third-party suppliers) with at least 200 companies that have suffered a cyberattack in the last two years.
F for safety
Researchers found that for each third-party supplier in the supply chain, companies tend to have indirect relationships with 60 to 90 times as many third parties. As third parties are up to five times more likely to have weak security, the risk multiplies rapidly.
Approximately one-tenth (10%) of all third parties reviewed for the report received an F safety rating.
Looking at different industries, the information services sector has an average of 25 suppliers, while the financial sector has an average of 6.5. Healthcare had an average of 15.5 providers and insurance had 11. Each represents a significant risk to the original organization.
Cybercriminals seem to be aware of these facts, as supply chain attacks have recently become one of the most devastating forms of cybercrime. The SUNBURST attack, where only one company was compromised and up to 100 organizations were affected, is just one example.
“An organization’s attack surface extends beyond the technology it owns or controls,” said Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard.
“Organizations need visibility into the security assessments of their entire third-party and third-party ecosystem to know at a glance whether an organization deserves their trust and take proactive steps to mitigate risk.”