The recent SEC regulations on cybersecurity incident disclosure have shed light on how common third-party breaches are in the business world. A study conducted by SecurityScorecard has revealed that a staggering 98% of companies are affiliated with a third party that has experienced a breach. This alarming statistic underscores how widely cybersecurity threats are spread across the intricate web of business relationships.
One of the key findings of the study is the significant role played by technology supply chain vulnerabilities in enabling threat actors to exploit multiple organizations with minimal effort. In fact, 75% of external business-to-business relationships that facilitated third-party breaches involved software or other technology products and services. This highlights the critical importance of securing technological assets and vetting third-party vendors to prevent potential breaches.
Notorious cybercrime groups like Cl0p have been identified as major perpetrators of third-party breaches, with Cl0p being responsible for 64% of attributable breaches in 2023. The exploitation of zero-day vulnerabilities in software products, such as MOVEit file transfer software, has enabled cybercriminals to infiltrate multiple organizations through a single common attack vector. This trend indicates that breaches are increasingly concentrated among a few threat actor groups, with those relying on third-party attack vectors accounting for a disproportionate share of victims.
The study also highlights the impact of specific vulnerabilities, such as CVE-2023-34362, which was associated with 61% of third-party breaches attributed to MOVEit software. The widespread nature of these vulnerabilities underscores the need for organizations to stay vigilant and proactive in addressing potential security risks within their supply chain.
Healthcare and financial services emerged as the sectors most heavily impacted by third-party breaches, with healthcare accounting for 35% of total breaches and financial services for 16%. The complexity of the third-party ecosystem in these sectors poses unique challenges and creates additional exposure, making them prime targets for cybercriminals seeking to exploit weaknesses in supply chain relationships.
While the United States accounts for the majority of third-party breaches at 63%, countries like Japan stand out for their high rate of third-party cyber risk at 48%. The global nature of supply chain relationships exposes companies to risks stemming from international dependencies, making it crucial for organizations to adopt robust cybersecurity measures to mitigate potential threats.
Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard, emphasized the importance of proactive supply chain cybersecurity measures in mitigating business risk. He highlighted the fact that many third-party breach victims are unaware of incidents until they receive ransomware notes, allowing threat actors to infiltrate multiple organizations undetected.
In conclusion, the rise of third-party breaches underscores the need for organizations to prioritize cybersecurity across their digital and third-party ecosystems. As cyber threats continue to evolve, companies must enhance their resilience by implementing continuous, metrics-driven cyber risk management practices to safeguard against potential breaches and mitigate business risk in an increasingly digital world.