Supply Chain Security

98% of Firms Have a Supply Chain Relationship That Has Been Breached: Analysis

A new report found that 98% of organizations have a relationship with a third party that has been breached, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached.

The digital supply chain is probably more extensive and more complicated than you realize. Upward of 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years – and these figures are almost certainly no exaggeration.

The figures come from a report by SecurityScorecard. More than 230,000 organizations were examined to map their relationships with third parties, and those third parties were in turn examined to identify fourth parties (the suppliers a third party depends on before it can deliver its service to the first party). The graph of relationships grows so quickly at each hop that ‘six degrees of separation’ is likely to be a conservative estimate.

From the figures: 98% of organizations have a relationship with a third party that has been breached, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. These figures do not suggest that the first parties have been breached, but they do indicate the extent of risk exposure via the supply chain.
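To make the third-party and fourth-party exposure metrics concrete, the following is an added example, not code or data from SecurityScorecard or the report. It builds a small, constructed vendor graph with hypothetical organization names, marks a constructed set of vendors as having a reported breach, and computes for each first party (a) its directly breached third parties, (b) its breached fourth parties, and (c) every breached vendor reachable at any depth. The third case goes beyond the report's two-hop cut-off to show what a strict fourth-party definition misses.

```python
"""Transitive supply-chain exposure over a constructed vendor graph.

Added example: not SecurityScorecard's code or data. All organization
names, relationships and breach flags below are constructed for
illustration and are hypothetical.
"""
from collections import deque

# Constructed directed graph: organization -> set of vendors it depends on.
# A "third party" is a direct vendor; a "fourth party" is a vendor's vendor.
VENDORS = {
    "acme":    {"cloudco", "payproc", "mailsvc"},
    "beta":    {"mailsvc"},
    "cloudco": {"dnsprov", "cdnnet", "payproc"},
    "payproc": {"dnsprov", "kyc-ltd"},
    "mailsvc": {"cdnnet"},
    "cdnnet":  {"dnsprov"},
    "dnsprov": set(),
    "kyc-ltd": set(),
}

# Constructed set of vendors with a publicly reported breach (hypothetical).
BREACHED = {"payproc", "dnsprov"}


def third_parties(org):
    """Direct vendors of org."""
    return set(VENDORS.get(org, set()))


def fourth_parties(org):
    """Vendors of org's vendors, excluding org itself and its direct vendors."""
    third = third_parties(org)
    fourth = set()
    for vendor in third:
        fourth |= VENDORS.get(vendor, set())
    return fourth - third - {org}


def reachable(org, max_depth=None):
    """Breadth-first walk of the vendor graph from org.

    Returns {vendor: depth} for every transitive dependency; BFS guarantees
    the recorded depth is the shortest hop count. max_depth=2 reproduces a
    strict third-plus-fourth-party view.
    """
    depth = {}
    queue = deque([(org, 0)])
    seen = {org}
    while queue:
        node, d = queue.popleft()
        if max_depth is not None and d >= max_depth:
            continue
        for vendor in VENDORS.get(node, set()):
            if vendor not in seen:
                seen.add(vendor)
                depth[vendor] = d + 1
                queue.append((vendor, d + 1))
    return depth


def exposure(org):
    """Breached vendors of org at each level of the relationship graph."""
    return {
        "breached_third": sorted(third_parties(org) & BREACHED),
        "breached_fourth": sorted(fourth_parties(org) & BREACHED),
        "breached_transitive": sorted(set(reachable(org)) & BREACHED),
    }


def population_stats(first_parties):
    """Share of first parties with at least one breached third / fourth party."""
    n = len(first_parties)
    with_third = sum(1 for o in first_parties if exposure(o)["breached_third"])
    with_fourth = sum(1 for o in first_parties if exposure(o)["breached_fourth"])
    return {
        "n": n,
        "breached_third_share": with_third / n,
        "breached_fourth_share": with_fourth / n,
    }


if __name__ == "__main__":
    for org in ("acme", "beta"):
        print(org, exposure(org))
    print(population_stats(["acme", "beta"]))
```

In this constructed graph, "beta" has no breached third or fourth party, yet it still reaches the breached "dnsprov" three hops out through "mailsvc" and "cdnnet"; a count that stops at fourth parties, as the report's headline figures do, would report zero exposure for it. That is the sense in which the article calls the reported numbers conservative.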

The escalating nature of third and fourth-party relationships

It is worth reflecting on the term ‘breach’. Some commentators include data exposure within the term – so an organization with an unsecured cloud database is described as breached. This is not how SecurityScorecard uses the term in this report. 

“We define a breach as any incident where parties gain unauthorized access to computer data, applications, networks, or devices,” Mike Woodward, VP data quality and trust at SecurityScorecard, told SecurityWeek. “The parties could be intruding threat actors who bypass or penetrate security mechanisms from the internet, or they could be organization insiders who abuse their privileged access to data and resources.”


SecurityScorecard learns of a breach only from public sources: government disclosures and press reports. “Every day, we scan multiple sources, including government websites and press reports, for reports of breaches. We’re careful about the sources we will accept, and we point back to our source so our users can check for themselves,” he continued.

Of course, not all organizations disclose that they have been breached, and not all organizations even know they have been breached. This methodology therefore means that SecurityScorecard’s statement that ‘98% of organizations have a relationship with a third (or fourth) party that has been breached’ is a floor rather than a ceiling: the true exposure can only be higher.

“SecurityScorecard’s data demonstrates why managing cyber risk across the digital supply chain is absolutely critical as threat actors work to exploit any vulnerabilities an organization may have. Identifying and continuously monitoring all partners and customers within the digital supply chain is key to staying ahead of any potential risk,” comments Wade Baker, partner and co-founder at The Cyentia Institute (a data-driven cybersecurity research group). 

“By having full visibility into the security posture of their third and fourth parties, organizations can work with their vendors to address any cybersecurity gaps they may have in their infrastructure and, in turn, reduce their own level of cyber risk.”

The report highlights which sectors have the highest number of third-party relationships, notes that more secure first parties still have relationships with less secure third parties, points out that third parties are five times more likely to exhibit poor security, and even enumerates the number of companies that have relationships with foreign organizations.

“Seven percent of firms have relationships with vendors in only their home country (no foreign ties),” states the report. “About 59% of organizations have connections to five or fewer countries, and roughly 14% have vendors spanning 10 or more countries.” This doesn’t necessarily increase or decrease cyber risk, but it highlights a potentially overlooked complication: compliance with international laws, security requirements, and other geopolitical issues.

The overriding conclusion of the report is that no firm can afford to be insular about its cybersecurity. It must have visibility into its own digital ecosystem, but also similar visibility into the security of its suppliers – including, perhaps, the fourth party suppliers. And if that visibility is unavailable, maybe the risk of a relationship is too great.

Related: OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings

Related: PyPI Users Targeted With ‘Wacatac’ Trojan in New Supply Chain Attack

Related: Malware Delivered to PyTorch Users in Supply Chain Attack

Related: Iranian Hackers Deliver ‘Fantasy’ Wiper to Diamond Industry via Supply Chain Attack

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
