The digital supply chain is probably more extensive and more complicated than you realize. Upward of 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years – and these figures are almost certainly no exaggeration.
The figures come from a report by SecurityScorecard. More than 230,000 organizations were examined to discover their relationships with third parties. Third parties were investigated to examine fourth parties (on which the third parties depend before delivering services to the first party). The expansion of relationships grows so rapidly that it makes six degrees of separation likely to be a conservative estimation.
From the figures: 98% of organizations have a relationship with a third party that has been breached, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. These figures do not suggest that the first parties have been breached, but they do indicate the extent of risk exposure via the supply chain.
It is worth reflecting on the term ‘breach’. Some commentators include data exposure within the term – so an organization with an unsecured cloud database is described as breached. This is not how SecurityScorecard uses the term in this report.
“We define a breach as any incident where parties gain unauthorized access to computer data, applications, networks, or devices,” Mike Woodward, VP data quality and trust at SecurityScorecard, told SecurityWeek. “The parties could be intruding threat actors who bypass or penetrate security mechanisms from the internet, or they could be organization insiders who abuse their privileged access to data and resources.”
Knowledge of a breach comes from public knowledge: from government disclosures and press reports. “Every day, we scan multiple sources, including government websites and press reports, for reports of breaches. We’re careful about the sources we will accept, and we point back to our source so our users can check for themselves,” he continued.
Of course, not all organizations disclose that they have been breached, and not all organizations even know they have been breached. So, the effect of this methodology means SecurityScorecard’s statement that ‘98% of organizations have a relationship with a third (or fourth) party that has been breached’ can only be the most conservative of estimates.
“SecurityScorecard’s data demonstrates why managing cyber risk across the digital supply chain is absolutely critical as threat actors work to exploit any vulnerabilities an organization may have. Identifying and continuously monitoring all partners and customers within the digital supply chain is key to staying ahead of any potential risk,” comments Wade Baker, partner and co-founder at The Cyentia Institute (a data-driven cybersecurity research group).
“By having full visibility into the security posture of their third and fourth parties, organizations can work with their vendors to address any cybersecurity gaps they may have in their infrastructure and, in turn, reduce their own level of cyber risk.”
The report highlights which sectors have the highest number of third party relationships, notes that more secure first parties still have relationships with the less secure third parties, points out that third parties are 5x more likely to exhibit poor security, and even enumerates the number of companies that have relationships with foreign organizations.
“Seven percent of firms have relationships with vendors in only their home country (no foreign ties),” states the report. “About 59% of organizations have connections to five or fewer countries, and roughly 14% have vendors spanning 10 or more countries.” This doesn’t necessarily increase or decrease cyber risk, but it highlights a potentially overlooked complication: compliance with international laws, security requirements, and other geopolitical issues.
The overriding conclusion of the report is that no firm can afford to be insular about its cybersecurity. It must have visibility into its own digital ecosystem, but also similar visibility into the security of its suppliers – including, perhaps, the fourth party suppliers. And if that visibility is unavailable, maybe the risk of a relationship is too great.
Related: OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings
Related: PyPI Users Targeted With ‘Wacatac’ Trojan in New Supply Chain Attack
Related: Malware Delivered to PyTorch Users in Supply Chain Attack
Related: Iranian Hackers Deliver ‘Fantasy’ Wiper to Diamond Industry via Supply Chain Attack
