Data breaches by third parties have become a major security problem
- SecurityScorecard report shows that most EU companies suffered a third-party data breach by 2024
- The Scandinavian countries did the best, the French the worst
- Companies must prioritize third-party risks next year, researchers warn
Third-party data breaches have emerged as one of the biggest cybersecurity threats to organizations in the European Union, new research shows.
A SecurityScorecard report took a closer look at the top 100 European companies and analyzed factors such as network security, malware infections, endpoint security, patch frequency, application security and DNS health.
It found that almost all European companies (98%) had suffered a third-party breach in the past year, meaning that almost every organization had a partner company that was exposed. SecurityScorecard does not discuss the consequences, but it is safe to assume that at least some of these organizations experienced operational disruption as a result, especially since “only” 18% of companies reported direct breaches in the same period.
Prioritize risks
Looking at individual industries, SecurityScorecard says that the transportation sector was the safest, with no companies scoring low. At the other end of the spectrum is the energy sector, where 75% of organizations score C or lower (A is the best grade and F the worst). Additionally, a quarter (25%) of energy companies reported direct breaches.
Scandinavian, British and German companies were ranked as the most secure, while France had the highest rates of third-party and fourth-party breaches (98% and 100% respectively).
According to Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard, third-party risk management should be a priority for all companies in the EU, especially with DORA just around the corner.
The DORA legislation, short for the Digital Operational Resilience Act, is a new European Union regulatory framework designed to increase the cybersecurity and operational resilience of financial institutions. This should make banks, insurance companies, investment firms and other entities in the financial sector more resilient to disruptions, cyber attacks and similar incidents.
The legislation is expected to come into full effect on January 17, 2025.