>
Despite well-defended digital buildings and endpoints (opens in new tab)many companies are at risk of cyber-attacks because they work with different suppliers and third parties that are not so secure.
This is according to a new report from security assessment firm SecurityScorecard, which analyzed more than 235,000 organizations worldwide, as well as 73,000 suppliers and products they use, to find that virtually all companies (98%) have supplier relationships with at least one third party that have been compromised in the past two years. year had a data breach.
In addition, half of organizations have indirect relationships (as used by third-party vendors) with at least 200 companies that have been victims of a cyberattack in the past two years.
F for safety
For every third-party supplier in a supply chain, companies typically have indirect relationships with 60 to 90 times as many fourth-party relationships, the researchers found. Since third parties are up to five times more likely to suffer from poor security, the risk quickly increases.
About one-tenth (10%) of all third parties analyzed for the report received an F for security.
Looking at different industries, the information services industry has an average of 25 suppliers, while the financial industry has an average of 6.5. Healthcare had an average of 15.5 suppliers, while insurance has 11. Each of them poses a significant risk to the original organization.
Cybercriminals seem to be well aware of these facts as supply chain attacks have become one of the most devastating forms of cybercrime in recent times. The SolarWinds attack, which compromised just one company’s software and affected tens of thousands of organizations worldwide, is probably the best example.
“An organization’s attack surface extends beyond just the technology they own or control,” said Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard.
“Organizations need visibility into the security assessments of their entire third- and fourth-party ecosystem so they can know at a glance whether an organization is worthy of their trust and take proactive steps to mitigate risk.”