Almost all Organizations are Working with Recently Breached Vendors

The rise of supply chain attacks has increased scrutiny of the security of suppliers, clients, and business partners.

This prompted security ratings provider SecurityScorecard and the Cyentia Institute to investigate the exposure of organizations around the world to vendor risk. Their report, Close Encounters of Third Parties (and Fourth Parties), was published on February 1, 2023.

98.3% of organizations worldwide work closely with at least one third-party vendor that has been compromised in the last two years, and over 50% have indirect relationships with more than 200 fourth-party vendors (the partners or suppliers of their third-party vendors) that have been compromised in the last two years.

Mike Woodward, Vice President of Data Analytics at SecurityScorecard, said: Information security.

“That’s why these staggering numbers are so alarming,” he said.

Degrees of separation

This high exposure to supply chain breaches is due to a variety of factors, the report says.

First, organizations rely on numerous third and fourth parties. On average, a company maintains relationships with 10 third-party vendors; the average is 15.5 in the healthcare sector and 25 in the information services industry.

Second, for every third-party vendor in its supply chain, an organization typically has 60 to 90 times as many indirect (fourth-party) relationships.

The report also shows that third-party vendors lag significantly behind the leading organizations in terms of security. For example, under SecurityScorecard’s rating system, twice as many of the leading organizations achieve the highest security rating of A, while third parties are five times more likely to receive an F on their scorecard.

Additionally, researchers found that organizations with poor security postures and low security scores have twice as many third-party vendors and ten times as many third parties, increasing risk.

SecurityScorecard CEO Aleksandr Yampolskiy said in a statement:

Woodward added that this has been demonstrated multiple times, including in the British Airways hack in 2018. “It came through a vendor, Swissport. When British Airways told the UK Information Commissioner’s Office (ICO) that the breach had targeted their vendor, the ICO replied that British Airways was responsible and that the airline would be fined in any case.”

Visibility and patching policy

To reduce exposure to these risks, organizations need to be more conscious of what they and their partners have installed, and whether it is regularly updated and patched as needed, says Woodward. “IT departments can also require employees to update their systems on a regular basis by implementing security policies internally and throughout the supply chain.”

“We are seeing hints from some regulators that they are about to start mandating these kinds of programs,” added Woodward.

“Organizations need visibility into security assessments across their third-party and fourth-party ecosystems so they can instantly determine whether an organization is trustworthy and take proactive steps to mitigate risk,” Yampolskiy said.

This echoes Joe Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity, which introduced the idea of requiring U.S. organizations to create a software bill of materials (SBOM): an inventory of the software components and services they use, their versions, and any possibly unpatched vulnerabilities.
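The following is an added example, not code from the report, the article or SecurityScorecard: it shows the kind of check an SBOM makes possible. It reads a small CycloneDX-style SBOM (the component names, versions, `bom-ref` values and the advisory list are all constructed for illustration), compares each component's version against the first fixed version in a constructed advisory feed, and records whether the affected component is a direct dependency or sits deeper in the dependency graph, the software analogue of a third versus fourth party.

```python
import json
from collections import deque

# Constructed sample SBOM in CycloneDX-style JSON. Every name, version and
# bom-ref below is invented for this example; nothing is taken from the report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-portal", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:web-framework@4.1.2", "name": "web-framework", "version": "4.1.2"},
        {"bom-ref": "pkg:json-parser@1.0.9", "name": "json-parser", "version": "1.0.9"},
        {"bom-ref": "pkg:tls-lib@3.0.1", "name": "tls-lib", "version": "3.0.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:web-framework@4.1.2"]},
        {"ref": "pkg:web-framework@4.1.2", "dependsOn": ["pkg:json-parser@1.0.9", "pkg:tls-lib@3.0.1"]},
        {"ref": "pkg:json-parser@1.0.9", "dependsOn": []},
        {"ref": "pkg:tls-lib@3.0.1", "dependsOn": []},
    ],
})

# Constructed advisory feed (placeholder ids, not real advisories):
# component name -> first version that contains the fix.
ADVISORIES = {
    "json-parser": {"id": "ADV-EXAMPLE-0001", "fixed_in": "1.1.0"},
    "tls-lib": {"id": "ADV-EXAMPLE-0002", "fixed_in": "3.0.1"},
}


def parse_version(version):
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric, not lexical.

    Assumes purely numeric dotted versions; real feeds need a fuller scheme.
    """
    return tuple(int(part) for part in version.split("."))


def dependency_depth(sbom):
    """Breadth-first walk from the root component.

    Depth 1 = direct dependency, 2 or more = transitive dependency.
    """
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {root: 0}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for child in graph.get(current, []):
            if child not in depth:
                depth[child] = depth[current] + 1
                queue.append(child)
    return depth


def find_unpatched(sbom_json, advisories):
    """Return components whose version is older than the advisory's fixed version."""
    sbom = json.loads(sbom_json)
    depth = dependency_depth(sbom)
    findings = []
    for component in sbom.get("components", []):
        advisory = advisories.get(component["name"])
        if advisory is None:
            continue
        if parse_version(component["version"]) < parse_version(advisory["fixed_in"]):
            findings.append({
                "component": component["name"],
                "version": component["version"],
                "advisory": advisory["id"],
                "fixed_in": advisory["fixed_in"],
                # None if the component is listed but absent from the dependency graph
                "depth": depth.get(component["bom-ref"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_unpatched(SAMPLE_SBOM, ADVISORIES):
        kind = "direct" if finding["depth"] == 1 else "transitive"
        print(f'{finding["component"]} {finding["version"]} ({kind}, depth {finding["depth"]}): '
              f'{finding["advisory"]} fixed in {finding["fixed_in"]}')
```

On the sample data only `json-parser` is reported, because `tls-lib` is already at the fixed version; the finding carries depth 2, showing that the exposure comes through a dependency of a dependency rather than anything the application pulls in directly. The numeric version tuple matters: a string comparison would wrongly treat `1.10.0` as older than `1.9.9`.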

The report is based on analysis of data from over 235,000 leading organizations worldwide and over 73,000 vendor products.
