98 percent of organizations have vendor relationships with at least one third-party that has experienced a breach in the last two years, according to SecurityScorecard and The Cyentia Institute. The study also found that 50 percent of organizations have indirect relationships with at least 200 breached fourth-party vendors in the last two years.
“An organization’s attack surface spans beyond just the technology that they own or control,” said Aleksandr Yampolskiy, CEO of SecurityScorecard. “Organizations need visibility into the security ratings of their entire third- and fourth-party ecosystem so that they can know in an instant whether an organization deserves their trust and can take proactive steps to mitigate risk.”
The study, which analyzed data from over 235,000 (primary) organizations across the globe and more than 73,000 vendors and products used by them directly (third-parties) or used by their vendors (fourth-parties), offers an in-depth examination of how the interdependence of modern digital supply chains impacts organizational cyber risk exposure.
Security suffers the more third- and fourth-parties you have
For every third-party vendor in their supply chain, organizations typically have indirect relationships with 60 to 90 times that number of fourth parties. The research showed that, compared to the primary organization, third-party vendors are five times more likely to exhibit poor security. Even among organizations that earn an A rating for their own security posture, approximately 10% of their third-party vendors receive an F rating.
Information services leads in third-parties
The research revealed that the Information Services sector maintained an average of 25 vendors, 2.5 times the overall average of 10 third-party relationships. The Finance sector was at the other end of the spectrum, averaging 6.5 third-party relationships. The Healthcare sector averaged 15.5 vendors per organization and the Insurance sector averaged 11 vendors. “Each of these third-party relations represents exposure to risk,” said Wade Baker, partner at The Cyentia Institute. “In some cases due to compromised third-party code, or in others due to usage of an insecure hosting provider.”
Exposing data to international third-parties increases regulatory and security requirements
While examining the regional dimension of third-party relationships, SecurityScorecard found that 59% of organizations have vendors from five or fewer countries, while roughly 14% work with vendors spanning 10 or more countries.
“By having full visibility into the security posture of their third and fourth parties, organizations can work with their vendors to address any cybersecurity gaps they may have in their infrastructure and, in turn, reduce their own level of cyber risk,” said Wade Baker, partner at The Cyentia Institute.