Against the backdrop of the SEC's updated rules on cybersecurity incident disclosure, findings by SecurityScorecard reveal that 98% of companies are associated with a third party that has experienced a breach.
Breaches often take months or longer to become public knowledge: victims may need weeks or months to discover an intrusion, and the incident may then take weeks or months more to surface in public reporting, if it ever does.
Technology supply chain vulnerabilities enable threat actors to scale their operations with minimal effort. 75% of external business-to-business (B2B) relationships that enabled third-party breaches involved software or other technology products and services. The remaining 25% of third-party breaches involved non-technical products or services.
Third-party breaches linked to cybercrime groups
The notorious cybercrime group Cl0p was responsible for 64% of attributable third-party breaches in 2023; the next most prolific group, LockBit, accounted for only 7%. Cl0p's dominance was due in large part to its mass exploitation of a zero-day vulnerability in the MOVEit file transfer software, which was also the most frequently mentioned vulnerability in breach reporting.
This growing disproportionality in the distribution of breaches among groups makes sense when one considers why threat actors choose common third-party attack vectors in the first place. These methods often enable attackers to compromise large numbers of victims at once, giving their operations far greater scalability. For example, compromising one managed service provider (MSP) could enable an actor to compromise dozens or even hundreds of its customers with relatively minimal effort. It thus makes sense that threat actors using third-party attack vectors more frequently would be responsible for a disproportionately large share of victims.
61% of third-party breaches were attributed to MOVEit (CVE-2023-34362). Newly identified victims of this massive campaign continued to surface in reporting months after the original attacks. The three most widely exploited vulnerabilities (MOVEit, CitrixBleed (CVE-2023-4966), and Proself) were involved in 77% of all third-party breaches involving a specified vulnerability. One reason for the widespread impact of the MOVEit zero-day was that it enabled third-party, fourth-party, and even fifth-party compromises: a single exploited MOVEit instance at a service provider exposed data that the provider's customers, and in turn those customers' own clients, had entrusted to it.
Third-party attack vectors
Approximately 29% of all breaches in 2023 were attributable to a third-party attack vector. This number likely underestimates the actual percentage, as many reports on breaches do not specify an attack vector.
Healthcare and financial services emerged as the sectors most heavily impacted by third-party breaches, with healthcare accounting for 35% of the total and financial services for 16%.
The complex ecosystem of third-party relationships may shed light on why healthcare experiences so many breaches in general and third-party breaches in particular. The healthcare industry has many other distinctive risk factors that may account for its frequent breaches, such as vulnerable medical devices, a perceived vulnerability to ransomware extortion, the greater usefulness of more detailed PHI for fraud, and so on.
The preponderance of technical relationships in third-party breaches is also clear in the financial industry, where the majority of this activity was attributed to specialized financial services software or technology.
The U.S. alone accounts for 63% of the third-party breaches in the dataset. However, geographic variation may be harder to detect because news media and security vendors focus overwhelmingly on breaches in the U.S. and other English-speaking countries.
While third-party breaches are common globally, Japan stood out with a significantly higher share of breaches attributable to third-party vectors (48%, against roughly 29% worldwide). As a hub for automotive, manufacturing, technology, and financial services, Japanese companies face significant supply chain cyber risk due to international dependencies.
Ryan Sherstobitoff, SVP of Threat Research and Intelligence, SecurityScorecard, said: “The supplier ecosystem is a highly desirable target for ransomware groups. Third-party breach victims are often not aware of an incident until they receive a ransomware note, allowing time for attackers to infiltrate hundreds of companies without being detected.”
Third-party cyber risk is a business risk
According to Gartner, “The cost of a third-party cyber breach is typically 40% higher than the cost to remediate an internal cybersecurity breach.” With the average cost of a data breach reaching $4.45 million in 2023, organizations must proactively operationalize supply chain cyber risk management to mitigate business risk.
“In the digital age, trust is synonymous with cybersecurity. Companies must improve resilience by implementing continuous, metrics-driven, business-aligned cyber risk management across their digital and third-party ecosystems,” stated Dr. Aleksandr Yampolskiy, CEO, SecurityScorecard.