World’s largest companies at near-universal risk of supply chain breach


Out of the world’s 2,000 largest companies, 1,980 have a direct connection to a technology supplier that has experienced a recent cyber security incident or data breach, highlighting escalating risk levels to the global economy presented by multi-party supply chain attacks.

In research released to mark the opening day of the annual Black Hat security conference, SecurityScorecard and The Cyentia Institute said they had identified that 99% of the organisations listed on Forbes’ Global 2000 list – which includes many UK multinationals such as AstraZeneca, BP, Diageo, HSBC and Vodafone to name but a few – were exposed to such risk.

Losses arising from breaches affecting the Global 2000 are already well into the billions of US dollars, possibly as high as $80bn in the past 15 months, and the joint study found that 20% of the Global 2000 were using 1,000 or more IT products, meaning they face the same number of potential entry points.

Added to this, the significant interdependence that exists between this network of organisations concentrates this risk, said Wade Baker, Cyentia partner and co-founder.

“While the Global 2000 boasts $51.7tn in revenue, their interconnectedness exposes them to severe cyber risks – with 99% directly connected to breached vendors and incidents that can tally into the tens of billions,” he said.

Ryan Sherstobitoff, senior vice-president of threat research and intelligence at SecurityScorecard, added: “The world is only beginning to grasp the potential for chaos caused by concentration risk.

“Understanding and managing your supply chain is critical to protect business continuity. It’s not just about preventing disruptions; it’s about safeguarding the very foundation of our interconnected economy.”

CrowdStrike incident a warning

In recent weeks, SecurityScorecard is among a number of organisations to become increasingly agitated by the potential for significant worldwide disruption arising from IT issues, whether originating through cyber incidents, such as the 2023 breaches orchestrated via Progress Software’s MOVEit product, or through other means, such as the July 2024 CrowdStrike incident, the consequences of which continue to reverberate around the industry.

Speaking in the wake of the CrowdStrike disruption, SecurityScorecard CEO Alex Yampolskiy said that the concentration of mission-critical services among a few large suppliers had rendered global IT systems as fragile as a “precarious house perched on a cliff’s edge” and warned that more CrowdStrikes almost certainly lie ahead.

Know your supply chain

SecurityScorecard reiterated general guidance that know your supply chain (KYSC) principles now need to be urgently adopted on a widespread basis as a critical element of a business resilience strategy.

Understanding where dependencies within an organisation lie is critical if IT and security teams are to be empowered to respond effectively when something goes wrong.

There are several key steps that should form the core of such a strategy:

  • Continuous external attack surface monitoring, including automated scanning, to identify and mitigate IT and cyber risk in supplier, agency and partner environments;
  • Identifying single points of failure by mapping critical business processes and technologies to find potential flashpoints, and collaborating with the relevant suppliers to create a watchlist for enhanced attention;
  • Keeping abreast of your suppliers’ own IT deployments to identify and resolve hidden risks from their supply chains.
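The mapping described in the second step can be done mechanically once the process-to-supplier dependencies are recorded. The following is an added Python example, not SecurityScorecard or Cyentia tooling; the processes, vendor names and incident feed are constructed, and it derives the exposure figures the article talks about (entry points, single points of failure, share of processes touching a breached vendor) and the resulting watchlist.

```python
from collections import defaultdict

# Constructed data: each critical business process and the IT products (vendors)
# it depends on. All names are hypothetical.
PROCESS_DEPENDENCIES = {
    "payments":        ["VendorA-edr", "VendorB-cloud", "VendorC-ftp"],
    "customer-portal": ["VendorB-cloud", "VendorD-cdn"],
    "payroll":         ["VendorB-cloud", "VendorC-ftp"],
    "email":           ["VendorE-mail"],
}

# Constructed incident feed; in practice this comes from an external
# monitoring or rating service (step one of the strategy).
VENDOR_INCIDENTS = {
    "VendorC-ftp": "2023-05 data breach",
    "VendorA-edr": "2024-07 global outage",
}

def vendor_exposure(deps):
    """Invert the map: vendor -> set of processes that depend on it."""
    exposure = defaultdict(set)
    for process, vendors in deps.items():
        for vendor in vendors:
            exposure[vendor].add(process)
    return dict(exposure)

def entry_points(deps):
    """Each distinct supplier product is one potential entry point."""
    return len(vendor_exposure(deps))

def single_points_of_failure(deps, threshold=2):
    """Vendors whose failure would stop `threshold` or more processes."""
    return {v: procs for v, procs in vendor_exposure(deps).items()
            if len(procs) >= threshold}

def breached_share(deps, incidents):
    """Fraction of processes directly connected to a vendor with an incident."""
    hit = [p for p, vendors in deps.items() if any(v in incidents for v in vendors)]
    return len(hit) / len(deps)

def watchlist(deps, incidents):
    """Vendors with a known incident, ranked by how many processes they expose."""
    exposure = vendor_exposure(deps)
    rows = [(v, len(exposure[v]), note) for v, note in incidents.items() if v in exposure]
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    print("entry points:", entry_points(PROCESS_DEPENDENCIES))
    print("SPOFs:", single_points_of_failure(PROCESS_DEPENDENCIES))
    print("breached share:", breached_share(PROCESS_DEPENDENCIES, VENDOR_INCIDENTS))
    for vendor, count, note in watchlist(PROCESS_DEPENDENCIES, VENDOR_INCIDENTS):
        print(f"WATCH {vendor}: {count} process(es) exposed, {note}")
```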
