SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

99% of Global 2000 firms linked to breached vendors

Thu, 8th Aug 2024

A recent study by SecurityScorecard and The Cyentia Institute has revealed that 99% of Global 2000 companies are directly linked to vendors that have experienced breaches.

This finding comes in the wake of new SEC cybersecurity requirements that mandate transparency concerning third-party breaches, shedding light on the increasing threat of multi-party supply chain attacks.

The intricate nature of modern business operations means that a vulnerability within one segment of the supply chain can have extensive repercussions, potentially affecting the entire business ecosystem. Notable instances like the breaches at Change Healthcare, MOVEit, and SolarWinds highlight the urgent necessity for robust supply chain cybersecurity measures.

According to the report, 20% of these large-scale companies utilise over a thousand different products. Additionally, supply chain incidents are significantly costlier to manage compared to first-party breaches, with expenses being 17 times higher. The estimated financial losses from breaches affecting Global 2000 companies are projected to be between USD $20 billion and USD $80 billion over a span of 15 months.

Wade Baker, partner and co-founder at The Cyentia Institute, commented on the findings, saying, "While the Global 2000 boasts USD $51.7 trillion in revenue, their interconnectedness exposes them to severe cyber risks with 99% directly connected to breached vendors and incidents that can tally into the tens of billions."

The interconnected nature of these corporations is further underscored by the fact that 90% of Global 2000 companies act as vendors to each other. The most widely used vendors are employed by at least 80% of these companies, with four out of the top five vendors having reported recent breaches.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, remarked, "The world is only beginning to grasp the potential for chaos caused by concentration risk. Understanding and managing your supply chain is critical to protect business continuity. It's not just about preventing disruptions; it's about safeguarding the very foundation of our interconnected economy."

The research emphasises the importance of 'Knowing Your Supply Chain' (KYSC) as a critical component of cyber resilience. This entails understanding dependencies within one's organisation as well as those of associated vendors to respond to incidents effectively. Even trustworthy vendors can encounter issues, making it essential to adopt key steps in securing the supply chain.

Some of these steps include continuously monitoring the external attack surface, identifying single points of failure, and automatically detecting new vendors as they appear. Automated scanning helps to identify and mitigate risks across vendor, agency, and partner environments, while mapping critical business processes to the vendors they depend on can pinpoint any single points of failure. Furthermore, passive monitoring of vendor IT deployments can uncover hidden supply chain risks, including dependencies on a vendor's own vendors, so they can be addressed before an incident.
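The report describes these steps only at a high level. The script below is an added example, not SecurityScorecard's or Cyentia's tooling, of the process-mapping step: it records each critical process, the vendors that can serve each of its components, and each vendor's own suppliers (fourth parties), then separates two things the report treats distinctly, a vendor that many processes touch (concentration risk) and a vendor that some process cannot survive without (a single point of failure). All process and vendor names are constructed placeholders.

```python
"""Map critical business processes to the vendors they depend on, follow each
vendor's own vendors (fourth parties), and separate concentration risk from
single points of failure.

Added example; this is not SecurityScorecard's or Cyentia's tooling, and every
process and vendor name below is a constructed placeholder.
"""
from collections import defaultdict

# Each process lists its components; each component lists alternative vendors,
# any one of which keeps that component running. Constructed sample data.
PROCESSES = {
    "claims-clearing": {"clearinghouse": ["ClearCo"], "sso": ["IdP-A", "IdP-B"]},
    "payroll":         {"payroll-saas": ["PayVendor"], "sso": ["IdP-A"]},
    "customer-portal": {"cdn": ["EdgeOne", "EdgeTwo"], "sso": ["IdP-A", "IdP-B"]},
}

# Each vendor's own suppliers (fourth parties). Constructed sample data.
VENDOR_DEPS = {
    "ClearCo":   ["CloudX", "FileXfer"],
    "IdP-A":     ["CloudX"],
    "IdP-B":     ["CloudY"],
    "PayVendor": ["FileXfer"],
    "EdgeOne":   ["CloudX"],
    "EdgeTwo":   ["CloudY"],
    "FileXfer":  ["CloudX"],
}


def closure(vendor, deps=VENDOR_DEPS):
    """Return the vendor plus every vendor it depends on, transitively."""
    seen, stack = set(), [vendor]
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        stack.extend(deps.get(v, []))
    return seen


def process_survives(process, failed, deps=VENDOR_DEPS):
    """True if every component keeps one alternative whose chain avoids `failed`."""
    return all(
        any(closure(alt, deps).isdisjoint(failed) for alt in alternatives)
        for alternatives in process.values()
    )


def reachable(process, deps=VENDOR_DEPS):
    """Every vendor a process touches, directly or through fourth parties."""
    out = set()
    for alternatives in process.values():
        for alt in alternatives:
            out |= closure(alt, deps)
    return out


def exposure(processes=PROCESSES, deps=VENDOR_DEPS):
    """Concentration view: vendor -> number of processes that depend on it."""
    counts = defaultdict(int)
    for process in processes.values():
        for vendor in reachable(process, deps):
            counts[vendor] += 1
    return dict(counts)


def single_points_of_failure(processes=PROCESSES, deps=VENDOR_DEPS):
    """Resilience view: vendor -> processes with no alternative that avoids it."""
    spof = defaultdict(set)
    vendors = set().union(*(reachable(p, deps) for p in processes.values()))
    for vendor in vendors:
        for name, process in processes.items():
            if not process_survives(process, {vendor}, deps):
                spof[vendor].add(name)
    return dict(spof)


def impact(breached, processes=PROCESSES, deps=VENDOR_DEPS):
    """Processes that stop if every vendor in `breached` is taken offline at once."""
    return {name for name, p in processes.items()
            if not process_survives(p, set(breached), deps)}


if __name__ == "__main__":
    exp, spof = exposure(), single_points_of_failure()
    for vendor in sorted(exp, key=exp.get, reverse=True):
        print(f"{vendor:10} used by {exp[vendor]} process(es); "
              f"single point of failure for {sorted(spof.get(vendor, ()))}")
    print("offline if FileXfer and CloudY both fail:",
          sorted(impact({"FileXfer", "CloudY"})))
```

On the constructed data, IdP-A is touched by all three processes, the highest concentration in the map, yet it is a single point of failure only for payroll, the one process that gave it no alternative; CloudX is both widely used and a single point of failure for two processes, and it only shows up at all because the map follows vendors' own suppliers. `impact()` answers the question the report's vendor-breach figures raise for a specific organisation: which processes stop if a given set of vendors is lost together.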

The methodology behind this analysis is rooted in the Forbes Global 2000, which ranks the world's largest companies based on sales, profits, assets, and market value. The 2024 list accounts for USD $51.7 trillion in revenue, USD $4.5 trillion in profits, USD $238 trillion in assets, and USD $88 trillion in market value. The analysis centres on the security posture and breach history of the Global 2000 and the ecosystem of third-party vendors associated with each company to understand cyber risk across the supply chains.

The data regarding third-party relationships was obtained using SecurityScorecard's Automatic Vendor Detection capability. This tool identifies vendors and products that constitute the digital supply chain of modern organisations. SecurityScorecard performs continuous internet scans to identify vulnerable and misconfigured digital assets and monitors signals globally to enhance its dataset with commercial and open-source intelligence sources.

This report highlights the critical need for Global 2000 companies to adopt stringent cybersecurity measures, particularly concerning supply chain vulnerabilities, to protect against substantial financial and operational risks.
