Rise in cyber risks targeting third-party vulnerabilities
SecurityScorecard, in association with McKinsey & Company, has unveiled a new report, "2024 Redefining Resilience: Concentrated Cyber Risk in a Global Economy Research", highlighting a steep rise in cyber risks targeting third-party vulnerabilities.
The study reveals a significant concentration of cyber risk in only 15 vendors, potentially threatening national security and the global economy.
The report finds that a mere 150 companies account for 90% of the technology products and services across the global attack surface. Out of these, 41% have evidence of at least one compromised device in the past year. Shockingly, 62% of the global external attack surface is concentrated in the products and services of merely 15 companies. The leading 15 vendors have below-average risk ratings, suggesting a heightened probability of a breach.
Dr. Aleksandr Yampolskiy, CEO and Co-Founder of SecurityScorecard, emphasises the precarious vulnerability of the global economy due to dependency on a small group of vendors. He said, "Much like a precarious house perched on a cliff's edge, the reliance on a handful of vendors shapes the foundation of our global economy. The question to ask is: 'Have we concentrated a mission-critical service to a single vendor — creating a single point of failure?'"
The exploitation of third-party vulnerabilities by adversaries is described as spreading like a digital forest fire. According to the research, ransomware operators Cl0p, LockBit, and BlackCat systematically target third-party vulnerabilities at scale. The sheer scale of these vendors amplifies their risk of compromise and poses considerable third-party risk to their extensive customer bases.
The report also sheds light on the financial impact of managing vendor-related cyber risk. Companies spend hundreds of thousands of dollars annually managing cyber risk within their vendor and third-party ecosystem and invest millions in cyber programs. Despite this, the cybersecurity of their smallest vendor can still jeopardise their billion-dollar business.
The report suggests four key steps to mitigate supply chain cybersecurity risk: identifying single points of failure, continuously monitoring the external attack surface, automatically detecting new vendors, and operationalising vendor cybersecurity management. Charlie Lewis, Partner at McKinsey, added, "The interconnected nature of our digital landscape requires a shift in how companies think about their cyber ecosystem risk — it is no longer just about your resilience, you need to consider the broader system and how to build mutual support with peers, competitors, and your vendors."
The research insights from this report shed light on the concentrated cyber risk in a global economy and reiterate the importance of taking action against third-party risk, countering vendor-related cyber threats, and reshaping companies' perception of cyber ecosystem risk.