Third-Party Breaches Impact Vast Majority of Organizations

Third-party breaches are extremely common and impact the vast majority of organizations, suggesting an attack surface spans beyond just the technology that an organization owns or controls.

These were among the chief findings of a SecurityScorecard report which revealed that 98.3% of organizations have a relationship with at least one third party that experienced a breach in the past two years.

The report, which analyzed data from more than 230,000 organizations, found half have indirect relationships with at least 200 breached fourth-party vendors in the last two years.

Nearly six in 10 (59%) organizations have vendors from five or fewer countries, and roughly 14% work with vendors spanning 10 or more countries. For each third-party vendor in their supply chain, organizations typically have indirect relationships with 60 to 90 times that number of fourth parties. 

“Each of these relationships represents exposure to risk,” the report noted. “In some cases [that’s] due to compromised third-party code, or in others due to usage of an insecure hosting provider.”

The research, conducted in partnership with The Cyentia Institute, found the information services sector has two-and-a-half times the number of third-party relationships than the overall average, while the finance sector claimed the fewest.

“The exposure to breaches via third- and fourth-party relationships is incredibly high,” explained Mike Woodward, vice president of data quality and trust at SecurityScorecard. “It’s important for organizations to understand that these vendor breaches can expose them directly and indirectly to risk from circumstances that are outside of their own control.”

He adds it’s crucial for organizations to have full visibility into all the parties they work with.

“Using tools to help automate the vendor detection process allows organizations to get a full 360-degree view of their vendor ecosystems and enables them to see where they may be exposed to other companies’ vulnerabilities,” Woodward explained. 

When it comes to improving the security posture against third- and fourth-party data risk, he said all parties within an organization have a role to play. 

“First parties have a responsibility to understand and manage their vendor landscape and the risks associated with those relationships,” he said. “When vulnerabilities are identified, first parties can work with their vendors to help fill in security gaps and minimize risk.”

From Woodward’s perspective, an organization’s security posture goes beyond itself: In reality, it’s a combination of its own posture, its vendors’ posture and their vendors’ posture that make up the entire digital ecosystem.

“Staying on top of risks and vulnerabilities associated with third and fourth parties helps organizations manage risk,” he says. “Data breaches are bad for customers, bad for employees and bad for business.”

He noted that based on the sheer volume of vendor relationships that exist across industries, it is practically a foregone conclusion that, at some point, every organization will be at least indirectly exposed to cybersecurity risk through a third party.

He said the key for an organization is to identify those risky vendors and determine ways to better manage exposure.

“Organizations can prepare by continuously monitoring their vendors and working with them to mitigate potential vulnerabilities before they present an issue,” Woodward explained. 

Despite the widespread security risks in third and fourth parties, third-party risk is surprisingly ranked lower on the list of risk priorities than other enterprise risks, according to Forrester’s State of Third-Party Risk Management 2022 report.

According to the study, nearly seven in 10 (69%) enterprise risk management decision-makers identified an improved ability to identify and address risks from third-party providers as a chief management priority. 

However, just 20% of those respondents identified third-party risk as a “main concern” for the organization. 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 290 posts and counting.See all posts by nathan-eddy