Adversaries exploit third-party vulnerabilities to maximise the stealth, speed and impact of ransomware attacks

SecurityScorecard has announced findings from its 2024 Redefining Resilience: Concentrated Cyber Risk in a Global Economy Research, with McKinsey & Company as a knowledge partner.

The threat research uncovers an extreme concentration of cyber-risk in just 15 vendors, posing serious threats to national security and global economies. The research also details a surge in adversaries exploiting third-party vulnerabilities to maximise the stealth, speed and impact of supply chain cyberattacks.

“Much like a precarious house perched on a cliff’s edge, the reliance on a handful of vendors shapes the foundation of our global economy,” said Dr Aleksandr Yampolskiy, CEO and Co-Founder, SecurityScorecard. “The question to ask is: ‘Have we concentrated a mission-critical service to a single vendor – creating a single point of failure?’”

Third-party vulnerabilities spread like a digital forest fire 

Threat researchers used the SecurityScorecard platform to identify the supply chain cyber-risk across approximately 12 million organisations. 

Key findings include:

  • 150 companies account for 90% of the technology products and services across the global attack surface.
  • 41% of those companies had evidence of at least one compromised device in the past year. 
  • 11% had evidence of a ransomware infection in the past year. 
  • 62% of the global external attack surface is concentrated in the products and services of just 15 companies.
  • The top 15 third parties have below-average cybersecurity risk ratings – indicating a higher likelihood of breach. 
  • Ransomware operators Cl0p, LockBit and BlackCat systematically target third-party vulnerabilities at scale. Within five minutes of connecting an Internet-facing device, state-sponsored threat actors will find it.

The sheer scale of these companies amplifies their risk of compromise, posing significant third-party risks to their extensive customer bases. Defending massive attack surfaces presents a formidable challenge, even for the most robust security teams. While these companies must maintain flawless security at all times, attackers need only exploit a single vulnerability within their expansive attack surface.

Take action to protect against third-party risk


According to McKinsey, companies spend hundreds of thousands of dollars per year managing cyber-risk within their vendor and third-party ecosystem, and millions on cyber programmes, yet their billion-dollar business is only as good as the cybersecurity of their smallest vendor.

Mitigating supply chain cyber-risk requires four key steps:

  • Identify single points of failure
  • Continuously monitor the external attack surface
  • Automatically detect new vendors
  • Operationalise vendor cybersecurity management

“The interconnected nature of our digital landscape requires a shift in how companies think about their cyber ecosystem risk — it is no longer just about your resilience, you need to consider the broader system and how to build mutual support with peers, competitors and your vendors,” said Charlie Lewis, Partner, McKinsey.
