Almost all global organizations have vendor relationships with recently breached third parties, a report by IT security firm SecurityScorecard found.
According to the Close Encounters of the Third (and Fourth) Party Kind report, 98% of organizations globally have vendor relationships with at least one company that has suffered a data breach in the last two years. Additionally, 50% of global organizations have indirect relationships with over 200 fourth-party vendors that were breached in the last 24 months.
The study, conducted by the Cyentia Institute, analyzed 235,000 primary organizations and more than 73,000 vendors and products from third and fourth parties.
Sprawling relationships with potentially breached third parties
SecurityScorecard painted a grim picture of the sprawling relationships between primary organizations and third and fourth parties.
“For every third-party vendor in their supply chain, organizations typically have indirect relationships with 60 to 90 times that number of fourth-party relationships,” the report states.
Additionally, the security posture of partner organizations deteriorates down the supply chain. For example, third parties are five times more likely to have a poor security rating than primary organizations, and the multiplier rises to 10x when fourth-party organizations with a failing grade are compared with primary organizations holding an A rating.
The study also found that approximately 10% of the third-party vendors of A-rated primary organizations scored an F, while twice as many primary organizations (38.4%) had an A rating compared to third parties (17.7%).
Organizations have multiple partners across different countries
SecurityScorecard’s study found that some organizations had up to two dozen third-party relationships spanning up to ten countries.
The information services sector has the highest number of third-party relationships, at an average of 25, two and a half times the general average of 10. The hospitality and healthcare sectors followed closely at 15.5, followed by agriculture (14), retail/wholesale and education (13.5), real estate and manufacturing (12), and insurance at 11. The finance sector had the fewest third-party vendor relationships, at 6.5.
The top 5 products in third-party relationships were Google Analytics, Google Tag Manager, Amazon Web Hosting, PHP, and Facebook, accounting for 68% of the third-party vendor relationships.
Additionally, most organizations work with vendors spanning multiple countries, which the report says creates a regulatory challenge. According to SecurityScorecard, more than half (59%) of organizations have third-party relationships in five or fewer countries, while roughly 14% work with third parties in 10 or more countries.
Wade Baker, partner and co-founder at The Cyentia Institute, said that every third-party relationship is a security risk due to compromised third-party code. While partnering with breached third parties does not necessarily predict an imminent data breach, firms with poor security ratings were 7.7% more likely to suffer a breach.
According to Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, third-party relationships mean that the attack surface spans beyond just the technology that an organization controls. Yampolskiy stressed the importance of maintaining full visibility into the security ratings of third- and fourth-party vendors.
“SecurityScorecard’s data demonstrates why managing cyber risk across the digital supply chain is absolutely critical as threat actors work to exploit any vulnerabilities an organization may have,” said Baker.
Baker believes that identifying and continuously monitoring all third parties within the supply chain is key to staying ahead of potential risks. Doing so would help organizations assess the risk of working with breached third parties and address areas of concern.
“By having full visibility into the security posture of their third and fourth parties, organizations can work with their vendors to address any cybersecurity gaps they may have in their infrastructure and, in turn, reduce their own level of cyber risk,” noted Baker.