SecurityScorecard has announced findings from its 2024 Redefining Resilience: Concentrated Cyber Risk in a Global Economy Research, with McKinsey & Company as a knowledge partner.
The threat research uncovers an extreme concentration of cyber-risk in just 15 vendors, posing serious threats to national security and global economies. The research also details a surge in adversaries exploiting third-party vulnerabilities to maximise the stealth, speed and impact of supply chain cyberattacks.
“Much like a precarious house perched on a cliff’s edge, the reliance on a handful of vendors shapes the foundation of our global economy,” said Dr Aleksandr Yampolskiy, CEO and Co-Founder, SecurityScorecard. “The question to ask is: ‘Have we concentrated a mission-critical service to a single vendor – creating a single point of failure?’”
Third-party vulnerabilities spread like a digital forest fire
Threat researchers used the SecurityScorecard platform to identify the supply chain cyber-risk across approximately 12 million organisations.
Key findings include:
- 150 companies account for 90% of the technology products and services across the global attack surface.
- 41% of those companies had evidence of at least one compromised device in the past year.
- 11% had evidence of a ransomware infection in the past year.
- 62% of the global external attack surface is concentrated in the products and services of just 15 companies.
- The top 15 third parties have below-average cybersecurity risk ratings – indicating a higher likelihood of breach.
- Ransomware operators Cl0p, LockBit and BlackCat systematically target third-party vulnerabilities at scale. Within five minutes of a device being connected to the Internet, state-sponsored threat actors will find it.
The sheer scale of these companies amplifies their risk of compromise, posing significant third-party risks to their extensive customer bases. Defending massive attack surfaces presents a formidable challenge, even for the most robust security teams. While these companies must maintain flawless security at all times, attackers need only exploit a single vulnerability within their expansive attack surface.
Take action to protect against third-party risk
According to McKinsey, companies spend hundreds of thousands of dollars per year managing cyber-risk within their vendor and third-party ecosystems, and millions on cyber programmes, yet a billion-dollar business is only as secure as the cybersecurity of its smallest vendor.
Mitigating supply chain cyber-risk requires four key steps:
- Identify single points of failure
- Continuously monitor the external attack surface
- Automatically detect new vendors
- Operationalise vendor cybersecurity management
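The four steps above describe a process, not code. As an added example (not from the report, SecurityScorecard or McKinsey), the following Python script works the first three steps over a constructed vendor inventory: it flags capabilities that every mission-critical service sources from a single vendor, lists each vendor's blast radius across critical services, computes how much of the dependency footprint the top N vendors hold (the counterpart of the report's "62% in 15 companies" figure), and diffs two inventory snapshots to surface newly introduced vendors. All service, capability and vendor names are hypothetical.

```python
"""Vendor concentration and single-point-of-failure analysis over an
internal service inventory. Added example; the inventory below is
constructed and every name in it is hypothetical."""
from collections import Counter

# Constructed inventory: service -> (mission_critical, {capability: vendor}).
INVENTORY = {
    "payments-api":    (True,  {"hosting": "CloudHostCo", "identity": "AuthProviderX",
                                "payments": "PayGatewayInc"}),
    "customer-portal": (True,  {"hosting": "CloudHostCo", "identity": "AuthProviderX",
                                "cdn": "EdgeCacheCo"}),
    "data-warehouse":  (True,  {"hosting": "OtherHostCo", "identity": "AuthProviderX"}),
    "email":           (True,  {"mail": "MailSaaSCo", "identity": "AuthProviderX"}),
    "hr-system":       (False, {"hosting": "OtherHostCo", "identity": "AuthProviderX"}),
    "wiki":            (False, {"hosting": "CloudHostCo"}),
}

# Constructed earlier snapshot of the same inventory, before "email" was onboarded.
PREVIOUS_INVENTORY = {k: v for k, v in INVENTORY.items() if k != "email"}


def single_points_of_failure(inventory, min_services=2):
    """Step 1: capabilities that every mission-critical service obtains from
    exactly one vendor. Returns {capability: (vendor, [services])}; capabilities
    used by fewer than min_services critical services are ignored so that a
    one-off dependency is not reported as organisation-wide concentration."""
    by_capability = {}
    for service, (critical, caps) in inventory.items():
        if not critical:
            continue
        for cap, vendor in caps.items():
            by_capability.setdefault(cap, {}).setdefault(vendor, []).append(service)
    result = {}
    for cap, vendors in by_capability.items():
        if len(vendors) != 1:
            continue  # at least two vendors can deliver this capability
        (vendor, services), = vendors.items()
        if len(services) >= min_services:
            result[cap] = (vendor, sorted(services))
    return result


def critical_blast_radius(inventory):
    """Step 1 from the vendor side: which mission-critical services a
    compromise or outage of each vendor would touch."""
    radius = {}
    for service, (critical, caps) in inventory.items():
        if not critical:
            continue
        for vendor in set(caps.values()):
            radius.setdefault(vendor, []).append(service)
    return {vendor: sorted(services) for vendor, services in radius.items()}


def vendor_concentration(inventory, top_n):
    """Step 2: share of all service->vendor dependencies held by the top_n
    vendors. Each vendor is counted once per service that depends on it."""
    counts = Counter(vendor for _, caps in inventory.values()
                     for vendor in set(caps.values()))
    total = sum(counts.values())
    top = counts.most_common(top_n)
    return top, sum(n for _, n in top) / total


def new_vendors(previous, current):
    """Step 3: vendors present in the current snapshot but not in the previous
    one, i.e. dependencies that entered the estate without a review."""
    def vendors(inv):
        return {v for _, caps in inv.values() for v in caps.values()}
    return vendors(current) - vendors(previous)


if __name__ == "__main__":
    for cap, (vendor, services) in single_points_of_failure(INVENTORY).items():
        print(f"SPOF: {cap} is sourced only from {vendor} by {services}")
    for vendor, services in sorted(critical_blast_radius(INVENTORY).items()):
        print(f"{vendor}: {len(services)} critical service(s) {services}")
    top, share = vendor_concentration(INVENTORY, 2)
    print(f"top-2 vendors {top} hold {share:.0%} of dependencies")
    print("new vendors since last snapshot:", new_vendors(PREVIOUS_INVENTORY, INVENTORY))
```

In practice the inventory comes from CMDB, SaaS-discovery, DNS and IdP data rather than a literal; the analysis is the same, and the snapshot diff is what turns "detect new vendors" into a scheduled job rather than an annual questionnaire.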
“The interconnected nature of our digital landscape requires a shift in how companies think about their cyber ecosystem risk — it is no longer just about your resilience, you need to consider the broader system and how to build mutual support with peers, competitors and your vendors,” said Charlie Lewis, Partner, McKinsey.