Approximately 75% of all recorded third-party cybersecurity breaches occurred after other entities in the victim’s software and technology supply chain were attacked, according to new statistics released today by cyber intelligence platform SecurityScorecard.
Third-party breaches account for around 29% of all breaches recorded by SecurityScorecard in 2023, the data shows, although given the significant under-reporting of attack vectors this is likely to be significantly lower than the actual number.
Vulnerabilities within technology supply chains have proven immeasurably valuable to cybercriminals in recent years—as demonstrated by large-scale breaches involving platforms and services operated by big names like Kaseya, Progress Software, and SolarWinds. This is largely because compromising a vendor’s technology allows threat actors to attack that vendor’s customers with minimal effort.
“The vendor ecosystem is a very desirable target for ransomware groups. Victims of third-party breaches are often unaware of an incident until they are notified of the ransomware, giving attackers time to infiltrate hundreds of companies without being detected,” said Ryan Sherstobitoff, SecurityScorecard’s senior vice president of threat research and intelligence.
Last year, SecurityScorecard data reveals, supply chain attacks were dominated by one threat actor in particular, the Clop (aka Cl0p) ransomware crew, which was responsible for 64% of attributed third-party breaches, followed by LockBit, which could only manage 7%. This dominance was, of course, driven by Clop/Cl0p’s dramatic and extensive compromise of Progress Software’s MOVEit tool using a critical, now patched, zero-day vulnerability, CVE-2023-34362.
Between them, the MOVEit flaw and two other vulnerabilities, Citrix Bleed and one affecting Proself, a file storage system predominantly used in Japan, were involved in 77% of all third-party breaches that cited a specific vulnerability.
Big targets
Healthcare and financial services emerged as the sectors most affected by third-party breaches, including supply chain attacks, with 35% of observed attacks affecting healthcare professionals and 16% financial services.
The healthcare industry can be particularly prone to third-party attacks thanks to the sector’s tendency to rely on complex ecosystems of relationships, with multiple suppliers contributing to different parts of the patient care cycle – particularly in privatized, insurance-driven markets such as the United States, but to some extent also in the NHS.
The majority of observed breaches, 64%, occurred in North America, with the US accounting for 63%. Only 9% occurred in Europe, with 3% in the UK, 22% in APAC, 4% in Australia. Analysts at SecurityScorecard warned that geographic variation could be harder to pin down because of the focus of security vendors and the media on markets such as the US, Australia and the UK.
Outside of the English-speaking world, Japan experienced a significantly higher rate of third-party breaches (and contributed to the high number of incidents reported in APAC). This is probably down to the significant reliance on international partnerships in Japan’s major industries, and may be partly a legacy of the traditional keiretsu business model, which produced complex, interdependent networks of firms within Japan.
Important keiretsus include Mitsubishi, which in addition to its namesake companies also operates camera manufacturer Nikon and brewer Kirin; and Sumitomo, which counts automaker Mazda and electronics company NEC among its members.
Third party risk affects everyone
However, although relatively few recorded breaches have occurred in the UK – compared with Japan and the US – there is no excuse for any organization not to pay attention to third-party risk. According to the data, 98% of organizations now have a relationship with a third party that has been breached at some point, and according to Gartner, the cost of remediating such a breach is typically much higher than the cost of remediating an internal breach, as much as 40% higher in some cases.
“In the digital age, trust is synonymous with cyber security. Companies need to improve resilience by implementing metrics-driven, business-aligned continuous cyber risk management across their digital and third-party ecosystems,” said SecurityScorecard CEO and co-founder Aleksandr Yampolskiy.