Many firms are working with risky third party vendors

Despite having well-defended digital premises and endpoints, many firms are at risk of cyberattacks because they work with different vendors and third parties that aren’t as secure. 

This is according to a new report from cybersecurity ratings firm SecurityScorecard, which analyzed more than 235,000 organizations worldwide, as well as 73,000 vendors and products they use, to find that virtually all firms (98%) have vendor relationships with at least one third party that suffered a data breach in the last two years. 

What’s more, half of the organizations have indirect relationships (as in used by the third-party vendors) with at least 200 companies that suffered a cyberattack in the last two years.

F for security

For every third-party vendor in a supply chain, businesses usually have indirect relationships with 60 to 90 times that number of fourth-party relationships, the researchers have found. With third parties being up to five times more likely to exhibit poor security, the risk quickly compounds. 

Roughly a tenth (10%) of all third parties analyzed for the report were rated F for security. 

Looking at different industries, the information services sector has an average of 25 vendors, while the finance sector has 6.5 on average. Healthcare averaged 15.5 vendors, while insurance has 11. Each one poses a significant risk to the original organization. 

Cybercriminals seem to be well aware of these facts, as supply chain attacks became one of the most devastating forms of cybercrime lately. The SolarWinds attack, in which just one company had its software compromised, and which resulted in tens of thousands of organizations worldwide being affected, is probably the best example.

“An organization’s attack surface spans beyond just the technology that they own or control, ” said Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard.

“Organizations need visibility into the security ratings of their entire third and fourth party ecosystem so that they can know in an instant whether an organization deserves their trust and can take proactive steps to mitigate risk.”