{"id":16840,"date":"2023-02-01T18:32:03","date_gmt":"2023-02-01T17:32:03","guid":{"rendered":"https:\/\/www.show.it\/98-of-firms-have-a-supply-chain-relationship-that-has-been-breached-analysis\/"},"modified":"2023-02-01T18:32:03","modified_gmt":"2023-02-01T17:32:03","slug":"98-of-firms-have-a-supply-chain-relationship-that-has-been-breached-analysis","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/98-of-firms-have-a-supply-chain-relationship-that-has-been-breached-analysis\/","title":{"rendered":"98% of Firms Have a Supply Chain Relationship That Has Been Breached: Analysis"},"content":{"rendered":"<p>The digital supply chain is probably more extensive and more complicated than you realize. Upward of 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years \u2013 and these figures are almost certainly no exaggeration.<\/p>\n<p>The figures come from a report by SecurityScorecard. More than 230,000 organizations were examined to discover their relationships with third parties. Third parties were investigated to examine fourth parties (on which the third parties depend before delivering services to the first party). The expansion of relationships grows so rapidly that it makes six degrees of separation likely to be a conservative estimation.<\/p>\n<p>From the figures: 98% of organizations have a relationship with a third party that has been breached, while more than 50% have an indirect relationship with more than 200 fourth parties that have been breached. 
These figures do not suggest that the first parties have been breached, but they do indicate the extent of risk exposure via the supply chain.<\/p>\n<figure class=\"wp-block-image aligncenter is-resized\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/wUJLu9eyBlt4CkP4aO9Wmc8IFrKyG2sWtPiHH1fEi33ZblzAAZ_Q-bssEGnPGh4LLqyOqh8yspFHu7Aty3yVijWHfn4WC4KHv55do7aBymEFIgDirBrBDHh8HU7B1ypjP32gfP9h2pyNh8hARpNk6sI\" alt=\"\n\n\" width=\"600\"><figcaption class=\"wp-element-caption\"><em>The escalating nature of third and fourth-party relationships<\/em><\/figcaption><\/figure>\n<p>It is worth reflecting on the term \u2018breach\u2019. Some commentators include data exposure within the term \u2013 so an organization with an unsecured cloud database is described as breached. This is not how SecurityScorecard uses the term in this report.\u00a0<\/p>\n<p>\u201cWe define a breach as any incident where parties gain unauthorized access to computer data, applications, networks, or devices,\u201d Mike Woodward, VP data quality and trust at SecurityScorecard, told <em>SecurityWeek<\/em>. 
\u201cThe parties could be intruding threat actors who bypass or penetrate security mechanisms from the internet, or they could be organization insiders who abuse their privileged access to data and resources.\u201d<\/p>\n<p>Knowledge of a breach comes from public sources: government disclosures and press reports. \u201cEvery day, we scan multiple sources, including government websites and press reports, for reports of breaches. We\u2019re careful about the sources we will accept, and we point back to our source so our users can check for themselves,\u201d he continued.<\/p>\n<p>Of course, not all organizations disclose that they have been breached, and not all organizations even know they have been breached. 
So this methodology means that SecurityScorecard\u2019s statement that \u201898% of organizations have a relationship with a third (or fourth) party that has been breached\u2019 can only be a conservative estimate, a lower bound on the true figure.<\/p>\n<p>\u201cSecurityScorecard\u2019s data demonstrates why managing cyber risk across the digital supply chain is absolutely critical as threat actors work to exploit any vulnerabilities an organization may have. Identifying and continuously monitoring all partners and customers within the digital supply chain is key to staying ahead of any potential risk,\u201d comments Wade Baker, partner and co-founder at The Cyentia Institute (a data-driven cybersecurity research group).\u00a0<\/p>\n<p>\u201cBy having full visibility into the security posture of their third and fourth parties, organizations can work with their vendors to address any cybersecurity gaps they may have in their infrastructure and, in turn, reduce their own level of cyber risk.\u201d<\/p>\n<p>The <a href=\"https:\/\/resources.securityscorecard.com\/research-ungated\/close-encounters-of-the-thrird-and-fourth-party-kind#page=1\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">report<\/a> highlights which sectors have the highest number of third-party relationships, notes that more secure first parties still have relationships with the less secure third parties, points out that third parties are 5x more likely to exhibit poor security, and even enumerates the number of companies that have relationships with foreign organizations.<\/p>\n<p>\u201cSeven percent of firms have relationships with vendors in only their home country (no foreign ties),\u201d states the report. 
\u201cAbout 59% of organizations have connections to five or fewer countries, and roughly 14% have vendors spanning 10 or more countries.\u201d This doesn\u2019t necessarily increase or decrease cyber risk, but it highlights a potentially overlooked complication: compliance with international laws, security requirements, and other geopolitical issues.<\/p>\n<p>The overriding conclusion of the report is that no firm can afford to be insular about its cybersecurity. It must have visibility into its own digital ecosystem, but also similar visibility into the security of its suppliers \u2013 including, perhaps, the fourth party suppliers. And if that visibility is unavailable, maybe the risk of a relationship is too great.<\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/openvex-spec-adds-clarity-to-supply-chain-vuln-warnings\/\">OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/pypi-users-targeted-wacatac-trojan-new-supply-chain-attack\/\">PyPI Users Targeted With \u2018Wacatac\u2019 Trojan in New Supply Chain Attack<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/malware-delivered-pytorch-users-supply-chain-attack\/\">Malware Delivered to PyTorch Users in Supply Chain Attack<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/iranian-hackers-deliver-new-fantasy-wiper-diamond-industry-supply-chain-attack\/\">Iranian Hackers Deliver \u2018Fantasy\u2019 Wiper to Diamond Industry via Supply Chain Attack<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/98-of-firms-have-a-supply-chain-relationship-that-has-been-breached-analysis\/\">98% of Firms Have a Supply Chain Relationship That Has Been Breached: Analysis<\/a> appeared first on <a rel=\"nofollow\" 
href=\"https:\/\/www.securityweek.com\/\">SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The digital supply chain is probably more extensive and more complicated than you realize. Upward of 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years \u2013 and these figures are almost certainly no exaggeration. The figures come from a report by SecurityScorecard. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16841,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[69,160,133],"tags":[],"class_list":["post-16840","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-featured","category-supply-chain","category-supply-chain-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?post=16840"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16840\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16841"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
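The third-party and fourth-party exposure counts the article reports (a breached direct vendor, and breached vendors-of-vendors reached indirectly) are a walk over a vendor dependency graph filtered by a breach-disclosure window. The following is an added example of that computation; it is not SecurityScorecard's code or methodology. The vendor graph, the breach disclosure dates, the 730-day window for "the last two years" and the shortest-path tiering (a vendor that is both direct and indirect counts once, as a third party) are all constructed assumptions.

```python
"""Transitive breached-vendor exposure over a vendor dependency graph.

Added illustration of the third-/fourth-party exposure idea; not
SecurityScorecard's code or methodology. The vendor graph, breach
disclosure dates and the 730-day window are constructed assumptions.
"""
from datetime import date, timedelta

# Constructed sample: organisation -> direct vendors (its third parties).
VENDORS = {
    "acme-bank":   ["cloudco", "payproc", "hrsaas"],
    "bigretail":   ["cloudco", "adnet"],
    "smallclinic": ["ehr-vendor"],
    "cloudco":     ["dns-prov", "cdn-x"],
    "payproc":     ["cloudco", "kyc-api"],
    "hrsaas":      ["cdn-x"],
    "adnet":       ["cdn-x", "dns-prov"],
    "ehr-vendor":  ["isp-y"],
    "dns-prov": [], "cdn-x": [], "kyc-api": [], "isp-y": [],
}

# Constructed public breach disclosures: vendor -> disclosure date.
BREACHES = {
    "payproc":  date(2022, 6, 1),
    "cdn-x":    date(2021, 11, 15),
    "dns-prov": date(2019, 3, 3),   # outside the two-year window, must not count
}

AS_OF = date(2023, 1, 31)          # evaluation date (assumption)
WINDOW_DAYS = 730                  # "last two years" (assumption)


def breached_within(vendor, as_of=AS_OF, window_days=WINDOW_DAYS):
    """True if the vendor has a disclosed breach inside the trailing window.
    Only disclosed breaches are known, so the result is a lower bound."""
    disclosed = BREACHES.get(vendor)
    if disclosed is None:
        return False
    return as_of - timedelta(days=window_days) <= disclosed <= as_of


def vendor_tiers(org, max_depth=2):
    """Breadth-first walk of the vendor graph from `org`.

    Returns {depth: set of vendors first reached at that depth}: depth 1 is
    the third parties, depth 2 the fourth parties. A vendor that is both a
    direct vendor and a vendor-of-vendor is counted once, at depth 1
    (assumption: shortest-path tiering)."""
    tiers = {}
    seen = {org}
    frontier = [org]
    for depth in range(1, max_depth + 1):
        reached = []
        for node in frontier:
            for vendor in VENDORS.get(node, []):
                if vendor not in seen:
                    seen.add(vendor)
                    reached.append(vendor)
        tiers[depth] = set(reached)
        frontier = reached
    return tiers


def breached_exposure(org, as_of=AS_OF):
    """{depth: breached vendors at that depth} for one organisation."""
    return {depth: {v for v in vendors if breached_within(v, as_of)}
            for depth, vendors in vendor_tiers(org).items()}


def portfolio_counts(orgs, as_of=AS_OF, more_than=0):
    """Count organisations with at least one breached third party, and those
    with more than `more_than` breached fourth parties (the report uses 200;
    0 is used here because the toy graph is tiny)."""
    third = fourth = 0
    for org in orgs:
        exposure = breached_exposure(org, as_of)
        if exposure[1]:
            third += 1
        if len(exposure[2]) > more_than:
            fourth += 1
    return {"orgs": len(orgs),
            "with_breached_third_party": third,
            "with_breached_fourth_parties": fourth}


if __name__ == "__main__":
    firsts = ["acme-bank", "bigretail", "smallclinic"]
    for org in firsts:
        print(org, breached_exposure(org))
    print(portfolio_counts(firsts))
```

On this constructed graph only acme-bank has a breached direct vendor, but both acme-bank and bigretail reach the breached CDN through cloudco, which is the shape of the article's point: a first party with no breached third party can still carry breached fourth-party exposure, and because only disclosed breaches enter BREACHES every count is a floor, not a ceiling.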