Approximately 75% of all recorded cyber security breaches that originated through a third party occurred after other entities in the victim’s software and technology supply chain were attacked, according to new statistics published today by cyber intelligence platform SecurityScorecard.
Third-party breaches account for about 29% of all breaches recorded by SecurityScorecard in 2023, the data show, although given significant underreporting of attack vectors this is very likely a substantial understatement of the true figure.
Vulnerabilities within technology supply chains have proved immensely valuable to cyber criminals in recent years – as large-scale breaches involving platforms and services operated by big names such as Kaseya, Progress Software and SolarWinds have demonstrated. This situation has arisen in no small part because a compromise of a supplier’s technology enables threat actors to attack that supplier’s downstream customers with minimal effort.
“The supplier ecosystem is a highly desirable target for ransomware groups. Third-party breach victims are often not aware of an incident until they receive a ransomware note, allowing time for attackers to infiltrate hundreds of companies without being detected,” said SecurityScorecard senior vice president of threat research and intelligence, Ryan Sherstobitoff.
In the past year, SecurityScorecard’s data reveal, supply chain attacks were dominated by one threat actor in particular, the Clop (aka Cl0p) ransomware crew, which accounted for 64% of attributable third-party breaches, followed by LockBit, which could only manage 7%. This was, of course, fuelled by Clop/Cl0p’s dramatic and wide-ranging compromise of Progress Software’s MOVEit tool using a critical, now-patched, zero-day vulnerability, CVE-2023-34362.
Between them, MOVEit and two other vulnerabilities, Citrix Bleed and Proself – a file storage system used predominantly in Japan – were involved in 77% of all third-party breaches in which a vulnerability was specified.
Big targets
Healthcare and financial services emerged as the sectors most victimised by third-party breaches, including supply chain attacks, with 35% of the observed number of attacks hitting health specialists and 16% financial services.
The health industry may be particularly liable to fall victim to third-party attacks thanks to the sector’s tendency to rely on complex ecosystems of relationships, with multiple vendors contributing at various parts of the patient care cycle – particularly in privatised, insurance-driven markets such as the United States, but to some extent in the NHS as well.
The majority of the observed breaches, 64%, took place in North America, with the US accounting for 63% of those. Just 9% took place in Europe, with the UK accounting for 3%, and 22% occurred in APAC, with Australia accounting for 4%. SecurityScorecard’s analysts cautioned that geographical variations may be harder to pin down because security suppliers and news media focus on markets such as the US, Australia and the UK.
Beyond the English-speaking world, Japan experienced a significantly higher rate of third-party breaches (and contributed to the high volume of incidents booked in APAC). This is likely down to a significant reliance on international partnerships in Japan’s major industries, and is possibly in part a legacy of the traditional keiretsu business model, which has produced complex, interdependent webs of companies within Japan.
Important keiretsus include Mitsubishi, which besides its eponymous businesses also operates camera maker Nikon and brewery Kirin; and Sumitomo, which counts carmaker Mazda and electronics firm NEC among its members.
Third-party risk affects everybody
However few recorded breaches occurred in the UK compared to Japan and the US, there is no excuse for any organisation not to pay attention to third-party risk. According to the data, 98% of organisations now have a relationship with a third party that has been breached at some point, and according to Gartner, the cost of remediating such a breach is typically much higher than the cost of remediating an internal breach – as much as 40% higher in some cases.
“In the digital age, trust is synonymous with cyber security. Companies must improve resilience by implementing continuous, metrics-driven, business-aligned cyber risk management across their digital and third-party ecosystems,” said SecurityScorecard CEO and co-founder Aleksandr Yampolskiy.