Blog February 28, 2024

SecurityScorecard 2024 Global Third-Party Cybersecurity Breach Report: Software supply chain is top target for ransomware groups

by Paul Prudhomme, STRIKE Threat Intelligence Analyst

The SecurityScorecard Global Third-Party Breach Report uses the world’s largest proprietary risk and threat dataset to provide unique insights into the intricate web of supply chain vulnerabilities exploited by ransomware groups.


As the digital landscape continues to evolve, so too do the tactics of cyber adversaries. Ransomware groups, in particular, have homed in on a prime target: the software supply chain. The first edition of the SecurityScorecard Third-Party Breach Report comes at a time when supply chain breaches dominate breach notifications.

SecurityScorecard’s Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team analysts tailored this research for third-party risk management (TPRM) teams and cybersecurity professionals to provide comprehensive insights that inform and guide their security decision-making.


Frequency of third-party breaches

STRIKE’s quantitative analysis of 2023 breaches indicates that nearly one-third of breaches involved a third-party attack vector. However, this figure likely underestimates the true extent, as many incident reports do not provide enough detail on attack vectors.


Variations by industry

Industry nuances play a pivotal role in shaping the threat landscape. Healthcare emerges as a hotspot for third-party breaches, followed closely by Financial Services. The industry with the highest percentage of its breaches involving third parties was, however, Technology, despite having a lower absolute number of such incidents than the other two industries.

Why do those three industries have so many, or such relatively frequent, third-party breaches in particular? Beyond their popularity as targets in general, STRIKE found that Healthcare in particular and also Financial Services have more numerous, diverse, and specialized third-party relationships that enable third-party breaches. To put it simply: they have more third-party risk because they have more third parties.


Vendor relationships that cause third-party breaches

SecurityScorecard threat analysts found that three-quarters of the vendor relationships that enabled third-party breaches were technical in nature, involving the provision of software and other IT products and services. The remaining quarter were non-technical, such as professional services providers (e.g., law or accounting firms). This is where the salience of the Technology industry comes into play: its businesses can be either the ultimate targets of a third-party breach or the third party that enables breaches affecting ultimate targets in other industries.

Software vulnerabilities are a key means by which Technology companies unwittingly facilitate third-party attacks on their customers. Last year’s campaign by the threat group Cl0p, in which it exploited a zero-day vulnerability in MOVEit file transfer software (CVE-2023-34362), is a strong example of this risk. This vulnerability was the most common in our sample by a huge margin, and it also made Cl0p the most prolific identifiable perpetrator of third-party breaches by a similar margin. Third-party attacks via Technology companies in particular are so popular among threat actors precisely because they let actors scale up their operations with relatively little extra input.


Variations by geography

The most surprising finding was that the frequency of third-party breaches seems to vary little by geography, with one exception: Japan, where nearly half of all incidents involved third-party attack vectors. Japan has a distinctive history of supply chain vertical integration, but it remains unclear to what extent (if any) that business tradition may be a factor in this unusually high rate of third-party breaches. We plan to answer that question in future research.


Towards a safer tomorrow

As companies navigate third-party risk, armed with these insights, they are better able to secure their supply chain. With the threat landscape continuously evolving, SecurityScorecard research promises to illuminate pathways to enhanced resilience. Our collective strength lies in our ability to unite, share insights, and work hand in hand towards a common goal: a secure and resilient digital ecosystem.

To access the full findings and recommendations from the SecurityScorecard 2024 Global Third-Party Cybersecurity Breach Report, download the report now.
