BLACK HAT 2024 – New research from SecurityScorecard and The Cyentia Institute found that 99% of Global 2000 companies are directly connected to vendors that have had recent breaches. Prompted by new SEC cybersecurity disclosure requirements that extend to incidents at third parties, the report highlights the escalating risk of multi-party supply chain attacks.
The interconnected nature of modern business means that a vulnerability in one part of the supply chain can have far-reaching consequences, potentially impacting the entire ecosystem. Massive third-party incidents like Change Healthcare, MOVEit, and SolarWinds underscore the critical need for robust supply chain cybersecurity.
Key Findings: Global 2000: Industry Titans Battle the Beast of Supply Chain Cyber Risk
- 99% of Global 2000 companies are directly connected to a supply chain breach.
- 20% of these megacompanies use a thousand or more products.
- Supply chain incidents cost 17X more to remediate and manage than first-party breaches.
- The estimated total losses from Global 2000 breaches ranged between $20 billion and $80 billion over 15 months.
- Global 2000 companies face significant concentrated risk due to their interdependence, with 90% acting as vendors to each other.
- The top 8 most widely deployed vendors are used by at least 80% of Global 2000 companies, with 4 of the top 5 reporting a recent breach.
Wade Baker, partner and co-founder at The Cyentia Institute, said: “While the Global 2000 boasts $51.7 trillion in revenue, their interconnectedness exposes them to severe cyber risks – with 99% directly connected to breached vendors and incidents that can tally into the tens of billions.”
Know Your Supply Chain
Whether the cause is a DDoS attack or a faulty patch, the operational result of a supply chain event is often the same: users lose access to critical systems. The incidents cited above also show that the impact can be data theft or a backdoored update rather than an outage, so the dependency still matters even when nothing goes down.
Knowing Your Supply Chain (KYSC) is becoming an increasingly important component of cyber resilience. Understanding the dependencies within your organization and those of your vendors is critical for responding to incidents effectively. Even the most reliable vendors and partners can experience issues.
Key steps to securing the supply chain include:
- Continuously monitor the external attack surface: Safeguard your IT ecosystem with continuous automated scanning. Identify and mitigate infrastructure and cybersecurity risks across vendor, agency, and partner environments, not just your own.
- Identify single points of failure: Map critical business processes to the technologies and vendors they depend on, and flag any process served by a single vendor with no alternative. Put those vendors on a watch list.
- Automatically detect new vendors: Passively monitor vendors' IT deployments so that new dependencies (including your vendors' own vendors) are discovered and reviewed rather than remaining hidden supply chain risk.
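The three steps above can be reduced to a small, repeatable pipeline: infer vendors from passive observations, map critical processes to the vendors they depend on, flag single points of failure and concentration, and diff the current vendor inventory against the last snapshot to surface new dependencies. The following is an added illustration written for this page, not SecurityScorecard's Automatic Vendor Detection code or data. The observation records, the fingerprint table, the process map and every domain name in it are constructed for the example.

```python
"""Toy supply-chain mapping (added example; all data below is constructed).

Step 3: infer vendors from passive DNS/HTTP observations and diff snapshots.
Step 2: map critical processes to vendors and flag single points of failure.
Step 1 is the collection of OBSERVATIONS, which a real scanner would supply.
"""
from collections import defaultdict

# Constructed passive observations for our own domain and two partners,
# shaped like (observed_domain, record_type, observed_value).
OBSERVATIONS = [
    ("example.com", "MX", "aspmx.l.google.com"),
    ("example.com", "CNAME", "example.zendesk.com"),
    ("example.com", "HTTP", "server: cloudflare"),
    ("payroll.example.com", "CNAME", "example.workday.com"),
    ("partner-a.example", "MX", "mail.protection.outlook.com"),
    ("partner-a.example", "HTTP", "server: cloudflare"),
    ("partner-b.example", "CNAME", "partner-b.zendesk.com"),
]

# Hypothetical fingerprint table: substring of an observed value -> vendor.
FINGERPRINTS = {
    "google.com": "Google Workspace",
    "outlook.com": "Microsoft 365",
    "zendesk.com": "Zendesk",
    "cloudflare": "Cloudflare",
    "workday.com": "Workday",
}

# Constructed map of critical business processes to the vendors each one
# depends on; a process with a fallback lists more than one provider.
PROCESS_MAP = {
    "customer-support": {"Zendesk"},
    "email": {"Google Workspace"},
    "payroll": {"Workday"},
    "web-frontend": {"Cloudflare", "in-house-origin"},
}


def detect_vendors(observations, fingerprints=FINGERPRINTS):
    """Return {domain: set(vendor)} inferred from passive records."""
    found = defaultdict(set)
    for domain, _rtype, value in observations:
        for needle, vendor in fingerprints.items():
            if needle in value.lower():
                found[domain].add(vendor)
    return dict(found)


def single_points_of_failure(process_map):
    """Vendors that are the sole provider of at least one critical process.

    Returns {vendor: sorted list of processes that have no alternative}.
    """
    spof = defaultdict(list)
    for process, vendors in process_map.items():
        if len(vendors) == 1:
            (vendor,) = vendors
            spof[vendor].append(process)
    return {v: sorted(p) for v, p in spof.items()}


def concentration(vendors_by_domain):
    """Number of monitored domains that share each vendor."""
    counts = defaultdict(int)
    for vendors in vendors_by_domain.values():
        for vendor in vendors:
            counts[vendor] += 1
    return dict(counts)


def new_vendors(previous, current):
    """Vendors present now but absent from the previous snapshot, per domain."""
    diff = {}
    for domain, vendors in current.items():
        added = vendors - previous.get(domain, set())
        if added:
            diff[domain] = sorted(added)
    return diff


def watch_list(process_map, vendors_by_domain, min_share=2):
    """Vendors to watch: every single point of failure, plus any vendor
    deployed across at least `min_share` monitored domains."""
    reasons = defaultdict(list)
    for vendor, procs in single_points_of_failure(process_map).items():
        reasons[vendor].append("single point of failure for " + ", ".join(procs))
    for vendor, n in concentration(vendors_by_domain).items():
        if n >= min_share:
            reasons[vendor].append(f"deployed at {n} monitored domains")
    return dict(reasons)


if __name__ == "__main__":
    inventory = detect_vendors(OBSERVATIONS)
    for vendor, why in sorted(watch_list(PROCESS_MAP, inventory).items()):
        print(f"{vendor}: {'; '.join(why)}")
    # Simulate a later run: a partner quietly adopted a new SaaS vendor.
    later = {d: set(v) for d, v in inventory.items()}
    later["partner-b.example"].add("Workday")
    print("new since last snapshot:", new_vendors(inventory, later))
```

In the constructed data, Zendesk lands on the watch list for two reasons (it is the only provider of customer support and is shared with a partner), while Cloudflare appears only for concentration because the web front end has an in-house fallback. Real fingerprinting needs far more than substring matching, but the structure (observe, attribute, map, diff) is what turns "know your supply chain" into something that runs on a schedule.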
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, said: “The world is only beginning to grasp the potential for chaos caused by concentration risk. Understanding and managing your supply chain is critical to protect business continuity. It's not just about preventing disruptions; it’s about safeguarding the very foundation of our interconnected economy.”
Methodology
The Forbes Global 2000 ranks the largest companies in the world using four metrics: sales, profits, assets, and market value. The 2024 list accounts for $51.7 trillion in revenue, $4.5 trillion in profits, $238 trillion in assets, and $88 trillion in market value. The analysis focused directly on the security posture and breach history of the Global 2000 and the ecosystem of third-party vendors surrounding each Global 2000 company to understand the nature of cyber risk across their supply chains.
The data on third-party relationships comes from SecurityScorecard’s Automatic Vendor Detection capability. Automatic Vendor Detection identifies vendors and products that make up the digital supply chain of modern organizations.
SecurityScorecard continuously scans the internet to identify vulnerable and misconfigured digital assets. Additionally, SecurityScorecard monitors signals across the Internet, relying on a global network of sensors that spans the Americas, Asia, and Europe. The company operates one of the world’s largest networks of sinkholes and honeypots to capture malicious signals and further enrich its data set by leveraging commercial and open-source intelligence sources.